
CN110708296A - Intelligent detection model for VPN account compromise based on long-term behavior analysis - Google Patents

Info

Publication number
CN110708296A
Authority
CN
China
Prior art keywords
data
vpn account
model
vpn
compromise
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201910884661.8A
Other languages
Chinese (zh)
Other versions
CN110708296B (en)
Inventor
周海清
何丹
孙成胜
张焱
王伟
康英来
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Electronic Technology Cyber Security Co Ltd
Original Assignee
China Electronic Technology Cyber Security Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
2019-09-19 (application CN201910884661.8A, filed by China Electronic Technology Cyber Security Co Ltd)
Publication date
2020-01-17 (CN110708296A); granted and published as CN110708296B on 2022-03-18
Legal status
Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N 3/00 Computing arrangements based on biological models
    • G06N 3/02 Neural networks
    • G06N 3/08 Learning methods
    • G06N 3/084 Backpropagation, e.g. using gradient descent
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/46 Interconnection of networks
    • H04L 12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/06 Management of faults, events, alarms or notifications
    • H04L 41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/14 Network analysis or design
    • H04L 41/142 Network analysis or design using statistical or mathematical methods
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/14 Network analysis or design
    • H04L 41/147 Network analysis or design for predicting network behaviour

Landscapes

  • Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Mathematical Physics (AREA)
  • Computing Systems (AREA)
  • Pure & Applied Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Artificial Intelligence (AREA)
  • Biomedical Technology (AREA)
  • Biophysics (AREA)
  • Computational Linguistics (AREA)
  • Data Mining & Analysis (AREA)
  • Evolutionary Computation (AREA)
  • Health & Medical Sciences (AREA)
  • Molecular Biology (AREA)
  • Probability & Statistics with Applications (AREA)
  • Mathematical Optimization (AREA)
  • Software Systems (AREA)
  • Mathematical Analysis (AREA)
  • Algebra (AREA)
  • Computer Hardware Design (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an intelligent detection model for VPN account compromise based on long-term behavior analysis. The detection process comprises: step one, a data reading stage: reading the collected VPN account login data from a big-data distributed storage system; step two, a data preprocessing stage: performing data cleaning on the read data; step three, a feature engineering stage: generating, from the preprocessed data, the multidimensional features required to build a model that infers VPN account compromise; step four, a model training stage: training a scoring model and a common-list model; step five, a model prediction stage: using the trained models and the read VPN account data to predict compromised VPN accounts at different risk levels. The method does not depend on positive and negative sample labels in the security data, saves a large amount of labor and time, can be combined with the actual business scenario of VPN account compromise, and effectively improves recall and accuracy.

Description

Intelligent detection model for VPN account compromise based on long-term behavior analysis
Technical Field
The invention relates to an intelligent detection model for VPN account compromise based on long-term behavior analysis.
Background
Since the Cybersecurity Law of the People's Republic of China came into force on June 1, 2017, enterprises' attention to their own security has moved beyond network security against threats such as vulnerabilities, APT events and host compromise, deeper into IT office security (employee information leakage, illegal operations, VPN account compromise and the like), and further into business security. For the business security of an enterprise, IT office security is the last barrier: if an account is compromised, that barrier has been breached and business security is directly threatened. Early warning of the compromise of enterprise accounts is therefore very important.
However, an enterprise's own IT office environment is filled with data such as employee information and VPN account information, and when the enterprise is large this data grows by orders of magnitude. How to detect compromised VPN accounts in massive data, and predict which VPN accounts are at high risk of compromise, has become one of the security problems an enterprise urgently needs to solve.
Looking at earlier security methods and means, detection has long relied on known rules. With known rules, the thresholds are set manually, recall is often low, and accuracy needs improvement. Security vendors have therefore tried machine learning algorithms that focus on features in massive data such as data content, contextual relationships and behavior, moving detection from single points to multidimensional big-data analysis in order to detect compromised VPN accounts and predict high-risk ones, cope with the growing data volume of enterprises, and improve the recall and accuracy of compromised-account detection.
However, in real enterprise security data, normal operation occupies most of the time and abnormal operation or attacks occupy only a few periods. Negative examples are therefore rare and positive and negative examples are extremely unbalanced; having operations staff find, confirm and label abnormal or attacked data in massive data within a short period is labor- and time-consuming, and few enterprises are willing to spend manpower and resources on it. Without sufficient online business data samples, training a model with supervised algorithms such as classification or regression and using it to detect compromised VPN accounts yields unsatisfactory recall and accuracy. Unsupervised algorithms that do not depend on labeled samples, such as clustering or time-series prediction, are not highly accurate on their own and usually have to be combined with other classification algorithms to obtain a satisfactory result.
Disclosure of Invention
To overcome the defects of the prior art, the invention provides an intelligent detection model for VPN account compromise based on long-term behavior analysis. It extracts multidimensional features targeted at the actual process of VPN account compromise, builds a multiple scoring function over those features, and judges the compromise risk of each VPN account with a dynamic or static threshold. The method does not depend on positive and negative sample labels in the security data, saves a large amount of labor and time, can be combined with the actual business scenario of VPN account compromise, and effectively improves recall and accuracy. In addition, the model uses a Recurrent Neural Network (RNN) algorithm or reinforcement learning to continuously learn the login habits of each VPN account over a long time window of several months, forming a common list for each VPN account so that account compromise can be judged more accurately.
The technical scheme adopted by the invention to solve the technical problem is as follows: an intelligent detection model for VPN account compromise based on long-term behavior analysis, whose detection process comprises:
step one, a data reading stage: reading the collected VPN account login data from a big-data distributed storage system;
step two, a data preprocessing stage: performing data cleaning on the read data;
step three, a feature engineering stage: generating, from the preprocessed data, the multidimensional features required to build a model that infers VPN account compromise;
step four, a model training stage: training a scoring model and a common-list model;
step five, a model prediction stage: using the trained models and the read VPN account data to predict compromised VPN accounts at different risk levels.
Compared with the prior art, the invention has the following positive effects:
1. Minute-level alarm model based on big data
The invention provides a model that, based on big-data analysis, goes from ingesting the mass data collected from each server to generating alarm output within minutes. The method and approach are practical and effective for aggregating behavioral data such as VPN account logins from the different servers used by the various business departments of an enterprise, comprehensively analyzing and judging the compromise risk of each VPN account, and quickly generating an alarm.
2. No manual labeling of training samples or detection samples
Combining the characteristics of the VPN account compromise scenario, the login time, the login location and the statistical analysis of VPN account login behavior (such as counts, frequency and login failure rate), the method establishes a multiple scoring function and judges the compromise risk value of each VPN account with a dynamic or static threshold. It does not depend on positive and negative sample labels in the security data, omits the manual labeling of training and detection samples, and saves a large amount of labor and time.
3. Intelligent learning of each VPN account's behavior habits over a time window of months
The method supports using a Recurrent Neural Network (RNN) algorithm or reinforcement learning to continuously learn the login habits of each VPN account from mass data over a long time window of several months, forming a fine-grained common list for each VPN account, refining each account's compromise risk value and improving alarm accuracy.
Drawings
The invention will now be described, by way of example, with reference to the accompanying drawings, in which:
fig. 1 is a schematic diagram of the network attack flow leading to VPN account compromise;
fig. 2 shows the intelligent detection model for VPN account compromise based on long-term behavior analysis;
fig. 3 is a schematic flow for deploying the VPN account compromise detection model within an enterprise.
Detailed Description
A typical VPN account compromise attack flow is shown in fig. 1. It generally comprises a preparation period, an intrusion period and a profit period, subdivided into the following five stages:
(1) The two stages of the preparation period:
Stage 1 - reconnaissance and scanning: the attacker researches, sniffs and scans the target enterprise, typically with internet crawlers, collecting information such as meeting records, e-mail addresses and social relationships, or using special methods and means.
Stage 2 - weaponization: the attacker uses automated tools to pair a remote-access trojan with an exploit for a vulnerability and embeds it in a specific carrier, such as a PDF or Office document format commonly used by the target's staff.
(2) The two stages of the intrusion period:
Stage 3 - delivery: the carrier loaded with the attack weapon is transmitted into the target environment. According to the report of the Lockheed Martin Computer Incident Response Team (LM-CIRT), the three most common delivery vehicles used by APT attackers are e-mail attachments, websites and USB removable media.
Stage 4 - exploitation: once the carrier reaches the victim host or server, the malicious code is triggered actively or passively. In most cases the attacker completes this step by exploiting a vulnerability in an application or the operating system; common means include SQL (structured query language) injection and logic-flaw attacks. It is also possible that the user executes the code unknowingly.
(3) The single stage of the profit period:
Stage 5 - VPN account compromise: following the predetermined plan, the attacker steals one or more VPN accounts of the target enterprise and uses them as the breach point, logging in to the enterprise intranet with a legitimate identity. The attacker then steals the victim enterprise's business data and, after collecting, compressing and encrypting it, exfiltrates it out of the victim environment; or directly destroys the integrity of the business data and the availability of the business.
As the attack flow shows, each link in the chain is a prerequisite for the next. If the defender can detect and block any one step in time, the attacker must give up or find another suitable way to continue the attack. Discovering the attacker's traces as early as possible in the overall process, and controlling or blocking them, gives the defender the initiative in the attack-defense game. Based on the actual mass-data environment of the enterprise, data records related to VPN account behavior are selected, multidimensional features are extracted, a multiple scoring mechanism is established, and the behavior habits of each employee's VPN account are learned from large amounts of data over a long time window, so that compromised accounts among the VPN accounts active in the enterprise on the same day can be detected within minutes.
An intelligent detection model for VPN account compromise based on long-term behavior analysis is shown in fig. 2; the core of the model is behavior analysis. The model handles large data volumes, long time windows, multidimensional features, a multiple scoring mechanism and intelligent detection. Through four layers, data collection, data preprocessing and feature engineering, model training, and model prediction, it provides a VPN account compromise detection service that aggregates long-window mass data across departments and branches/subsidiaries of the enterprise and raises detection alarms within minutes.
(I) Data collection: aggregation of data from different servers of different departments and branches/subsidiaries of the enterprise over long time windows spanning months. This mainly comprises the VPN account login records kept in the databases of the various departments and subsidiaries (for example MySQL or MongoDB) and the alarm data reported by security devices, aggregated into the HDFS (Hadoop Distributed File System) or Elasticsearch system of the big-data analysis cluster.
(II) Data preprocessing and feature engineering: data cleaning of the aggregated mass data, namely selection by field name, selection by time range, removal of blank values and deduplication; grouped statistics by different fields (such as source IP or user name) and aggregated statistics of data records by different fields (such as the unique identifier of each record); and, for features with a time-series dimension, setting a time window size and, within each window, selecting fields according to the specific requirement (such as computing login frequency or login failure frequency) for grouped and aggregated statistical calculation. The result is a set of multidimensional features including login time, login location, number of logins, login frequency and login failure rate. The Spark framework is used to support high-performance batch processing.
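The cleaning and feature-engineering stage above, as an added example that is not the patent's own code: plain Python over a handful of constructed login records rather than the Spark job the description mentions. The record layout, the 5-minute burst bucket used as the "login frequency" feature and the 3-failure streak behind the "success after repeated failures" feature are assumptions made for the illustration.

```python
"""Data cleaning and feature engineering for VPN login records (illustrative, not the patent's code)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real data: (timestamp, user, source IP, location, device, result).
SAMPLE_LOGINS = [
    ("2019-09-19T08:58:10", "alice", "10.0.0.5", "Chengdu", "LAPTOP-A1", "success"),
    ("2019-09-19T13:02:41", "alice", "10.0.0.5", "Chengdu", "LAPTOP-A1", "success"),
    ("2019-09-19T13:02:41", "alice", "10.0.0.5", "Chengdu", "LAPTOP-A1", "success"),  # exact duplicate
    ("2019-09-19T02:11:03", "bob", "203.0.113.7", "Kyiv", "UNKNOWN", "failure"),
    ("2019-09-19T02:11:09", "bob", "203.0.113.7", "Kyiv", "UNKNOWN", "failure"),
    ("2019-09-19T02:11:15", "bob", "203.0.113.7", "Kyiv", "UNKNOWN", "failure"),
    ("2019-09-19T02:12:30", "bob", "203.0.113.7", "Kyiv", "UNKNOWN", "success"),    # success after a streak
    ("2019-09-19T09:15:00", "bob", "10.0.0.9", "Chengdu", "LAPTOP-B2", "success"),
    ("2019-09-18T23:59:59", "carol", "10.0.0.3", "Chengdu", "LAPTOP-C3", "success"),  # outside the window
    ("2019-09-19T10:00:00", "", "10.0.0.3", "Chengdu", "LAPTOP-C3", "success"),       # blank user name
]


def clean(records, start, end):
    """Data cleaning: keep the fields of interest, keep only records with start <= ts < end,
    drop records with a blank user name, remove exact duplicates, and sort by time."""
    seen, kept = set(), []
    for ts, user, ip, loc, dev, result in records:
        t = datetime.fromisoformat(ts)
        if not (start <= t < end) or not user.strip():
            continue
        row = (t, user, ip, loc, dev, result)
        if row in seen:
            continue
        seen.add(row)
        kept.append(row)
    kept.sort()
    return kept


def build_features(records, start, end, burst_minutes=5, fail_streak=3):
    """Group cleaned records by user and aggregate per-window features: counts, failure rate,
    login hours/locations/devices, the busiest burst_minutes bucket (login frequency), and
    whether a success followed at least fail_streak consecutive failures."""
    by_user = defaultdict(list)
    for row in clean(records, start, end):
        by_user[row[1]].append(row)
    features = {}
    for user, rows in by_user.items():
        failures = sum(1 for r in rows if r[5] == "failure")
        buckets = defaultdict(int)
        streak, success_after_failures = 0, False
        for t, _, ip, loc, dev, result in rows:  # rows are time-ordered
            bucket = t.replace(second=0, microsecond=0, minute=t.minute - t.minute % burst_minutes)
            buckets[bucket] += 1
            if result == "failure":
                streak += 1
            else:
                success_after_failures |= streak >= fail_streak
                streak = 0
        features[user] = {
            "login_count": len(rows),
            "failure_count": failures,
            "failure_rate": failures / len(rows),
            "distinct_ips": len({r[2] for r in rows}),
            "hours": sorted({r[0].hour for r in rows}),
            "locations": {r[3] for r in rows},
            "devices": {r[4] for r in rows},
            "max_attempts_per_bucket": max(buckets.values()),
            "success_after_failures": success_after_failures,
        }
    return features


def features_for_day(records, day):
    """Features for one calendar day given as 'YYYY-MM-DD' (a one-day time window)."""
    start = datetime.fromisoformat(day)
    return build_features(records, start, start + timedelta(days=1))


if __name__ == "__main__":
    for user, f in features_for_day(SAMPLE_LOGINS, "2019-09-19").items():
        print(user, f)
```

The window boundary drops carol's previous-day login, the blank user and the duplicate are removed before any counting, and bob's four attempts inside one 5-minute bucket plus the success that ends a 3-failure streak are exactly the signals claim 6 asks for.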
(III) Model training: two types of model are trained, a scoring model and a common-list model. In the scoring model, the multidimensional features generated by preprocessing and feature engineering are combined with the specific scenario of VPN account compromise and the value characteristics of the relevant features: several features are selected and each is assigned a base weight score; the value range of each feature is divided into several intervals, and each interval is assigned a coefficient; when the observed value of a feature falls into a particular interval, the product of the feature's base weight score and that interval's coefficient is the score for that feature dimension; the scores of all feature dimensions are summed to give the final score for the scenario. Dividing each dimension into intervals with different coefficients and then summing across dimensions screens the data several times over, gradually narrowing the set of high-risk compromised VPN accounts. According to the final score, VPN accounts can be classified into different compromise risk levels by score interval, and a dynamic or static threshold is applied so that accounts exceeding the threshold are returned as high-risk compromised VPN accounts.
In the other model, which builds a common list for each employee, a neural network with memory can be built using long short-term memory (LSTM) units in a Recurrent Neural Network (RNN), or reinforcement learning can be used so that the model gradually corrects itself. Data from a longer range of several months are learned to build, for each VPN account of each employee in the enterprise, a common list (for example a list of common login times, common login locations and common login devices). During learning, data records judged to be abnormal behavior by the intermediate detection results are excluded, so that the continuously learned behavior habits are not seriously biased. Finally, the learned feature data of each VPN account's behavior habits, in each dimension, are written to the designated database.
(IV) Model prediction: for the VPN account behavior data aggregated by the enterprise on the current day, the behavior-habit data that the common-list model wrote to the database is read first, and values that appear in the corresponding common list are filtered out of each account's multidimensional features produced by feature engineering, so that only the unfamiliar feature values are screened further. Each VPN account is then scored with the multiple scoring function model; a whitelist strategy allows real-time interaction between the model and the front-end interface and at the same time improves the model's accuracy. After this filtering, the VPN accounts finally output by the multiple scoring model are judged to be high-risk compromised VPN accounts, and an alarm is generated.
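Stages (III) and (IV) together, as an added example that is not the patent's own code: a common list is learned from a constructed multi-month history, today's feature values that appear in the account's common list are filtered out, the remaining values are scored as base weight times interval coefficient and summed, and a dynamic (mean plus k standard deviations) or static threshold decides the risk level. The weights, intervals, the "value seen on at least half of the account's active days" rule that stands in for the patent's LSTM or reinforcement-learning learner, the dynamic-threshold formula and the medium level at half the threshold are all assumptions made for the illustration. The example also shows why the patent excludes records the interim detection flagged as abnormal: without that exclusion an attacker who keeps using a stolen account trains their own location into the baseline.

```python
"""Common-list model, interval scoring and threshold decision (illustrative, not the patent's code)."""
import statistics
from collections import defaultdict

# Hypothetical scoring table: feature -> (base weight score, [(low, high, coefficient), ...]).
# A value v scores base * coefficient of the interval with low <= v < high (high=None is open-ended).
SCORING_CONFIG = {
    "failure_rate":           (20, [(0.0, 0.2, 0.0), (0.2, 0.5, 0.5), (0.5, None, 1.0)]),
    "failure_count":          (10, [(0, 3, 0.0), (3, 10, 0.5), (10, None, 1.0)]),
    "unfamiliar_locations":   (30, [(0, 1, 0.0), (1, None, 1.0)]),
    "unfamiliar_devices":     (20, [(0, 1, 0.0), (1, None, 1.0)]),
    "off_hours_logins":       (10, [(0, 1, 0.0), (1, 3, 0.5), (3, None, 1.0)]),
    "success_after_failures": (30, [(0, 1, 0.0), (1, None, 1.0)]),
}
EMPTY_HABIT = {"hours": set(), "locations": set(), "devices": set()}


def constructed_history():
    """Constructed login history (not real data): (user, day, hour, location, device)."""
    rows = []
    for d in range(1, 6):  # five ordinary working days for alice, bob and carol
        rows += [("alice", d, 9, "Chengdu", "LAPTOP-A1"), ("alice", d, 13, "Chengdu", "LAPTOP-A1"),
                 ("bob", d, 9, "Chengdu", "LAPTOP-B2"), ("carol", d, 9, "Chengdu", "LAPTOP-C3")]
    for d in range(1, 5):  # dave's normal days
        rows.append(("dave", d, 9, "Chengdu", "LAPTOP-D4"))
    for d in range(5, 9):  # days on which the interim detection flagged dave's account
        rows.append(("dave", d, 9, "Kyiv", "LAPTOP-D4"))
    return rows


ANOMALOUS_DAYS = {("dave", 5), ("dave", 6), ("dave", 7), ("dave", 8)}

# Constructed output of the feature-engineering stage for the current day.
TODAY_FEATURES = {
    "alice": {"failure_rate": 0.0, "failure_count": 0, "hours": {9, 13}, "locations": {"Chengdu"},
              "devices": {"LAPTOP-A1"}, "success_after_failures": False},
    "bob":   {"failure_rate": 0.6, "failure_count": 3, "hours": {2, 9}, "locations": {"Kyiv", "Chengdu"},
              "devices": {"UNKNOWN", "LAPTOP-B2"}, "success_after_failures": True},
    "carol": {"failure_rate": 0.25, "failure_count": 1, "hours": {9}, "locations": {"Chengdu"},
              "devices": {"LAPTOP-C3"}, "success_after_failures": False},
    "dave":  {"failure_rate": 0.0, "failure_count": 0, "hours": {9}, "locations": {"Kyiv"},
              "devices": {"LAPTOP-D4"}, "success_after_failures": False},
}


def learn_common_lists(history, anomalous_days=frozenset(), min_share=0.5):
    """Per account, a value is 'common' if it was seen on at least min_share of the account's
    active days; days flagged as anomalous by the interim detection are skipped entirely."""
    days_seen = defaultdict(set)
    value_days = defaultdict(lambda: defaultdict(set))
    for user, day, hour, loc, dev in history:
        if (user, day) in anomalous_days:
            continue
        days_seen[user].add(day)
        for dim, val in (("hours", hour), ("locations", loc), ("devices", dev)):
            value_days[(user, dim)][val].add(day)
    common = defaultdict(lambda: {k: set() for k in EMPTY_HABIT})
    for (user, dim), vals in value_days.items():
        n = len(days_seen[user])
        common[user][dim] = {v for v, ds in vals.items() if len(ds) / n >= min_share}
    return dict(common)


def apply_common_list(user, feats, common):
    """Filter habitual values out of today's features so only unfamiliar ones are scored."""
    habit = common.get(user, EMPTY_HABIT)
    return {
        "failure_rate": feats["failure_rate"],
        "failure_count": feats["failure_count"],
        "unfamiliar_locations": len(feats["locations"] - habit["locations"]),
        "unfamiliar_devices": len(feats["devices"] - habit["devices"]),
        "off_hours_logins": len(feats["hours"] - habit["hours"]),
        "success_after_failures": int(feats["success_after_failures"]),
    }


def score_account(inputs, config=SCORING_CONFIG):
    """Sum over features of base weight * coefficient of the interval the value falls into."""
    total, breakdown = 0.0, {}
    for name, (base, intervals) in config.items():
        v = inputs[name]
        coef = next((c for lo, hi, c in intervals if lo <= v and (hi is None or v < hi)), 0.0)
        breakdown[name] = base * coef
        total += breakdown[name]
    return total, breakdown


def detect(today, common, static_threshold=None, k=1.0):
    """Score every account; threshold is static or mean + k*stdev of today's scores."""
    scores = {u: score_account(apply_common_list(u, f, common))[0] for u, f in today.items()}
    if static_threshold is None:
        vals = list(scores.values())
        threshold = statistics.mean(vals) + k * statistics.stdev(vals)
    else:
        threshold = static_threshold
    levels = {u: "high" if s >= threshold else "medium" if s >= threshold / 2 else "low"
              for u, s in scores.items()}
    return scores, levels, threshold


if __name__ == "__main__":
    habits = learn_common_lists(constructed_history(), ANOMALOUS_DAYS)
    print(detect(TODAY_FEATURES, habits))
```

With the flagged days excluded, dave's Kyiv login is unfamiliar and scores 30; without the exclusion Kyiv reaches the 50% share and the same login scores 0. The dynamic threshold on these four scores flags only bob, whose off-hours burst of failures from an unknown device ending in a success scores 110 of a possible 120; a static threshold of 25 would also raise dave.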
To run prediction, the trained model is first deployed in a cluster; the deployment flow is shown in fig. 3. It comprises six steps: building the big-data storage system (such as HDFS or Elasticsearch) to collect data, building the Spark cluster, configuring the cluster environment, the database environment and the third-party libraries the model requires, installing the model program, configuring the model parameters, and executing the model. The model can be run as a scheduled task for automatic detection or executed manually for a specific task for immediate detection.

Claims (9)

1. An intelligent detection model for VPN account compromise based on long-term behavior analysis, characterized in that the detection process comprises:
step one, a data reading stage: reading the collected VPN account login data from a big-data distributed storage system;
step two, a data preprocessing stage: performing data cleaning on the read data;
step three, a feature engineering stage: generating, from the preprocessed data, the multidimensional features required to build a model that infers VPN account compromise;
step four, a model training stage: training a scoring model and a common-list model;
step five, a model prediction stage: using the trained models and the read VPN account data to predict compromised VPN accounts at different risk levels.
2. The intelligent detection model for VPN account compromise based on long-term behavior analysis according to claim 1, characterized in that the data cleaning in step two comprises selection by field name, selection by time range, removal of blank values and deduplication.
3. The intelligent detection model for VPN account compromise based on long-term behavior analysis according to claim 1, characterized in that the method for generating the multidimensional features in step three comprises: performing grouped statistics by different fields and aggregated statistics of the data records by different fields; and, for features with a time-series dimension, setting a time window size and, within each time window, selecting different fields for grouped and aggregated statistical calculation according to the specific requirement, so as to generate the multidimensional features.
4. The intelligent detection model for VPN account compromise based on long-term behavior analysis according to claim 3, characterized in that the multidimensional features include login time, login location, number of logins, login frequency, login failure rate, and the like.
5. The intelligent detection model for VPN account compromise based on long-term behavior analysis according to claim 1, characterized in that, when the scoring model is trained, the multidimensional features generated in the feature engineering stage are used; several features are selected according to the specific scenario of VPN account compromise and the value characteristics of the relevant features, and each is assigned a base weight score; the value range of each feature is divided into several intervals and each interval is assigned a coefficient; when the observed value of a feature falls into a particular interval, the product of the feature's base weight score and that interval's coefficient is the score for that feature dimension; and the scores of the feature dimensions are summed to obtain the final score for evaluating different scenarios.
6. The intelligent detection model for VPN account compromise based on long-term behavior analysis according to claim 5, characterized in that, for the VPN account compromise scenario, the selected multidimensional features include: the time of login failures, the location of login failures, the number of login failures, the frequency of login failures, whether a successful login record follows multiple login failures, and the like.
7. The intelligent detection model for VPN account compromise based on long-term behavior analysis according to claim 1, characterized in that, when the common-list model is trained, the login habits of each VPN account are continuously learned through a Recurrent Neural Network (RNN) algorithm or reinforcement learning, forming a common list for each VPN account so that the VPN account compromise risk can be judged accurately.
8. The intelligent detection model for VPN account compromise based on long-term behavior analysis according to claim 7, characterized in that the common list includes a list of common login times, a list of common login locations, a list of common login devices, and the like.
9. The intelligent detection model for VPN account compromise based on long-term behavior analysis according to claim 1, characterized in that the method for predicting compromised VPN accounts with the trained models comprises: for the VPN account behavior data aggregated by the enterprise on the current day, reading the behavior-habit data of each VPN account that the common-list model wrote to a database; further screening the feature values using the multidimensional features of each VPN account generated in the feature engineering stage; scoring each VPN account with the scoring model; adopting a whitelist strategy to allow real-time interaction between the model and the front-end interface; and finally outputting the VPN accounts detected as high-risk compromised VPN accounts.
CN201910884661.8A 2019-09-19 2019-09-19 Intelligent detection model for VPN account compromise based on long-term behavior analysis Active CN110708296B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910884661.8A CN110708296B (en) 2019-09-19 2019-09-19 Intelligent detection model for VPN account compromise based on long-term behavior analysis

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910884661.8A CN110708296B (en) 2019-09-19 2019-09-19 Intelligent detection model for VPN account compromise based on long-term behavior analysis

Publications (2)

Publication Number Publication Date
CN110708296A true CN110708296A (en) 2020-01-17
CN110708296B CN110708296B (en) 2022-03-18

Family

ID=69194553

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910884661.8A Active CN110708296B (en) 2019-09-19 2019-09-19 Intelligent detection model for VPN account compromise based on long-term behavior analysis

Country Status (1)

Country Link
CN (1) CN110708296B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20230300165A1 (en) * 2020-04-08 2023-09-21 Wells Fargo Bank, N.A. Security model utilizing multi-channel data
US12015630B1 (en) 2020-04-08 2024-06-18 Wells Fargo Bank, N.A. Security model utilizing multi-channel data with vulnerability remediation circuitry
US12143389B1 (en) 2022-02-04 2024-11-12 Wells Fargo Bank, N.A. 3rd party data explorer

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104881783A (en) * 2015-05-14 2015-09-02 中国科学院信息工程研究所 E-banking account fraud and risk detection method and system
CN107276982A (en) * 2017-05-08 2017-10-20 微梦创科网络科技(中国)有限公司 Abnormal login detection method and device
CN108965346A (en) * 2018-10-10 2018-12-07 上海工程技术大学 Compromised host detection method
CN109064175A (en) * 2018-06-11 2018-12-21 阿里巴巴集团控股有限公司 Account takeover risk control method and device
US20190068627A1 (en) * 2017-08-28 2019-02-28 Oracle International Corporation Cloud based security monitoring using unsupervised pattern recognition and deep learning
CN110198305A (en) * 2019-05-05 2019-09-03 平安科技(深圳)有限公司 Agent-seat IP anomaly detection method, system, computer device and storage medium


Also Published As

Publication number Publication date
CN110708296B (en) 2022-03-18

Similar Documents

Publication Publication Date Title
CN108881194B (en) Method and device for detecting abnormal behaviors of users in enterprise
CN111475804B (en) Alarm prediction method and system
US11582249B2 (en) Computer-implemented method and arrangement for classifying anomalies
US9479518B1 (en) Low false positive behavioral fraud detection
Ektefa et al. Intrusion detection using data mining techniques
CN110620759A (en) Network security event hazard index evaluation method and system based on multidimensional correlation
Hosseini et al. Anomaly process detection using negative selection algorithm and classification techniques
CN105471882A (en) Behavior characteristics-based network attack detection method and device
CN111953697B (en) APT attack recognition and defense method
CN105376193B (en) The intelligent association analysis method and device of security incident
Dhakar et al. A novel data mining based hybrid intrusion detection framework
CN110708296B (en) Intelligent detection model for VPN account compromise based on long-term behavior analysis
CN103532760A (en) Equipment, system and method for analyzing commands executed on hosts
CN116846633A (en) Network threat monitoring and analyzing method and system based on artificial intelligence
CN109657119A (en) A kind of web crawlers detection method based on access log IP analysis
CN110598959A (en) Asset risk assessment method and device, electronic equipment and storage medium
CN118133274A (en) Information security management and monitoring method and system based on big data
CN113282920B (en) Log abnormality detection method, device, computer equipment and storage medium
CN109962916B (en) Multi-attribute-based industrial internet security situation evaluation method
CN114500122B (en) Specific network behavior analysis method and system based on multi-source data fusion
CN110740111A (en) data leakage-proof method, device and computer readable storage medium
CN109359197B (en) Tax type authentication method, device and computer readable storage medium
CN114039837A (en) Alarm data processing method, device, system, equipment and storage medium
Munson et al. Reframing threat detection: Inside esINSIDER
Dhakar et al. A new model for intrusion detection based on reduced error pruning technique

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant