公开(公告)号：US20190180030A1

公开(公告)日：2019-06-13

申请号：US15839839

申请日：2017-12-12

Applicant: Institute For Information Industry

Inventor： Te-EN WEI ,  Chih-Hung HSIEH ,  Hsiang-Tsung KUNG

IPC: G06F21/56 ,  G06N99/00

Abstract: An abnormal behavior detection model building apparatus and an abnormal behavior detection model building method thereof are provided. The abnormal behavior detection model building apparatus analyzes the parts of speech of a plurality of program operation sequences in a plurality of program operation sequence data associated with abnormal behaviors to generate a plurality of word vectors and cluster the word vectors. Based on the result of the clustering, the abnormal behavior detection model building apparatus obtains a feature vector of each of the program operation sequence data, and perform a supervised learning for a classification algorithm by using the feature vectors so as to build an abnormal behavior detection model.

公开(公告)号：US20180159878A1

公开(公告)日：2018-06-07

申请号：US15372235

申请日：2016-12-07

Applicant: Institute For Information Industry

Inventor： Chia-Min LAI ,  Ching-Hao MAO ,  Chih-Hung HSIEH ,  Te-EN WEI ,  Chi-Ping LAI

IPC: H04L29/06

CPC classification number: H04L63/1425 ,  G06F21/55 ,  G06F2221/2135 ,  H04L63/1408 ,  H04L63/1433 ,  H04L63/1441

Abstract: An attacking node detection apparatus, method, and computer program product thereof are provided. The attacking node detection apparatus is stored with a plurality of access records of an application, wherein each access record includes a network address of a host and an access content. The attacking node detection apparatus filters the access records into a plurality of filtered access records according to a predetermined rule so that the access content of each filtered access record conforms to the predetermined rule. The attacking node detection apparatus creates at least one access relation of each of the network addresses according to the filtered access records, wherein each access relation is defined by one of the network addresses and one of the access contents. The attacking node detection apparatus identifies a specific network address as an attacking node according to the access relations.

公开(公告)号：US20180159868A1

公开(公告)日：2018-06-07

申请号：US15372294

申请日：2016-12-07

Applicant: Institute For Information Industry

Inventor： Chia-Min LAI ,  Ching-Hao MAO ,  Chih-Hung HSIEH ,  Te-EN WEI ,  Chi-Ping LAI

IPC: H04L29/06 ,  H04L9/32

Abstract: A network attack pattern determination apparatus, method, and non-transitory computer readable storage medium thereof are provided. The apparatus is stored with several attack patterns and access records. Each access record includes a network address, time stamp, and access content. Each attack pattern corresponds to at least one attack access relation. Each attack access relation is defined by a network address and access content. The apparatus retrieves several attack records according to at least one attack address. The network address of each attack record is one of the attack address(s). The apparatus divides the attack records into several groups according to the time stamps and performs the following operations for each group: (a) creating at least one access relation for each attack address included in the group and (b) determining that the group corresponds to one of the attack patterns according to the at least one access relation of the group.