US 11,689,558 B2
Attack path detection method, attack path detection system and non-transitory computer-readable medium
Meng-Hsuan Chung, Taipei (TW); Chieh Lee, Taipei (TW); and Hsiao-Hsien Chang, Taipei (TW)
Assigned to INSTITUTE FOR INFORMATION INDUSTRY, Taipei (TW)
Filed by INSTITUTE FOR INFORMATION INDUSTRY, Taipei (TW)
Filed on Sep. 30, 2019, as Appl. No. 16/589,104.
Claims priority of application No. 108132856 (TW), filed on Sep. 11, 2019.
Prior Publication US 2021/0075822 A1, Mar. 11, 2021
Int. Cl. H04L 29/06 (2006.01); G06N 20/00 (2019.01); G06N 7/00 (2023.01); H04L 9/40 (2022.01); G06N 7/01 (2023.01)
CPC H04L 63/1441 (2013.01) [G06N 7/01 (2023.01); G06N 20/00 (2019.01); H04L 63/1416 (2013.01)]
17 Claims
 
1. An attack path detection method, comprising:
establishing a connecting relationship among a plurality of hosts according to a host log set to generate a host association graph, wherein the host log set comprises a log corresponding to each of the plurality of hosts;
labeling at least one host with an abnormal condition on the host association graph, further comprising establishing a file association graph of each of the plurality of hosts according to the host log set, wherein each of the file association graph comprises a file connecting relationship among a plurality of files corresponding to each of the plurality of hosts, and each of the plurality of files corresponds to a hash value, utilizing the hash value to determine whether corresponding file has a malicious data;
calculating a risk value corresponding to each of the plurality of hosts;
in a host without the abnormal condition, determining whether the risk value corresponding to the host without the abnormal condition is greater than a first threshold, and utilizing a host with the risk value greater than the first threshold as a high-risk host; and
searching at least one host attack path from the high-risk host and the at least one host with the abnormal condition according to the connecting relationship of the host association graph.
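
The steps of claim 1, sketched as an added example that is not code from the patent or its assignee. The log format, the hash blocklist, the threshold value and the risk formula (the share of a host's neighbours that are abnormal) are assumptions, since the claim does not specify them; the per-host file association graph is reduced here to a list of file hashes.

```python
from collections import defaultdict, deque

# Constructed sample data (not from the patent): connection records and file hashes per host.
CONN_LOG = [("A", "B"), ("B", "C"), ("C", "D"), ("B", "E"), ("E", "F")]
FILE_LOG = {"A": ["h1", "h2"], "B": ["h3"], "C": ["h4"], "D": ["bad1"], "E": ["h5"], "F": ["bad2"]}
KNOWN_BAD = {"bad1", "bad2"}   # hypothetical hash blocklist
FIRST_THRESHOLD = 0.4          # hypothetical value for the claim's "first threshold"

def build_host_graph(conn_log):
    """Step 1: undirected host association graph from connection records."""
    graph = defaultdict(set)
    for src, dst in conn_log:
        graph[src].add(dst)
        graph[dst].add(src)
    return graph

def label_abnormal(file_log, known_bad):
    """Step 2: a host is abnormal if any of its file hashes is known-malicious."""
    return {h for h, hashes in file_log.items() if known_bad & set(hashes)}

def risk_values(graph, abnormal):
    """Step 3 (assumed stand-in formula): share of a host's neighbours that are abnormal."""
    return {h: len(nbrs & abnormal) / len(nbrs) for h, nbrs in graph.items()}

def high_risk_hosts(risk, abnormal, threshold):
    """Step 4: hosts without the abnormal condition whose risk exceeds the threshold."""
    return {h for h, r in risk.items() if h not in abnormal and r > threshold}

def shortest_path(graph, start, goal):
    """Step 5: breadth-first search along the host association graph."""
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] == goal:
            return path
        for nxt in sorted(graph[path[-1]] - seen):
            seen.add(nxt)
            queue.append(path + [nxt])
    return None  # goal not reachable from start

def detect_attack_paths(conn_log, file_log, known_bad, threshold):
    """Run all five steps; map (high-risk host, abnormal host) to the connecting path."""
    graph = build_host_graph(conn_log)
    abnormal = label_abnormal(file_log, known_bad)
    risky = high_risk_hosts(risk_values(graph, abnormal), abnormal, threshold)
    return {(r, a): shortest_path(graph, r, a) for r in sorted(risky) for a in sorted(abnormal)}

if __name__ == "__main__":
    for pair, path in detect_attack_paths(CONN_LOG, FILE_LOG, KNOWN_BAD, FIRST_THRESHOLD).items():
        print(pair, path)
```
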