CPC H04L 63/1425 (2013.01) [G06N 20/00 (2019.01); H04L 63/1416 (2013.01); H04L 63/20 (2013.01)] | 17 Claims
1. An analysis method for an operational technology system, comprising:
acquiring first data related to the operational technology system from a data storage area, and parsing out first features of the first data;
identifying an abnormal feature from the first features; and
acquiring second data related to the abnormal feature from the data storage area, and generating an algorithm model based on the second data, wherein the algorithm model is usable for identifying an attack behavior related to the abnormal feature, and wherein the generating of the algorithm model based on the second data comprises:
determining a first statistical feature of an abnormal security event related to the abnormal feature;
determining a second statistical feature of an abnormal security behavior related to the abnormal feature;
determining fingerprints of an attack behavior related to the abnormal feature;
determining, based on an artificial customization method, an artificial customization algorithm for detecting the abnormal security event related to the abnormal feature;
determining, based on a machine learning method, a classification and identification algorithm for detecting the abnormal security event related to the abnormal feature; and
generating the algorithm model by aggregating at least the first statistical feature, the second statistical feature, the fingerprints, the artificial customization algorithm, and the classification and identification algorithm.
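A worked walk-through of the claimed pipeline, added here as an illustrative example and not code from the patent or its applicant: it parses features from constructed OT telemetry records, flags the feature that deviates most from a baseline window, pulls back the outlier records as the second data, and aggregates the two statistical features, the fingerprints, a hand-written rule and a nearest-centroid classifier into one model. The record fields, the baseline window size and the z-score thresholds are assumptions.

```python
import hashlib
import statistics

# Constructed OT telemetry records (illustrative, not from the patent). The first five
# are the known-good baseline window; the last two carry an oversized write payload.
FIRST_DATA = [
    {"src": "10.0.0.5", "func": 3, "reg": 100, "bytes": 12},
    {"src": "10.0.0.5", "func": 3, "reg": 100, "bytes": 12},
    {"src": "10.0.0.6", "func": 3, "reg": 102, "bytes": 14},
    {"src": "10.0.0.5", "func": 3, "reg": 100, "bytes": 13},
    {"src": "10.0.0.6", "func": 3, "reg": 102, "bytes": 12},
    {"src": "10.0.0.9", "func": 16, "reg": 100, "bytes": 240},
    {"src": "10.0.0.9", "func": 16, "reg": 100, "bytes": 255},
]
NUMERIC, BASELINE_N = ("func", "reg", "bytes"), 5  # assumed feature set and baseline size

def parse_features(records):
    """Claim step 1: parse the raw records into one value column per feature."""
    return {f: [r[f] for r in records] for f in NUMERIC}
def z_scores(values):  # score every value against the mean/stdev of the baseline window
    base = values[:BASELINE_N]
    mean, sd = statistics.mean(base), statistics.pstdev(base) or 1.0
    return [(v - mean) / sd for v in values]
def identify_abnormal_feature(features):
    """Claim step 2: the feature that deviates most from its baseline is the abnormal one."""
    return max(features, key=lambda f: max(abs(z) for z in z_scores(features[f])))
def acquire_second_data(records, feature, z_limit=3.0):
    """Claim step 3: fetch only the records that are outliers on the abnormal feature."""
    zs = z_scores([r[feature] for r in records])
    return [r for r, z in zip(records, zs) if abs(z) > z_limit]
def fingerprint(r):  # function-code/register pair used by the outlier traffic
    return hashlib.sha256(f"{r['func']}:{r['reg']}".encode()).hexdigest()

def generate_model(records, second, feature):
    """Claim step 4: aggregate statistics, fingerprints, a hand-written rule and a learned classifier."""
    normal = [r for r in records if r not in second]
    c_norm, c_abn = (statistics.mean(r[feature] for r in grp) for grp in (normal, second))
    return {
        "event_stats": {"count": len(second), "mean": c_abn},                # abnormal security events
        "behaviour_stats": {"sources": sorted({r["src"] for r in second})},  # abnormal security behaviour
        "fingerprints": {fingerprint(r) for r in second},                    # attack-behaviour fingerprints
        "rule": lambda r: r[feature] > 2 * max(n[feature] for n in normal),  # artificial customization
        "classifier": lambda r: abs(r[feature] - c_abn) < abs(r[feature] - c_norm),  # nearest-centroid ML
    }
def detect(model, record):  # any component flagging the record counts as a hit
    return bool(model["rule"](record) or model["classifier"](record) or fingerprint(record) in model["fingerprints"])

def build(records=FIRST_DATA):
    abnormal = identify_abnormal_feature(parse_features(records))
    return abnormal, generate_model(records, acquire_second_data(records, abnormal), abnormal)
```

The fingerprint component catches a later request that reuses the outlier function-code/register pair even when its payload size is back in the normal range, which neither the rule nor the classifier would flag on its own.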