CPC H04L 63/1416 (2013.01) [H04L 63/1425 (2013.01)]; 10 Claims
1. An information security incident diagnosis system, for assisting in detecting whether a target network system has been hacked, the information security incident diagnosis system comprising:
an activities record collection device, coupled to the target network system and configured to collect a plurality of activities records associated with a plurality of computing devices in the target network system and process the plurality of activities records to generate return data; and
a suspicious incident determination device, configured to receive, through a network, the return data generated by the activities record collection device, acquire the plurality of activities records from the return data, generate a discrete space metric tree according to the plurality of activities records, and perform a clustering operation on the discrete space metric tree to generate one or more event clusters associated with one or more suspicious event categories,
wherein the suspicious incident determination device is further configured to perform single linkage clustering analysis on an event cluster and establish a guide tree corresponding to the event cluster to indicate a merging order from high to low similarity;
the suspicious incident determination device is further configured to perform a graph generating operation on a plurality of activities records corresponding to the one or more event clusters according to the merging order to generate a hierarchical directed acyclic graph (HDAG), the HDAG comprising a hierarchical structure formed by connecting a plurality of common nodes and a plurality of branch nodes to correspondingly represent similar features and differential features of the plurality of activities records;
the suspicious incident determination device comprises a display device configured to display the HDAG as visual auxiliary information for diagnosing whether there are intrusions or abnormalities in the target network system;
the discrete space metric tree comprises a plurality of nodes, each node represents an activities record, and every two nodes are connected by an edge with a weighting coefficient;
the suspicious incident determination device is further configured to perform a hierarchical similarity analysis operation to calculate a hierarchical edit distance (HED) between two to-be-analyzed activities records; and
the operation of generating the discrete space metric tree further comprises:
performing a hierarchical similarity analysis operation on two to-be-analyzed activities records corresponding to nodes at both ends of each edge in the discrete space metric tree to generate an HED; and
setting the HED as a weighting coefficient of the edge,
wherein the hierarchical similarity analysis operation comprises:
interpreting the two to-be-analyzed activities records into a plurality of first tokens and a plurality of second tokens;
calculating a normalized edit distance (NED) between each first token and each second token, the NED being a numerical value between 0 and 1; and
calculating the HED of the two to-be-analyzed activities records according to the NED between each first token and each second token.
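As an added example (not part of the patent text), the hierarchical similarity analysis and the single-linkage step of the claim in Python. The claim does not fix how the HED is derived from the token NEDs, so the definition used here (token-level edit distance with NED as the substitution cost, normalized to [0, 1]) and the whitespace tokenization are assumptions, and the records are constructed sample lines.

```python
from itertools import combinations

# Constructed sample "activities records" (process-launch style lines, not from the patent).
RECORDS = [
    "cmd.exe /c whoami",
    "cmd.exe /c whoami /all",
    "powershell.exe -enc AAAA",
    "powershell.exe -enc BBBB",
    "notepad.exe report.txt",
]

def edit_distance(a, b, sub_cost=lambda x, y: float(x != y)):
    """Levenshtein-style distance over two sequences; insert/delete cost 1,
    substitution cost given by sub_cost (0 for equal items by default)."""
    prev = [float(j) for j in range(len(b) + 1)]
    for i, x in enumerate(a, 1):
        cur = [float(i)]
        for j, y in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + sub_cost(x, y)))
        prev = cur
    return prev[-1]

def ned(tok1, tok2):
    """Normalized edit distance between two tokens: 0 (identical) to 1 (nothing shared)."""
    longest = max(len(tok1), len(tok2))
    return edit_distance(tok1, tok2) / longest if longest else 0.0

def hed(rec1, rec2):
    """HED between two records (assumed definition): whitespace tokens, edit distance over
    the token sequences with NED as substitution cost, normalized by the longer token count."""
    t1, t2 = rec1.split(), rec2.split()
    longest = max(len(t1), len(t2))
    return edit_distance(t1, t2, ned) / longest if longest else 0.0

def single_linkage(records, cutoff):
    """Weight every record pair with its HED (the metric tree's edges), then merge single-linkage
    from lowest HED upwards until cutoff. Returns the merge order (guide tree) and cluster labels."""
    edges = sorted((hed(records[i], records[j]), i, j)
                   for i, j in combinations(range(len(records)), 2))
    label = list(range(len(records)))   # cluster label per record, initially its own index
    order = []                          # (i, j, hed) triples, most similar pair first
    for d, i, j in edges:
        if d > cutoff:
            break
        if label[i] != label[j]:        # edge joins two different clusters: merge them
            order.append((i, j, round(d, 3)))
            old = label[j]
            label = [label[i] if l == old else l for l in label]
    return order, label

if __name__ == "__main__":
    order, label = single_linkage(RECORDS, cutoff=0.5)
    print("merge order:", order, "\ncluster labels:", label)
```

With the cutoff at 0.5 the two cmd.exe lines and the two powershell.exe lines merge (the differing argument token costs one NED), while the notepad.exe line stays alone.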