Abstract: A method for predicting an attacked path on enterprise networks includes: obtaining a plurality of accounts, a plurality of machines and network resource data, where the plurality of machines include at least one attacked target; calculating, according to the network resource data, a plurality of evaluated values of executing access on other machines of each account logging in at least one machine; and presenting an attacked path where a machine at least one account logs in accesses the attacked target directly, or indirectly by connecting to other machines, and the machine the at least one account logs in points to the attacked target directly, or indirectly by connecting to other machines.

Abstract: A method for predicting an attacked path on enterprise networks includes: obtaining a plurality of accounts, a plurality of machines and network resource data, where the plurality of machines include at least one attacked target; calculating, according to the network resource data, a plurality of evaluated values of executing access on other machines of each account logging in at least one machine; and presenting an attacked path where a machine at least one account logs in accesses the attacked target directly, or indirectly by connecting to other machines, and the machine the at least one account logs in points to the attacked target directly, or indirectly by connecting to other machines.

Abstract: The present invention provides an information security incident diagnosis system for assisting in detecting whether a target network system has been hacked. First, a plurality of activities records of one or more computing devices in a target network system are collected. Then, a discrete space metric tree is generated according to the plurality of activities records, and a clustering operation is performed on the discrete space metric tree to generate one or more event clusters associated with one or more suspicious event categories. Each event cluster may form a guide tree corresponding to the event cluster through single linkage clustering analysis to indicate a merging order from high to low similarity. The merging order is used for recursively performing a graph generating operation to convert a plurality of activities records corresponding to the one or more event clusters into a hierarchical directed acyclic graph (HDAG).

Abstract: The present invention provides an event visualization device configured to generate one or more directed acyclic graphs (DAGs) that can be used as a basis for diagnosing whether a target network system has been hacked according to a plurality of activities records. The plurality of activities records pertain to an event cluster associated with a suspicious event category. The event visualization device performs a graph generating operation on the plurality of activities records in a recursive manner to generate a hierarchical directed acyclic graph (HDAG). The graph generating operation includes: interpreting an activities record into a target DAG, and performing a hierarchical partial order alignment (HPOA) operation on the target DAG and a reference DAG to obtain a merging condition of each node; and merging the target DAG and the reference DAG into the HDAG according to the merging condition.

Abstract: The present invention provides a log classification system configured to perform a hierarchical similarity analysis operation according to a plurality of activities records to generate a discrete space metric tree, and perform a clustering operation on the discrete space metric tree to generate one or more event clusters associated with one or more suspicious event categories. The log classification system includes an output device configured to output the one or more event clusters to an information security incident diagnosis system, and allow the information security incident diagnosis system to calculate similar feature information and differential feature information of a plurality of activities records in the one or more event clusters as auxiliary information for diagnosing whether there are intrusions or abnormalities in a target network system.

Abstract: A method for predicting an attacked path on enterprise networks includes: obtaining a plurality of accounts, a plurality of machines and network resource data, where the plurality of machines include at least one attacked target; calculating, according to the network resource data, a plurality of evaluated values of executing access on other machines of each account logging in at least one machine; and presenting an attacked path where a machine at least one account logs in accesses the attacked target directly, or indirectly by connecting to other machines, and the machine the at least one account logs in points to the attacked target directly, or indirectly by connecting to other machines.

Abstract: The present invention provides an event visualization device configured to generate one or more directed acyclic graphs (DAGs) that can be used as a basis for diagnosing whether a target network system has been hacked according to a plurality of activities records. The plurality of activities records pertain to an event cluster associated with a suspicious event category. The event visualization device performs a graph generating operation on the plurality of activities records in a recursive manner to generate a hierarchical directed acyclic graph (HDAG). The graph generating operation includes: interpreting an activities record into a target DAG, and performing a hierarchical partial order alignment (HPOA) operation on the target DAG and a reference DAG to obtain a merging condition of each node; and merging the target DAG and the reference DAG into the HDAG according to the merging condition.

Abstract: The present invention provides a log classification system configured to perform a hierarchical similarity analysis operation according to a plurality of activities records to generate a discrete space metric tree, and perform a clustering operation on the discrete space metric tree to generate one or more event clusters associated with one or more suspicious event categories. The log classification system includes an output device configured to output the one or more event clusters to an information security incident diagnosis system, and allow the information security incident diagnosis system to calculate similar feature information and differential feature information of a plurality of activities records in the one or more event clusters as auxiliary information for diagnosing whether there are intrusions or abnormalities in a target network system.

Abstract: The present invention provides an information security incident diagnosis system for assisting in detecting whether a target network system has been hacked. First, a plurality of activities records of one or more computing devices in a target network system are collected. Then, a discrete space metric tree is generated according to the plurality of activities records, and a clustering operation is performed on the discrete space metric tree to generate one or more event clusters associated with one or more suspicious event categories. Each event cluster may form a guide tree corresponding to the event cluster through single linkage clustering analysis to indicate a merging order from high to low similarity. The merging order is used for recursively performing a graph generating operation to convert a plurality of activities records corresponding to the one or more event clusters into a hierarchical directed acyclic graph (HDAG).

Abstract: The present invention discloses a method for fabricating a porous spherical iron-based alloy powder, a powder thereof and a sintered body thereof. The method comprises steps: mixing an iron oxide powder and an alloying powder to form a mixed powder; spray-granulating the mixed powder to form a spherical spray-granulated powder; and placing the spherical spray-granulated powder in a reducing environment and heating it to a temperature of lower than 700° C. to obtain a porous spherical iron-based alloy powder having high flowability, high compressibility, superior sinterability and low cost.

Abstract: The present invention discloses a method for fabricating a porous spherical iron-based alloy powder, a powder thereof and a sintered body thereof. The method comprises steps: mixing an iron oxide powder and an alloying powder to form a mixed powder; spray-granulating the mixed powder to form a spherical spray-granulated powder; and placing the spherical spray-granulated powder in a reducing environment and heating it to a temperature of lower than 700° C. to obtain a porous spherical iron-based alloy powder having high flowability, high compressibility, superior sinterability and low cost.

Abstract: A method for recognizing disguised malicious document, carried out by a computer system including a central processing unit (CPU), a memory, and a database storing rules for defining executable file and non-executable file, comprising steps of: receiving a static file through a network and an input/out interface; scanning the static file for a file header to determine if it is a non-executable file; analyzing file body of the non-executable file to locate components of an executable file and mark these positions; extracting components of the executable file from the non-executable file; concatenating the extracted components in accordance with a default rule or a heuristic rule to form a new file; and obtaining a new file that is executable, such that the received static file is a non-executable file having an embedded executable file, thus labeling the static file as a disguised malicious document.

Abstract: A method for recognizing malicious file has steps: receiving a static file through a network or an input/out interface to be stored in the memory; defining suspicious positions where components of a malware are possibly encrypted in the static file; decrypting the suspicious positions to identify a PE header and a shellcode; extracting the PE header and the shellcode terms in segments; and determining whether the PE header and the shellcode terms can be assembled into an executable binary which indicates a recognition of the malicious file.

Abstract: A method for extracting the genetic fingerprinting of a malicious document file includes the steps of establishing a database to store a plurality of genetic fingerprinting data of the first malicious document, then retrieving a document file sent via the Internet, and then proceeding with multi-point detection and extraction to the document file, so as to obtain a multi-point section, then comparing and analyzing the multi-point section with the plurality of genetic fingerprinting data of the first malicious document to confirm whether the multi-point section program code of the document file matches a malicious feature, thereby achieves the goal of extracting the content information of the document file and converts it into the genetic fingerprinting data of a new malicious document.

Abstract: A method for producing a sputtering target containing boron has steps of providing cobalt-chromium (Co·Cr) prealloy powder, mixing Co·Cr prealloy powder and raw material powder containing boron and oxide to form a mixture, preforming the mixture to form a green compact, and sintering the green compact to obtain the sputtering target containing boron. Because Co·Cr prealloy powder is provided, then is mixed with boron, oxide or the like, size and distribution of boride particles can be efficiently controlled. Therefore, Co, Cr, B or the like are uniformly distributed in the sputtering target.