CN111343161A - Abnormal information processing node analysis method, abnormal information processing node analysis device, abnormal information processing node analysis medium and electronic equipment - Google Patents

Info

Publication number
CN111343161A
Authority
CN
China
Prior art keywords
information processing
processing node
node
label
abnormal
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202010092140.1A
Other languages
Chinese (zh)
Other versions
CN111343161B (en)
Inventor
侯方舟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ping An Technology Shenzhen Co Ltd
Original Assignee
Ping An Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ping An Technology Shenzhen Co Ltd
Priority to CN202010092140.1A (patent CN111343161B)
Publication of CN111343161A
Priority to PCT/CN2020/134941 (patent WO2021159834A1)
Application granted
Publication of CN111343161B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1416 Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The application relates to an abnormal information processing node analysis method, device, medium and electronic equipment, and belongs to the technical field of computers. The method comprises the following steps: classifying the information processing nodes according to the attribute of the abnormal information processing event; acquiring the abnormal feature tags of all information processing nodes and constructing a node tag set; removing tags whose probability of appearing in the node tag set is lower than a predetermined threshold to obtain a frequent item tag set; acquiring, according to the predetermined class association relationship of the classes of the information processing node groups, the tags that are the same in the frequent item tag sets of the information processing node groups corresponding to the associated classes, to obtain a same tag subset; associating group association feature tags with the same tag subset to obtain an association relationship tag set; and inputting the related information of the abnormal information processing event in the abnormal node analysis request and the association relationship tag set into the risk node analysis model to obtain the abnormal information processing node relationship. The method and the device can efficiently and accurately analyze the abnormal information processing node relationship.

Description

Abnormal information processing node analysis method, abnormal information processing node analysis device, abnormal information processing node analysis medium and electronic equipment
Technical Field
The present application relates to the field of computer technologies, and in particular, to an abnormal information processing node analysis method, an abnormal information processing node analysis device, an abnormal information processing node analysis medium, and an electronic device.
Background
The abnormal information processing node analysis is to analyze nodes which perform information processing in related subjects (such as enterprises) when abnormal information processing events (such as information leakage, loss, management errors and the like) occur, and determine the joint relation among suspected nodes in all the abnormal information processing events.
At present, abnormal information processing node analysis relies on non-quantitative methods, such as scattered, experience-based induction from individual cases for security incident risk analysis. Such methods cannot mine implicit risk rules, the analysis efficiency for abnormal information processing nodes is low, and predictability of abnormal events is lacking.
It is to be noted that the information disclosed in the above background section is only for enhancement of understanding of the background of the present application and therefore may include information that does not constitute prior art known to a person of ordinary skill in the art.
Disclosure of Invention
The application aims to provide an abnormal information processing node analysis scheme that, at least to a certain extent, analyzes the abnormal information processing node relationship efficiently and accurately.
According to an aspect of the present application, there is provided an abnormal information processing node analysis method, including:
when an abnormal node analysis request in an abnormal information processing event is received, classifying all information processing nodes in an abnormal information association processing node library according to the attribute of the abnormal information processing event to obtain a plurality of categories of information processing node groups;
acquiring abnormal feature tags of all information processing nodes in the information processing node group, and constructing a node tag set of the information processing node group;
removing labels with the probability lower than a preset threshold value in the node label set of each information processing node group to obtain a frequent item label set of each information processing node group;
acquiring the same labels in a frequent item label set of the information processing node group corresponding to the associated class according to the preset class association relation of the class of the information processing node group to obtain a same label subset;
associating a group association feature tag for the same tag subset according to an association relationship between the associated classes corresponding to the same tag subset to obtain an association relationship tag set, wherein the group association feature tag does not belong to the node tag set;
and inputting the related information of the abnormal information processing event in the abnormal node analysis request and the association relationship tag set into a risk node analysis model to obtain the abnormal information processing node relationship.
In an exemplary embodiment of the present application, the rejecting tags whose probability of appearing in the node tag set of each information processing node group is lower than a predetermined threshold to obtain a frequent item tag set of each information processing node group includes:
removing labels with the probability lower than a preset threshold value in the node label set of the information processing node group to obtain a second node label set;
and after calculating the probability of each label in the second node label set, removing the labels lower than the preset threshold value to obtain a third node label set, and when the probability of all the labels in the third node label set is higher than the preset threshold value, obtaining a frequent item label set of the information processing node group.
In an exemplary embodiment of the present application, the associating feature tags of the association group for the same tag subset according to the association relationship between the associated classes corresponding to the same tag subset to obtain an association relationship tag set includes:
acquiring an association relationship tag template corresponding to the association relationship between the associated classes corresponding to the same tag subset, wherein the association relationship tag template comprises a group association feature tag and a feature tag of an information processing node;
searching an association relationship tag template library for association relationship tag templates whose feature tags are consistent with the same tag subset, to obtain matched association relationship tag templates;
and acquiring an association relationship tag set based on the matched association relationship tag templates.
In an exemplary embodiment of the present application, the obtaining an association relation tag set based on the matched association relation tag template includes:
and acquiring, from the matched association relationship tag templates, an association relationship tag template whose number of tags exceeds a predetermined threshold, to serve as the association relationship tag set.
In an exemplary embodiment of the present application, the obtaining an association relation tag set based on the matched association relation tag template includes:
and acquiring, from the matched association relationship tag templates, the association relationship tag template with the fewest tags, to serve as the association relationship tag set.
In an exemplary embodiment of the present application, after associating a group association feature tag for the same tag subset according to an association relationship between associated classes corresponding to the same tag subset to obtain an association relationship tag set, where the group association feature tag does not belong to the node tag set, the method further includes:
and determining risk information processing nodes of a target risk information processing node group according to the association relationship tag set and the frequent item tag set corresponding to the target risk information processing node group.
In an exemplary embodiment of the present application, the determining a risk information processing node of a target risk information processing node group according to the association relationship tag set and the frequent item tag set corresponding to the target risk information processing node group includes:
determining a first risk information processing node set in the target risk information processing node group according to the association relationship tag set corresponding to the target risk information processing node group;
determining a second risk information processing node set of the target risk information processing node group according to the frequent item tag set corresponding to the target risk information processing node group;
acquiring a third risk information processing node set of a risk information processing node group corresponding to a class associated with the target risk information processing node group according to the association relationship tag set corresponding to the target risk information processing node group;
and acquiring risk information processing nodes which have risk connection with risk information processing nodes in the third risk information processing node set in the risk information processing node intersection of the first risk information processing node set and the second risk information processing node set as risk information processing nodes of the target risk information processing node group.
According to an aspect of the present application, there is provided an abnormal information processing node analysis apparatus including:
the classification module is used for classifying all information processing nodes in the abnormal information association processing node library according to the attribute of the abnormal information processing event when an abnormal node analysis request in the abnormal information processing event is received, so as to obtain a plurality of categories of information processing node groups;
the construction module is used for acquiring the abnormal feature tags of all information processing nodes in the information processing node group and constructing a node tag set of the information processing node group;
the rejecting module is used for rejecting tags with the probability lower than a preset threshold value in the node tag set of each information processing node group to obtain a frequent item tag set of each information processing node group;
an obtaining module, configured to obtain, according to a predetermined class association relationship of the classes of the information processing node groups, the same tag in a frequent item tag set of the information processing node groups corresponding to the associated class, to obtain a same tag subset;
the association module is used for associating the same label subset with the group association feature labels according to the association relationship between the associated classes corresponding to the same label subset to obtain an association relationship label set, wherein the group association feature labels do not belong to the node label set;
and the analysis module is used for inputting the related information of the abnormal information processing event in the abnormal node analysis request and the association relationship tag set into a risk node analysis model to obtain the abnormal information processing node relationship.
According to an aspect of the present application, there is provided a computer-readable storage medium having an abnormal information processing node analysis program stored thereon, wherein the abnormal information processing node analysis program, when executed by a processor, implements the method of any one of the above.
According to an aspect of the present application, there is provided an electronic device, comprising:
a processor; and
a memory for storing an abnormal information processing node analysis program of the processor; wherein the processor is configured to perform any of the methods described above via execution of the abnormal information processing node analysis program.
According to the abnormal information processing node analysis method and device, based on the related information of the abnormal information processing event and the constructed association relationship tag set corresponding to the nodes, the abnormal information processing node relationship can be efficiently and accurately analyzed by utilizing the risk node analysis model.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present application and together with the description, serve to explain the principles of the application. It is obvious that the drawings in the following description are only some embodiments of the application, and that for a person skilled in the art, other drawings can be derived from them without inventive effort.
Fig. 1 schematically shows a flowchart of an abnormal information processing node analysis method.
Fig. 2 schematically shows an application scenario example diagram of an abnormal information processing node analysis method.
Fig. 3 schematically shows a flow chart of a method for association tag set acquisition.
Fig. 4 schematically shows a block diagram of an abnormal information processing node analysis apparatus.
Fig. 5 schematically shows an example block diagram of an electronic device for implementing the above-described abnormal information processing node analysis method.
Fig. 6 schematically illustrates a computer-readable storage medium for implementing the above-described abnormal information processing node analysis method.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the application. One skilled in the relevant art will recognize, however, that the subject matter of the present application can be practiced without one or more of the specific details, or with other methods, components, devices, steps, and so forth. In other instances, well-known technical solutions have not been shown or described in detail to avoid obscuring aspects of the present application.
Furthermore, the drawings are merely schematic illustrations of the present application and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and thus their repetitive description will be omitted. Some of the block diagrams shown in the figures are functional entities and do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
In the present exemplary embodiment, an abnormal information processing node analysis method is first provided, and the abnormal information processing node analysis method may be executed on a server, or may also be executed on a server cluster or a cloud server, and the like. Referring to fig. 1, the abnormal information processing node analysis method may include the steps of:
step S110, when an abnormal node analysis request in an abnormal information processing event is received, classifying all information processing nodes in an abnormal information association processing node library according to the attribute of the abnormal information processing event to obtain a plurality of categories of information processing node groups;
step S120, obtaining abnormal feature labels of all information processing nodes in the information processing node group, and constructing a node label set of the information processing node group;
step S130, eliminating the labels with the probability lower than a preset threshold value in the node label set of each information processing node group to obtain the frequent item label set of each information processing node group;
step S140, obtaining the same label in the frequent item label set of the information processing node group corresponding to the associated class according to the preset class association relation of the class of the information processing node group, and obtaining the same label subset;
step S150, associating a group association feature tag for the same tag subset according to the association relationship between the associated classes corresponding to the same tag subset to obtain an association relationship tag set, wherein the group association feature tag does not belong to the node tag set;
step S160, inputting the related information of the abnormal information processing event in the abnormal node analysis request and the association relationship tag set into a risk node analysis model to obtain the abnormal information processing node relationship.
In the abnormal information processing node analysis method, first, when an abnormal node analysis request in an abnormal information processing event is received, all information processing nodes in the abnormal information association processing node library are classified according to the attribute of the abnormal information processing event to obtain a plurality of categories of information processing node groups; that is, the nodes are classified according to their attributes in the abnormal information processing event. Next, the abnormal feature tags of all information processing nodes in each information processing node group are acquired and a node tag set of the group is constructed, so that node tag sets of abnormal features can be built for the different categories of information processing node groups. Then, tags whose probability of appearing in the node tag set of each information processing node group is lower than a predetermined threshold are removed to obtain a frequent item tag set for each group, which gives a tag set of high-probability abnormal features for each category of information processing node group. Then, according to the predetermined class association relationship of the classes of the information processing node groups, the tags that are the same in the frequent item tag sets of the groups corresponding to the associated classes are acquired to obtain a same tag subset; in other words, the tags present in all of the information processing node groups that have an association relationship are obtained according to the association relationship between the groups.
Then, a group association feature tag is associated with the same tag subset according to the association relationship between the associated classes corresponding to the same tag subset, to obtain an association relationship tag set, wherein the group association feature tag does not belong to the node tag set; the group association feature tags supplement the same tag subset according to the association relationship, giving an association relationship tag set with a plurality of strongly associated features. Finally, the related information of the abnormal information processing event in the abnormal node analysis request and the association relationship tag set are input into the risk node analysis model to obtain the abnormal information processing node relationship. In this way, with the related information of the abnormal information processing event constrained by association relationship tags that carry strong association features, the abnormal information processing node relationship in the event is analyzed efficiently and accurately on the basis of the risk node analysis model.
Hereinafter, each step of the above-described abnormal information processing node analysis method in the present exemplary embodiment will be explained and described in detail with reference to the drawings.
In step S110, when an abnormal node analysis request in an abnormal information processing event is received, all information processing nodes in the abnormal information association processing node library are classified according to the attribute of the abnormal information processing event, so as to obtain a plurality of categories of information processing node groups.
In the embodiment of the present example, referring to fig. 2, when the server 201 receives an abnormal node analysis request in an abnormal information processing event sent by the server 202, all information processing nodes in the abnormal information association processing node library on the server 201 are classified according to the attribute of the abnormal information processing event, so as to obtain a plurality of categories of information processing node groups. This allows the server 201 to analyze abnormal information processing node relationships from the plurality of categories of information processing node groups in subsequent steps. It is understood that the server 201 and the server 202 may be any devices with processing capability, such as computers or microprocessors, and are not limited thereto.
The abnormal information association processing node library stores the working records of all information processing nodes at the times abnormal information processing events occurred; for example, each node identifier and the related information of each corresponding information processing event are stored in association with each other in a relational information library. Abnormal information processing events are, for example, information leakage events, information processing error events, and the like.
The information processing node is, for example, an information storage node of an enterprise or any node having a task association relationship with the information storage node of the enterprise, and the node may be any node having an information processing function, such as a server, an application, or a computer. The attribute of an abnormal information processing event is the attribute of the nodes associated with the event, which differs between abnormal events. For example, in a leakage event the nodes are preliminarily classified by attribute into a first-level management node, a second-level management node, an information conversion node, an information sending node, an information receiving node, and the like; in an information fusion error event the nodes are classified by attribute into an information acquisition node, an information processing node, an information storage node, an information management node, and the like. Corresponding node attributes may be set for different events to ensure that the nodes corresponding to each event are accurately classified according to that event.
In step S120, the abnormal feature tags of all information processing nodes in the information processing node group are obtained, and a node tag set of the information processing node group is constructed.
In the embodiment of the present example, by crawling the keywords (abnormal feature tags) in the related information of each node, it can be determined whether each feature tag is present in the related information when the node performs information processing, and how many times it is present. The abnormal feature tags may be any keyword features relevant to analyzing abnormal nodes, such as information management authority (type A information), node joint time (1 year-2 years), and the like.
To construct a node tag set for an information processing node group, for example, the information node category is first determined: secondary management node. The feature tags are then quantized: information management authority (type A information) is quantized to 1, information management authority (type B information) to 2, enterprise internal node to 3, external enterprise node to 4, node joint time (1 year-2 years) to 5, and so on, giving a quantized feature set {1 … 25}. A node tag set is then constructed for the secondary management nodes in all abnormal information processing events over a past period, for example: node A: {1,4,6,8,13,15,17,18,20}, node B: {2,5,7,9,11,12,17,19,21}, node C: {1,3,6,8,10,13,16}. In this way, node tag sets of abnormal features can be constructed for the different classes of information processing node groups.
In step S130, labels with a probability of appearing in the node label set of each information processing node group being lower than a predetermined threshold are removed, and a frequent item label set of each information processing node group is obtained.
In the embodiment of the present example, tags whose probability of appearing in the node tag set of each information processing node group is lower than the predetermined threshold are removed, which discards rarely occurring tags and ensures the accuracy of the tags used to analyze abnormal events. For example, the node tag set may be scanned to count the frequency of occurrence of each item: {1} 65; {2} 35; {3} 10; {4} 30; {5} 60; {6} 90; {7} 10, and the like. Items with an occurrence probability lower than 50% are then removed, leaving: {1} 65; {5} 60; {6} 90, and the like. A frequent item tag set that characterizes the abnormal features of each information processing node group with high accuracy is thereby obtained.
In an embodiment of this example, the culling labels with a probability of occurrence in the node label set of each information processing node group being lower than a predetermined threshold to obtain a frequent item label set of each information processing node group includes:
removing labels with the probability lower than a preset threshold value in the node label set of the information processing node group to obtain a second node label set;
and after calculating the probability of each label in the second node label set, removing the labels lower than the preset threshold value to obtain a third node label set, and when the probability of all the labels in the third node label set is higher than the preset threshold value, obtaining a frequent item label set of the information processing node group.
For example, the second node tag set is obtained by removing the items with an occurrence probability lower than 50%: {1} 65; {5} 60; {6} 90, and the like. The probability of occurrence of each tag in the second node tag set is then calculated, and the items with an occurrence probability lower than 50% are again removed to obtain a third node tag set. The probability of occurrence of each tag in the third node tag set is then calculated, and when the third node tag set contains no tag with an occurrence probability lower than 50%, the frequent item tag set of the information processing node group is obtained. It is understood that if tags with an occurrence probability lower than 50% remain in the third node tag set, culling continues until a frequent item tag set is obtained.
In step S140, according to a predetermined class association relationship of the classes of the information processing node groups, the same tag in the frequent item tag set of the information processing node group corresponding to the associated class is obtained, so as to obtain a same tag subset.
In this embodiment, the predetermined class association relationship is the association between information processing nodes of different information processing node groups within an information processing event. For example, an information processing event is usually completed by information processing nodes belonging to two or more information processing node groups cooperating with each other. When information processing nodes belonging to different information processing node groups cooperate to complete a risk event, the cooperating nodes share the same core features among their information processing node features. For example, to complete the theft of a certain type of information, the information needs to be sent from a first-level management node to a second-level management node and then to an information sending node, and so on; at the same time, these nodes need to have information management authority (type-A information), be enterprise internal nodes, have a node management time of 3-5 years, and so on.
In this way, by acquiring the same tags in the frequent item tag sets of the information processing node groups corresponding to the associated classes, the core information processing node feature tags of those information processing node groups can be determined. Because the core tags are obtained through the association relationship between risk information processing node groups, the number of tags is reduced while the analysis accuracy is maintained.
In step S150, associating a group association feature tag with the same tag subset according to an association relationship between associated classes corresponding to the same tag subset, so as to obtain an association relationship tag set, where the group association feature tag does not belong to the node tag set.
As an example of the association relationship between the associated classes corresponding to the same tag subset: if the associated classes corresponding to the same tag subset include a primary management node, a secondary management node, and an information fusion node, the association relationship is primary management node - secondary management node - information fusion node.
The group association feature tags are association tags between information processing nodes of different information processing node groups. They are association relationship feature tags that indicate how the information processing nodes cooperate to complete a risk event, such as controlling lower nodes, being controlled by upper nodes, cooperating with each other, being attacked (for example, only one of the two nodes is attacked and information is leaked), and so on. The group association feature tags can be found from the information processing node related information recorded in the information association processing node library. Therefore, by associating the group association feature tags with the same tag subset, which corresponds to the core information processing node tags, a relatively complete association relationship tag set that accurately describes an abnormal information processing event can be obtained, and the accuracy and reliability of the analysis of abnormal information processing nodes are ensured.
In an implementation of this example, associating a group association feature tag with the same tag subset according to the association relationship between the associated classes corresponding to the same tag subset to obtain an association relationship tag set, as shown in fig. 3, includes:
Step S310, acquiring the association relationship tag template corresponding to the association relationship between the associated classes corresponding to the same tag subset, wherein the association relationship tag template comprises a group association feature tag and feature tags of information processing nodes;
Step S320, searching the association relationship tag template library for an association relationship tag template whose feature tags are consistent with the same tag subset, to obtain a matched association relationship tag template;
and Step S330, acquiring an association relationship tag set based on the matched association relationship tag template.
An association relationship tag template is preset for each association relationship. The template may include group association feature tags and feature tags of information processing nodes; that is, it contains the feature tags of a plurality of information processing nodes together with the typical group association feature tags that describe the joint relationship by which the information processing nodes represented by those feature tags cooperate to complete a risk event. An association relationship tag template whose feature tags are consistent with the same tag subset can then be searched for in the association relationship tag template library to obtain a matched association relationship tag template, and a relatively complete association relationship tag set of the abnormal information processing event is acquired based on the matched template.
In an implementation of this example, obtaining the association relationship tag set based on the matched association relationship tag template includes:
acquiring, from the matched association relationship tag templates, an association relationship tag template whose number of tags exceeds a predetermined threshold, to serve as the association relationship tag set.
There may be multiple matched association relationship tag templates. From them, a template whose number of tags exceeds a predetermined threshold is taken as the association relationship tag set, for example a template including at least 50 tags; the association relationship tag set includes both the same tag subset and the group association feature tags.
In an implementation of this example, obtaining the association relationship tag set based on the matched association relationship tag template includes:
acquiring, from the matched association relationship tag templates, the association relationship tag template with the fewest tags, to serve as the association relationship tag set.
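The following sketch walks steps S130 to S150 end to end; it is an added example, not code from the patent. It assumes that a tag's probability is the share of nodes in the group that carry it, that a template "consistent with" the same tag subset is one whose feature tags contain that subset, and that templates are stored as dictionaries; all node ids, tag names and templates are constructed.

```python
from collections import Counter

# Constructed sample data: category -> {node id: abnormal feature tags}.
GROUPS = {
    "primary_mgmt": {
        "p1": {"mgmt_authority_A", "internal", "tenure_3_5y", "night_logins"},
        "p2": {"mgmt_authority_A", "internal", "tenure_3_5y"},
        "p3": {"mgmt_authority_A", "internal", "vpn_only"},
        "p4": {"internal", "tenure_3_5y"},
    },
    "secondary_mgmt": {
        "s1": {"mgmt_authority_A", "internal", "tenure_3_5y", "shared_account"},
        "s2": {"mgmt_authority_A", "internal", "shared_account"},
        "s3": {"mgmt_authority_A", "internal", "tenure_3_5y"},
        "s4": {"internal", "tenure_3_5y", "shared_account"},
    },
    "sender": {
        "t1": {"mgmt_authority_A", "internal", "tenure_3_5y", "bulk_export"},
        "t2": {"mgmt_authority_A", "internal", "tenure_3_5y"},
        "t3": {"mgmt_authority_A", "internal", "bulk_export"},
        "t4": {"tenure_3_5y", "usb_use"},
    },
}
RELATION = ("primary_mgmt", "secondary_mgmt", "sender")
CORE = {"mgmt_authority_A", "internal", "tenure_3_5y"}
# Constructed template library; the dictionary layout is an assumption.
TEMPLATES = [
    {"relation": RELATION, "feature_tags": CORE,
     "group_tags": {"controls_lower_node", "controlled_by_upper_node"}},
    {"relation": RELATION, "feature_tags": CORE | {"bulk_export"},
     "group_tags": {"controls_lower_node", "controlled_by_upper_node", "cooperates"}},
    {"relation": ("primary_mgmt", "sender"), "feature_tags": CORE,
     "group_tags": {"cooperates"}},
    {"relation": RELATION, "feature_tags": {"mgmt_authority_A", "internal"},
     "group_tags": {"attacked"}},
]


def frequent_tags(node_tags, threshold=0.5):
    """S130: cull tags carried by fewer than `threshold` of the group's nodes,
    recompute, and repeat until no remaining tag falls below the threshold."""
    kept = {node: set(tags) for node, tags in node_tags.items()}
    while True:
        counts = Counter(tag for tags in kept.values() for tag in tags)
        rare = {t for t, c in counts.items() if c / len(kept) < threshold}
        if not rare:
            return set(counts)
        kept = {node: tags - rare for node, tags in kept.items()}


def same_tag_subset(frequent_by_class, associated_classes):
    """S140: tags found in the frequent item tag set of every associated class."""
    sets = [frequent_by_class[c] for c in associated_classes]
    return set.intersection(*sets) if sets else set()


def association_tag_set(templates, relation, same_tags, node_vocab,
                        pick="fewest", min_tags=0):
    """S310-S330: match templates for `relation`, then select one.
    pick="fewest" takes the matched template with the fewest tags;
    pick="over_threshold" takes one with more than `min_tags` tags."""
    if not same_tags:
        return None  # no shared core tags, nothing to match against
    matched = []
    for tpl in templates:
        if tpl["relation"] != relation or not same_tags <= tpl["feature_tags"]:
            continue
        if tpl["group_tags"] & node_vocab:
            continue  # group association tags must not belong to the node tag set
        matched.append(tpl["feature_tags"] | tpl["group_tags"])
    if pick == "over_threshold":
        matched = [m for m in matched if len(m) > min_tags]
    if not matched:
        return None
    return min(matched, key=len) if pick == "fewest" else matched[0]


def run_pipeline(pick="fewest", min_tags=0):
    """Run S130 -> S140 -> S150 over the constructed data."""
    freq = {cls: frequent_tags(nodes) for cls, nodes in GROUPS.items()}
    core = same_tag_subset(freq, RELATION)
    vocab = set().union(*(t for nodes in GROUPS.values() for t in nodes.values()))
    return freq, core, association_tag_set(TEMPLATES, RELATION, core, vocab,
                                           pick, min_tags)


if __name__ == "__main__":
    freq, core, assoc = run_pipeline()
    print(sorted(core), sorted(assoc))
```

With per-node probabilities the second culling pass finds nothing further to remove, so the loop acts as the fixed-point check the embodiment describes.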
In step S160, the related information of the abnormal information processing event in the abnormal node analysis request and the association relation tag set are input into a risk node analysis model, so as to obtain an abnormal information processing node relation.
The association relationship tag set can simply and accurately describe the relatively complete node association relationships of historical abnormal information processing events. The related information of the abnormal information processing event may include suspect node information of the abnormal information processing event, for example information on nodes that may be involved in the event, and content related to the information in the event, such as the business nodes to which the information may relate. The abnormal information processing node relationship is the joint relationship among a plurality of at-risk nodes in the predicted abnormal information processing event, for example, a primary management node cooperating with an external node to attack a secondary management node among the internal management nodes, and so on. The association relationship tag sets correspond to the information processing node groups of the respective categories; that is, at least one association relationship tag set is input into the risk node analysis model.
Through a risk node analysis model trained in advance, the abnormal information processing node relation of the abnormal event can be predicted quickly and accurately under the constraint of the corresponding incidence relation label set according to the abnormal information processing event.
In an embodiment of the present example, the method for training the risk node analysis model may include:
collecting an abnormal information processing event information sample set, wherein the abnormal information processing event information sample comprises an incidence relation label set and an abnormal information processing node relation corresponding to the incidence relation label set;
inputting the incidence relation label set of each sample in the sample set into a risk node analysis model to obtain the corresponding predicted abnormal information processing node relation of each sample;
when the predicted abnormal information processing node relation corresponding to the sample obtained after the sample is input into the risk node analysis model is inconsistent with the abnormal information processing node relation calibrated in advance for the sample, the coefficient of the business risk node analysis model is adjusted until the predicted abnormal information processing node relation is consistent with the abnormal information processing node relation calibrated in advance for the sample;
and when the similarity between the predicted abnormal information processing node relation obtained after all the samples are input into the risk node analysis model and the abnormal information processing node relation calibrated in advance for the samples is greater than a preset threshold value, finishing training.
In an implementation manner of this example, after associating, according to an association relationship between associated classes corresponding to the same tag subset, a group association feature tag for the same tag subset to obtain an association relationship tag set, where the group association feature tag does not belong to the node tag set, the method further includes:
and determining risk information processing nodes of the target risk information processing node group according to the incidence relation tag sets corresponding to the target risk information processing node group and the frequent item tag sets.
The target risk information processing node group is one or more node groups that the user wants to analyze among the information processing node groups of multiple categories obtained by classification according to the attribute of the abnormal information processing event. After processing, each information processing node group has a corresponding association relationship tag set and frequent item tag set. Therefore, the risk information processing nodes in the target group that carry the risk of the abnormal information processing event can be analyzed according to the association relationship tag set and the frequent item tag set corresponding to the target risk information processing node group.
In an embodiment of this example, determining a risk information processing node of a target risk information processing node group according to the association relationship tag set and the frequent item tag set corresponding to the target risk information processing node group includes:
determining a first risk information processing node set in the target risk information processing node group according to the incidence relation tag set corresponding to the target risk information processing node group;
determining a second risk information processing node set of the target risk information processing node group according to the frequent item tag set corresponding to the target risk information processing node group;
acquiring a third risk information processing node set of a risk information processing node group corresponding to a class associated with the target risk information processing node group according to the association relationship tag set corresponding to the target risk information processing node group;
and acquiring risk information processing nodes which have risk connection with risk information processing nodes in the third risk information processing node set in the risk information processing node intersection of the first risk information processing node set and the second risk information processing node set as risk information processing nodes of the target risk information processing node group.
First, according to the association relationship tag set, the information processing nodes in the target risk information processing node group that have all, or a predetermined number, of the tags in the association relationship tag set are determined to obtain the first risk information processing node set; in this way, a first risk information processing node set suspected of having the complete abnormal information processing features can be determined based on the association relationship tag set. Then, according to the frequent item tag set corresponding to the target risk information processing node group, the information processing nodes in the target risk information processing node group that have all, or a predetermined number, of the tags in the frequent item tag set are determined to obtain the second risk information processing node set; in this way, a second risk information processing node set with strong abnormal information processing features can be determined based on the frequent item tag set. The intersection of the first risk information processing node set and the second risk information processing node set then gives the information processing nodes that have both strong features and suspected complete abnormal information processing features.
Through the association relationship tag set corresponding to the target risk information processing node group, a third risk information processing node set is obtained from the risk information processing node groups of the classes associated with the class of the target risk information processing node group (namely, risk information processing node groups having the predetermined class association relationship with the target information processing node group). This third set consists of the nodes in those other risk information processing node groups that are likewise suspected of having the complete abnormal information processing features represented by the association relationship tag set corresponding to the target risk information processing node group. The risk information processing nodes of the target risk information processing node group can then be determined by taking, from the intersection of the first risk information processing node set and the second risk information processing node set, the nodes that have a risk connection with risk information processing nodes in the third risk information processing node set, that is, by searching for nodes that interact in the abnormal information processing event.
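The selection described in the two paragraphs above can be written as set operations; this is an added example, not code from the patent. It assumes each node record carries its feature tags together with any group association tags recorded for it, that a "risk connection" is an undirected interaction pair, and that the "predetermined number" of matching tags is passed in as `min_assoc` and `min_freq`; all data is constructed.

```python
# Constructed sample data: node id -> tags recorded for that node.
ASSOC_TAGS = {"mgmt_authority_A", "internal", "tenure_3_5y",
              "controls_lower_node", "controlled_by_upper_node"}
FREQ_TAGS = {"mgmt_authority_A", "internal", "tenure_3_5y"}
TARGET_GROUP = {
    "p1": {"mgmt_authority_A", "internal", "tenure_3_5y", "controls_lower_node"},
    "p2": {"mgmt_authority_A", "internal", "tenure_3_5y", "controls_lower_node"},
    "p3": {"mgmt_authority_A", "internal", "vpn_only"},
    "p4": {"internal", "controls_lower_node", "controlled_by_upper_node"},
}
ASSOCIATED_GROUPS = [{
    "s1": {"mgmt_authority_A", "internal", "tenure_3_5y", "controlled_by_upper_node"},
    "s2": {"internal", "shared_account"},
}]
# Constructed interaction records between nodes (treated as undirected).
LINKS = [("p1", "s1"), ("p2", "s2"), ("p4", "s1")]


def nodes_with_tags(group, tag_set, min_hits):
    """Nodes of `group` carrying at least `min_hits` tags from `tag_set`."""
    return {n for n, tags in group.items() if len(tags & tag_set) >= min_hits}


def risk_nodes(target, associated_groups, assoc_tags, freq_tags, links,
               min_assoc, min_freq):
    """Return the three intermediate sets and the flagged nodes of `target`,
    each flagged node mapped to the third-set peers it is connected to."""
    first = nodes_with_tags(target, assoc_tags, min_assoc)    # complete features
    second = nodes_with_tags(target, freq_tags, min_freq)     # strong features
    third = set()
    for group in associated_groups:                           # associated classes
        third |= nodes_with_tags(group, assoc_tags, min_assoc)

    peers = {}
    for a, b in links:
        peers.setdefault(a, set()).add(b)
        peers.setdefault(b, set()).add(a)

    flagged = {}
    for node in sorted(first & second):
        risky_peers = peers.get(node, set()) & third
        if risky_peers:  # keep only nodes with a risk connection into the third set
            flagged[node] = sorted(risky_peers)
    return {"first": first, "second": second, "third": third, "flagged": flagged}


if __name__ == "__main__":
    result = risk_nodes(TARGET_GROUP, ASSOCIATED_GROUPS, ASSOC_TAGS, FREQ_TAGS,
                        LINKS, min_assoc=3, min_freq=3)
    print(result["flagged"])
```

In the sample, p2 matches both tag sets but only interacts with a node outside the third set, and p4 is connected to s1 but lacks the frequent tags, so only p1 is returned.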
The application also provides an abnormal information processing node analysis device. Referring to fig. 4, the abnormal information processing node analysis apparatus may include a classification module 410, a construction module 420, a culling module 430, an acquisition module 440, an association module 450, and an analysis module 460. Wherein:
the classification module 410 is configured to, when an abnormal node analysis request in an abnormal information processing event is received, classify all information processing nodes in the abnormal information association processing node library according to an attribute of the abnormal information processing event, so as to obtain a plurality of categories of information processing node groups;
the constructing module 420 is configured to obtain abnormal feature tags of all information processing nodes in the information processing node group, and construct a node tag set of the information processing node group;
the eliminating module 430 is configured to eliminate tags whose probability of appearing in the node tag set of each information processing node group is lower than a predetermined threshold value, so as to obtain a frequent item tag set of each information processing node group;
the obtaining module 440 is configured to obtain, according to a predetermined class association relationship of the classes of the information processing node groups, the same tag in the frequent item tag set of the information processing node group corresponding to the associated class, to obtain a same tag subset;
the association module 450 is configured to associate a group association feature tag with the same tag subset according to an association relationship between associated classes corresponding to the same tag subset, so as to obtain an association relationship tag set, where the group association feature tag does not belong to the node tag set;
the analysis module 460 is configured to input the relevant information of the abnormal information processing event in the abnormal node analysis request and the association relation tag set into a risk node analysis model, so as to obtain an abnormal information processing node relation.
The specific details of each module in the above abnormal information processing node analysis apparatus have been described in detail in the corresponding abnormal information processing node analysis method, and therefore are not described herein again.
It should be noted that although several modules or units of the device for action execution are mentioned in the above detailed description, such a division is not mandatory. Indeed, according to embodiments of the application, the features and functionality of two or more modules or units described above may be embodied in one module or unit. Conversely, the features and functions of one module or unit described above may be further divided so as to be embodied by a plurality of modules or units.
Moreover, although the steps of the methods herein are depicted in the drawings in a particular order, this does not require or imply that the steps must be performed in this particular order, or that all of the depicted steps must be performed, to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step execution, and/or one step broken down into multiple step executions, etc.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, the technical solution according to the embodiments of the present application can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (which can be a CD-ROM, a USB disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which can be a personal computer, a server, a mobile terminal, or a network device, etc.) to execute the method according to the embodiments of the present application.
In an exemplary embodiment of the present application, there is also provided an electronic device capable of implementing the above method.
As will be appreciated by one skilled in the art, aspects of the present invention may be embodied as a system, method or program product. Thus, various aspects of the invention may be embodied in the form of: an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode, etc.) or an embodiment combining hardware and software aspects that may all generally be referred to herein as a "circuit," "module" or "system."
An electronic device 500 according to this embodiment of the invention is described below with reference to fig. 5. The electronic device 500 shown in fig. 5 is only an example and should not bring any limitation to the functions and the scope of use of the embodiments of the present invention.
As shown in fig. 5, the electronic device 500 is embodied in the form of a general purpose computing device. The components of the electronic device 500 may include, but are not limited to: the at least one processing unit 510, the at least one memory unit 520, and a bus 530 that couples various system components including the memory unit 520 and the processing unit 510.
Wherein the storage unit stores program code that is executable by the processing unit 510 to cause the processing unit 510 to perform steps according to various exemplary embodiments of the present invention as described in the above section "exemplary methods" of the present specification. For example, the processing unit 510 may perform the steps as shown in fig. 1.
The memory unit 520 may include a readable medium in the form of a volatile memory unit, such as a random access memory unit (RAM) 5201 and/or a cache memory unit 5202, and may further include a read only memory unit (ROM) 5203.
Storage unit 520 may also include a program/utility 5204 having a set (at least one) of program modules 5205, such program modules 5205 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may comprise an implementation of a network environment.
Bus 530 may be one or more of any of several types of bus structures including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus architectures.
The electronic device 500 may also communicate with one or more external devices 700 (e.g., keyboard, pointing device, Bluetooth device, etc.), with one or more devices that enable a client to interact with the electronic device 500, and/or with any devices (e.g., router, modem, etc.) that enable the electronic device 500 to communicate with one or more other computing devices. Such communication may occur via input/output (I/O) interfaces 550. A display unit 540 coupled to an input/output (I/O) interface 550 may also be included, and the electronic device 500 may also communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the Internet) via a network adapter 560. As shown, the network adapter 560 communicates with the other modules of the electronic device 500 over the bus 530. It should be appreciated that although not shown in the figures, other hardware and/or software modules may be used in conjunction with the electronic device 500, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, the technical solution according to the embodiments of the present application can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (which can be a CD-ROM, a USB disk, a removable hard disk, etc.) or on a network, and includes several instructions to make a computing device (which can be a personal computer, a server, a terminal device, or a network device, etc.) execute the method according to the embodiments of the present application.
In an exemplary embodiment of the present application, there is also provided a computer-readable storage medium having stored thereon a program product capable of implementing the above-described method of the present specification. In some possible embodiments, aspects of the invention may also be implemented in the form of a program product comprising program code means for causing a terminal device to carry out the steps according to various exemplary embodiments of the invention described in the above section "exemplary methods" of the present description, when said program product is run on the terminal device.
Referring to fig. 6, a program product 600 for implementing the above method according to an embodiment of the present invention is described, which may employ a portable compact disc read only memory (CD-ROM) and include program code, and may be run on a terminal device, such as a personal computer. However, the program product of the present invention is not limited in this regard and, in the present document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
A computer readable signal medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the client computing device, partly on the client device, as a stand-alone software package, partly on the client computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the client computing device over any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., over the Internet using an Internet service provider).
Furthermore, the above-described figures are merely schematic illustrations of processes involved in methods according to exemplary embodiments of the invention, and are not intended to be limiting. It will be readily understood that the processes shown in the above figures are not intended to indicate or limit the chronological order of the processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, e.g., in multiple modules.
Other embodiments of the present application will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the application being indicated by the following claims.

Claims (10)

1. An abnormal information processing node analysis method is characterized by comprising the following steps:
when an abnormal node analysis request in an abnormal information processing event is received, classifying all information processing nodes in an abnormal information association processing node library according to the attribute of the abnormal information processing event to obtain a plurality of categories of information processing node groups;
acquiring abnormal feature tags of all information processing nodes in the information processing node group, and constructing a node tag set of the information processing node group;
removing labels with the probability lower than a preset threshold value in the node label set of each information processing node group to obtain a frequent item label set of each information processing node group;
acquiring the same labels in a frequent item label set of the information processing node group corresponding to the associated class according to the preset class association relation of the class of the information processing node group to obtain a same label subset;
associating a group association feature tag for the same tag subset according to an association relationship between the associated classes corresponding to the same tag subset to obtain an association relationship tag set, wherein the group association feature tag does not belong to the node tag set;
and inputting the related information of the abnormal information processing event in the abnormal node analysis request and the incidence relation label set into a risk node analysis model to obtain the abnormal information processing node relation.
2. The method according to claim 1, wherein said culling labels with a probability of occurrence in the node label set of each information processing node group lower than a predetermined threshold to obtain a frequent item label set of each information processing node group comprises:
removing labels with the probability lower than a preset threshold value in the node label set of the information processing node group to obtain a second node label set;
and after calculating the probability of each label in the second node label set, removing the labels lower than the preset threshold value to obtain a third node label set, and when the probability of all the labels in the third node label set is higher than the preset threshold value, obtaining a frequent item label set of the information processing node group.
3. The method according to claim 1, wherein the associating a group association feature tag for the same tag subset according to the association relationship between the associated classes corresponding to the same tag subset to obtain an association relationship tag set comprises:
acquiring an incidence relation label template corresponding to the incidence relation between the associated classes corresponding to the same label subset, wherein the incidence relation label template comprises a group incidence characteristic label and a characteristic label of an information processing node;
searching an incidence relation label template comprising the feature labels consistent with the same label subset from an incidence relation label template library to obtain a matched incidence relation label template;
and acquiring an incidence relation label set based on the matched incidence relation label template.
4. The method of claim 3, wherein obtaining the set of incidence relation labels based on the matched incidence relation label template comprises:
and acquiring an incidence relation label template with the number of labels exceeding a preset threshold value from the matched incidence relation label template to serve as the incidence relation label set.
5. The method of claim 3, wherein obtaining the set of incidence relation labels based on the matched incidence relation label template comprises:
and acquiring the incidence relation label template with the least number of labels from the matched incidence relation label templates to serve as the incidence relation label set.
6. The method according to claim 1, wherein after associating a group association feature tag for the same tag subset according to an association relationship between the associated classes corresponding to the same tag subset to obtain an association relationship tag set, wherein the group association feature tag does not belong to the node tag set, the method further comprises:
and determining risk information processing nodes of a target risk information processing node group according to the association relationship tag set and the frequent item tag set corresponding to the target risk information processing node group.
7. The method according to claim 6, wherein the determining risk information processing nodes of a target risk information processing node group according to the association relationship tag set and the frequent item tag set corresponding to the target risk information processing node group comprises:
determining a first risk information processing node set in the target risk information processing node group according to the association relationship tag set corresponding to the target risk information processing node group;
determining a second risk information processing node set of the target risk information processing node group according to the frequent item tag set corresponding to the target risk information processing node group;
acquiring a third risk information processing node set of a risk information processing node group corresponding to a class associated with the target risk information processing node group according to the association relationship tag set corresponding to the target risk information processing node group;
and acquiring, from the intersection of the first risk information processing node set and the second risk information processing node set, the risk information processing nodes that have a risk connection with risk information processing nodes in the third risk information processing node set, as the risk information processing nodes of the target risk information processing node group.
8. An abnormal information processing node analysis device, comprising:
the classification module is used for classifying all information processing nodes in the abnormal information association processing node library according to the attribute of the abnormal information processing event when an abnormal node analysis request in the abnormal information processing event is received, so as to obtain a plurality of categories of information processing node groups;
the construction module is used for acquiring the abnormal feature tags of all information processing nodes in the information processing node group and constructing a node tag set of the information processing node group;
the rejecting module is used for rejecting tags with the probability lower than a preset threshold value in the node tag set of each information processing node group to obtain a frequent item tag set of each information processing node group;
an obtaining module, configured to obtain, according to a predetermined class association relationship of the classes of the information processing node groups, the same tag in a frequent item tag set of the information processing node groups corresponding to the associated class, to obtain a same tag subset;
the association module is used for associating the same label subset with the group association feature labels according to the association relationship between the associated classes corresponding to the same label subset to obtain an association relationship label set, wherein the group association feature labels do not belong to the node label set;
and the analysis module is used for inputting the related information of the abnormal information processing event in the abnormal node analysis request and the association relationship label set into a risk node analysis model to obtain the abnormal information processing node relation.
9. A computer-readable storage medium on which an abnormal information processing node analysis program is stored, wherein the abnormal information processing node analysis program, when executed by a processor, implements the method of any one of claims 1 to 7.
10. An electronic device, comprising:
a processor; and
a memory for storing an abnormal information processing node analysis program for the processor; wherein the processor is configured to perform the method of any one of claims 1 to 7 by executing the abnormal information processing node analysis program.
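The label pruning of claim 2, the same label subset of claim 1 and the node selection of claim 7 can be traced on a small data set. This is an added sketch, not code from the patent; the probability definition, the "any label" membership rule, the undirected risk connections, the node names and the group label are all assumptions made for illustration.

```python
from collections import Counter

def frequent_item_labels(group, threshold):
    """Claim 2: prune labels until every remaining one meets the threshold.

    group maps node id -> set of abnormal feature labels. Assumption: a
    label's probability is the fraction of the group's nodes carrying it.
    """
    labels = set().union(*group.values())
    while True:
        counts = Counter(lab for tags in group.values() for lab in tags & labels)
        kept = {lab for lab in labels if counts[lab] / len(group) >= threshold}
        if kept == labels:          # every remaining label is frequent
            return kept
        labels = kept               # recompute on the reduced label set

def association_label_set(freq_a, freq_b, group_label):
    """Claim 1: same label subset of two associated classes, plus a group
    association feature label that is not itself a node label."""
    same = freq_a & freq_b
    return same | {group_label} if same else set()

def risk_nodes(target, associated, assoc_labels, freq_labels, links):
    """Claim 7: nodes in (first & second) with a risk connection to third.

    Assumptions: a node joins a set when it carries any label of that set;
    a risk connection is an undirected edge listed in links.
    """
    first = {n for n, tags in target.items() if tags & assoc_labels}
    second = {n for n, tags in target.items() if tags & freq_labels}
    third = {n for n, tags in associated.items() if tags & assoc_labels}
    return {n for n in first & second
            if any((n, m) in links or (m, n) in links for m in third)}

# Constructed sample data: two associated classes and their connections.
GATEWAYS = {"gw-1": {"timeout", "bad-checksum"}, "gw-2": {"timeout", "retry-storm"},
            "gw-3": {"timeout", "bad-checksum"}, "gw-4": {"disk-full"}}
DATABASES = {"db-1": {"timeout", "slow-query"}, "db-2": {"timeout", "slow-query"},
             "db-3": {"bad-checksum"}}
LINKS = {("gw-1", "db-1"), ("gw-4", "db-3")}

def analyse(threshold=0.5):
    freq_gw = frequent_item_labels(GATEWAYS, threshold)
    freq_db = frequent_item_labels(DATABASES, threshold)
    assoc = association_label_set(freq_gw, freq_db, "assoc:gateway-database")
    return freq_gw, assoc, risk_nodes(GATEWAYS, DATABASES, assoc, freq_gw, LINKS)
```

The risk node analysis model of claim 1 is not modelled here; the sketch stops at the label sets and node sets that would feed it.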
Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202010092140.1A CN111343161B (en) 2020-02-14 2020-02-14 Abnormal information processing node analysis method, abnormal information processing node analysis device, abnormal information processing node analysis medium and electronic equipment
PCT/CN2020/134941 WO2021159834A1 (en) 2020-02-14 2020-12-09 Abnormal information processing node analysis method and apparatus, medium and electronic device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010092140.1A CN111343161B (en) 2020-02-14 2020-02-14 Abnormal information processing node analysis method, abnormal information processing node analysis device, abnormal information processing node analysis medium and electronic equipment

Publications (2)

Publication Number Publication Date
CN111343161A (en) 2020-06-26
CN111343161B (en) 2021-12-10

Family

ID=71186867

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010092140.1A Active CN111343161B (en) 2020-02-14 2020-02-14 Abnormal information processing node analysis method, abnormal information processing node analysis device, abnormal information processing node analysis medium and electronic equipment

Country Status (2)

Country Link
CN (1) CN111343161B (en)
WO (1) WO2021159834A1 (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113850499B (en) * 2021-09-23 2024-04-09 平安银行股份有限公司 Data processing method and device, electronic equipment and storage medium
CN114528005B (en) * 2021-11-29 2023-06-23 深圳市千源互联网科技服务有限公司 Grabbing label updating method, grabbing label updating device, grabbing label updating equipment and storage medium
CN114697143B (en) * 2022-06-02 2022-08-23 苏州英博特力信息科技有限公司 Information processing method based on fingerprint attendance system and fingerprint attendance service system
CN115277163A (en) * 2022-07-22 2022-11-01 杭州安司源科技有限公司 Mimicry transformation method based on label
CN115829192B (en) * 2023-02-23 2023-04-21 中建安装集团有限公司 Digital management system and method for realizing engineering information security supervision
CN116503023B (en) * 2023-05-06 2024-01-05 国网浙江省电力有限公司 Power abnormality information checking method based on power marketing management system

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105376193A (en) * 2014-08-15 2016-03-02 中国电信股份有限公司 Intelligent association analysis method and intelligent association analysis device for security events
CN107276851A (en) * 2017-06-26 2017-10-20 中国信息安全测评中心 A kind of method for detecting abnormality of node, device, network node and console
CN107454089A (en) * 2017-08-16 2017-12-08 北京科技大学 A kind of network safety situation diagnostic method based on multinode relevance
US20180063177A1 (en) * 2016-08-26 2018-03-01 Fujitsu Limited Non-transitory recording medium recording cyber-attack analysis supporting program, cyber-attack analysis supporting method, and cyber-attack analysis supporting apparatus
US10121000B1 (en) * 2016-06-28 2018-11-06 Fireeye, Inc. System and method to detect premium attacks on electronic networks and electronic devices
CN109462646A (en) * 2018-11-12 2019-03-12 平安科技(深圳)有限公司 A kind of method and apparatus of exception response
CN109617887A (en) * 2018-12-21 2019-04-12 咪咕文化科技有限公司 A kind of information processing method, device and storage medium
CN110022311A (en) * 2019-03-18 2019-07-16 北京工业大学 A kind of cloud outsourcing service leaking data safety test use-case automatic generating method based on attack graph
CN110365674A (en) * 2019-07-11 2019-10-22 武汉思普崚技术有限公司 A kind of method, server and system for predicting network attack face
CN110442498A (en) * 2019-06-28 2019-11-12 平安科技(深圳)有限公司 Localization method, device, storage medium and the computer equipment of abnormal data node
CN110602101A (en) * 2019-09-16 2019-12-20 北京三快在线科技有限公司 Method, device, equipment and storage medium for determining network abnormal group

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10592666B2 (en) * 2017-08-31 2020-03-17 Micro Focus Llc Detecting anomalous entities
US11055407B2 (en) * 2017-09-30 2021-07-06 Oracle International Corporation Distribution-based analysis of queries for anomaly detection with adaptive thresholding
CN110210227B (en) * 2019-06-11 2021-05-14 百度在线网络技术(北京)有限公司 Risk detection method, device, equipment and storage medium
CN110659799A (en) * 2019-08-14 2020-01-07 深圳壹账通智能科技有限公司 Attribute information processing method and device based on relational network, computer equipment and storage medium
CN110716868B (en) * 2019-09-16 2022-02-25 腾讯科技(深圳)有限公司 Abnormal program behavior detection method and device
CN111343161B (en) * 2020-02-14 2021-12-10 平安科技(深圳)有限公司 Abnormal information processing node analysis method, abnormal information processing node analysis device, abnormal information processing node analysis medium and electronic equipment

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021159834A1 (en) * 2020-02-14 2021-08-19 平安科技(深圳)有限公司 Abnormal information processing node analysis method and apparatus, medium and electronic device
CN114039744A (en) * 2021-09-29 2022-02-11 中孚信息股份有限公司 Abnormal behavior prediction method and system based on user characteristic label
CN114039744B (en) * 2021-09-29 2024-02-27 中孚信息股份有限公司 Abnormal behavior prediction method and system based on user feature labels
CN113992429A (en) * 2021-12-22 2022-01-28 支付宝(杭州)信息技术有限公司 Event processing method, device and equipment

Also Published As

Publication number Publication date
WO2021159834A1 (en) 2021-08-19
CN111343161B (en) 2021-12-10

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
REG Reference to a national code (Ref country code: HK; Ref legal event code: DE; Ref document number: 40032027; Country of ref document: HK)
GR01 Patent grant