CN112491872A - Abnormal network access behavior detection method and system based on equipment image - Google Patents


Info

Publication number
CN112491872A
Authority
CN
China
Prior art keywords
network access
portrait
behavior
access behavior
data
Legal status
Pending
Application number
CN202011344793.0A
Other languages
Chinese (zh)
Inventor
张文杰
李巍
赵永彬
金成明
王鸥
杨超
刘为
王飞
陈硕
张雷
周小明
王磊
于亮亮
黄兴
王楠
李娜
张靖欣
周旭
程硕
Current Assignee
State Grid Liaoning Electric Power Co Ltd
Information and Telecommunication Branch of State Grid Liaoning Electric Power Co Ltd
Original Assignee
State Grid Liaoning Electric Power Co Ltd
Information and Telecommunication Branch of State Grid Liaoning Electric Power Co Ltd

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24Querying
    • G06F16/245Query processing
    • G06F16/2458Special types of queries, e.g. statistical queries, fuzzy queries or distributed queries
    • G06F16/2465Query processing support for facilitating data mining operations in structured databases

Abstract

The application provides a method and a system for detecting abnormal network access behavior based on device portraits. The method comprises: acquiring network access behavior logs and attribute information from a large number of terminal devices; forming a portrait model of each terminal device from the attribute information and the behavior information in the acquired network access behavior logs, the portrait model comprising an attribute portrait and a behavior portrait of the terminal device; and detecting abnormal network access behavior using a pattern matching algorithm together with the portrait model of the terminal device. Compared with the prior art, the method and system markedly improve the network access security protection capability of the terminal layer of the power internet of things.

Description

Abnormal network access behavior detection method and system based on equipment image
Technical Field
The present disclosure relates to the field of computer application technologies, and in particular, to a system and method for detecting abnormal network access behavior based on device images.
Background
Terminals of the power internet of things are widely distributed and their access environments are complex and varied. They face abnormal network access behaviors such as counterfeit terminal access, which interfere with the network access of legitimate terminals and can also lead to security problems such as data theft and network attacks. Such behaviors are difficult to monitor and identify in a timely and effective way and readily create serious network security threats, so timely monitoring and discovery are needed. Detecting them is therefore a key technology for the security protection of the terminal layer of the power internet of things.
Disclosure of Invention
One of the purposes of the disclosure is to improve the network access safety protection capability of the power internet of things terminal layer.
In order to achieve the above object, according to a first aspect of the embodiments of the present disclosure, there is provided a method for detecting abnormal network access behavior based on a device image, including: acquiring network access behavior logs and attribute information of a large number of terminal devices; forming a portrait model of the terminal equipment based on the attribute information and the behavior information of the terminal equipment in the acquired network access behavior log, wherein the portrait model comprises an attribute portrait and a behavior portrait of the terminal equipment; and detecting abnormal network access behaviors based on a pattern matching algorithm and an image model of the terminal equipment.
Optionally, obtaining the network access behavior logs and attribute information of a large number of terminal devices includes: performing data cleaning and/or structuring on the acquired network access behavior logs and/or attribute information; acquiring portrait data of the terminal device from the cleaned and/or structured logs and/or attribute information according to a preset portrait data acquisition rule; and extracting portrait labels of the device from the acquired portrait data, where the portrait labels include device attribute labels and behavior labels.
Optionally, the portrait labels of the device are represented as a vector in a feature space.
Optionally, obtaining the portrait data of the terminal device from the cleaned and/or structured network access behavior log and/or attribute information includes: extracting, from the cleaned and/or structured log and/or attribute information, the feature field information corresponding to preset feature fields; and sampling the extracted feature field information, where at least part of the sampled data serves as the training data set of the terminal device's portrait model and at least another part serves as its testing data set. Forming the portrait model of the terminal device from the attribute information and behavior information in the acquired log then includes: performing frequent sequence pattern mining on the training data set with the PrefixSpan sequence pattern mining algorithm to form the portrait model of the terminal device.
Optionally, the pattern matching algorithm comprises the AC-BM algorithm.
Optionally, detecting abnormal network access behavior based on the pattern matching algorithm and the portrait model of the terminal device includes: extracting the normal network access behavior information of the terminal device from its portrait model; and pattern-matching the network access behavior information to be detected against the extracted normal network access behavior information using the pattern matching algorithm; if they match, the behavior to be detected is judged normal, otherwise it is judged abnormal.
Optionally, the detected abnormal network access behavior includes point anomalies, contextual anomalies and aggregate anomalies.
According to a second aspect of the embodiments of the present disclosure, there is provided a system for detecting abnormal network access behavior based on a device image, including: the information acquisition unit is used for acquiring network access behavior logs and attribute information of a large number of terminal devices; the portrait model forming unit is used for forming a portrait model of the terminal equipment based on the attribute information and the behavior information of the terminal equipment in the acquired network access behavior log, wherein the portrait model comprises an attribute portrait and a behavior portrait of the terminal equipment; and the anomaly detection unit is used for detecting the abnormal network access behavior based on the pattern matching algorithm and the portrait model of the terminal equipment.
The technical scheme provided by the embodiment of the disclosure can realize the following beneficial effects:
According to the method and system for detecting abnormal network access behavior based on device portraits, the attribute information and behavior information of the device are mined from the raw network access data records, the feature trajectory of the device is abstracted, and a device portrait model is formed; abnormal network access behaviors are then detected by pattern matching against the device portrait model. By matching terminal network access behaviors against the portrait, abnormal behaviors such as counterfeit terminal access are monitored and identified in a timely and accurate manner, improving the network access security protection capability of the terminal layer.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
Other features, objects and advantages of the present application will become more apparent upon reading of the following detailed description of non-limiting embodiments thereof, made with reference to the accompanying drawings in which:
fig. 1 is a schematic flowchart of a method for detecting abnormal network access behavior based on an apparatus image according to an embodiment of the present application;
fig. 2 is a schematic flowchart illustrating step S101 in fig. 1 according to an embodiment of the present disclosure;
fig. 3 is a schematic flowchart illustrating step S103 in fig. 1 according to an embodiment of the present disclosure;
FIG. 4 is a schematic block diagram of a system for detecting abnormal network access behavior based on device images according to an embodiment of the present application;
the same or similar reference numbers in the drawings identify the same or similar structures.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terminology used in the present disclosure is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. As used in this disclosure and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and includes any and all possible combinations of one or more of the associated listed items.
According to an aspect of the present application, a method for detecting an abnormal network access behavior based on an apparatus image is provided, an execution subject of the method of this embodiment may be an independent electronic entity, please refer to fig. 1, and fig. 1 is a schematic flow diagram of the method for detecting an abnormal network access behavior based on an apparatus image according to an embodiment of the present application.
As shown in fig. 1, the method for detecting abnormal network access behavior based on device images may include the following steps:
step S101, obtaining network access behavior logs and attribute information of a large number of terminal devices.
The terminal devices include, but are not limited to, at least one of: office terminals, production terminals, internet access terminals, test terminals, ATMs, etc. The network access behavior logs and attribute information of the terminal devices may be provided by or obtained from a number of known data sources or data collection channels.
The network access behavior log of the terminal device comprises at least one of software installation information, operation behavior trend information on a mobile access medium, weak password trend information, presence sensitive file trend information, sensitive file and read-write behavior association information, forbidden software trend information, account number change information, user group change information, restart times and frequency, process detailed information, alarm conditions and flow trend.
The attribute information of a terminal device includes, for example, static attributes and dynamic attributes. The static attributes include at least one of the type, brand, model, SN code, MAC address, owning person, owning department, owning unit, operating system type or version, number of CPUs, memory size, hard disk size, or serial number of the terminal device; the dynamic attributes include at least one of the IP address, IP usage period, user, and usage time of the terminal device.
According to the embodiment, the current situation of network access is mined by analysis methods such as statistics, classification and clustering, a normal access model is established, an access base line and an equipment portrait are calculated, abnormal access is found through the equipment portrait, and alarm display can be performed on the abnormality and detailed access information of abnormal behaviors can be extracted.
In this embodiment, various known machine learning algorithms such as decision trees, Bayesian networks and cluster analysis may be used to mine the network access behavior logs and attribute information of the many terminal devices. That is, the network access logs are mined and analyzed, and the logs of access targets are screened out of them; these logs mainly include at least one of the access time, the IP address of the accessing device, the device MAC address, host name, user, the user's unit and department, user telephone, the name of the corresponding policy, access content, access result, and the like.
A decision tree is a common learning method in machine learning that performs well in classification, prediction and rule extraction. A decision tree algorithm builds the tree recursively by dividing the training set into ever purer subsets. C4.5 is the most widely used decision tree algorithm; it handles both continuous and discrete attributes as well as data sets with missing values. The random forest algorithm is an extension of the decision tree algorithm and an ensemble learning method: it builds on decision trees and adds random attribute selection. It performs well on data sets, can handle high-dimensional data, trains quickly, is simple to implement, and can reveal the influence relations among features during training, for which reasons it is valued by many machine learning researchers.
A Bayesian network captures prior knowledge of a specific field with a graphical model and encodes the dependency relationships among variables. Once the network structure is determined, new variables are easy to add. Incomplete data can be handled: an instance with a missing attribute is processed by summing or integrating over the probabilities of all possible values of that attribute. Combining the data with prior knowledge in a probabilistic way addresses the overfitting problem of the model.
Cluster analysis is a multivariate statistical method and also an important branch of unsupervised pattern recognition. An unordered sample set is divided, according to some rule, into several subclasses with clearly different characteristics, so that samples with similar feature values fall into one class as far as possible and samples with dissimilar feature values fall into different classes as far as possible. Many established mathematical clustering methods exist, such as the systematic clustering and stepwise clustering methods of statistics; the fuzzy c-means and fuzzy equivalence relation clustering methods of fuzzy mathematics; and the neural network pattern recognition clustering methods of artificial intelligence. Whichever clustering method is used, the similarity between samples and between variables must be measured: the distance between samples is commonly used to measure sample similarity, and a similarity coefficient to measure variable similarity. The feature vectors of the samples to be clustered must be extracted with the characteristics of the required load features in mind, following one principle: the feature vector must reflect the essential features of the sample.
The massive network access logs that are collected contain a large amount of noise: redundant, invalid, non-compliant, missing and erroneous data (for example, an inaccessible web page among the access targets found in the analysis). This noise affects the building and verification of the model and the judgement of new access behaviors. Subsequent data analysis is performed on the collected logs, and in order to improve the efficiency of that analysis and computation on the network access behavior logs and attribute information of the many terminal devices, refer to fig. 2, which is a schematic flowchart of step S101 in fig. 1 according to an embodiment of the present application. According to fig. 2, step S101 of acquiring the network access behavior logs and attribute information of a large number of terminal devices may include:
step S201, performing data cleaning or/and structuring on the acquired network access behavior log or/and attribute information.
Specifically, in order to guarantee the analysis result, deduplication, filtering, incomplete association, and the like, i.e., data cleansing, are required to be performed on the mass data to ensure data consistency. That is, the obtained network access behavior log or/and the attribute information are reexamined and verified to obtain the attribute information and the behavior characteristic information related to the corresponding terminal device. For example, if there are multiple pieces of device ID information in the same device, duplicate device ID information may be deleted by data cleansing, and only one piece of device ID information is retained. Further, the mass data may be structured, i.e., represented and stored using, for example, a database of a particular type, based on the acquired data. For example, a structured data table is formed by taking the device ID as a unit for the mass data which is cleaned, so as to perform operations such as updating and modifying on the data of each device in the database.
Step S202, according to the preset image data acquisition rule, the image data of the terminal device is acquired from the network access behavior log or/and the attribute information which are subjected to data cleaning or/and structuring processing.
Specifically, the preset portrait data acquisition rule includes, for example: classifying the portrait data according to its content into, for example, a behavior log type, an attribute information type and other types, and filtering out the other types so that only portrait data of the log type and the attribute information type is retained.
Specifically, the step S202 may include the following sub-steps:
extracting feature field information corresponding to a preset feature field aiming at the network access behavior log or/and the attribute information subjected to data cleaning or/and structured processing;
sampling the extracted feature field information, where at least part of the sampled data serves as the training data set of the terminal device's portrait model and at least another part serves as its testing data set. For example, 80% of the sampled data is used to train the normal access portrait model, and the remaining 20% is used to verify and tune the portrait model, establish the final model, and judge abnormal access.
Step S203, extracting portrait labels of the equipment according to the acquired portrait data, wherein the portrait labels comprise equipment attribute labels and behavior labels.
Specifically, the portrait data describes the terminal device along different data dimensions. By analyzing the portrait data, the terminal device is marked with corresponding portrait labels: the specific behaviors, interests, preferences and so on of the device are abstracted into multiple labels, and each terminal device entity is represented by a set of labels. For example, a device may be labelled as a fixed device or a mobile device based on its state attribute; as a voice terminal, video terminal or sensing terminal based on its service attribute; and as a power utilization acquisition terminal, power distribution scheduling terminal, charging management terminal, etc. based on its application type attribute.
The process of extracting the portrait label of the device according to the acquired portrait data includes, for example: acquiring the image data of the operation function dimension of the terminal equipment according to the acquired ID of the terminal equipment, counting the frequency of the operation function of the terminal equipment and the ratio of each function according to the image data of the operation function dimension, and forming a function label of the terminal equipment based on the statistical data.
The device attribute tag is mainly obtained based on the attribute information of the device, namely mainly corresponding to the attribute information of the device; for example, a "basic tag", a "function tag", and a "level tag" are some kind of attribute that identifies a terminal device, and such tags are called "attribute tags" and indicate the inherent, static state of the terminal device. More specifically, each terminal device role is established with some common attributes that uniquely identify the terminal, such as "terminal ID" and "IP address". The service function of each terminal is different, and functional labels such as 'office', 'production', 'test' and the like are correspondingly provided according to the different service functions of the terminals.
Similarly, the behavior label of the device is obtained mainly from the behavior features of the device. The operations of one device are necessarily time-ordered: a series of operations of the device arranged in time order is called the device behavior sequence. Normally each device repeats the same operations many times, because its normal operation generally serves a particular business task, and completing that task usually requires operating certain pages in a certain order. Expressed in graph-theoretic terms, the device operation sequence can be visualized as a directed graph. Frequent sequence mining cannot be run directly on such a graph, since it would enter an infinite loop on cycles. Therefore, before frequent sequence mining, the directed graph is "unrolled" into a tree in which each branch is a complete operation sequence; the tree is then traversed to generate an operation sequence list, and frequent sequence mining over those sequences yields the frequent sequences of the device.
Therefore, through the analysis of the acquired network access behavior log, including the analysis of the equipment behavior and equipment attribute information, the portrait label is marked on the behavior or the attribute of the equipment according to the analysis result, and therefore portrait data of the equipment is obtained.
According to a preferred embodiment of the present application, the portrait labels of a device may be represented as a vector in a feature space. Specifically, the terminal device is described by an abstract mathematical model: a terminal portrait is a set of labels, and from the computer's point of view each label is a dimension variable of a feature space, so the portrait is characterized in a form that is convenient to compute. Labels are symbolic representations of terminal features; a terminal portrait is a set of labels, labels are dimensions of the feature space, and the terminal portrait is a sparse vector in that space. For example, if the full label set is {A, B, C, D, E, F} and the terminal portrait is {C, E, F}, then the full label set corresponds mathematically to the feature space {A × B × C × D × E × F} and the terminal portrait to the sparse vector {0, 0, 1, 0, 1, 1}.
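The label extraction of step S203 (function frequency and ratio per device, attribute labels) and the sparse-vector encoding above, worked through in code. This is an added example, not code from the patent: the log rows, the attributes, the `min_ratio` threshold and the Jaccard comparison are all assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample (not from the patent): cleaned, structured access log rows
# of the form (device_id, operation function), already time-ordered.
SAMPLE_LOG = [
    ("dev-01", "office"), ("dev-01", "office"), ("dev-01", "office"), ("dev-01", "test"),
    ("dev-02", "production"), ("dev-02", "production"), ("dev-02", "production"),
    ("dev-03", "office"), ("dev-03", "test"), ("dev-03", "test"), ("dev-03", "test"),
]

# Constructed static attributes per device (the attribute information of step S101).
SAMPLE_ATTRIBUTES = {
    "dev-01": {"mobility": "fixed", "service": "video"},
    "dev-02": {"mobility": "fixed", "service": "sensing"},
    "dev-03": {"mobility": "mobile", "service": "voice"},
}


def function_ratios(log):
    """Count each device's operation functions and return the ratio of each function."""
    counts = defaultdict(Counter)
    for device_id, function in log:
        counts[device_id][function] += 1
    return {dev: {f: n / sum(c.values()) for f, n in c.items()} for dev, c in counts.items()}


def extract_labels(log, attributes, min_ratio=0.25):
    """Build each device's label set: attribute labels plus function (behavior) labels.

    A function becomes a label only if it accounts for at least min_ratio of the
    device's operations (the threshold is an assumption made for this example).
    """
    ratios = function_ratios(log)
    labels = {}
    for device_id, attrs in attributes.items():
        attr_labels = {f"{key}:{value}" for key, value in attrs.items()}
        func_labels = {f"function:{f}" for f, r in ratios.get(device_id, {}).items() if r >= min_ratio}
        labels[device_id] = attr_labels | func_labels
    return labels


def build_feature_space(labels):
    """The full label set across all devices, sorted, gives the dimensions of the feature space."""
    return sorted(set().union(*labels.values()))


def to_sparse_vector(device_labels, feature_space):
    """Encode one device's label set as a 0/1 vector over the feature space dimensions."""
    return [1 if dim in device_labels else 0 for dim in feature_space]


def jaccard(vec_a, vec_b):
    """Jaccard similarity of two 0/1 portrait vectors, to compare a device with its peers."""
    inter = sum(1 for a, b in zip(vec_a, vec_b) if a and b)
    union = sum(1 for a, b in zip(vec_a, vec_b) if a or b)
    return inter / union if union else 0.0


if __name__ == "__main__":
    labels = extract_labels(SAMPLE_LOG, SAMPLE_ATTRIBUTES)
    space = build_feature_space(labels)
    print("feature space:", space)
    for dev in sorted(labels):
        print(dev, to_sparse_vector(labels[dev], space))
```

With the sample data the feature space has eight dimensions and dev-01 and dev-02 share only the `mobility:fixed` label, so their Jaccard similarity is 1/6; a newly attached device whose vector is far from every known peer of its claimed type is the kind of signal the attribute portrait is meant to surface.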
Referring back to fig. 1, the method for detecting abnormal network access behavior based on device images further includes the following steps:
step S102, forming a portrait model of the terminal device based on the attribute information and the behavior information of the terminal device in the acquired network access behavior log, where the portrait model comprises an attribute portrait and a behavior portrait of the terminal device.
The attribute portrait and behavior portrait of the terminal device describe its attribute information and behavior characteristics respectively. Both belong to the device portrait: the attribute information and behavior feature information of the device are extracted by data analysis, and the device is marked with corresponding labels (called portrait labels here) according to the analysis results, giving the device portrait, which is an abstract representation of the device's concrete behavior, semantic interests, preferences and the like. When computed by a computer, the device's label sets may correspond to a feature space; as described in the embodiments above, the portrait labels may be represented as vectors in that feature space.
In an embodiment, the PrefixSpan sequence pattern mining algorithm may be used to mine the behavior information of the device: once the device's behavior sequence is obtained, PrefixSpan mines the sequential patterns of the device's time-ordered operations. A behavior sequential pattern can be regarded as the sequence of function points the device visits to complete the operations its service requires.
Alternatively, frequent sequence pattern mining with PrefixSpan is performed on the training data set to obtain the information from which the portrait model of the terminal device is formed, and the portrait model is then built from the mined information.
PrefixSpan is a sequential pattern mining algorithm based on sequential pattern growth. Its mining idea is: find all frequent items, build the set of projected databases associated with each frequent item, and mine each projected database separately. The algorithm mainly comprises the following steps: scanning the sequence database to obtain all n frequent items, which form the set of frequent sequences of length 1; dividing the frequent sequence set into n subsets according to their different prefixes; constructing the corresponding projected database for each subset and recursively mining the frequent subsequences in it.
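The three PrefixSpan steps just described (frequent items, prefix-projected databases, recursive mining), implemented over per-terminal operation sequences. This is an added example, not the patent's code: the training sequences, the `min_support` value and the `behavior_patterns` filter that turns the mined patterns into a behavior portrait are assumptions for illustration. Items are single operations, so projection uses the suffix after the first occurrence of the extending item.

```python
from collections import defaultdict

# Constructed training set (not from the patent): each entry is one terminal's
# time-ordered operation sequence, one item per operation / function point.
SAMPLE_SEQUENCES = [
    ["login", "query_meter", "export", "logout"],
    ["login", "query_meter", "logout"],
    ["login", "export", "logout"],
    ["login", "query_meter", "export", "logout"],
    ["config", "reboot"],
]


def prefixspan(sequences, min_support):
    """Mine every frequent sequential pattern with support >= min_support.

    Items are single operations (no itemsets). Returns {pattern_tuple: support}.
    """
    patterns = {}

    def frequent_items(projected):
        # Support of an item = number of projected sequences containing it
        counts = defaultdict(int)
        for seq in projected:
            for item in set(seq):
                counts[item] += 1
        return {item: n for item, n in counts.items() if n >= min_support}

    def project(projected, item):
        # Prefix-projected database: the suffix after the first occurrence of `item`
        return [seq[seq.index(item) + 1:] for seq in projected if item in seq]

    def mine(prefix, projected):
        # Pattern growth: extend the prefix by each frequent item, then recurse
        for item, support in frequent_items(projected).items():
            pattern = prefix + (item,)
            patterns[pattern] = support
            mine(pattern, project(projected, item))

    mine((), [list(seq) for seq in sequences])
    return patterns


def behavior_patterns(sequences, min_support, min_length=2):
    """Keep only patterns of at least min_length operations, most frequent first;
    these become the normal operation sequences of the behavior portrait."""
    found = prefixspan(sequences, min_support)
    return sorted(((p, s) for p, s in found.items() if len(p) >= min_length),
                  key=lambda ps: (-ps[1], -len(ps[0]), ps[0]))


if __name__ == "__main__":
    for pattern, support in behavior_patterns(SAMPLE_SEQUENCES, min_support=3):
        print(support, " -> ".join(pattern))
```

With `min_support=3` the rare `config -> reboot` sequence never becomes a pattern, while `login -> query_meter -> logout` and `login -> export -> logout` do; the full four-step sequence is seen only twice and is therefore left out, which is the knob an operator tunes when the portrait is too loose or too strict.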
step S103, detecting abnormal network access behaviors based on a pattern matching algorithm and the portrait model of the terminal device.
The pattern matching algorithm includes, but is not limited to, the AC-BM algorithm.
The AC-BM algorithm is a matching algorithm that combines the AC (Aho-Corasick) and BM (Boyer-Moore) algorithms. AC-BM first builds a pattern tree whose root nodes are the common prefixes of the multiple patterns, and then compares the characters of the object to be detected with the pattern tree one by one, the comparison proceeding from the root nodes towards the leaf nodes. During matching, the pattern tree is moved according to two rules: 1) Bad character rule. When a mismatch is found, the pattern tree is moved so that the character in some branch of the tree that matches the current character is aligned with the position being compared; if the character being compared does not appear in any pattern at the current depth, the tree is moved by the length of the shortest pattern string. 2) Good prefix rule. When a mismatch occurs after part of the object has already matched, the same character string is searched for in the pattern tree; the tree is moved so that it aligns with that same part and matching restarts from the root node of the pattern tree. In either case the maximum distance the pattern tree moves must not exceed the length of the shortest pattern string.
The detected abnormal network access behavior comprises point anomalies, contextual anomalies and collective anomalies.
Specifically, a point anomaly is a single data instance that is anomalous with respect to the rest of the data. A contextual anomaly, also called a conditional anomaly, is a data instance that is considered anomalous in one particular context but not when placed in another context; detecting it requires context attributes in addition to the behavior attributes in the data, and the anomaly is determined by the values of the behavior attributes within the given context. A collective anomaly is a contiguous set of data instances that is anomalous with respect to the whole data set: a single instance in the set need not be a point anomaly, but the instances occurring together in that order violate the normal behavior pattern. Collective anomalies arise in sequence data, graph data and spatial data.
Referring to fig. 3, fig. 3 is a flowchart illustrating step S103 in fig. 1 according to an embodiment of the present application. According to fig. 3, the step S103 may specifically include:
step S301, extracting normal network access behavior information of the terminal equipment according to the portrait model of the terminal equipment;
step S302, based on a pattern matching algorithm, performing pattern matching between the network access behavior information to be detected of the terminal device and the extracted normal network access behavior information; if the match succeeds, the network access behavior to be detected is judged to be normal behavior, otherwise it is judged to be abnormal behavior.
Specifically, from the portrait model of the terminal device, and in particular from the behavior portrait within it, the normal behavior pattern of the device can be extracted accurately. The extracted normal behavior pattern (including normal network access behavior) is used as the feature for anomaly detection: the behavior sequence pattern in the network access behavior information to be detected is pattern-matched against the extracted normal behavior pattern; if the match succeeds, the network access behavior under test is judged to be normal behavior; if no match can be made or the degree of match is low, it is judged to be abnormal behavior and an alarm is raised.
The extracted normal behavior patterns of the device may be stored in a database of the computer system in the form of a sequence pattern feature library. The pattern matching process for detecting abnormal network access behavior is as follows:
(1) Input. The behavior sequence to be detected is input in the same format as the corresponding behavior sequences in the sequence pattern feature library, so pattern matching is carried out directly without any data conversion.
(2) Detection. A pattern tree is first constructed from the behavior patterns in the sequence pattern feature library, and the pattern tree is then matched against the input sequence pattern to be detected. Constructing a pattern tree from behavior patterns can be realized with existing techniques.
(3) Output. If the sequence pattern under test matches the pattern tree successfully, it is a normal sequence pattern; the offset of the matched feature within the sequence under test (that is, the position at which the feature matched) is output, together with the offset of the sequence pattern in the feature pattern library, the feature pattern that matched, and the matching time.
(4) If matching fails, the behavior sequence pattern under test has no matching item in the feature sequence pattern library, and the behavior sequence is an abnormal behavior sequence. The matching failure is output and an alarm is raised. Counterfeit terminals are identified and monitored through this abnormal behavior analysis.
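The following Python is an added example (not the patent's code) of the detection procedure in steps (1) to (4) built on the pattern tree described for AC-BM above: library patterns sharing a prefix share trie nodes, each alignment of the input is compared from the root towards the leaves, and on a mismatch the tree is shifted by a bad-character rule. The good-prefix rule is omitted; the bad-character shift used here is a safe lower bound on its own, so no occurrence is skipped. The feature library, the sequences under test, and the coverage threshold of 0.8 that stands in for the "degree of match" are all assumptions.

```python
from collections import defaultdict

END = None  # sentinel key: node[END] holds the pattern that ends at this node

# Constructed sequence pattern feature library (normal behavior patterns of one
# terminal type, as sequence mining would output them); event names are assumptions.
FEATURE_LIBRARY = [
    ("dhcp", "dns", "ntp"),
    ("dns", "tls_handshake", "mqtt_publish"),
    ("mqtt_publish", "mqtt_publish", "heartbeat"),
]


def build_pattern_tree(patterns):
    """Trie over the library: patterns with a common prefix share nodes from the root.
    Also records, per event, the depths at which it occurs in any pattern."""
    root = {}
    depths_of = defaultdict(set)
    for pat in patterns:
        node = root
        for depth, event in enumerate(pat):
            depths_of[event].add(depth)
            node = node.setdefault(event, {})
        node[END] = tuple(pat)
    return root, depths_of


def bad_event_shift(depths_of, event, depth):
    """Shift after a mismatch on `event` at tree depth `depth` (bad-character rule).

    Any later alignment that can still match must place `event` at a shallower
    depth of some pattern, so shift to the nearest such depth; if `event` never
    occurs at a shallower depth, no alignment covering that position can match."""
    shallower = [d for d in depths_of.get(event, ()) if d < depth]
    return depth - max(shallower) if shallower else depth + 1


def match_sequence(seq, tree, depths_of):
    """Return [(offset, pattern), ...] for every occurrence of a library pattern in
    seq, walking the tree root-to-leaf at each alignment and shifting on mismatch."""
    hits = []
    i, n = 0, len(seq)
    while i < n:
        node, depth = tree, 0
        while True:
            if END in node:
                hits.append((i, node[END]))
            if i + depth >= n:  # input exhausted while still inside the tree
                shift = 1
                break
            event = seq[i + depth]
            child = node.get(event)
            if child is None:
                shift = bad_event_shift(depths_of, event, depth)
                break
            node, depth = child, depth + 1
        i += shift
    return hits


def detect(seq, library, min_coverage=0.8):
    """Verdict for one behavior sequence: 'normal' only if library patterns match
    and cover at least `min_coverage` of its events (the degree of match).
    A counterfeit terminal can replay one normal pattern and then do as it
    pleases, so a single hit must not be enough on its own."""
    tree, depths_of = build_pattern_tree(library)
    hits = match_sequence(seq, tree, depths_of)
    covered = set()
    for offset, pat in hits:
        covered.update(range(offset, offset + len(pat)))
    degree = len(covered) / len(seq) if seq else 0.0
    verdict = "normal" if hits and degree >= min_coverage else "abnormal"
    return verdict, degree, hits


# Constructed sequences under test.
NORMAL_SEQ = ("dhcp", "dns", "ntp", "dns", "tls_handshake", "mqtt_publish",
              "mqtt_publish", "heartbeat")
COUNTERFEIT_SEQ = ("dhcp", "dns", "ssh_login", "ssh_login", "scan_ports", "ntp")
PARTIAL_SEQ = ("dhcp", "dns", "ntp") + ("exfil",) * 5

if __name__ == "__main__":
    for name, seq in [("normal", NORMAL_SEQ), ("counterfeit", COUNTERFEIT_SEQ),
                      ("partial", PARTIAL_SEQ)]:
        verdict, degree, hits = detect(seq, FEATURE_LIBRARY)
        print(f"{name}: {verdict} (coverage {degree:.2f})")
        for offset, pat in hits:
            print(f"  offset {offset}: matched {' -> '.join(pat)}")
        if verdict == "abnormal":
            print("  ALARM: possible counterfeit terminal")
```

The third sequence is the case a pure "any match succeeds" rule gets wrong: it opens with a genuine library pattern at offset 0 and is still flagged, because only 3 of its 8 events are covered by known-normal behavior.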
Based on the embodiments of the application, a device portrait model is built that visually represents the device and its behavioral tendencies from the device's attributes and features; the difference between the network access behavior of a counterfeit terminal and that of a normal terminal is exploited, abnormal network access behavior is detected with a pattern matching algorithm, and counterfeit terminals can thereby be judged effectively.
It should be noted that while the operations of the disclosed methods are depicted in the drawings in a particular order, this does not require or imply that these operations must be performed in this particular order, or that all of the illustrated operations must be performed, to achieve desirable results. Rather, the steps depicted in the flowcharts may change the order of execution. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step execution, and/or one step broken down into multiple step executions.
According to the general inventive concept of the present application, embodiments of the present application further provide a system for detecting abnormal network access behavior based on device portraits.
Referring to fig. 4, fig. 4 is a schematic block diagram of a system for detecting abnormal network access behavior based on device portraits according to an embodiment of the present application. According to fig. 4, the system may include:
an information acquisition unit 101, configured to acquire network access behavior logs and attribute information of a large number of terminal devices;
a portrait model forming unit 102, configured to form a portrait model of the terminal device based on the attribute information and on the behavior information of the terminal device in the acquired network access behavior logs, where the portrait model comprises an attribute portrait and a behavior portrait of the terminal device;
an anomaly detection unit 103, configured to detect abnormal network access behavior based on a pattern matching algorithm and the portrait model of the terminal device.
Optionally, the information acquisition unit 101 may include the following modules:
a data processing module, configured to perform data cleaning and/or structuring on the acquired network access behavior logs and/or attribute information;
a portrait data acquisition module, configured to acquire portrait data of the terminal device from the cleaned and/or structured network access behavior logs and/or attribute information according to preset portrait data acquisition rules;
a portrait label extraction module, configured to extract portrait labels of the device from the acquired portrait data, where the portrait labels comprise device attribute labels and behavior labels.
Further optionally, the portrait data acquisition module includes a feature field information extraction module and a sampling module. The feature field information extraction module is configured to extract, from the cleaned and/or structured network access behavior logs and/or attribute information, the feature field information corresponding to preset feature fields; the sampling module is configured to sample the extracted feature field information, where at least one part of the sampled data is used as the training data set of the portrait model of the terminal device and at least another part is used as the test data set of that portrait model.
The portrait model forming unit is specifically configured to perform frequent sequence pattern mining on the training data set using the PrefixSpan sequence pattern mining algorithm, so as to form the portrait model of the terminal device.
It should be understood that the above system may be preset in the electronic device, and may also be loaded into the electronic device by downloading or the like. The corresponding modules in the above system may be implemented in cooperation with modules in the electronic device. The electronic device comprises a computer device that may include, for example, a processor and a memory storing computer program instructions.
For the system embodiment, since it basically corresponds to the method embodiment, reference may be made to the partial description of the method embodiment for relevant points. The above-described system embodiments are merely illustrative, in that the elements described as separate components may or may not be physically separate. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the disclosure. One of ordinary skill in the art can understand and implement it without inventive effort.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention.
It will be evident to those skilled in the art that the present application is not limited to the details of the foregoing illustrative embodiments, and that the present application may be embodied in other specific forms without departing from the spirit or essential attributes thereof. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the application being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned.

Claims (10)

1. An abnormal network access behavior detection method based on device portraits, characterized by comprising the following steps:
acquiring network access behavior logs and attribute information of a large number of terminal devices;
forming a portrait model of the terminal device based on the attribute information and on the behavior information of the terminal device in the acquired network access behavior logs, wherein the portrait model comprises an attribute portrait and a behavior portrait of the terminal device;
and detecting abnormal network access behavior based on a pattern matching algorithm and the portrait model of the terminal device.
2. The method according to claim 1, wherein the step of acquiring network access behavior logs and attribute information of a large number of terminal devices comprises:
performing data cleaning and/or structuring on the acquired network access behavior logs and/or attribute information;
acquiring portrait data of the terminal device from the cleaned and/or structured network access behavior logs and/or attribute information according to preset portrait data acquisition rules;
extracting portrait labels of the device from the acquired portrait data, wherein the portrait labels comprise device attribute labels and behavior labels.
3. The method of claim 2, wherein the portrait label of the device is represented by a vector in a feature space.
4. The abnormal network access behavior detection method according to claim 2, wherein the step of acquiring the portrait data of the terminal device from the cleaned and/or structured network access behavior logs and/or attribute information comprises:
extracting, from the cleaned and/or structured network access behavior logs and/or attribute information, the feature field information corresponding to preset feature fields;
sampling the extracted feature field information, wherein at least one part of the sampled data is used as a training data set of the portrait model of the terminal device and at least another part is used as a test data set of the portrait model of the terminal device;
and the step of forming the portrait model of the terminal device based on the attribute information and the behavior information of the terminal device in the acquired network access behavior logs comprises:
performing frequent sequence pattern mining on the training data set using the PrefixSpan sequence pattern mining algorithm to form the portrait model of the terminal device.
5. The method of detecting abnormal network access behavior of claim 1, wherein the pattern matching algorithm comprises an AC-BM algorithm.
6. The abnormal network access behavior detection method according to claim 1 or 5, wherein the step of detecting the abnormal network access behavior based on the pattern matching algorithm and the portrait model of the terminal device comprises:
extracting normal network access behavior information of the terminal equipment according to the portrait model of the terminal equipment;
and based on a pattern matching algorithm, performing pattern matching between the network access behavior information to be detected of the terminal device and the extracted normal network access behavior information; if the match succeeds, the network access behavior to be detected is judged to be normal behavior, and if not, the network access behavior to be detected is judged to be abnormal behavior.
7. The method according to claim 1, wherein the detected abnormal network access behavior comprises a point anomaly, a contextual anomaly and a collective anomaly.
8. An abnormal network access behavior detection system based on device portraits, comprising:
an information acquisition unit, configured to acquire network access behavior logs and attribute information of a large number of terminal devices;
a portrait model forming unit, configured to form a portrait model of the terminal device based on the attribute information and on the behavior information of the terminal device in the acquired network access behavior logs, wherein the portrait model comprises an attribute portrait and a behavior portrait of the terminal device;
and an anomaly detection unit, configured to detect abnormal network access behavior based on a pattern matching algorithm and the portrait model of the terminal device.
9. The system according to claim 8, wherein the information acquisition unit comprises:
a data processing module, configured to perform data cleaning and/or structuring on the acquired network access behavior logs and/or attribute information;
a portrait data acquisition module, configured to acquire portrait data of the terminal device from the cleaned and/or structured network access behavior logs and/or attribute information according to preset portrait data acquisition rules;
and a portrait label extraction module, configured to extract portrait labels of the device from the acquired portrait data, wherein the portrait labels comprise device attribute labels and behavior labels.
10. The system for detecting abnormal network access behavior according to claim 9, wherein the portrait data acquisition module comprises a feature field information extraction module and a sampling module; the feature field information extraction module is configured to extract, from the cleaned and/or structured network access behavior logs and/or attribute information, the feature field information corresponding to preset feature fields; the sampling module is configured to sample the extracted feature field information, wherein at least one part of the sampled data is used as a training data set of the portrait model of the terminal device and at least another part is used as a test data set of the portrait model of the terminal device;
and the portrait model forming unit is specifically configured to perform frequent sequence pattern mining on the training data set using the PrefixSpan sequence pattern mining algorithm to form the portrait model of the terminal device.
Application and family data

Application CN202011344793.0A, priority date 2020-11-25, filing date 2020-11-25, published as CN112491872A on 2021-03-12; legal status as listed: pending. Family ID 74934881; one family application (CN202011344793.0A); country: CN.

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107315810A (en) * 2017-06-27 2017-11-03 济南浪潮高新科技投资发展有限公司 A kind of internet of things equipment behavior portrait method
US20180293377A1 (en) * 2015-10-13 2018-10-11 Nec Corporation Suspicious behavior detection system, information-processing device, method, and program
CN111565390A (en) * 2020-07-16 2020-08-21 深圳市云盾科技有限公司 Internet of things equipment risk control method and system based on equipment portrait
CN111563190A (en) * 2020-04-07 2020-08-21 中国电子科技集团公司第二十九研究所 Multi-dimensional analysis and supervision method and system for user behaviors of regional network

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113157652A (en) * 2021-05-12 2021-07-23 中电福富信息科技有限公司 User line image and abnormal behavior detection method based on user operation audit
WO2022242524A1 (en) * 2021-05-19 2022-11-24 中兴通讯股份有限公司 Modeling method, network element data processing method and apparatus, electronic device, and medium
CN113055409A (en) * 2021-05-31 2021-06-29 杭州海康威视数字技术股份有限公司 Video Internet of things equipment portrait and anomaly detection method, device and system
CN113055409B (en) * 2021-05-31 2021-09-21 杭州海康威视数字技术股份有限公司 Video Internet of things equipment portrait and anomaly detection method, device and system
CN113705714A (en) * 2021-09-03 2021-11-26 上海观安信息技术股份有限公司 Power distribution Internet of things equipment abnormal behavior detection method and device based on behavior sequence
CN114039777A (en) * 2021-11-09 2022-02-11 国家工业信息安全发展研究中心 Intelligent threat perception method
CN114039777B (en) * 2021-11-09 2022-09-20 国家工业信息安全发展研究中心 Intelligent threat perception method
CN115801330A (en) * 2022-10-26 2023-03-14 国网天津市电力公司 Security attribute portrait construction method of power Internet of things terminal
CN115484266A (en) * 2022-11-14 2022-12-16 深圳市乙辰科技股份有限公司 Load balancing-based data distribution processing method and system and cloud platform
CN115484266B (en) * 2022-11-14 2023-03-24 深圳市乙辰科技股份有限公司 Load balancing-based data distribution processing method and system and cloud platform
CN116095683A (en) * 2023-04-11 2023-05-09 微网优联科技(成都)有限公司 Network security protection method and device for wireless router
CN117150403A (en) * 2023-08-22 2023-12-01 国网湖北省电力有限公司营销服务中心(计量中心) Decision node behavior anomaly detection method and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20210312