CN113452685B - Processing method, system, storage medium and electronic equipment for recognition rule - Google Patents

Publication number: CN113452685B
Authority: CN (China)
Prior art keywords: rule; identification; identification rule; abnormal; rules
Legal status: Active
Application number: CN202110690968.1A
Other languages: Chinese (zh)
Other versions: CN113452685A (en)
Inventor: 孙泽懿
Current Assignee: Shanghai Minglue Artificial Intelligence Group Co Ltd
Original Assignee: Shanghai Minglue Artificial Intelligence Group Co Ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425: Traffic logging, e.g. anomaly detection
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00: Pattern recognition
    • G06F18/20: Analysing
    • G06F18/22: Matching criteria, e.g. proximity measures
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00: Pattern recognition
    • G06F18/20: Analysing
    • G06F18/24: Classification techniques
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06N: COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00: Computing arrangements based on biological models
    • G06N3/02: Neural networks
    • G06N3/08: Learning methods

Abstract

The application discloses a processing method, a system, a storage medium and electronic equipment for identifying rules, wherein the processing method comprises the following steps: encoding: vectorizing and encoding the identified abnormal traffic; learning: obtaining a plurality of abnormal flow clusters by adopting unsupervised learning on the encoded abnormal flow; matching: matching an identification rule for each of the abnormal traffic in the abnormal traffic cluster; judging: judging the number of the identification rules of the abnormal traffic clusters and outputting a judgment result; the identification rule processing step: and identifying the identification rule according to the judging result to obtain an identification rule classification label. The invention provides a method system for automatically classifying and predicting a rule base, so that various rules can be managed and maintained more effectively.

Description

Processing method, system, storage medium and electronic equipment for recognition rule
Technical Field
The invention belongs to the field of recognition rule processing, and particularly relates to a recognition rule processing method, a recognition rule processing system, a storage medium and electronic equipment.
Background
Identification of abnormal advertising traffic relies mainly on experience-based rules. Such a rule-based system has the drawback that new cheating modes cannot be identified actively and in time: information must first be collected and fed back over a certain period and then summarized before new rules can be added.
Meanwhile, as the internet advertising industry develops, cheating and anti-cheating are becoming more common, so more and more recognition rules for abnormal traffic are introduced and used. The rule set in use grows ever more complex and is difficult to manage and classify uniformly, and manual labeling and classification is time-consuming, labor-intensive and inefficient.
Disclosure of Invention
The embodiment of the application provides a processing method, a system, a storage medium and electronic equipment for identification rules, which are used for at least solving the problem that the existing processing method for identification rules is low in efficiency.
The invention provides a process for identifying rules, which comprises the following steps:
encoding: vectorizing and encoding the identified abnormal traffic;
learning: obtaining a plurality of abnormal flow clusters by adopting unsupervised learning on the encoded abnormal flow;
matching: matching an identification rule for each of the abnormal traffic in the abnormal traffic cluster;
judging: judging the number of the identification rules of the abnormal traffic clusters and outputting a judgment result;
the identification rule processing step: and identifying the identification rule according to the judging result to obtain an identification rule classification label.
The processing method comprises the following steps:
when the judgment result is that the number of the identification rules is 1, identifying the identification rules to obtain the identification rule classification labels; and when the judging result is that the number of the identification rules is greater than 1, voting is carried out, the identification rule with the largest occurrence in the abnormal traffic cluster is selected, and the identification rule is identified to obtain the identification rule classification label.
The processing method further comprises the following steps:
and a prediction step: and predicting the newly generated abnormal flow through a prediction model to obtain a corresponding new recognition rule, and updating the existing rule base according to the new recognition rule.
The processing method, wherein the predicting step includes:
rule coding: coding the identification rule to obtain an identification rule coding result;
a common feature encoding step: coding the common characteristics of the abnormal traffic in each abnormal traffic cluster to obtain a common characteristic coding result;
a prediction model construction step: constructing a prediction model according to the identification rule coding result and the common characteristic coding result;
updating a rule base: and predicting the newly generated abnormal flow through the prediction model to obtain a new identification rule, decoding the new identification rule to obtain a corresponding rule description, and updating the existing rule base through the rule description.
The invention also provides a processing system for identifying the rule, which comprises:
the coding module is used for vectorizing and coding the identified abnormal traffic;
the learning module is used for acquiring a plurality of abnormal flow clusters by adopting unsupervised learning on the encoded abnormal flow;
the matching module matches the identification rule for each abnormal flow in the abnormal flow cluster;
the judging module judges the number of the identification rules of the abnormal flow clusters and outputs a judging result;
and the identification rule processing module is used for identifying the identification rule according to the judging result to obtain an identification rule classification label.
The processing system, wherein the recognition rule processing module includes:
when the judgment result is that the number of the identification rules is 1, identifying the identification rules to obtain the identification rule classification labels; and when the judging result is that the number of the identification rules is greater than 1, voting is carried out, the identification rule with the largest occurrence in the abnormal traffic cluster is selected, and the identification rule is identified to obtain the identification rule classification label.
The processing system further comprises:
and the prediction module predicts the newly generated abnormal flow through a prediction model to obtain a corresponding new identification rule, and updates the existing rule base according to the new identification rule.
The processing system above, wherein the prediction module includes:
the rule coding unit codes the identification rule to obtain an identification rule coding result;
the common feature coding unit codes the common features of the abnormal traffic in each abnormal traffic cluster to obtain a common feature coding result;
the prediction model construction unit is used for constructing a prediction model according to the identification rule coding result and the common characteristic coding result;
and the rule base updating unit predicts the newly generated abnormal flow through the prediction model to obtain a new identification rule, decodes the new identification rule to obtain corresponding rule description, and updates the existing rule base through the rule description.
The invention also provides an electronic device comprising a memory, a processor and a computer program stored on the memory and operable on the processor, wherein the processor implements any of the processing methods when executing the computer program.
The present invention also provides a storage medium having stored thereon a computer program, wherein the program when executed by a processor implements any of the processing methods described herein.
The invention has the beneficial effects that:
The invention belongs to the field of data mining in data capacity, and provides a method and system for automatically classifying and predicting a rule base so that various rules can be managed and maintained more effectively. The invention also provides a methodology for encoding and computing on rules, so that various rules can be computed and processed effectively in a more mathematical way.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute an undue limitation to the application.
In the drawings:
FIG. 1 is a flow chart of a method of processing an identification rule of the present invention;
FIG. 2 is a flow chart of substep S6 in FIG. 1;
FIG. 3 is a schematic diagram of the processing system of the recognition rules of the present invention;
fig. 4 is a frame diagram of an electronic device according to an embodiment of the invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described and illustrated below with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present application. All other embodiments, which can be made by one of ordinary skill in the art without undue burden on the person of ordinary skill in the art based on the embodiments provided herein, are intended to be within the scope of the present application.
It is apparent that the drawings in the following description are only some examples or embodiments of the present application, and it is possible for those of ordinary skill in the art to apply the present application to other similar situations according to these drawings without inventive effort. Moreover, it should be appreciated that while such a development effort might be complex and lengthy, it would nevertheless be a routine undertaking of design, fabrication, or manufacture for those of ordinary skill having the benefit of this disclosure, and thus should not be construed as indicating that this disclosure is insufficient.
Reference in the specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment may be included in at least one embodiment of the application. The appearances of such phrases in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is to be expressly and implicitly understood by those of ordinary skill in the art that the embodiments described herein can be combined with other embodiments without conflict.
Unless defined otherwise, technical or scientific terms used herein should be given the ordinary meaning as understood by one of ordinary skill in the art to which this application belongs. Reference to "a," "an," "the," and similar terms herein do not denote a limitation of quantity, but rather denote the singular or plural. The terms "comprising," "including," "having," and any variations thereof, are intended to cover a non-exclusive inclusion; for example, a process, method, system, article, or apparatus that comprises a list of steps or modules (elements) is not limited to only those steps or elements but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. The terms "connected," "coupled," and the like in this application are not limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. The term "plurality" as used herein refers to two or more. "and/or" describes an association relationship of an association object, meaning that there may be three relationships, e.g., "a and/or B" may mean: a exists alone, A and B exist together, and B exists alone. The character "/" generally indicates that the context-dependent object is an "or" relationship. The terms "first," "second," "third," and the like, as used herein, are merely distinguishing between similar objects and not representing a particular ordering of objects.
The present invention will be described in detail below with reference to the embodiments shown in the drawings, but it should be understood that the embodiments are not limited to the present invention, and functional, method, or structural equivalents and alternatives according to the embodiments are within the scope of protection of the present invention by those skilled in the art.
Before explaining the various embodiments of the invention in detail, the core inventive concepts of the invention are summarized and described in detail by the following examples.
Embodiment one:
the invention provides a processing method of identification rules, and aims to provide a method logic for automatically classifying labels of various existing and newly added abnormal flow identification rules, so that automatic classification management of complex rules can be further optimized.
Different rules identify different kinds of abnormal traffic. After the various kinds of abnormal traffic are vectorized, an unsupervised learning model is used to cluster them; the corresponding identification rules are then found for each resulting cluster and assembled into corresponding rule clusters, and expert judgment is then introduced for refinement. The specific steps are as follows:
referring to fig. 1, fig. 1 is a flowchart of a processing method for identifying a rule. As shown in fig. 1, the method for processing the identification rule of the present invention includes:
encoding step S1: vectorizing and encoding the identified abnormal traffic;
learning step S2: obtaining a plurality of abnormal flow clusters by adopting unsupervised learning on the encoded abnormal flow;
matching step S3: matching an identification rule for each of the abnormal traffic in the abnormal traffic cluster;
judging step S4: judging the number of the identification rules of the abnormal traffic clusters and outputting a judgment result;
the recognition rule processing step S5: identifying the identification rule according to the judging result to obtain an identification rule classification label;
wherein, the identifying rule processing step S5 includes:
when the judgment result is that the number of the identification rules is 1, identifying the identification rules to obtain the identification rule classification labels; and when the judging result is that the number of the identification rules is greater than 1, voting is carried out, the identification rule with the largest occurrence in the abnormal traffic cluster is selected, and the identification rule is identified to obtain the identification rule classification label.
Prediction step S6: and predicting the newly generated abnormal flow through a prediction model to obtain a corresponding new recognition rule, and updating the existing rule base according to the new recognition rule.
Referring to fig. 2, fig. 2 is a flowchart of the prediction step S6. As shown in fig. 2, the prediction step S6 of the present invention includes:
rule encoding step S61: coding the identification rule to obtain an identification rule coding result;
common feature encoding step S62: coding the common characteristics of the abnormal traffic in each abnormal traffic cluster to obtain a common characteristic coding result;
a prediction model construction step S63: constructing a prediction model according to the identification rule coding result and the common characteristic coding result;
rule base updating step S64: and predicting the newly generated abnormal flow through the prediction model to obtain a new identification rule, decoding the new identification rule to obtain a corresponding rule description, and updating the existing rule base through the rule description.
Specifically, the identified abnormal traffic is first vectorized and encoded;
then, unsupervised learning, such as clustering, is applied to the encoded abnormal traffic to form a plurality of abnormal traffic clusters;
then, the corresponding identification rule is found for each abnormal traffic item in each abnormal traffic cluster;
if a cluster has more than one corresponding rule, voting is carried out and the rule with the largest number of corresponding abnormal traffic items is selected;
if a cluster has only one corresponding rule, that rule is suitably encoded;
further, the common characteristics of the abnormal traffic of each cluster are encoded;
and then, with the rule coding result of each cluster as the model output and the common characteristics of the abnormal traffic of each cluster as the model input, a prediction model is established, trained and verified.
Selecting the rule with the largest number of corresponding abnormal traffic items completes the classification labeling of the rules used to identify existing abnormal traffic. When new abnormal traffic is identified (possibly by a non-rule-based identification system, for example a model-based identification method), the corresponding rule can be predicted using the model output by the eighth step; the predicted rule code is decoded into a rule description using a decoding method; and finally an expert checks and confirms the rule description and updates the rule base.
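The pipeline of Embodiment one (steps S1 to S6) can be sketched as follows. This is an added example, not code from the patent: the patent names neither the clustering algorithm nor the prediction model, so k-means and a nearest-centroid predictor are assumptions, and the traffic fields, rule identifiers and rule descriptions are constructed for illustration.

```python
import math
from collections import Counter

# Constructed sample of already-identified abnormal traffic:
# (requests_per_min, distinct_ads_clicked, session_seconds, device_type, rule_id)
# rule_id is the existing identification rule that flagged the record (hypothetical names).
RECORDS = [
    (300, 2, 5, "server", "R_HIGH_FREQ"),
    (280, 3, 4, "server", "R_HIGH_FREQ"),
    (310, 2, 6, "server", "R_DATACENTER_IP"),
    (290, 1, 5, "server", "R_HIGH_FREQ"),
    (12, 40, 600, "mobile", "R_CLICK_FARM"),
    (10, 38, 640, "mobile", "R_CLICK_FARM"),
    (11, 42, 580, "mobile", "R_CLICK_FARM"),
]
# Rule code -> rule description, used for the decoding step in S64 (constructed).
RULE_DESCRIPTIONS = {
    "R_HIGH_FREQ": "request rate far above human browsing speed",
    "R_DATACENTER_IP": "source address belongs to a hosting provider",
    "R_CLICK_FARM": "many different ads clicked in one long session",
}
DEVICE_TYPES = ["mobile", "server"]


def encode(record):
    """S1: vectorize one record (log-scaled numerics plus one-hot device type)."""
    rpm, ads, secs, dev = record[:4]
    onehot = [1.0 if dev == d else 0.0 for d in DEVICE_TYPES]
    return [math.log1p(rpm), math.log1p(ads), math.log1p(secs)] + onehot


def dist2(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))


def nearest(vector, centroids):
    return min(range(len(centroids)), key=lambda j: dist2(vector, centroids[j]))


def kmeans(vectors, k, iters=20):
    """S2: unsupervised clustering (k-means with deterministic farthest-point init)."""
    centroids = [vectors[0]]
    while len(centroids) < k:
        centroids.append(max(vectors, key=lambda v: min(dist2(v, c) for c in centroids)))
    for _ in range(iters):
        assign = [nearest(v, centroids) for v in vectors]
        updated = []
        for j in range(k):
            members = [v for v, a in zip(vectors, assign) if a == j]
            updated.append([sum(col) / len(members) for col in zip(*members)]
                           if members else centroids[j])
        if updated == centroids:
            break
        centroids = updated
    return [nearest(v, centroids) for v in vectors], centroids


def label_clusters(assign, records, review_below=0.8):
    """S3-S5: match each record's rule, count rules per cluster, vote if more than one."""
    labels = {}
    for cid in sorted(set(assign)):
        votes = Counter(r[4] for r, a in zip(records, assign) if a == cid)
        # Sort by count, then rule id, so a tied vote resolves deterministically.
        ranked = sorted(votes.items(), key=lambda kv: (-kv[1], kv[0]))
        rule, count = ranked[0]
        agreement = count / sum(votes.values())
        tie = len(ranked) > 1 and ranked[1][1] == count
        labels[cid] = {
            "rule": rule,
            "distinct_rules": len(votes),
            "agreement": agreement,
            # Weak or tied votes are the ones worth sending to expert review.
            "needs_review": tie or agreement < review_below,
        }
    return labels


def predict_rule(new_record, centroids, labels):
    """S6: predict the rule for new abnormal traffic and decode it to a description.

    The centroid stands in for the cluster's "common features" (an assumption).
    """
    cid = nearest(encode(new_record), centroids)
    rule = labels[cid]["rule"]
    return rule, RULE_DESCRIPTIONS[rule]


if __name__ == "__main__":
    assign, centroids = kmeans([encode(r) for r in RECORDS], k=2)
    labels = label_clusters(assign, RECORDS)
    for cid, info in labels.items():
        print(cid, info)
    print(predict_rule((295, 2, 5, "server"), centroids, labels))
```

The `needs_review` flag marks clusters whose vote was tied or weak, which is where the expert check described above matters most before the rule base is updated.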
Embodiment two:
referring to fig. 3, fig. 3 is a schematic structural diagram of a processing system for identifying rules according to the present invention. The processing system for identifying rules of the present invention as shown in fig. 3 includes:
the coding module is used for vectorizing and coding the identified abnormal traffic;
the learning module is used for acquiring a plurality of abnormal flow clusters by adopting unsupervised learning on the encoded abnormal flow;
the matching module matches the identification rule for each abnormal flow in the abnormal flow cluster;
the judging module judges the number of the identification rules of the abnormal flow clusters and outputs a judging result;
and the identification rule processing module is used for identifying the identification rule according to the judging result to obtain an identification rule classification label.
Wherein, the recognition rule processing module includes:
when the judgment result is that the number of the identification rules is 1, identifying the identification rules to obtain the identification rule classification labels; and when the judging result is that the number of the identification rules is greater than 1, voting is carried out, the identification rule with the largest occurrence in the abnormal traffic cluster is selected, and the identification rule is identified to obtain the identification rule classification label.
Wherein, still include:
and the prediction module predicts the newly generated abnormal flow through a prediction model to obtain a corresponding new identification rule, and updates the existing rule base according to the new identification rule.
Wherein the prediction module comprises:
the rule coding unit codes the identification rule to obtain an identification rule coding result;
the common feature coding unit codes the common features of the abnormal traffic in each abnormal traffic cluster to obtain a common feature coding result;
the prediction model construction unit is used for constructing a prediction model according to the identification rule coding result and the common characteristic coding result;
and the rule base updating unit predicts the newly generated abnormal flow through the prediction model to obtain a new identification rule, decodes the new identification rule to obtain corresponding rule description, and updates the existing rule base through the rule description.
Embodiment three:
referring to fig. 4, a specific implementation of an electronic device is disclosed in this embodiment. The electronic device may include a processor 81 and a memory 82 storing computer program instructions.
In particular, the processor 81 may include a Central Processing Unit (CPU), or an application specific integrated circuit (Application Specific Integrated Circuit, abbreviated as ASIC), or may be configured to implement one or more integrated circuits of embodiments of the present application.
Memory 82 may include, among other things, mass storage for data or instructions. By way of example, and not limitation, memory 82 may comprise a Hard Disk Drive (HDD), floppy Disk Drive, solid state Drive (Solid State Drive, SSD), flash memory, optical Disk, magneto-optical Disk, tape, or universal serial bus (Universal Serial Bus, USB) Drive, or a combination of two or more of the foregoing. The memory 82 may include removable or non-removable (or fixed) media, where appropriate. The memory 82 may be internal or external to the data processing apparatus, where appropriate. In a particular embodiment, the memory 82 is a Non-Volatile (Non-Volatile) memory. In a particular embodiment, the Memory 82 includes Read-Only Memory (ROM) and random access Memory (Random Access Memory, RAM). Where appropriate, the ROM may be a mask-programmed ROM, a programmable ROM (Programmable Read-Only Memory, abbreviated PROM), an erasable PROM (Erasable Programmable Read-Only Memory, abbreviated EPROM), an electrically erasable PROM (Electrically Erasable Programmable Read-Only Memory, abbreviated EEPROM), an electrically rewritable ROM (Electrically Alterable Read-Only Memory, abbreviated EAROM), or a FLASH Memory (FLASH), or a combination of two or more of these. The RAM may be Static Random-Access Memory (SRAM) or dynamic Random-Access Memory (Dynamic Random Access Memory, DRAM), where the DRAM may be a fast page mode dynamic Random-Access Memory (Fast Page Mode Dynamic Random Access Memory, FPMDRAM), extended data output dynamic Random-Access Memory (Extended Data Out Dynamic Random Access Memory, EDODRAM), synchronous dynamic Random-Access Memory (Synchronous Dynamic Random-Access Memory, SDRAM), or the like, as appropriate.
Memory 82 may be used to store or cache various data files that need to be processed and/or communicated, as well as possible computer program instructions for execution by processor 81.
The processor 81 reads and executes the computer program instructions stored in the memory 82 to implement any one of the processing methods of the identification rule in the above-described embodiments.
In some of these embodiments, the electronic device may also include a communication interface 83 and a bus 80. As shown in fig. 4, the processor 81, the memory 82, and the communication interface 83 are connected to each other through the bus 80 and perform communication with each other.
The communication interface 83 is used to implement communication between the various modules, devices, and/or units in embodiments of the present application. The communication interface 83 may also enable data communication with other components such as external equipment, image/data acquisition equipment, databases, external storage, and image/data processing workstations.
Bus 80 includes hardware, software, or both that couple components of the electronic device to one another. Bus 80 includes, but is not limited to, at least one of: data Bus (Data Bus), address Bus (Address Bus), control Bus (Control Bus), expansion Bus (Expansion Bus), local Bus (Local Bus). By way of example, and not limitation, bus 80 may include an Accelerated Graphics Port (AGP) or other graphics Bus, an enhanced industry standard architecture (Extended Industry Standard Architecture, abbreviated EISA) Bus, a Front Side Bus (FSB), a HyperTransport (HT) interconnect, an industry standard architecture (Industry Standard Architecture, ISA) Bus, an InfiniBand interconnect, a Low Pin Count (LPC) Bus, a memory Bus, a micro channel architecture (Micro Channel Architecture, abbreviated MCA) Bus, a peripheral component interconnect (Peripheral Component Interconnect, abbreviated PCI) Bus, a PCI-Express (PCI-X) Bus, a serial advanced technology attachment (Serial Advanced Technology Attachment, abbreviated SATA) Bus, a video electronics standards association local (Video Electronics Standards Association Local Bus, abbreviated VLB) Bus, or other suitable Bus, or a combination of two or more of the foregoing. Bus 80 may include one or more buses, where appropriate. Although embodiments of the present application describe and illustrate a particular bus, the present application contemplates any suitable bus or interconnect.
The electronic device may implement the method described in connection with fig. 1-2 based on the processing of the recognition rules.
In addition, in combination with the processing method of the identification rule in the above embodiment, the embodiment of the application may be implemented by providing a computer readable storage medium. The computer readable storage medium has stored thereon computer program instructions; the computer program instructions, when executed by a processor, implement a method of processing any of the identification rules of the above embodiments.
The technical features of the above-described embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above-described embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description.
In summary, the advertisement anti-fraud model adopted by this scheme is a multi-input, single-output model; features do not need to be constructed manually, the problems of vanishing and exploding gradients during model training can be effectively alleviated by a deep residual network, and various abnormal traffic types can be effectively identified.
The above examples merely represent a few embodiments of the present application, which are described in more detail and are not to be construed as limiting the scope of the invention. It should be noted that it would be apparent to those skilled in the art that various modifications and improvements could be made without departing from the spirit of the present application, which would be within the scope of the present application. The scope of the invention should, therefore, be determined with reference to the appended claims.

Claims (4)

1. A method of processing an identification rule, comprising:
an encoding step: vectorizing and encoding the identified abnormal traffic;
a learning step: obtaining a plurality of abnormal traffic clusters by applying unsupervised learning to the encoded abnormal traffic;
a matching step: matching an identification rule to each item of abnormal traffic in the abnormal traffic cluster;
a judging step: determining the number of identification rules of the abnormal traffic cluster and outputting a judgment result;
an identification rule processing step: labeling the identification rule according to the judgment result to obtain an identification rule classification label;
and a prediction step: predicting newly generated abnormal traffic through a prediction model to obtain a corresponding new identification rule, and updating the existing rule base according to the new identification rule;
wherein the identification rule processing step comprises:
when the judgment result is that the number of identification rules is 1, labeling the identification rule to obtain the identification rule classification label; when the judgment result is that the number of identification rules is greater than 1, voting is carried out, the identification rule that occurs most often in the abnormal traffic cluster is selected, and that identification rule is labeled to obtain the identification rule classification label;
and the prediction step comprises:
a rule encoding step: encoding the identification rule to obtain an identification rule encoding result;
a common feature encoding step: encoding the common features of the abnormal traffic in each abnormal traffic cluster to obtain a common feature encoding result;
a prediction model construction step: constructing a prediction model according to the identification rule encoding result and the common feature encoding result;
a rule base updating step: predicting the newly generated abnormal traffic through the prediction model to obtain a new identification rule, decoding the new identification rule to obtain a corresponding rule description, and updating the existing rule base with the rule description.
2. A processing system for an identification rule, comprising:
an encoding module, which vectorizes and encodes the identified abnormal traffic;
a learning module, which obtains a plurality of abnormal traffic clusters by applying unsupervised learning to the encoded abnormal traffic;
a matching module, which matches an identification rule to each item of abnormal traffic in the abnormal traffic cluster;
a judging module, which determines the number of identification rules of the abnormal traffic cluster and outputs a judgment result;
an identification rule processing module, which labels the identification rule according to the judgment result to obtain an identification rule classification label;
and a prediction module, which predicts newly generated abnormal traffic through a prediction model to obtain a corresponding new identification rule, and updates the existing rule base according to the new identification rule;
wherein, in the identification rule processing module:
when the judgment result is that the number of identification rules is 1, the identification rule is labeled to obtain the identification rule classification label; when the judgment result is that the number of identification rules is greater than 1, voting is carried out, the identification rule that occurs most often in the abnormal traffic cluster is selected, and that identification rule is labeled to obtain the identification rule classification label;
and the prediction module comprises:
a rule encoding unit, which encodes the identification rule to obtain an identification rule encoding result;
a common feature encoding unit, which encodes the common features of the abnormal traffic in each abnormal traffic cluster to obtain a common feature encoding result;
a prediction model construction unit, which constructs a prediction model according to the identification rule encoding result and the common feature encoding result;
and a rule base updating unit, which predicts the newly generated abnormal traffic through the prediction model to obtain a new identification rule, decodes the new identification rule to obtain a corresponding rule description, and updates the existing rule base with the rule description.
3. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the processing method of claim 1 when executing the computer program.
4. A storage medium having stored thereon a computer program which, when executed by a processor, implements the processing method of claim 1.
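
The encoding, learning, matching, judging and rule-labeling steps of claim 1, as an added Python example that is not part of the patent. The traffic records, field names and rule names are constructed, and the k-means clusterer and nearest-centroid predictor are assumptions standing in for the unsupervised learner and prediction model, which the claims do not specify.

```python
from collections import Counter
import math

# Constructed sample of already-flagged ad traffic, each with the rule that flagged it:
# ((clicks_per_min, distinct_ips, seconds_on_page), matched_rule)
TRAFFIC = [
    ((120, 1, 0.2), "high_click_rate"),
    ((110, 1, 0.3), "high_click_rate"),
    ((130, 2, 0.1), "zero_dwell"),
    ((125, 1, 0.9), "high_click_rate"),
    ((3, 40, 0.5), "ip_rotation"),
    ((4, 38, 0.4), "ip_rotation"),
    ((2, 45, 0.6), "ip_rotation"),
]

def encode(record, scale=(130.0, 45.0, 1.0)):
    """Encoding step: scale each field to roughly [0, 1] so distances are comparable."""
    return tuple(v / s for v, s in zip(record, scale))

def kmeans(vectors, k, rounds=10):
    """Learning step (assumed algorithm): k-means with evenly spaced, deterministic seeds."""
    centroids = [vectors[i * (len(vectors) - 1) // max(k - 1, 1)] for i in range(k)]
    for _ in range(rounds):
        assign = [min(range(k), key=lambda c: math.dist(v, centroids[c])) for v in vectors]
        for c in range(k):
            members = [v for v, a in zip(vectors, assign) if a == c]
            if members:  # keep the old centroid if a cluster empties
                centroids[c] = tuple(sum(x) / len(members) for x in zip(*members))
    return assign, centroids

def label_clusters(traffic, k=2):
    """Matching, judging and rule-processing steps: one classification label per cluster."""
    vectors = [encode(rec) for rec, _ in traffic]
    assign, centroids = kmeans(vectors, k)
    labels = {}
    for c in range(k):
        rules = Counter(rule for (_, rule), a in zip(traffic, assign) if a == c)
        if len(rules) == 1:      # exactly one rule in the cluster: use it directly
            labels[c] = next(iter(rules))
        elif rules:              # several rules: majority vote (ties: first seen wins)
            labels[c] = rules.most_common(1)[0][0]
    return labels, centroids

def predict_rule(record, labels, centroids):
    """Stand-in for the prediction step: rule of the nearest labeled cluster centroid."""
    v = encode(record)
    return labels[min(labels, key=lambda c: math.dist(v, centroids[c]))]
```

The claims do not say how a tied vote is resolved; the first-seen tie-break here is a choice of this example.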

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110690968.1A CN113452685B (en) 2021-06-22 2021-06-22 Processing method, system, storage medium and electronic equipment for recognition rule

Publications (2)

Publication Number Publication Date
CN113452685A CN113452685A (en) 2021-09-28
CN113452685B CN113452685B (en) 2024-04-09

Family

ID=77812100

Country Status (1)

Country Link
CN (1) CN113452685B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant