CN114244611B - Abnormal attack detection method, device, equipment and storage medium - Google Patents


Publication number
CN114244611B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202111554213.5A
Other languages
Chinese (zh)
Other versions
CN114244611A (en
Inventor
罗振珊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ping An Property and Casualty Insurance Company of China Ltd
Original Assignee
Ping An Property and Casualty Insurance Company of China Ltd
Application filed by Ping An Property and Casualty Insurance Company of China Ltd
Priority to CN202111554213.5A
Publication of CN114244611A
Application granted
Publication of CN114244611B


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/142 Network analysis or design using statistical or mathematical methods
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/16 Threshold monitoring
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • Algebra (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Analysis (AREA)
  • Mathematical Optimization (AREA)
  • Mathematical Physics (AREA)
  • Probability & Statistics with Applications (AREA)
  • Pure & Applied Mathematics (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

An embodiment of the application provides an abnormal attack detection method, device, equipment and storage medium, relating to the technical field of artificial intelligence. The method comprises: invoking an anomaly detection model to perform anomaly detection on target identification information to obtain a first anomaly detection result; performing statistical analysis on the vehicle insurance log information within a preset detection time window to determine a second anomaly detection result; and determining a target anomaly detection result based on the first anomaly detection result and the second anomaly detection result. Because the first anomaly detection result is determined from the target identification information and the second anomaly detection result is determined from the vehicle insurance log information, the target anomaly detection result determined from both is more accurate, and crawler attack behavior in the vehicle insurance service can be accurately identified. The application may involve blockchain techniques, such as writing the target anomaly detection result to a blockchain.

Description

Abnormal attack detection method, device, equipment and storage medium
Technical Field
The present application relates to the field of data processing technologies, and in particular, to a method, an apparatus, a device, and a storage medium for detecting an abnormal attack.
Background
With the development of internet technology, competition among peers in the vehicle insurance industry keeps increasing. Acquiring the quotation data of other merchants through crawler attacks is a main means of such competition. To ensure the security of vehicle insurance business data, how to accurately identify crawler attack behavior in the vehicle insurance service, so that anti-crawler processing can be performed, is a problem to be solved urgently.
Disclosure of Invention
The embodiments of the application provide an abnormal attack detection method, device, equipment and storage medium. The first anomaly detection result can be determined based on the target identification information, and the second anomaly detection result can be determined based on the vehicle insurance log information, so that the target anomaly detection result determined from the first and second anomaly detection results is more accurate, and abnormal attack behavior (namely crawler attack behavior) in the vehicle insurance service can be accurately identified.
In a first aspect, an embodiment of the present application provides an abnormal attack detection method, which includes:
acquiring target identification information corresponding to a target account, and invoking an anomaly detection model to perform anomaly detection on the target identification information to obtain a first anomaly detection result;
acquiring the vehicle insurance log information of the target account within a preset detection time window, and performing statistical analysis on the vehicle insurance log information within the preset detection time window to obtain statistical information within the preset detection time window;
determining a second anomaly detection result according to the statistical information within the preset detection time window and a reference threshold;
determining a target anomaly detection result based on the first anomaly detection result and the second anomaly detection result.
In a second aspect, an embodiment of the present application provides an abnormal attack detection device, including:
an anomaly detection unit, configured to acquire target identification information corresponding to a target account, and invoke an anomaly detection model to perform anomaly detection on the target identification information to obtain a first anomaly detection result;
a statistical analysis unit, configured to acquire the vehicle insurance log information of the target account within a preset detection time window, and perform statistical analysis on the vehicle insurance log information within the preset detection time window to obtain statistical information within the preset detection time window;
a determining unit, configured to determine a second anomaly detection result according to the statistical information within the preset detection time window and a reference threshold;
the determining unit being further configured to determine a target anomaly detection result based on the first anomaly detection result and the second anomaly detection result.
In a third aspect, an embodiment of the present application further provides an abnormal attack detection device, including an input interface and an output interface, where the abnormal attack detection device further includes:
a processor adapted to implement one or more instructions; and
a computer storage medium storing one or more instructions adapted to be loaded by the processor to perform the method of the first aspect.
In a fourth aspect, embodiments of the present application also provide a computer readable storage medium storing computer program instructions which, when executed by a processor, perform the method of the first aspect.
In the embodiments of the application, the abnormal attack detection device can perform anomaly detection on the target identification information based on the anomaly detection model to obtain a first anomaly detection result, perform statistical analysis on the vehicle insurance log information within the preset detection time window to obtain statistical information within that window, and determine a second anomaly detection result according to that statistical information and the reference threshold. When identifying crawler attack behavior against vehicle insurance business data, the abnormal attack detection device considers both the anomaly corresponding to the target identification information and the anomaly corresponding to the vehicle insurance log information, so the target anomaly detection result determined from the first and second anomaly detection results is more accurate. That is, the crawler attack behavior indicated by the target anomaly detection result is more accurate, and the anti-crawler strategy executed based on the target anomaly detection result is accurate as well. Crawler attack behavior in the vehicle insurance service can thus be accurately identified so that anti-crawler processing can be performed.
Drawings
In order to more clearly illustrate the embodiments of the application or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic diagram of an architecture of a vehicle insurance service system according to an embodiment of the present application;
Fig. 2 is a schematic flow chart of a method for detecting an abnormal attack according to an embodiment of the present application;
Fig. 3 is a schematic flow chart of a preprocessing provided by an embodiment of the present application;
Fig. 4 is a flowchart of another method for detecting an abnormal attack according to an embodiment of the present application;
Fig. 5 is a schematic structural diagram of an apparatus for detecting an abnormal attack according to an embodiment of the present application;
Fig. 6 is a schematic structural diagram of an apparatus for detecting an abnormal attack according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
In today's big data age, data has become one of the core assets of enterprises. With the increasing demand for various kinds of enterprise network data, malicious crawler attacks are also rapidly increasing. A crawler attack uses crawler technology to illegally crawl unauthorized platform data; a large number of crawler attacks not only affects access by normal users but also poses a great threat to enterprises. For the vehicle insurance industry, vehicle insurance business data can be maliciously stolen. To ensure the security of vehicle insurance business data, how to accurately identify crawler attack behavior in the vehicle insurance service, so that anti-crawler processing can be performed, is a problem to be solved urgently.
Based on the above, the embodiments of the application provide an abnormal attack detection method, in which an abnormal attack detection device can acquire target identification information corresponding to a target account and invoke an anomaly detection model to perform anomaly detection on the target identification information to obtain a first anomaly detection result; acquire the vehicle insurance log information of the target account within a preset detection time window and perform statistical analysis on it to obtain statistical information within the preset detection time window; determine a second anomaly detection result according to the statistical information within the preset detection time window and a reference threshold; and determine a target anomaly detection result based on the first anomaly detection result and the second anomaly detection result. The first anomaly detection result can be determined based on the target identification information, and the second anomaly detection result can be determined based on the vehicle insurance log information, so that the target anomaly detection result determined from both is more accurate, and abnormal attack behavior (namely crawler attack behavior) in the vehicle insurance service can be accurately identified.
It should be noted that, the anomaly detection model mentioned in the present application may be constructed based on a machine learning algorithm in artificial intelligence (Artificial Intelligence, AI) technology. Wherein artificial intelligence is the intelligence of simulating, extending and expanding a person using a digital computer or a machine controlled by a digital computer, sensing the environment, obtaining knowledge, and using knowledge to obtain optimal results. Artificial intelligence infrastructure technologies generally include technologies such as sensors, dedicated artificial intelligence chips, cloud computing, distributed storage, big data processing technologies, operation/interaction systems, mechatronics, and the like. The artificial intelligence software technology mainly comprises a computer vision technology, a robot technology, a biological recognition technology, a voice processing technology, a natural language processing technology, machine learning/deep learning and other directions.
In one embodiment, the abnormal attack detection method provided by the application can be applied to a vehicle insurance service system. As shown in Fig. 1, the vehicle insurance service system may include at least an abnormal attack detection device 11 and a data storage device 12. The abnormal attack detection device 11 may be a device having data processing capability, and may execute the abnormal attack detection method mentioned in the embodiments of the present application. As shown in Fig. 1, the abnormal attack detection device may be a terminal device, which may include, but is not limited to: smart phones, tablet computers, laptop computers, wearable devices, desktop computers, and the like. It should be noted that the abnormal attack detection device may also be a server, where the server may be an independent physical server, a server cluster or distributed system formed by a plurality of physical servers, or a cloud server that provides basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, a content delivery network (Content Delivery Network, CDN), and big data and artificial intelligence platforms. The data storage device 12 may be any device having a data storage function, and may be used to store vehicle insurance business data. As shown in Fig. 1, the data storage device 12 may be a server; in other embodiments, the data storage device 12 may be another device, such as a disk.
Based on the above description, the abnormality attack detection method of the embodiment of the present application is explained in detail below. Referring to fig. 2, fig. 2 shows a flow chart of a method for detecting an abnormal attack. As shown in fig. 2, the abnormal attack detection method includes S201 to S204:
S201: Acquire target identification information corresponding to the target account, and invoke an anomaly detection model to perform anomaly detection on the target identification information to obtain a first anomaly detection result.
The identification information may be used to identify the target account and may include, but is not limited to, a login account and/or a device identifier. The login account may be the login account of the target account in the vehicle insurance service system, and may include, but is not limited to, one or more of a user ID number, a mobile phone number, an identification card number, and a mailbox address. The device identifier may be the identifier of the device that the target account uses to log in to the vehicle insurance service system, and may include, but is not limited to, one or more of an IP address, a MAC address, and a device fingerprint generated according to the IP address and/or the MAC address.
Optionally, the abnormal attack detection device may acquire the target identification information corresponding to the target account from a database of the data storage device. The database may store identification information within the vehicle insurance service system; for example, the data storage device is deployed with a Kafka platform, and the database within the Kafka platform may store identification information within the vehicle insurance service system. Specifically, a data collection component (such as a Rate SDK) can be integrated in the vehicle insurance service system; when a user logs in to the vehicle insurance service system through an account, the data collection component can be called to collect the corresponding identification information, and the identification information is stored in the database.
In one embodiment, the anomaly detection model may include a classification task, and invoking the anomaly detection model to perform anomaly detection on the target identification information to obtain a first anomaly detection result includes: acquiring a vector expression corresponding to the target identification information, invoking the anomaly detection model to classify the vector expression, determining the target identification subset to which the vector expression belongs, and taking the anomaly type indicated by the target identification subset as the first anomaly detection result.
The anomaly type may take various forms. For example, the anomaly types include: abnormal attack present and no abnormal attack. For another example, the anomaly types include: high-risk abnormal attack, general abnormal attack, no abnormal attack, and so on. The application is not limited in this regard. It should be noted that the anomaly type mentioned in the present application may correspond to crawler attack behavior; for example, the presence of an abnormal attack may refer to the presence of crawler attack behavior, and no abnormal attack may refer to the absence of crawler attack behavior. For another example, a high-risk abnormal attack may refer to severe crawler attack behavior, a general abnormal attack may refer to suspicious crawler attack behavior, no abnormal attack may refer to the absence of crawler attack behavior, and so on.
Optionally, the abnormal attack detection device may use an encoding method to separately encode the target login account and the target device identifier included in the target identification information, constructing a first sub-vector corresponding to the target login account and a second sub-vector corresponding to the target device identifier. Feature extraction is then performed on the first sub-vector and the second sub-vector to obtain the vector expression corresponding to the target identification information.
The present application does not limit the encoding method, which may be one-hot encoding (One-Hot Encoding), embedding encoding, label encoding (Label Encoding), target encoding (Target Encoding), and the like.
The first sub-vector and the second sub-vector can be processed by a feature extraction layer to obtain the vector expression corresponding to the target identification information. The feature extraction layer may include a concatenation unit and a crossing unit. The concatenation unit splices the first sub-vector and the second sub-vector to obtain a spliced vector. The crossing unit processes the spliced vector based on a cross-feature algorithm (such as the FM algorithm) to obtain a cross vector, which can be used as the vector expression corresponding to the target identification information. Because the feature extraction layer comprises both a concatenation unit and a crossing unit, the vector expression it produces for the target identification information is more accurate and comprehensive.
In one embodiment, before invoking the anomaly detection model to classify the vector expression corresponding to the target identification information and determining the target identification subset to which the vector expression belongs, a plurality of sample identification subsets, among which the target identification subset is found, are further determined. This includes: acquiring a sample identification set, performing vector conversion on each piece of sample identification information in the sample identification set, and determining the sample vector corresponding to each piece of sample identification information; and classifying the sample identification set according to the sample vectors to obtain sample identification subsets under different categories, where the sample vectors corresponding to the sample identification information in the sample identification subset under one category correspond to one candidate anomaly type.
It should be noted that, for the specific implementation of the vector conversion of each piece of sample identification information in the sample identification set, reference may be made to the related embodiment of vector conversion for the target identification information, which is not repeated here.
The classification task in the anomaly detection model may be trained with a machine learning algorithm, which may include, but is not limited to, one or more of the Decision Tree (DT) algorithm, the Rocchio algorithm, the extreme gradient boosting (eXtreme Gradient Boosting, XGBoost) algorithm, the naive Bayes (NB) algorithm, the linear discriminant analysis (Linear Discriminant Analysis, LDA) algorithm, the support vector machine (Support Vector Machine, SVM) algorithm, the random forest (Random Forest, RF) algorithm, and the logistic regression (Logistic Regression, LR) algorithm.
S202: acquiring the vehicle insurance log information of the target account in a preset detection time window, and carrying out statistical analysis on the vehicle insurance log information in the preset detection time window to obtain statistical information in the preset detection time window.
Optionally, the acquiring the vehicle insurance journal information of the target account in the preset detection time window specifically includes: the method comprises the steps of obtaining initial log information of a target account in a preset detection time window, preprocessing the initial log information of the target account in the preset detection time window, and obtaining vehicle insurance log information of the target account in the preset detection time window. As shown in fig. 3, fig. 3 shows a schematic flow chart of preprocessing, specifically, the abnormal attack detection device may perform data screening on initial log information of the target account in a preset detection time window, and perform data cleaning to obtain vehicle risk log information of the target account in the preset detection time window.
Data screening: the vehicle insurance log information acquired by the embodiment of the application is log information which is helpful for acquiring statistical information, namely the vehicle insurance log information acquired by the embodiment of the application is vehicle insurance log information related to a vehicle insurance business system and is of a specific type. However, the initial log information obtained by the abnormal attack detection apparatus may include log information not belonging to the specific type described above. Such as a boot log, etc. The abnormal attack detection device needs to screen out the vehicle risk log information from the initial log information.
Data cleaning: aiming at the car insurance log information, the data cleaning is mainly used for cleaning useless information. For example, the abnormality attack-detection-device may clear a special symbol (e.g., ' # ', ' < ' > ', ' and @ ', ' - | ',' (', ') ', ' x ',' _ ' etc.), and for example, the abnormality attack-detection-device may clear format information (e.g., digital format, english format, etc.).
Alternatively, the data screening and data cleaning processes described above may be implemented through a flink platform. The flink platform is an open source stream processing framework developed by the Apache software foundation, can execute data stream programs in a data parallel and pipeline mode by utilizing a distributed data stream engine written by Java and Scala, and can execute batch processing and data stream processing programs in a pipeline mode to screen and clean real-time initial log information.
Optionally, the abnormal attack detection device may acquire initial log information of the target account number in a preset time window from the database. For example, a database within the KafKa platform may store initial log information. Specifically, each service system can send log information to the kafKa platform in a continuous flow mode through syslog service, and initial log information corresponding to the target account number can be obtained through the kafKa platform in a preset detection time window. The log information is stored through the KafKa platform, can be multiplexed, can be applied to other analysis scenes, and can save storage resources.
Alternatively, the format of the vehicle insurance log information may include, but is not limited to, csv, log, txt, or the like. The vehicle insurance log information may include inquiry time and vehicle identification information for each inquiry of the vehicle insurance resource. Wherein the vehicle identification information may be used to query the vehicle insurance resource, including, but not limited to, one or more of license plate number, frame number, and engine number.
In one embodiment, performing statistical analysis on the vehicle insurance log information in the preset detection time window, and obtaining the statistical information in the preset detection time window includes: acquiring vehicle identification information for inquiring vehicle insurance resources from the vehicle insurance log information, counting the number of the vehicle identification information in a preset detection time window, and taking the number of the vehicle identification information as the statistical information.
In the embodiment of the application, the vehicle insurance log information belongs to a detection time window. The vehicle insurance log information in any detection time window is the vehicle insurance log information of which the inquiry time for inquiring the vehicle insurance resource belongs to any detection time window. Wherein the detection time window has a fixed window width. Alternatively, the preset detection time window may be a detection time window including the vehicle risk log information newly generated before S202 is performed, that is, the latest detection time window.
For example, the window width of each detection time window is 4 minutes. The abnormal attack detection device extracts 7 pieces of vehicle insurance log information, namely vehicle insurance log information 1 to vehicle insurance log information 7. The inquiry time for querying the vehicle insurance resource is time 1 (9:01:00) in vehicle insurance log information 1, time 2 (9:03:00) in vehicle insurance log information 2, time 3 (9:05:00) in vehicle insurance log information 3, time 4 (9:06:00) in vehicle insurance log information 4, time 5 (9:08:00) in vehicle insurance log information 5, time 6 (9:09:00) in vehicle insurance log information 6, and time 7 (9:10:00) in vehicle insurance log information 7. Detection time window 1 corresponds to 9:01:00-9:04:00, detection time window 2 corresponds to 9:04:01-9:08:00, and detection time window 3 corresponds to 9:08:01-9:12:00. Inquiry time 1 to inquiry time 3 in vehicle insurance log information 1 to vehicle insurance log information 3 belong to detection time window 1, inquiry time 4 to inquiry time 5 in vehicle insurance log information 4 to vehicle insurance log information 5 belong to detection time window 2, and inquiry time 6 to inquiry time 7 in vehicle insurance log information 6 to vehicle insurance log information 7 belong to detection time window 3. Therefore, detection time window 1 includes vehicle insurance log information 1 to vehicle insurance log information 3, detection time window 2 includes vehicle insurance log information 4 to vehicle insurance log information 5, and detection time window 3 includes vehicle insurance log information 5 to vehicle insurance log information 7.
In the embodiment of the present application, the statistical information corresponding to the preset detection time window may include the number of pieces of vehicle identification information in the preset detection time window. Examples are the number of different license plate numbers, the number of different frame numbers, or the number of different vehicle engine numbers used to query the vehicle insurance resource within the preset detection time window, and so on.
S203: Determine a second abnormality detection result according to the statistical information in the preset detection time window and the reference threshold.
In one embodiment, the abnormal attack detection device may compare the statistical information in the preset detection time window with the reference threshold. When the statistical information in the preset detection time window is greater than the reference threshold, the second abnormality detection result is determined to be of a first type. When the statistical information in the preset detection time window is less than or equal to the reference threshold, the second abnormality detection result is determined to be of a second type. The first type and the second type may be set according to experience and service requirements. For example, the first type may be set to "abnormal attack" and the second type to "no abnormal attack". As another example, the first type may be set to "high-risk abnormality" and the second type to "no abnormal attack", and so on.
The reference threshold may be determined based on population characteristics. Optionally, the reference threshold may be determined based on JStorm. JStorm is a system similar to Hadoop MapReduce. From an application perspective, a JStorm application is a distributed application that complies with a certain programming specification. From a system perspective, JStorm is a scheduling system resembling MapReduce. From a data perspective, it is a pipeline-based message processing mechanism. Using JStorm to analyze the vehicle insurance log information of all user accounts in the vehicle insurance service system makes the analysis real-time and efficient. JStorm can determine population characteristics within a preset detection time window, for example the number of pieces of vehicle identification information used by the population in the preset detection time window. For example, if eighty percent of the population uses 5 or fewer pieces of vehicle identification information when querying the vehicle insurance resource within the preset detection time window, then 5 may be used as the reference threshold. A reference threshold determined from population data is more representative, so the second abnormality detection result determined based on it is more accurate.
S204: Determine a target abnormality detection result based on the first abnormality detection result and the second abnormality detection result.
In one embodiment, the attention weight of the first abnormality detection result and the attention weight of the second abnormality detection result may be acquired, attention processing may be performed on the first abnormality detection result and the second abnormality detection result based on the attention weight of the first abnormality detection result and the attention weight of the second abnormality detection result, and the target abnormality detection result may be determined.
Attention processing means focusing on the more important feature based on the attention weights. When the first abnormality detection result is more important, its attention weight may be set greater than the attention weight of the second abnormality detection result. When the second abnormality detection result is more important, its attention weight may be set greater than the attention weight of the first abnormality detection result.
In another embodiment, an OR operation may be performed on the first abnormality detection result and the second abnormality detection result to obtain the target abnormality detection result. For example, when the first abnormality detection result or the second abnormality detection result indicates an abnormal attack, the target abnormality detection result is an abnormal attack.
Further, the target abnormality detection result may be divided into more levels by performing an AND operation on the first abnormality detection result and the second abnormality detection result. For example, when the first abnormality detection result has two types (abnormal attack and no abnormal attack) and the second abnormality detection result has two types (abnormal attack and no abnormal attack), the target abnormality detection result may be divided into three types (high-risk abnormal attack, general abnormal attack, and no abnormal attack). When both the first abnormality detection result and the second abnormality detection result are abnormal attacks, the target abnormality detection result may be determined to be a high-risk abnormal attack. When one of the first abnormality detection result and the second abnormality detection result is no abnormal attack, the target abnormality detection result may be determined to be a general abnormal attack. When both the first abnormality detection result and the second abnormality detection result are no abnormal attack, the target abnormality detection result may be determined to be no abnormal attack.
In one embodiment, after determining the target abnormality detection result, the abnormal attack detection device may execute an anti-crawler policy based on the target abnormality detection result. The anti-crawler policy includes, but is not limited to, blacklisting the target account or restricting the target access behavior of the target account. Different abnormality detection results may correspond to different anti-crawler policies. For example, when the target abnormality detection result of the target account is a high-risk abnormal attack, the target account may be blacklisted directly. When the target abnormality detection result of the target account is a general abnormal attack, the target account's behavior of querying the vehicle insurance resource may be restricted.
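The windowed count of S202, the population-based reference threshold of S203, and the three-level combination and policy mapping of S204 can be sketched as follows. This is an added example, not code from the patent: the log line format, account names, policy names, half-open window boundaries, the nearest-rank percentile, and the set of flagged accounts standing in for the first abnormality detection result are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=4)            # fixed window width, as in the page's example
ORIGIN = datetime(2021, 12, 17, 9, 0)    # constructed start of window 0

# Hypothetical policy names for the three target result levels.
POLICY = {"high_risk_attack": "blacklist_account",
          "general_attack": "restrict_queries",
          "no_attack": "allow"}


def build_sample_log():
    """Constructed log lines: 'ISO-timestamp account vehicle_id'."""
    queries_per_account = {"a1": 1, "a2": 1, "a3": 2, "a4": 2, "a5": 2,
                           "a6": 3, "a7": 3, "a8": 3, "c1": 9, "c2": 7}
    lines = []
    for account, n in queries_per_account.items():
        for i in range(n):
            ts = ORIGIN + timedelta(seconds=20 * i)
            lines.append(f"{ts.isoformat()} {account} PLATE-{account}-{i}")
    # Repeating a plate must not raise the distinct count for a2.
    lines.append(f"{(ORIGIN + timedelta(seconds=90)).isoformat()} a2 PLATE-a2-0")
    # A query in the next window must not leak into window 0.
    lines.append(f"{(ORIGIN + timedelta(minutes=5)).isoformat()} c1 PLATE-c1-99")
    return lines


def distinct_counts(lines):
    """Map window index -> account -> number of distinct vehicle identifiers."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in lines:
        ts_text, account, vehicle_id = line.split()
        window = (datetime.fromisoformat(ts_text) - ORIGIN) // WINDOW
        seen[window][account].add(vehicle_id)
    return {w: {a: len(ids) for a, ids in accounts.items()}
            for w, accounts in seen.items()}


def reference_threshold(counts, percent=80):
    """Nearest-rank percentile of the population's per-account counts."""
    ordered = sorted(counts.values())
    rank = -(-len(ordered) * percent // 100)   # ceil(n * percent / 100)
    return ordered[max(rank, 1) - 1]


def second_result(count, threshold):
    """S203: abnormal only when the count is strictly above the threshold."""
    return count > threshold


def target_result(first_abnormal, second_abnormal):
    """S204, three-level variant: both, exactly one, or neither result abnormal."""
    hits = int(first_abnormal) + int(second_abnormal)
    return ("no_attack", "general_attack", "high_risk_attack")[hits]


def evaluate_window(lines, window, flagged_accounts):
    """Return (threshold, {account: (count, target result, policy)}) for one window.

    flagged_accounts stands in for the first abnormality detection result.
    """
    counts = distinct_counts(lines).get(window, {})
    if not counts:
        return None, {}
    threshold = reference_threshold(counts)
    verdicts = {}
    for account, count in counts.items():
        result = target_result(account in flagged_accounts,
                               second_result(count, threshold))
        verdicts[account] = (count, result, POLICY[result])
    return threshold, verdicts


if __name__ == "__main__":
    threshold, verdicts = evaluate_window(build_sample_log(), 0, {"c1", "a1"})
    print("reference threshold:", threshold)
    for account, verdict in sorted(verdicts.items()):
        print(account, verdict)
```

Because the threshold is taken from the same population that contains the high-volume accounts, a window in which more than twenty percent of accounts are crawlers raises the threshold itself; computing it over a longer baseline is one way to limit that effect.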
Furthermore, the target abnormality detection result corresponding to the target account can be stored as evidence to facilitate subsequent data analysis. For example, the abnormal attack detection device may upload the target abnormality detection result corresponding to the target account to a blockchain network. Specifically, the abnormal attack detection device may upload the target abnormality detection result corresponding to the target account to a consensus node in the blockchain network. The consensus node performs consensus verification on the target abnormality detection result and, if the consensus verification passes, encapsulates the target abnormality detection result into a block and transmits the block to the blockchain network.
A blockchain is a chained data structure in which data blocks are connected sequentially in time order, with cryptography ensuring that the data cannot be tampered with or forged. Multiple independent distributed nodes maintain the same record. Blockchain technology enables decentralization and has become a cornerstone for trusted storage, transfer, and transaction of digital assets.
In the embodiment of the application, the anomaly attack detection device can perform anomaly detection on the target identification information based on the anomaly detection model to obtain a first anomaly detection result, perform statistical analysis on the vehicle insurance log information in the preset detection time window to obtain statistical information in the preset detection time window, and determine a second anomaly detection result according to the statistical information in the preset detection time window and the reference threshold. When identifying crawler attack behavior against vehicle insurance business data, the anomaly attack detection device considers both the anomaly corresponding to the target identification information and the anomaly corresponding to the vehicle insurance log information, so the target anomaly detection result determined based on the first anomaly detection result and the second anomaly detection result is more accurate. That is, the crawler attack behavior indicated by the target anomaly detection result is more accurate, and the anti-crawler policy executed based on the target anomaly detection result is also accurate. Crawler attack behavior in the vehicle insurance business can thus be accurately identified so that anti-crawler processing can be performed.
Referring to the related description of the embodiment of the method shown in fig. 2, the anomaly detection model includes a classification task, and the anomaly detection model may be called to classify the vector expression corresponding to the target identification information, so as to obtain a first anomaly detection result. Referring to fig. 4, fig. 4 shows a flow chart of another anomaly attack detection method. As shown in fig. 4, the abnormal attack detection method may include S401 to S403:
S401: Acquire a list, and search the list for the reference anomaly type corresponding to the target login account.
The list indicates the association between login accounts and anomaly types. Optionally, when the anomaly types include abnormal attack and no abnormal attack, the list may be a blacklist that includes a plurality of login accounts whose anomaly type is abnormal attack. Determining the reference anomaly type according to the list and the target login account comprises: matching the target login account against each login account in the blacklist; when the matching succeeds, determining that the reference anomaly type is abnormal attack; and when the matching fails, determining that the reference anomaly type is no abnormal attack.
Similarly, the list may be a whitelist that includes a plurality of login accounts whose anomaly type is no abnormal attack. Determining the reference anomaly type according to the list and the target login account comprises: matching the target login account against each login account in the whitelist; when the matching succeeds, determining that the reference anomaly type is no abnormal attack; and when the matching fails, determining that the reference anomaly type is abnormal attack.
Optionally, the relationship between the login account and the anomaly type may also be directly indicated in the list. For example, the list may include a login account list item and an anomaly type list item, where the login account list item is used to store a login account, the anomaly type list item is used to store an anomaly type, the login account is stored at a first location of the login account list item, and the anomaly type is stored at a location corresponding to the first location in the anomaly type list item. Determining the reference anomaly type according to the list and the target login account comprises the following steps: searching a target login account in a login account list item of a list, determining a target position of the target login account in the login account list item, and determining an abnormal type stored in a position corresponding to the target position in the abnormal type list item as a reference abnormal type.
S402: Acquire historical behavior data of the target account from the target device indicated by the target device identifier, call the anomaly detection model to perform tag identification processing on the historical behavior data, and determine a reference anomaly tag.
The target device indicated by the target device identifier may be the device on which the target user logs in to the target account. The target device may be determined according to the target device identifier, and historical behavior data of the target account may be obtained from the target device. The historical behavior data may include, but is not limited to, one or more of: upload/download data of the target device, system update data of the target device, and battery data of the target device.
The anomaly detection model comprises a tag identification task, and the tag identification task can be used for carrying out tag identification processing on historical behavior data to determine a reference anomaly tag. Specifically, feature extraction can be performed on the historical behavior data to obtain feature vectors, an anomaly detection model is called to perform tag identification processing on the feature vectors, and a reference anomaly tag is determined from candidate anomaly tags.
Optionally, since a judgment needs to be made for each label, the tag identification task included in the anomaly detection model may be at least two classification tasks, where each classification task corresponds to one candidate anomaly label. Each classification task in the anomaly detection model is called in turn to perform tag identification processing on the feature vector, and the reference anomaly label is determined from the candidate anomaly labels. That is, the classification task corresponding to each candidate anomaly label judges whether that candidate anomaly label applies to the target device. If so, the candidate anomaly label is determined to be a reference anomaly label.
S403: Determine the first abnormality detection result based on the reference abnormality type and the reference abnormality label.
In one embodiment, the first anomaly detection result may be determined based on processing the reference anomaly type and the reference anomaly tag by an attention mechanism. Wherein attention mechanism refers to focusing attention on more important features based on attention weights.
In the embodiment of the application, when the first abnormality detection result is determined, the abnormality attack detection device considers the reference abnormality type indicated by the target login account in the target identification information and the reference abnormality label indicated by the historical behavior data in the target device, so that the first abnormality detection result determined based on the reference abnormality type and the reference abnormality label is more accurate.
Referring to fig. 5, fig. 5 is a schematic structural diagram of an anomaly attack detection apparatus according to an embodiment of the present application, where the anomaly attack detection apparatus may be the anomaly attack detection device mentioned in the foregoing method embodiment, and the anomaly attack detection apparatus may include an anomaly detection unit 501, a statistical analysis unit 502, and a determination unit 503.
The anomaly detection unit 501 is configured to obtain target identification information corresponding to a target account, and call an anomaly detection model to perform anomaly detection on the target identification information, so as to obtain a first anomaly detection result;
The statistical analysis unit 502 is configured to obtain the vehicle risk log information of the target account in a preset detection time window, and perform statistical analysis on the vehicle risk log information in the preset detection time window to obtain statistical information in the preset detection time window;
a determining unit 503, configured to determine a second abnormal detection result according to the statistical information and the reference threshold value in the preset detection time window;
the determining unit 503 is further configured to determine a target abnormality detection result based on the first abnormality detection result and the second abnormality detection result.
In one embodiment, the anomaly detection unit 501 is configured to invoke an anomaly detection model to perform anomaly detection on the target identifier information, to obtain a first anomaly detection result, and includes:
acquiring a vector expression corresponding to the target identification information;
invoking an anomaly detection model to classify the vector expression corresponding to the target identification information, and determining a target identification subset to which the vector expression belongs;
and taking the type of the abnormality indicated by the target identifier subset as a first abnormality detection result.
In one embodiment, the target identifier subset corresponds to a plurality of sample identifier subsets, and the anomaly detection unit 501 is further configured to determine the plurality of sample identifier subsets:
Acquiring a sample identification set, performing vector conversion on each sample identification information in the sample identification set, and determining a sample vector corresponding to each sample identification information in the sample identification set;
classifying the sample identification sets according to the sample vectors corresponding to each sample identification information to obtain sample identification subsets under different categories, wherein the sample vectors corresponding to the sample identification information in the sample identification subsets under one category correspond to one type of abnormality to be selected.
In one embodiment, the target identification information includes a target login account id and a target device identification, and the anomaly detection unit 501 is configured to invoke an anomaly detection model to perform anomaly detection on the target identification information, to obtain a first anomaly detection result, where the first anomaly detection result includes:
acquiring a list, and searching a reference abnormal type corresponding to the target login account in the list;
acquiring historical behavior data of a target account number from target equipment indicated by a target equipment identifier, calling an anomaly detection model to perform tag identification processing on the historical behavior data, and determining a reference anomaly tag;
the first abnormality detection result is determined based on the reference abnormality type and the reference abnormality label.
In one embodiment, the anomaly detection model includes at least two classification tasks, each of which corresponds to a candidate anomaly tag, and the anomaly detection unit 501 is configured to invoke the anomaly detection model to perform tag identification processing on historical behavior data, and determine a reference anomaly tag, where the determining includes:
Extracting features of the historical behavior data to obtain feature vectors;
and respectively calling each classification task in the anomaly detection model to perform label identification processing on the feature vector, and determining a reference anomaly label from the candidate labels.
In one embodiment, the statistical analysis unit 502 is configured to perform statistical analysis on the vehicle risk log information in the preset detection time window to obtain statistical information in the preset detection time window, and includes:
acquiring vehicle identification information for inquiring vehicle insurance resources from the vehicle insurance log information; and counting the number of the vehicle identification information in a preset detection time window, and taking the number of the vehicle identification information as the statistical information.
In one embodiment, the determining unit 503 is configured to determine a target abnormality detection result based on the first abnormality detection result and the second abnormality detection result, including:
acquiring the attention weight of the first abnormality detection result and the attention weight of the second abnormality detection result;
and performing attention processing on the first abnormality detection result and the second abnormality detection result based on the attention weight of the first abnormality detection result and the attention weight of the second abnormality detection result, and determining a target abnormality detection result.
According to another embodiment of the present application, the units in the abnormal attack detection apparatus shown in fig. 5 may be separately or wholly combined into one or several other units, or one or more of them may be further split into a plurality of functionally smaller units, which achieves the same operation without affecting the technical effects of the embodiments of the present application. The above units are divided based on logical functions. In practical applications, the function of one unit may be implemented by a plurality of units, or the functions of a plurality of units may be implemented by one unit. In other embodiments of the present application, the abnormal attack detection apparatus may also include other units, and in practical applications these functions may also be implemented with the assistance of other units or by cooperation of multiple units.
According to another embodiment of the present application, the processing elements and the storage elements may be implemented by including a central processing unit (Central Processing Unit, CPU), a random access storage medium (RAM), a read only storage medium (ROM), or the like. A general-purpose computing device such as a computer runs a computer program (including program code) capable of executing steps involved in the respective methods as shown in fig. 2 or 4 to construct an abnormal attack detection apparatus as shown in fig. 5, and to implement the abnormal attack detection method of the embodiment of the present application. The computer program may be recorded on, for example, a computer-readable recording medium, and loaded into and run in the above-described abnormality attack detection device via the computer-readable recording medium.
In the embodiment of the application, the anomaly attack detection device can perform anomaly detection on the target identification information based on the anomaly detection model to obtain a first anomaly detection result, perform statistical analysis on the vehicle insurance log information in the preset detection time window to obtain statistical information in the preset detection time window, and determine a second anomaly detection result according to the statistical information in the preset detection time window and the reference threshold. When identifying crawler attack behavior against vehicle insurance business data, both the anomaly corresponding to the target identification information and the anomaly corresponding to the vehicle insurance log information are considered, so the target anomaly detection result determined based on the first anomaly detection result and the second anomaly detection result is more accurate. That is, the crawler attack behavior indicated by the target anomaly detection result is more accurate, and the anti-crawler policy executed based on the target anomaly detection result is also accurate. Crawler attack behavior in the vehicle insurance business can thus be accurately identified so that anti-crawler processing can be performed.
Referring to fig. 6, fig. 6 is a schematic structural diagram of an abnormal attack detection device according to an embodiment of the present application. The abnormal attack detection device may include: one or more processors 601, one or more input interfaces 602, one or more output interfaces 603, and a computer storage medium 604. The processor 601, input interface 602, output interface 603, and computer storage medium 604 are connected by a bus or other means. The computer storage medium 604 is a memory device in the abnormal attack detection device for storing programs and data. It will be appreciated that the computer storage medium 604 herein may include both a built-in storage medium of the abnormal attack detection device and an extended storage medium supported by the abnormal attack detection device. The computer storage medium 604 provides a storage space that stores the operating system of the abnormal attack detection device. Also stored in this storage space are one or more instructions, which may be one or more computer programs (including program code), adapted to be loaded and executed by the processor 601. Note that the computer storage medium herein may be a high-speed RAM memory; optionally, it may also be at least one computer storage medium remote from the foregoing processor. The processor may be referred to as a central processing unit (Central Processing Unit, CPU); it is the core and control center of the abnormal attack detection device and is adapted to implement one or more instructions, specifically to load and execute the one or more instructions to implement a corresponding method flow or function.
In one embodiment, one or more instructions stored in the computer storage medium 604 may be loaded and executed by the processor 601 to implement the steps involved in performing the corresponding method as shown in fig. 2 or 4, in a specific implementation, one or more instructions in the computer storage medium 604 are loaded and executed by the processor 601 to:
acquiring target identification information corresponding to a target account, and calling an anomaly detection model to perform anomaly detection on the target identification information to obtain a first anomaly detection result;
acquiring the vehicle insurance log information of the target account in a preset detection time window, and carrying out statistical analysis on the vehicle insurance log information in the preset detection time window to obtain statistical information in the preset detection time window;
determining a second abnormal detection result according to the statistical information in the preset detection time window and a reference threshold value;
a target abnormality detection result is determined based on the first abnormality detection result and the second abnormality detection result.
In one embodiment, the processor 601 is configured to invoke an anomaly detection model to perform anomaly detection on the target identifier information to obtain a first anomaly detection result, including:
acquiring a vector expression corresponding to the target identification information;
Invoking an anomaly detection model to classify the vector expression corresponding to the target identification information, and determining a target identification subset to which the vector expression belongs;
and taking the type of the abnormality indicated by the target identifier subset as a first abnormality detection result.
In one embodiment, the target identification subset corresponds to a plurality of sample identification subsets, and the processor 601 is further configured to determine the plurality of sample identification subsets:
acquiring a sample identification set, performing vector conversion on each sample identification information in the sample identification set, and determining a sample vector corresponding to each sample identification information in the sample identification set;
classifying the sample identification sets according to the sample vectors corresponding to each sample identification information to obtain sample identification subsets under different categories, wherein the sample vectors corresponding to the sample identification information in the sample identification subsets under one category correspond to one type of abnormality to be selected.
In one embodiment, the target identification information includes a target login account id and a target device identifier, and the processor 601 is configured to invoke an anomaly detection model to perform anomaly detection on the target identification information to obtain a first anomaly detection result, where the first anomaly detection result includes:
acquiring a list, and searching a reference abnormal type corresponding to the target login account in the list;
Acquiring historical behavior data of a target account number from target equipment indicated by a target equipment identifier, calling an anomaly detection model to perform tag identification processing on the historical behavior data, and determining a reference anomaly tag;
the first abnormality detection result is determined based on the reference abnormality type and the reference abnormality label.
In one embodiment, the anomaly detection model includes at least two classification tasks, each classification task corresponding to a candidate anomaly tag, and the processor 601 is configured to invoke the anomaly detection model to perform tag identification processing on historical behavior data, and determine a reference anomaly tag, including:
extracting features of the historical behavior data to obtain feature vectors;
and respectively calling each classification task in the anomaly detection model to perform label identification processing on the feature vector, and determining a reference anomaly label from the candidate labels.
In one embodiment, the processor 601 is configured to perform statistical analysis on the vehicle risk log information in the preset detection time window to obtain statistical information in the preset detection time window, including:
acquiring vehicle identification information for inquiring vehicle insurance resources from the vehicle insurance log information;
and counting the number of the vehicle identification information in a preset detection time window, and taking the number of the vehicle identification information as the statistical information.
In one embodiment, the processor 601 is configured to determine a target anomaly detection result based on the first anomaly detection result and the second anomaly detection result, including:
acquiring the attention weight of the first abnormality detection result and the attention weight of the second abnormality detection result;
and performing attention processing on the first abnormality detection result and the second abnormality detection result based on the attention weight of the first abnormality detection result and the attention weight of the second abnormality detection result, and determining a target abnormality detection result.
In the embodiment of the application, the anomaly attack detection device can perform anomaly detection on the target identification information based on the anomaly detection model to obtain a first anomaly detection result, perform statistical analysis on the vehicle insurance log information in the preset detection time window to obtain statistical information in the preset detection time window, and determine a second anomaly detection result according to the statistical information in the preset detection time window and the reference threshold. When identifying crawler attack behavior against vehicle insurance business data, the anomaly attack detection device considers both the anomaly corresponding to the target identification information and the anomaly corresponding to the vehicle insurance log information, so the target anomaly detection result determined based on the first anomaly detection result and the second anomaly detection result is more accurate. That is, the crawler attack behavior indicated by the target anomaly detection result is more accurate, and the anti-crawler policy executed based on the target anomaly detection result is also accurate. Crawler attack behavior in the vehicle insurance business can thus be accurately identified so that anti-crawler processing can be performed.
Embodiments of the present application also provide a computer readable storage medium storing computer program instructions. The computer program instructions, when executed by the processor, may perform the steps performed in the embodiments of the anomaly attack detection method described above.
Embodiments of the present application also provide a computer program product comprising computer program code for causing a computer to carry out the steps carried out in the embodiments of the anomaly attack detection method described above when said computer program code is run on the computer.
Those skilled in the art will appreciate that all or part of the methods of the above embodiments may be implemented by a computer program stored on a computer readable storage medium, which, when executed, may carry out the steps of the method embodiments described above. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), a random access memory (RAM), or the like. The computer readable storage medium may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function, and the like; the storage data area may store data created from the use of blockchain nodes, and the like.
The above disclosure is only a preferred embodiment of the present application and does not limit the scope of the application; those skilled in the art will appreciate that implementations of all or part of the procedures described above, and equivalent changes made according to the claims, still fall within the scope of the present application.

Claims (9)

1. An anomaly attack detection method, comprising:
acquiring target identification information corresponding to a target account, and calling an anomaly detection model to perform anomaly detection on the target identification information to obtain a first anomaly detection result;
acquiring the vehicle insurance log information of the target account in a preset detection time window, and carrying out statistical analysis on the vehicle insurance log information in the preset detection time window to obtain statistical information in the preset detection time window; the vehicle insurance log information comprises inquiry time for inquiring vehicle insurance resources each time and vehicle identification information, wherein the vehicle identification information is used for inquiring the vehicle insurance resources and comprises one or more of license plate numbers, frame numbers and engine numbers;
determining a second abnormality detection result according to the statistical information in the preset detection time window and a reference threshold value;
determining a target abnormality detection result based on the first abnormality detection result and the second abnormality detection result;
wherein carrying out statistical analysis on the vehicle insurance log information in the preset detection time window to obtain the statistical information in the preset detection time window comprises:
acquiring vehicle identification information for inquiring vehicle insurance resources from the vehicle insurance log information, counting the number of the vehicle identification information in a preset detection time window, and taking the number of the vehicle identification information as the statistical information.
2. The method of claim 1, wherein invoking the anomaly detection model to perform anomaly detection on the target identification information to obtain a first anomaly detection result comprises:
acquiring a vector expression corresponding to the target identification information;
invoking the anomaly detection model to classify the vector expression corresponding to the target identification information, and determining a target identification subset to which the vector expression belongs;
and taking the abnormality type indicated by the target identification subset as the first abnormality detection result.
3. The method of claim 2, wherein the target identification subset corresponds to a plurality of sample identification subsets, and determining the plurality of sample identification subsets comprises:
acquiring a sample identification set, performing vector conversion on each sample identification information in the sample identification set, and determining a sample vector corresponding to each sample identification information in the sample identification set;
and classifying the sample identification sets according to the sample vectors corresponding to each sample identification information to obtain sample identification subsets under different categories, wherein the sample vectors corresponding to the sample identification information in the sample identification subsets under one category correspond to one type of abnormality to be selected.
4. The method of claim 1, wherein the target identification information includes a target login account number and a target device identification, and the invoking the anomaly detection model to perform anomaly detection on the target identification information to obtain a first anomaly detection result comprises:
acquiring a list, and searching a reference abnormal type corresponding to the target login account in the list;
acquiring historical behavior data of the target account number from target equipment indicated by the target equipment identifier, calling the anomaly detection model to perform tag identification processing on the historical behavior data, and determining a reference anomaly tag;
and determining the first abnormality detection result based on the reference abnormality type and the reference abnormality label.
5. The method of claim 4, wherein the anomaly detection model includes at least two sub-class tasks, each sub-class task corresponding to a candidate anomaly tag, and the invoking the anomaly detection model to perform tag identification processing on the historical behavior data to determine a reference anomaly tag comprises:
extracting features of the historical behavior data to obtain feature vectors;
and respectively calling each classification task in the anomaly detection model to perform label identification processing on the feature vector, and determining the reference anomaly label from the candidate anomaly labels.
6. The method of any of claims 1-5, wherein the determining a target anomaly detection result based on the first anomaly detection result and the second anomaly detection result comprises:
acquiring the attention weight of the first abnormality detection result and the attention weight of the second abnormality detection result;
and performing attention processing on the first abnormality detection result and the second abnormality detection result based on the attention weight of the first abnormality detection result and the attention weight of the second abnormality detection result, and determining the target abnormality detection result.
7. An anomaly attack detection device, comprising:
the abnormality detection unit is used for acquiring target identification information corresponding to the target account number, and calling an abnormality detection model to perform abnormality detection on the target identification information to obtain a first abnormality detection result;
the statistical analysis unit is used for acquiring the vehicle insurance log information of the target account in a preset detection time window, and carrying out statistical analysis on the vehicle insurance log information in the preset detection time window to obtain the statistical information in the preset detection time window; the vehicle insurance log information comprises inquiry time for inquiring vehicle insurance resources each time and vehicle identification information, wherein the vehicle identification information is used for inquiring the vehicle insurance resources and comprises one or more of license plate numbers, frame numbers and engine numbers;
the determining unit is used for determining a second abnormal detection result according to the statistical information in the preset detection time window and a reference threshold value;
the determining unit is further configured to determine a target abnormality detection result based on the first abnormality detection result and the second abnormality detection result;
the statistical analysis unit performs statistical analysis on the vehicle insurance log information in the preset detection time window to obtain statistical information in the preset detection time window, and is specifically used for:
acquiring vehicle identification information for inquiring vehicle insurance resources from the vehicle insurance log information, counting the number of the vehicle identification information in a preset detection time window, and taking the number of the vehicle identification information as the statistical information.
8. An abnormal attack detection device, comprising an input interface and an output interface, and further comprising:
a processor adapted to implement one or more instructions; and
a computer storage medium storing one or more instructions adapted to be loaded by the processor to perform the anomaly attack detection method of any of claims 1-6.
9. A computer storage medium storing one or more instructions adapted to be loaded by a processor and to perform the anomaly attack detection method according to any of claims 1 to 6.
CN202111554213.5A 2021-12-17 2021-12-17 Abnormal attack detection method, device, equipment and storage medium Active CN114244611B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111554213.5A CN114244611B (en) 2021-12-17 2021-12-17 Abnormal attack detection method, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN114244611A CN114244611A (en) 2022-03-25
CN114244611B true CN114244611B (en) 2023-10-13

Family

ID=80758311

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111554213.5A Active CN114244611B (en) 2021-12-17 2021-12-17 Abnormal attack detection method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114244611B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115118473B (en) * 2022-06-20 2023-07-14 中国联合网络通信集团有限公司 Data processing method, device, equipment and storage medium
CN115914052B (en) * 2022-10-28 2024-05-17 京东科技信息技术有限公司 Domain name health condition detection method and device
CN115941322B (en) * 2022-12-07 2024-05-24 中国平安财产保险股份有限公司 Attack detection method, device, equipment and storage medium based on artificial intelligence

Citations (4)

Publication number Priority date Publication date Assignee Title
CN109299135A (en) * 2018-11-26 2019-02-01 平安科技(深圳)有限公司 Abnormal inquiry recognition methods, identification equipment and medium based on identification model
CN112035775A (en) * 2020-09-01 2020-12-04 中国平安财产保险股份有限公司 User identification method and device based on random forest model and computer equipment
CN112417439A (en) * 2019-08-21 2021-02-26 北京达佳互联信息技术有限公司 Account detection method, device, server and storage medium
CN113255842A (en) * 2021-07-05 2021-08-13 平安科技(深圳)有限公司 Vehicle replacement prediction method, device, equipment and storage medium

Family Cites Families (2)

Publication number Priority date Publication date Assignee Title
US8126742B2 (en) * 2003-05-09 2012-02-28 Accenture Global Services Limited Automated assignment of insurable events
US11106789B2 (en) * 2019-03-05 2021-08-31 Microsoft Technology Licensing, Llc Dynamic cybersecurity detection of sequence anomalies

Also Published As

Publication number Publication date
CN114244611A (en) 2022-03-25

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant