CN114785579B - Network attack analysis method and server applied to cloud side-end computing - Google Patents

Publication number
CN114785579B
Authority
CN
China
Prior art keywords
attack
analyzed
suspected
tendency
under
Legal status
Active
Application number
CN202210386658.5A
Other languages
Chinese (zh)
Other versions
CN114785579A (en)
Inventor
刘强
黄英
Current Assignee
Fujian Shida Group Co ltd
Original Assignee
Fujian Shida Group Co ltd
Application filed by Fujian Shida Group Co ltd
Priority to CN202210386658.5A
Publication of CN114785579A
Application granted
Publication of CN114785579B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/14 Session management

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a network attack analysis method and a server applied to cloud-edge computing. The suspected attack tendency description distribution matched with each of a plurality of edge computing service ends to be analyzed in an abnormal cloud-edge interactive session is determined, and from it the network attack emphasis theme, under the overall service session process, of the suspected attack tendency description distribution of each edge computing service end to be analyzed is determined. The suspected attack tendency description distribution of the abnormal cloud-edge interactive session can then be determined on at least one network attack emphasis theme/attention expression level. This weakens the network attack emphasis theme/attention expression deviation of the suspected attack tendency description distributions of the edge computing service ends to be analyzed, enriches network attack analysis from different angles as far as possible, ensures the integrity, accuracy and reliability of the obtained suspected attack tendency description distribution of the abnormal cloud-edge interactive session, and avoids omissions of that distribution on an individual analysis level.

Description

Network attack analysis method and server applied to cloud side-end computing
Technical Field
The invention relates to the technical field of cloud computing, in particular to a network attack analysis method and a server applied to cloud side-end computing.
Background
Edge computing refers to an open platform that integrates core network, computing, storage and application capabilities on the side close to the object or data source, so as to provide services at the nearest end. As cloud computing power sinks from the center to the edge, edge computing will drive the formation of an integrated "cloud, edge, end" collaborative computing system. In such a cloud-edge-end system, the cloud center and the edge each play their own role, which effectively improves the efficiency and quality of data information interaction services. At present, although edge computing can deliver faster network service responses and meet the requirements of various industries for real-time services, application intelligence, security, privacy protection and the like, the quality of network attack analysis for the cloud-edge end is difficult to guarantee as the system scale keeps growing.
Disclosure of Invention
The invention provides a network attack analysis method and a server applied to cloud side-end computing, and adopts the following technical scheme to achieve the technical purpose.
The first aspect is a network attack analysis method applied to cloud-edge computing, applied to a cloud server. The method includes: collecting the cloud-edge service interaction record corresponding to a target network attack early warning prompt, where the cloud-edge service interaction record covers at least one group of visual sensory service records obtained by capturing interaction records of the abnormal cloud-edge interactive session; determining, according to the cloud-edge service interaction record, the suspected attack tendency description distribution matched with each of a plurality of edge computing service ends to be analyzed in the abnormal cloud-edge interactive session; for each of the edge computing service ends to be analyzed, determining the network attack emphasis theme of its suspected attack tendency description distribution under the overall service session process; and determining the suspected attack tendency description distribution of the abnormal cloud-edge interactive session according to the network attack emphasis theme, under the overall service session process, of the suspected attack tendency description distribution of each edge computing service end to be analyzed and the suspected attack tendency description distribution matched with each edge computing service end to be analyzed.
With this design, the network attack emphasis theme, under the overall service session process, of the suspected attack tendency description distribution of each edge computing service end to be analyzed is determined from the suspected attack tendency description distributions matched with each of the edge computing service ends to be analyzed in the abnormal cloud-edge interactive session. By means of these per-service-end emphasis themes, the suspected attack tendency description distribution of the abnormal cloud-edge interactive session can be determined on at least one network attack emphasis theme/attention expression level. This weakens the network attack emphasis theme/attention expression deviation of the suspected attack tendency description distributions of the edge computing service ends to be analyzed, enriches network attack analysis from different angles as far as possible, guarantees the integrity, accuracy and reliability of the obtained suspected attack tendency description distribution of the abnormal cloud-edge interactive session, and avoids omissions of that distribution on an individual analysis level.
In an independent embodiment, determining, according to the cloud-edge service interaction record, the suspected attack tendency description distribution matched with each of the plurality of edge computing service ends to be analyzed in the abnormal cloud-edge interactive session includes: performing visual behavior event analysis on the abnormal cloud-edge interactive session according to the cloud-edge service interaction record to obtain visual behavior event information of the session, where the visual behavior event information comprises a plurality of visual behavior events and the upstream and downstream relative relation of each visual behavior event in the abnormal cloud-edge interactive session; performing an event keyword extraction operation on the visual behavior event information to obtain the event keywords matched with each of the visual behavior events; and determining the suspected attack tendency description distribution matched with each of the edge computing service ends to be analyzed in the abnormal cloud-edge interactive session according to the visual behavior event information and the event keywords matched with each of the plurality of visual behavior events.
With this design, visual behavior event analysis is performed on the abnormal cloud-edge interactive session according to the cloud-edge service interaction record, event keywords are extracted from the resulting visual behavior event information, and a visual behavior event relation network is determined that reflects the actual interaction relation of each edge computing service end to be analyzed in the abnormal cloud-edge interactive session and the network attack emphasis theme matched with each of them. This provides a credible analysis basis for subsequently determining a rich, complete and accurate suspected attack tendency description distribution of the abnormal cloud-edge interactive session.
In an independent embodiment, the edge computing service end to be analyzed includes one or more of the following: a service platform system corresponding to the abnormal cloud-edge interactive session, a portable digital terminal accessed to the abnormal cloud-edge interactive session, and an intelligent robot corresponding to the abnormal cloud-edge interactive session.
In an independent embodiment, the network attack emphasis theme includes one or more of the following: the network attack emphasis period, the network attack emphasis mode and the network attack emphasis target under the overall service session process.
In an independent embodiment, determining, for each of the edge computing service ends to be analyzed, the network attack emphasis theme of its suspected attack tendency description distribution under the overall service session process includes: for each edge computing service end to be analyzed, determining a plurality of local attack tendency characteristics matched with that edge computing service end from its suspected attack tendency description distribution; and determining the network attack emphasis theme of the suspected attack tendency description distribution of the edge computing service end to be analyzed under the overall service session process according to the attention expressions of the local attack tendency characteristics under the overall service session process.
With this design, for the suspected attack tendency description distribution of each edge computing service end to be analyzed, its network attack emphasis theme under the overall service session process is determined from the network attack emphasis themes of the plurality of local attack tendency characteristics in that distribution. This avoids, as far as possible, the deviation caused by a shift in the network attack emphasis theme of a small number of local attack tendency characteristics, and improves the precision and credibility of the network attack emphasis theme of the suspected attack tendency description distribution of the edge computing service end to be analyzed. It also provides a credible analysis basis for subsequently determining, from the emphasis themes of the individual edge computing service ends to be analyzed, the network attack emphasis theme of the suspected attack tendency description distribution of the abnormal cloud-edge interactive session in which they are located.
In an independent embodiment, the network attack emphasis theme comprises a network attack emphasis period under the overall service session process. Determining the network attack emphasis theme of the suspected attack tendency description distribution of the edge computing service end to be analyzed, according to the attention expressions of the local attack tendency characteristics under the overall service session process, includes: determining the network attack emphasis period of each of the plurality of local attack tendency characteristics under the overall service session process, according to the suspected attack tendency description distribution and the attention expression, under the overall service session process, of the interaction record capture system at the time it captured the cloud-edge service interaction record; determining the overall network attack emphasis period of the network attack emphasis periods matched with each of the local attack tendency characteristics; and determining the overall network attack emphasis period as the network attack emphasis period of the suspected attack tendency description distribution of the edge computing service end to be analyzed under the overall service session process.
With this design, for the suspected attack tendency description distribution of each edge computing service end to be analyzed, its network attack emphasis period under the overall service session process is determined as the mean value of the network attack emphasis periods of the plurality of local attack tendency characteristics in that distribution. This avoids, as far as possible, the deviation caused by a shift in the network attack emphasis period of a small number of local attack tendency characteristics, and improves the precision and credibility of the network attack emphasis period of the suspected attack tendency description distribution of the edge computing service end to be analyzed. It also provides a credible analysis basis for subsequently determining, from the emphasis periods of the individual edge computing service ends to be analyzed, the network attack emphasis period of the suspected attack tendency description distribution of the abnormal cloud-edge interactive session under the overall service session process.
In an independent embodiment, the network attack emphasis theme comprises a network attack emphasis mode. Determining the network attack emphasis theme of the suspected attack tendency description distribution of the edge computing service end to be analyzed, according to the attention expressions of the local attack tendency characteristics under the overall service session process, includes: determining the network attack emphasis mode matched with each of the local attack tendency characteristics, according to the suspected attack tendency description distribution and the attention expression, under the overall service session process, of the interaction record capture system at the time it captured the cloud-edge service interaction record; determining the global network attack emphasis mode of the network attack emphasis modes matched with each of the local attack tendency characteristics; and determining the global network attack emphasis mode as the network attack emphasis mode of the suspected attack tendency description distribution of the edge computing service end to be analyzed under the overall service session process.
With this design, for the suspected attack tendency description distribution of each edge computing service end to be analyzed, its network attack emphasis mode under the overall service session process is determined as the mean value of the network attack emphasis modes of the plurality of local attack tendency characteristics in that distribution. This avoids, as far as possible, the deviation caused by a shift in the network attack emphasis mode of a small number of local attack tendency characteristics, and improves the precision and credibility of the network attack emphasis mode of the suspected attack tendency description distribution of the edge computing service end to be analyzed. It also provides a credible analysis basis for subsequently determining, from the emphasis modes of the individual edge computing service ends to be analyzed, the network attack emphasis mode of the suspected attack tendency description distribution of the abnormal cloud-edge interactive session under the overall service session process.
In an independent embodiment, the network attack emphasis theme comprises a network attack emphasis target. Determining the network attack emphasis theme of the suspected attack tendency description distribution of the edge computing service end to be analyzed, according to the attention expressions of the local attack tendency characteristics under the overall service session process, includes: determining the network attack emphasis target matched with each of the local attack tendency characteristics, according to the suspected attack tendency description distribution and the attention expression, under the overall service session process, of the interaction record capture system at the time it captured the cloud-edge service interaction record; determining the depolarization network attack emphasis target of the network attack emphasis targets matched with each of the local attack tendency characteristics; and determining the depolarization network attack emphasis target as the network attack emphasis target of the suspected attack tendency description distribution of the edge computing service end to be analyzed under the overall service session process.
With this design, for the suspected attack tendency description distribution of each edge computing service end to be analyzed, its network attack emphasis target under the overall service session process is determined as the mean value of the network attack emphasis targets of the plurality of local attack tendency characteristics in that distribution. This avoids, as far as possible, the deviation caused by a shift in the network attack emphasis target of a small number of local attack tendency characteristics, and improves the precision and credibility of the network attack emphasis target of the suspected attack tendency description distribution of the edge computing service end to be analyzed. It also provides a credible analysis basis for subsequently determining, from the emphasis targets of the individual edge computing service ends to be analyzed, the network attack emphasis target of the suspected attack tendency description distribution of the abnormal cloud-edge interactive session under the overall service session process.
In an independent embodiment, determining the suspected attack tendency description distribution of the abnormal cloud-edge interactive session, according to the network attack emphasis theme of the suspected attack tendency description distribution of each edge computing service end to be analyzed under the overall service session process and the suspected attack tendency description distribution matched with each of the plurality of edge computing service ends to be analyzed, includes: determining the current network attack emphasis theme of the network attack emphasis themes, under the overall service session process, of the suspected attack tendency description distributions of the plurality of edge computing service ends to be analyzed in the abnormal cloud-edge interactive session; determining the current network attack emphasis theme as the network attack emphasis theme of the suspected attack tendency description distribution of the abnormal cloud-edge interactive session under the overall service session process; and determining the suspected attack tendency description distribution of the abnormal cloud-edge interactive session according to the network attack emphasis theme of the session's suspected attack tendency description distribution under the overall service session process and the suspected attack tendency description distribution matched with each of the plurality of edge computing service ends to be analyzed.
With this design, for the suspected attack tendency description distribution of the abnormal cloud-edge interactive session, its network attack emphasis theme under the overall service session process is determined by averaging the network attack emphasis themes of the suspected attack tendency description distributions of the edge computing service ends to be analyzed in the session. This avoids, as far as possible, the deviation caused by a shift in the network attack emphasis theme of a small number of edge computing service ends to be analyzed, and so improves the precision and reliability of the network attack emphasis theme of the suspected attack tendency description distribution of the abnormal cloud-edge interactive session under the overall service session process.
In an independent embodiment, determining the suspected attack tendency description distribution of the abnormal cloud-edge interactive session, according to the network attack emphasis theme of the session's suspected attack tendency description distribution under the overall service session process and the suspected attack tendency description distribution matched with each of the plurality of edge computing service ends to be analyzed, includes: determining, from the edge computing service ends to be analyzed, the edge computing service ends that trigger the attack tendency optimization condition, according to the network attack emphasis theme of the session's suspected attack tendency description distribution under the overall service session process and the network attack emphasis theme of the suspected attack tendency description distribution of each edge computing service end to be analyzed under the overall service session process; updating, according to the session's network attack emphasis theme and the network attack emphasis theme corresponding to each edge computing service end that triggers the attack tendency optimization condition, the relative relationship and/or the characteristic weight, within the abnormal cloud-edge interactive session, of the suspected attack tendency description distribution of that edge computing service end, to obtain its optimized suspected attack tendency description distribution; and determining the suspected attack tendency description distribution of the abnormal cloud-edge interactive session according to the optimized suspected attack tendency description distributions of the edge computing service ends that trigger the attack tendency optimization condition and the suspected attack tendency description distributions of the edge computing service ends that do not trigger it.
With this design, the network attack emphasis theme of the session's suspected attack tendency description distribution under the overall service session process is used to apply attention expression and error correction to the suspected attack tendency description distributions of those edge computing service ends to be analyzed, in the abnormal cloud-edge interactive session, whose network attack analysis is in error. This improves the accuracy and credibility of the determined suspected attack tendency description distribution of the abnormal cloud-edge interactive session, makes it more complete and accurate, and allows it to comprehensively express the network attack analysis situation under the overall session process.
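The aggregation and correction steps described above can be illustrated with a short sketch. This is an added example, not code from the patent; the names `Emphasis`, `summarize`, `deviates` and `analyze_session`, the `max_shift` and `penalty` parameters, the majority vote used for the categorical mode and target, and the concrete optimization condition are all assumptions, since the page does not define them.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass
class Emphasis:
    """Emphasis theme: period (start, end in seconds), mode and target."""
    period: tuple[float, float]
    mode: str
    target: str
    weight: float = 1.0  # characteristic weight (assumed to be a scalar)


def _wmean(values, weights):
    return sum(v * w for v, w in zip(values, weights)) / sum(weights)


def _vote(labels, weights):
    tally = Counter()
    for label, w in zip(labels, weights):
        tally[label] += w
    # sorted() makes ties resolve deterministically (alphabetical order)
    return max(sorted(tally), key=tally.__getitem__)


def summarize(items):
    """Collapse several emphasis themes into one.

    Periods are averaged, as the text describes. For the categorical mode
    and target a weighted majority vote stands in for the "mean" (assumption).
    """
    items = list(items)
    w = [i.weight for i in items]
    return Emphasis(
        period=(_wmean([i.period[0] for i in items], w),
                _wmean([i.period[1] for i in items], w)),
        mode=_vote([i.mode for i in items], w),
        target=_vote([i.target for i in items], w),
    )


def deviates(edge, session, max_shift):
    """Assumed optimization condition: the edge disagrees with the session
    on mode or target, or its period midpoint is more than max_shift away."""
    def mid(e):
        return (e.period[0] + e.period[1]) / 2
    return (edge.mode != session.mode or edge.target != session.target
            or abs(mid(edge) - mid(session)) > max_shift)


def analyze_session(edges, max_shift=120.0, penalty=0.25):
    # 1. local characteristics -> one emphasis theme per edge service end
    per_edge = {name: summarize(feats) for name, feats in edges.items()}
    # 2. per-edge themes -> session-level ("current") emphasis theme
    session = summarize(per_edge.values())
    # 3. edge service ends that trigger the (assumed) optimization condition
    flagged = sorted(n for n, e in per_edge.items()
                     if deviates(e, session, max_shift))
    # 4. update their characteristic weight and recompute the session theme
    for name in flagged:
        per_edge[name].weight = penalty
    corrected = summarize(per_edge.values())
    return per_edge, session, flagged, corrected


# Constructed sample: three edge service ends, two local characteristics each.
SAMPLE_EDGES = {
    "service-platform": [Emphasis((100, 160), "credential-stuffing", "login-api"),
                         Emphasis((110, 170), "credential-stuffing", "login-api")],
    "portable-terminal": [Emphasis((95, 155), "credential-stuffing", "login-api"),
                          Emphasis((105, 165), "credential-stuffing", "login-api")],
    "robot": [Emphasis((400, 460), "port-scan", "mgmt-port"),
              Emphasis((410, 470), "port-scan", "mgmt-port")],
}

if __name__ == "__main__":
    per_edge, session, flagged, corrected = analyze_session(SAMPLE_EDGES)
    print("session before correction:", session)
    print("flagged edge service ends:", flagged)
    print("session after correction: ", corrected)
```

In the constructed sample the single outlying service end pulls the unweighted session period far from the two agreeing ones; reducing its weight moves the session-level period back toward them.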
A second aspect is a cloud server comprising a memory and a processor; the memory and the processor are coupled; the memory for storing computer program code, the computer program code comprising computer instructions; wherein the computer instructions, when executed by the processor, cause the cloud server to perform the method of the first aspect.
A third aspect is a computer-readable storage medium having stored thereon a computer program which, when executed, performs the method of the first aspect.
Drawings
Fig. 1 is a schematic flowchart of a network attack analysis method applied to cloud-edge computing according to an embodiment of the present invention.
Fig. 2 is a block diagram of a network attack analysis apparatus applied to cloud-edge computing according to an embodiment of the present invention.
Detailed Description
In the following, the terms "first", "second" and "third", etc. are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or to imply that the number of indicated technical features is significant. Thus, a feature defined as "first," "second," or "third," etc., may explicitly or implicitly include one or more of that feature.
Fig. 1 is a schematic flowchart illustrating a network attack analysis method applied to cloud edge computing according to an embodiment of the present invention, where the network attack analysis method applied to cloud edge computing may be implemented by a cloud server, and the cloud server may include a memory and a processor; the memory and the processor are coupled; the memory for storing computer program code, the computer program code comprising computer instructions; wherein the computer instructions, when executed by the processor, cause the cloud server to perform the following steps.
Step 101, collecting cloud edge service interaction records corresponding to the target network attack early warning prompt.
In the embodiment of the present invention, the target network attack early warning prompt may be understood as early warning information sent by a network attack detection node (a preset attack protection mechanism), for example, when the network attack detection node detects a cloud edge service interaction record with an attack risk, the target network attack early warning prompt may be triggered, so as to inform a cloud server to collect a corresponding cloud edge service interaction record.
In the embodiment of the invention, the cloud-edge service interaction record includes a visual sensory service record (such as a service record in a text list form) or a mixed sensory service record (such as a service record in a graphical form) obtained by capturing an interaction record of the abnormal Yun Bianduan interaction session, and the like. Further, the mixed sensory business records may include, but are not limited to, global mixed sensory business records, the visual sensory business records may cover one or more groups, and the visual sensory business records may also be global visual sensory business records; the interaction record capture system may be a business interaction record capturer or a business interaction record capture thread. Illustratively, a cloud-edge business interaction record or sets of visual sensory business records may be obtained in view of the interaction record capture system when capturing an exception Yun Bianduan interaction session.
It is understood that the exception Yun Bianduan interactive session can be understood as a session environment or a session scenario of the cloud server and the edge computing service, for example, the exception Yun Bianduan interactive session can be an electronic payment session environment, a digital office session environment or a remote education session environment, which is not exemplified herein.
In some examples, the abnormal cloud edge-side interaction session used for service interaction record acquisition may cover several dimensions. In addition, the abnormal cloud edge-side interaction session further includes at least one edge computing service end to be analyzed, which may be at least one of a service platform system in the abnormal cloud edge-side interaction session, a portable digital terminal accessed in the abnormal cloud edge-side interaction session, and an intelligent robot in the abnormal cloud edge-side interaction session, but is not limited thereto.
It can be understood that, when capturing the cloud-edge service interaction record of the abnormal cloud edge-side interaction session, in order to enrich the feature identification of the abnormal cloud edge-side interaction session as much as possible, the interaction record capture system may be instructed to capture the interaction record under different attention expressions (which may also be understood as targeted attention states) to determine the cloud-edge service interaction record corresponding to the abnormal cloud edge-side interaction session.
It can be appreciated that, since the cloud-edge service interaction records captured via the interaction record capture system need to be applied to interaction record analysis (for example, suspected attack tendency description distribution analysis), the attention expression of the interaction record capture system in the abnormal cloud edge-side interaction session needs to be determined. Based on this, for example, the performance of the interaction record capture system can be detected before the abnormal cloud edge-side interaction session is captured by means of the interaction record capture system, so that the attention expression of the interaction record capture system in the abnormal cloud edge-side interaction session is determined; it is to be appreciated that, for example, system parameters of the interaction record capture system can be updated to correspond to the abnormal cloud edge-side interaction session.
Further, after the performance of the interaction record capture system is detected, cloud-edge service interaction records can be captured by screening a cloud-edge service interaction record capture strategy of the interaction record capture system, and the cloud-edge service interaction record corresponding to the abnormal cloud edge-side interaction session is obtained.
Based on the technical solution recorded in step 101, the network attack analysis method applied to cloud-edge computing according to the embodiment of the present invention may further include the following steps.
Step 102, according to the cloud-edge service interaction record, determining the suspected attack tendency description distribution matched with each of a plurality of edge computing service ends to be analyzed in the abnormal cloud edge-side interaction session.
In the embodiment of the invention, the edge computing service end to be analyzed can be understood as a participant which is communicated with the cloud server and is in the abnormal cloud edge end interactive session, and can also be understood as intelligent equipment on the application side. The suspected attack tendency description distribution matched with each edge computing service end to be analyzed can be understood as a suspected attack risk characteristic diagram corresponding to the edge computing service end to be analyzed, and the suspected attack risk characteristic diagram can be recorded in a characteristic model, such as a pyramid model.
For some embodiments that can be implemented independently, determining, according to the cloud-edge service interaction record, the suspected attack tendency description distribution matched with each of the plurality of edge computing service ends to be analyzed in the abnormal cloud edge-side interaction session can be implemented, by way of example, as follows: performing visual behavior event analysis on the abnormal cloud edge-side interaction session according to the cloud-edge service interaction record to obtain visual behavior event information of the abnormal cloud edge-side interaction session; performing an event keyword extraction operation on the visual behavior event information to obtain the event keywords matched with the visual behavior events; and, according to the visual behavior event information and the event keywords matched with the visual behavior events, determining the suspected attack tendency description distribution matched with each of the edge computing service ends to be analyzed in the abnormal cloud edge-side interaction session.
In the embodiment of the invention, the visual behavior event information comprises a plurality of visual behavior events and the upstream and downstream relative relation of each visual behavior event in the abnormal cloud side interaction session. The upstream and downstream relative relationship can be understood as the position information of each visual behavior event in the abnormal cloud edge-side interaction session. The event keyword extraction operation on the visual behavior event information can be understood as the identification of the category information of the visual behavior event information.
In some examples, the visual behavior event analysis of the abnormal cloud edge-side interaction session according to the cloud-edge service interaction record can be realized through at least one of the following ideas (1) and (2), so as to obtain the visual behavior event information of the abnormal cloud edge-side interaction session.
Idea (1): if the interaction record capture system comprises a service capture module, no security levels exist for the service interaction events in the visual sensory service records in the cloud-edge service interaction records corresponding to the abnormal cloud edge-side interaction session. Illustratively, from multiple groups of visual sensory service records obtained by capturing different dimensions of the abnormal cloud edge-side interaction session, the actual distribution state of each visual behavior event in the abnormal cloud edge-side interaction session can be determined, so that the visual behavior events corresponding to the abnormal cloud edge-side interaction session can be analyzed and the visual behavior event information of the abnormal cloud edge-side interaction session is obtained.
Idea (2): if the interaction record capture system comprises an integral service capture module, security levels correspondingly exist for the service interaction events in the visual sensory service records in the collected cloud-edge service interaction records corresponding to the abnormal cloud edge-side interaction session. By means of the visual sensory service records containing the security levels, the network attack emphasis time period of each visual behavior event in the abnormal cloud edge-side interaction session can be determined, and the visual behavior event information of the abnormal cloud edge-side interaction session is determined.
Further, after the visual behavior event information of the abnormal cloud edge-side interaction session is determined, event keywords of each visual behavior event can be determined through a thought of event keyword extraction (for example, semantic analysis extraction is performed through a neural network model). After the event keywords of each visual behavior event are determined, the suspected attack tendency description distribution matched with each of a plurality of edge computing service ends to be analyzed in the abnormal cloud edge-side interaction session can be determined according to the upstream-downstream relative relationship of each visual behavior event in the abnormal cloud edge-side interaction session and the event keywords corresponding to each visual behavior event.
It can be understood that after the event keywords matched with each visual behavior event are determined, visual behavior events that are associated in their upstream and downstream relative relationships (such as distribution positions) and have the same event keywords may be regarded as the visual behavior events corresponding to the same edge computing service end to be analyzed. After the visual behavior events belonging to the same edge computing service end to be analyzed are determined, the suspected attack tendency description distribution corresponding to each edge computing service end to be analyzed is determined according to the visual behavior events matched with that edge computing service end; it can be understood that the event keywords matched with each visual behavior event can be recorded in the suspected attack tendency description distribution corresponding to each edge computing service end to be analyzed.
After determining the suspected attack tendency description distribution matched with each of the plurality of edge computing service ends to be analyzed in the abnormal cloud edge-side interactive session, determining the suspected attack tendency description distribution of each edge computing service end to be analyzed in the abnormal cloud edge-side interactive session under the whole service session process according to the content recorded in the following step 103.
Step 103, for each edge computing service end to be analyzed in the plurality of edge computing service ends to be analyzed, determining the network attack emphasis theme of the suspected attack tendency description distribution of the edge computing service end to be analyzed under the whole service session process.
In the embodiment of the invention, the network attack emphasis theme comprises one or more of the following: a network attack emphasis time period, a network attack emphasis mode and a network attack emphasis target under the whole service session process. The network attack emphasis time period under the whole service session process included in the network attack emphasis theme may include, for example, but is not limited to, the network attack emphasis time period, under the whole service session process, of the basic service session of the suspected attack tendency description distribution of the edge computing service end to be analyzed; the network attack emphasis mode may include, but is not limited to, a regional network attack emphasis time period, under the whole service session process, of the suspected attack tendency description distribution of the edge computing service end to be analyzed. For example, the whole service session process may be understood as a global session scenario or a global session context, which expresses the service session process at an overall level.
In practical implementation, when determining that the suspected attack tendency of each edge computing service end to be analyzed describes a network attack emphasis theme distributed under the whole service session process for each edge computing service end to be analyzed in a plurality of edge computing service ends to be analyzed, the following may be exemplarily implemented: for each edge calculation service end to be analyzed in a plurality of edge calculation service ends to be analyzed, determining a plurality of local attack tendency characteristics matched with the edge calculation service end to be analyzed from the suspected attack tendency description distribution of the edge calculation service end to be analyzed; and determining the suspected attack tendency description of the edge computing service end to be analyzed to be distributed on the network attack emphasis theme under the whole service session process according to the attention expressions of the local attack tendency characteristics under the whole service session process.
In practical implementation, when the network attack emphasis theme comprises a network attack emphasis time period in the whole service session process, H local attack tendency characteristics can be screened in suspected attack tendency description distribution of each edge calculation service end to be analyzed aiming at each edge calculation service end to be analyzed; and analyzing to obtain the network attack side weight time period of the basic service session distributed by the suspected attack tendency description of the edge computing service end to be analyzed in the whole service session process according to the network attack side weight time period of the H local attack tendency characteristics in the whole service session process.
When the network attack emphasis theme comprises a network attack emphasis mode, W local attack tendency characteristics can be screened in suspected attack tendency description distribution of each edge calculation service end to be analyzed; according to the network attack emphasis mode of the W local attack tendency characteristics under the whole service session process, the suspected attack tendency description of the edge computing service end to be analyzed is obtained by analysis and distributed under the whole service session process.
When the network attack emphasis theme comprises the network attack emphasis target, Q local attack tendency characteristics can be screened in the suspected attack tendency description distribution of the edge calculation service end to be analyzed aiming at each edge calculation service end to be analyzed; and analyzing to obtain suspected attack tendency descriptions of the edge computing service end to be analyzed, which are distributed on the attacked target in the whole service session process, according to the network attack side-focused targets matched with the Q local attack tendency characteristics respectively.
Further, the number H of local attack tendency characteristics screened when determining the network attack emphasis time period of the basic service session under the whole service session process, the number W screened when determining the network attack emphasis mode under the whole service session process, and the number Q screened when determining the attacked target under the whole service session process, each for the suspected attack tendency description distribution of the edge computing service end to be analyzed, may be the same or different. In addition, the local attack tendency characteristics screened when determining the network attack emphasis time period under the whole service session process and those screened when determining the attacked target under the whole service session process may be the same local attack tendency characteristics or different ones.
In some examples, determining the network attack emphasis theme of the suspected attack tendency description distribution of the edge computing service end to be analyzed under the whole service session process can be implemented by at least one of the following ideas (3)-(5).
Idea (3): on the premise that the network attack emphasis theme comprises the network attack emphasis time period under the whole service session process, the network attack emphasis time period of each of a plurality of local attack tendency characteristics under the whole service session process can be determined according to the suspected attack tendency description distribution and the attention expression under the whole service session process when the interaction record capture system captured the cloud-edge service interaction record; the whole network attack emphasis time period of the network attack emphasis time periods matched with the local attack tendency characteristics is determined; and the whole network attack emphasis time period is determined as the network attack emphasis time period of the suspected attack tendency description distribution of the edge computing service end to be analyzed under the whole service session process.
It can be understood that, according to the content recorded in step 102 in the embodiment of the present invention, the determined upstream-downstream relative relationship of each visual behavior event in the suspected attack tendency description distribution of each edge computing service end to be analyzed includes the upstream-downstream relative relationship of each visual behavior event under the service session node. To make the suspected attack tendency description distribution more complete and accurate, the network attack emphasis time period, under the whole service session process, of the basic service session of the suspected attack tendency description distribution of the edge computing service end to be analyzed needs to be obtained by analysis. Therefore, the change relation between the service session node and the whole service session process needs to be determined according to the attention expression under the whole service session process when the interaction record capture system captured the cloud-edge service interaction record; the network attack emphasis time period of each local attack tendency characteristic under the whole service session process is then determined according to the upstream-downstream relative relationship of each local attack tendency characteristic under the service session node in the suspected attack tendency description distribution and the change relation between the service session node and the whole service session process.
After the network attack emphasis time period of each local attack tendency characteristic under the whole service session process is determined, the whole network attack emphasis time period of the local attack tendency characteristics under the whole service session process can be determined, and the whole network attack emphasis time period is regarded as the network attack emphasis time period, under the whole service session process, of the basic service session of the suspected attack tendency description distribution of the edge computing service end to be analyzed.
Idea (4): on the premise that the network attack emphasis theme comprises a network attack emphasis mode, the network attack emphasis mode matched with each of a plurality of local attack tendency characteristics can be determined according to the suspected attack tendency description distribution and the attention expression under the whole service session process when the interaction record capture system captured the cloud-edge service interaction record; the global network attack emphasis mode of the network attack emphasis modes matched with the local attack tendency characteristics is determined; and the global network attack emphasis mode is determined as the network attack emphasis mode of the suspected attack tendency description distribution of the edge computing service end to be analyzed under the whole service session process.
It can be understood that, according to the content recorded in step 102 in the embodiment of the present invention, the determined upstream-downstream relative relationship of each visual behavior event in the suspected attack tendency description distribution of each edge computing service end to be analyzed includes the network attack emphasis mode of each visual behavior event under the service session node. To make the suspected attack tendency description distribution more complete and accurate, the network attack emphasis mode, under the whole service session process, of the suspected attack tendency description distribution of the edge computing service end to be analyzed needs to be obtained by analysis. Therefore, the change relation between the service session node and the whole service session process needs to be determined according to the attention expression under the whole service session process when the interaction record capture system captured the cloud-edge service interaction record; the network attack emphasis mode of each local attack tendency characteristic under the whole service session process is then determined according to the network attack emphasis mode of each local attack tendency characteristic under the service session node in the suspected attack tendency description distribution and the change relation between the service session node and the whole service session process.
After the network attack emphasis mode of each local attack tendency characteristic under the whole service session process is determined, the global network attack emphasis mode of the local attack tendency characteristics under the whole service session process can be determined, and the global network attack emphasis mode is regarded as the network attack emphasis mode, under the whole service session process, of the basic service session of the suspected attack tendency description distribution of the edge computing service end to be analyzed.
Idea (5): on the premise that the network attack emphasis theme comprises a network attack emphasis target, the network attack emphasis target matched with each of a plurality of local attack tendency characteristics can be determined according to the suspected attack tendency description distribution and the attention expression under the whole service session process when the interaction record capture system captured the cloud-edge service interaction record; the depolarized network attack emphasis target of the network attack emphasis targets matched with the local attack tendency characteristics is determined; and the depolarized network attack emphasis target is determined as the network attack emphasis target of the suspected attack tendency description distribution of the edge computing service end to be analyzed under the whole service session process.
It can be understood that, according to the content recorded in step 102 in the embodiment of the present invention, the determined upstream-downstream relative relationship of each visual behavior event in the suspected attack tendency description distribution of each edge computing service end to be analyzed includes the network attack emphasis target of each visual behavior event under the service session node. To make the suspected attack tendency description distribution more complete and accurate, the network attack emphasis target, under the whole service session process, of the suspected attack tendency description distribution of the edge computing service end to be analyzed needs to be obtained by analysis. Therefore, the change relation between the service session node and the whole service session process needs to be determined according to the attention expression under the whole service session process when the interaction record capture system captured the cloud-edge service interaction record; the network attack emphasis target of each local attack tendency characteristic under the whole service session process is then determined according to the network attack emphasis target of each local attack tendency characteristic under the service session node in the suspected attack tendency description distribution and the change relation between the service session node and the whole service session process.
After the network attack emphasis target of each local attack tendency characteristic under the whole service session process is determined, the depolarized network attack emphasis target of the local attack tendency characteristics under the whole service session process is determined and regarded as the network attack emphasis target, under the whole service session process, of the basic service session of the suspected attack tendency description distribution of the edge computing service end to be analyzed, that is, the attacked target of that suspected attack tendency description distribution under the whole service session process.
In the embodiment of the invention, for the suspected attack tendency description distribution of each edge computing service end to be analyzed, the visual behavior events in the distribution are determined by means of the cloud-edge service interaction records, and the attention expressions of the interaction record capture system differ when it captures the visual sensory service records in the cloud-edge service interaction records. Assuming such differences in attention expression exist, they are carried into the different visual behavior events of the suspected attack tendency description distribution. Therefore, the network attack emphasis theme, under the whole service session process, of the suspected attack tendency description distribution of the edge computing service end to be analyzed is determined by calculating the mean value of the network attack emphasis themes, under the whole service session process, of the plurality of local attack tendency characteristics in that distribution. This weakens, as far as possible, the deviation caused by offsets in the network attack emphasis theme/attention expression of the visual behavior events, and improves the precision and credibility of the network attack emphasis theme, under the whole service session process, of the suspected attack tendency description distribution of each edge computing service end to be analyzed. It thereby provides a credible analysis basis for determining, from the network attack emphasis themes of the edge computing service ends to be analyzed, the network attack emphasis theme under the whole service session process of the suspected attack tendency description distribution of the abnormal cloud edge-side interaction session in which those service ends are located, and ensures the precision and credibility of that determined theme.
Based on the content described in step 103, the network attack analysis method applied to cloud-edge computing according to the embodiment of the present invention may further include the following content.
Step 104, determining the suspected attack tendency description distribution of the abnormal cloud edge-side interaction session according to the suspected attack tendency description distribution of each edge computing service end to be analyzed under the whole service session process and the suspected attack tendency description distribution matched with each edge computing service end to be analyzed.
In the embodiment of the invention, in order to make the analyzed suspected attack tendency description distribution more complete and accurate, the network attack emphasis theme, under the whole service session process, of the suspected attack tendency description distribution of the abnormal cloud edge-side interaction session is determined from the network attack emphasis themes, under the whole service session process, of the suspected attack tendency description distributions of the edge computing service ends to be analyzed in that session.
It can be understood that the current network attack emphasis theme of the network attack emphasis themes, under the whole service session process, of the suspected attack tendency description distributions of the plurality of edge computing service ends to be analyzed in the abnormal cloud edge-side interaction session can be determined, and the current network attack emphasis theme is determined as the network attack emphasis theme of the suspected attack tendency description distribution of the abnormal cloud edge-side interaction session under the whole service session process.
In some examples, determining the network attack emphasis theme of the suspected attack tendency description distribution of the abnormal cloud edge-side interaction session under the whole service session process may be implemented by at least one of the following ideas (6)-(8).
Idea (6): on the premise that the network attack emphasis theme comprises the network attack emphasis time period under the whole service session process, the whole network attack emphasis time period, under the whole service session process, of the suspected attack tendency description distributions of the plurality of edge computing service ends to be analyzed in the abnormal cloud edge-side interaction session can be determined; the whole network attack emphasis time period is regarded as the network attack emphasis time period, under the whole service session process, of the basic service session of the suspected attack tendency description distribution of the abnormal cloud edge-side interaction session.
Idea (7): on the premise that the network attack emphasis theme comprises the network attack emphasis mode under the whole service session process, the global network attack emphasis mode, under the whole service session process, of the suspected attack tendency description distributions of the plurality of edge computing service ends to be analyzed in the abnormal cloud edge-side interaction session can be determined; the global network attack emphasis mode is regarded as the network attack emphasis mode, under the whole service session process, of the basic service session of the suspected attack tendency description distribution of the abnormal cloud edge-side interaction session.
Idea (8): on the premise that the network attack emphasis theme comprises the network attack emphasis target under the whole service session process, the depolarized network attack emphasis target, under the whole service session process, of the suspected attack tendency description distributions of the plurality of edge computing service ends to be analyzed in the abnormal cloud edge-side interaction session can be determined; the depolarized network attack emphasis target is regarded as the network attack emphasis target, under the whole service session process, of the basic service session of the suspected attack tendency description distribution of the abnormal cloud edge-side interaction session, that is, the attacked target of that suspected attack tendency description distribution under the whole service session process.
In the embodiment of the invention, for the suspected attack tendency description distribution of the abnormal cloud edge-side interaction session, the visual behavior events in the distribution are determined by means of the cloud-edge service interaction records, and the attention expressions of the interaction record capture system differ when it captures the visual sensory service records in the cloud-edge service interaction records. Assuming such differences in attention expression exist, they are carried into the different visual behavior events of the suspected attack tendency description distribution. Therefore, the network attack emphasis theme, under the whole service session process, of the suspected attack tendency description distribution of the abnormal cloud edge-side interaction session is determined by calculating the mean value of the network attack emphasis themes, under the whole service session process, of the suspected attack tendency description distributions of the edge computing service ends to be analyzed in that session. This weakens the network attack emphasis theme/attention expression offset of the suspected attack tendency description distributions matched with the edge computing service ends to be analyzed under the whole service session process, and thereby improves the suspected attack tendency description distribution of the abnormal cloud edge-side interaction session under the whole service session process.
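The averaging described in steps 102 to 104 can be made concrete for the emphasis time period alone. The following Python sketch is an added illustration, not code from the patent. The event fields, the constant per-node time offset standing in for the "change relation" between a service session node and the whole service session process, the rule of taking the first H characteristics by position, and the sample data are all assumptions.

```python
"""Added illustration: averaging emphasis time periods (ideas (3) and (6))."""

# Constructed sample events. "pos" is the upstream/downstream position in the
# session, "node" the service session node the event was captured under, and
# "period" its emphasis time period in that node's local time (all assumed).
EVENTS = [
    {"pos": 0, "keyword": "auth", "node": "n1", "period": (0, 10)},
    {"pos": 1, "keyword": "auth", "node": "n1", "period": (4, 14)},
    {"pos": 2, "keyword": "auth", "node": "n1", "period": (8, 18)},
    {"pos": 3, "keyword": "pay", "node": "n2", "period": (10, 20)},
    {"pos": 4, "keyword": "pay", "node": "n2", "period": (30, 40)},
    {"pos": 7, "keyword": "pay", "node": "n1", "period": (50, 60)},
]

# Assumed form of the "change relation": a constant offset that maps a node's
# local time onto the time axis of the whole service session process.
NODE_OFFSET = {"n1": 100, "n2": 200}


def group_by_service_end(events):
    """Step 102: adjacent events sharing a keyword belong to one service end."""
    groups = []
    for ev in sorted(events, key=lambda e: e["pos"]):
        last = groups[-1][-1] if groups else None
        if last and ev["keyword"] == last["keyword"] and ev["pos"] - last["pos"] <= 1:
            groups[-1].append(ev)
        else:
            groups.append([ev])
    return groups


def to_whole_process(event, offsets=NODE_OFFSET):
    """Map a node-local period onto the whole service session process."""
    if event["node"] not in offsets:
        raise ValueError(f"no change relation known for node {event['node']!r}")
    shift = offsets[event["node"]]
    start, end = event["period"]
    return (start + shift, end + shift)


def mean_period(periods):
    """Mean interval: average the starts and the ends separately."""
    if not periods:
        raise ValueError("cannot average an empty set of periods")
    starts = [p[0] for p in periods]
    ends = [p[1] for p in periods]
    return (sum(starts) / len(starts), sum(ends) / len(ends))


def service_end_period(group, h):
    """Step 103, idea (3): screen H characteristics and average their periods."""
    if h <= 0:
        raise ValueError("H must be positive")
    screened = group[:h]  # assumed screening rule: first H by position
    return mean_period([to_whole_process(ev) for ev in screened])


def session_period(events, h):
    """Step 104, idea (6): average the per-service-end periods for the session."""
    groups = group_by_service_end(events)
    return mean_period([service_end_period(g, h) for g in groups])


if __name__ == "__main__":
    for g in group_by_service_end(EVENTS):
        print(g[0]["keyword"], len(g), service_end_period(g, 3))
    print("session:", session_period(EVENTS, 3))
```

Averaging at both levels is what dampens a single event captured under an unusual attention expression: one outlying period shifts the session-level interval by only a fraction of its own offset.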
For some application examples, after the network attack emphasis theme of the suspected attack tendency description distribution of the abnormal cloud edge-side interactive session under the whole service session process is determined, the suspected attack tendency description distribution of the abnormal cloud edge-side interactive session can be determined according to that network attack emphasis theme and the suspected attack tendency description distribution matched with each of the plurality of edge computing service ends to be analyzed.
It can be understood that, in order to make the final suspected attack tendency description distribution of the abnormal cloud edge-side interactive session complete and accurate, an edge computing service end to be analyzed that triggers an attack tendency optimization condition may be determined from the plurality of edge computing service ends to be analyzed, according to the network attack emphasis theme of the suspected attack tendency description distribution of the abnormal cloud edge-side interactive session under the whole service session process and the network attack emphasis theme of the suspected attack tendency description distribution of each edge computing service end to be analyzed under the whole service session process. According to the network attack emphasis theme of the suspected attack tendency description distribution of the abnormal cloud edge-side interactive session under the whole service session process and the network attack emphasis theme of the suspected attack tendency description distribution of the edge computing service end to be analyzed that triggers the attack tendency optimization condition, the suspected attack tendency description distribution of that edge computing service end in the abnormal cloud edge-side interactive session is updated, and the optimized suspected attack tendency description distribution of the edge computing service end to be analyzed that triggers the attack tendency optimization condition is obtained. The suspected attack tendency description distribution of the abnormal cloud edge-side interactive session is then determined according to the optimized suspected attack tendency description distribution of the edge computing service end to be analyzed that triggers the attack tendency optimization condition and the suspected attack tendency description distributions of the edge computing service ends to be analyzed that do not trigger the attack tendency optimization condition. In this way, attention expression error correction is carried out on the suspected attack tendency description distribution of any edge computing service end to be analyzed that has network attack analysis errors in the abnormal cloud edge-side interactive session, and the accuracy and reliability of the attention expression of the determined suspected attack tendency description distribution of the abnormal cloud edge-side interactive session are improved.
It can be understood that the determined suspected attack tendency description distribution of the abnormal cloud edge-side interactive session includes the respective matched suspected attack tendency description distributions and the network attack emphasis theme of the suspected attack tendency description distribution of the abnormal cloud edge-side interactive session under the whole service session process; further, the network attack emphasis theme of the abnormal cloud edge-side interactive session includes the suspected attack tendency description distribution of the abnormal cloud edge-side interactive session under the whole service session process, the network attack tendency description distribution of the basic service session under the whole service session process, and the attack tendency description distribution of the suspected attack tendency description distribution of the abnormal cloud edge-side interactive session.
For a stand-alone embodiment, the idea of a suspected attack tendency description distribution determination can be further illustratively implemented as follows.
Step 301, collecting cloud edge service interaction records corresponding to the target network attack early warning prompt.
Step 302, performing visual behavior event analysis on the abnormal cloud edge-side interactive session according to the cloud edge service interaction record to obtain visual behavior event information of the abnormal cloud edge-side interactive session; the visual behavior event information comprises a plurality of visual behavior events and the upstream and downstream relative relation of each visual behavior event in the abnormal cloud edge-side interactive session.
Step 303, performing an event keyword extraction operation on the visual behavior event information of the abnormal cloud edge-side interactive session to obtain event keywords matched with each of the plurality of visual behavior events in the visual behavior event information of the abnormal cloud edge-side interactive session.
Step 304, determining the suspected attack tendency description distribution matched with each of a plurality of edge computing service ends to be analyzed in the abnormal cloud edge-side interactive session according to the upstream and downstream relative relation of each of the plurality of visual behavior events in the abnormal cloud edge-side interactive session and the event keywords matched with each of the plurality of visual behavior events.
Step 305, for each edge computing service end to be analyzed in the plurality of edge computing service ends to be analyzed, determining a plurality of local attack tendency characteristics matched with the edge computing service end to be analyzed from the suspected attack tendency description distribution of the edge computing service end to be analyzed.
Step 306, according to the suspected attack tendency description distribution of the edge computing service end to be analyzed and the attention expression under the whole service session process when the interaction record capture system captures the cloud edge service interaction record, determining the network attack emphasis theme of each of the plurality of local attack tendency characteristics under the whole service session process; after the network attack emphasis theme of each of the plurality of local attack tendency characteristics under the whole service session process is determined, the process jumps to one of steps 307 to 309.
Step 307, on the premise that the network attack emphasis theme of each of the plurality of local attack tendency characteristics under the whole service session process includes the network attack emphasis time period, determining the overall network attack emphasis time period of the network attack emphasis time periods matched with each of the plurality of local attack tendency characteristics; determining the overall network attack emphasis time period as the network attack emphasis time period of the suspected attack tendency description distribution of the edge computing service end to be analyzed under the whole service session process; after the network attack emphasis time period of the suspected attack tendency description distribution of the edge computing service end to be analyzed under the whole service session process is determined, the process jumps to step 310.
Step 308, on the premise that the network attack emphasis theme of each local attack tendency characteristic under the whole service session process comprises a network attack emphasis mode, determining a global network attack emphasis mode of a network attack emphasis time period matched with each local attack tendency characteristic; determining the overall network attack emphasis time period as the network attack emphasis mode of the suspected attack tendency description distribution of the edge computing service end to be analyzed under the whole service session process; after the network attack emphasis mode of the suspected attack tendency description distribution of the edge computing service end to be analyzed under the whole service session process is determined, the process jumps to step 311.
Step 309, on the premise that the network attack emphasis theme of each of the plurality of local attack tendency characteristics under the whole service session process includes a network attack emphasis target, determining a depolarized network attack emphasis target of a network attack emphasis time period matched with each of the plurality of local attack tendency characteristics; determining the depolarized network attack emphasis target as the network attack emphasis target of the suspected attack tendency description distribution of the edge computing service end to be analyzed under the whole service session process; after the network attack emphasis mode of the suspected attack tendency description distribution of the edge computing service end to be analyzed under the whole service session process is determined, the process jumps to step 312.
Step 310, according to the network attack emphasis time period of the suspected attack tendency description distribution of each edge computing service end to be analyzed under the whole service session process, determining the overall network attack emphasis time period of the network attack emphasis time periods of the suspected attack tendency description distributions of the plurality of edge computing service ends to be analyzed in the abnormal cloud edge-side interactive session under the whole service session process; determining the overall network attack emphasis time period as the network attack emphasis time period of the suspected attack tendency description distribution of the abnormal cloud edge-side interactive session under the whole service session process; after the network attack emphasis time period of the suspected attack tendency description distribution of the abnormal cloud edge-side interactive session under the whole service session process is determined, the process jumps to step 313.
Step 311, according to the suspected attack tendency description distribution of each edge computing service end to be analyzed, determining a global network attack emphasis mode of the network attack emphasis modes of the suspected attack tendency description distributions of the plurality of edge computing service ends to be analyzed in the abnormal cloud edge-side interactive session under the whole service session process; determining the global network attack emphasis mode as the network attack emphasis mode of the suspected attack tendency description distribution of the abnormal cloud edge-side interactive session under the whole service session process; after the network attack emphasis mode of the suspected attack tendency description distribution of the abnormal cloud edge-side interactive session under the whole service session process is determined, the process jumps to step 313.
Step 312, according to the network attack emphasis target of the suspected attack tendency description distribution of each edge computing service end to be analyzed under the whole service session process, determining the depolarized network attack emphasis target of the network attack emphasis targets of the suspected attack tendency description distributions of the plurality of edge computing service ends to be analyzed in the abnormal cloud edge-side interactive session under the whole service session process; determining the depolarized network attack emphasis target as the network attack emphasis target of the suspected attack tendency description distribution of the abnormal cloud edge-side interactive session under the whole service session process; after the network attack emphasis target of the suspected attack tendency description distribution of the abnormal cloud edge-side interactive session under the whole service session process is determined, the process jumps to step 313.
Step 313, determining the suspected attack tendency description distribution of the abnormal cloud edge-side interactive session according to the network attack emphasis time period of the suspected attack tendency description distribution of the abnormal cloud edge-side interactive session under the whole service session process, the network attack emphasis mode of the suspected attack tendency description distribution of the abnormal cloud edge-side interactive session under the whole service session process, the network attack emphasis target of the suspected attack tendency description distribution of the abnormal cloud edge-side interactive session under the whole service session process, and the suspected attack tendency description distribution matched with each of the plurality of edge computing service ends to be analyzed.
Reference may be made to the above for an exemplary description of steps 301-313.
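The aggregation in steps 305 to 313 can be made concrete with the following added Python example, which is not part of the patent. The patent does not define its operators, so these are assumptions: the overall emphasis time period is the span covering all periods, the global emphasis mode is the majority label, the depolarized emphasis target is an element-wise mean, the optimization condition is a mode mismatch or an L1 target distance above a threshold, and the weight update halves the feature weights of a triggering node. All node names and values are constructed.

```python
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass
from statistics import mean


@dataclass
class LocalFeature:
    """One local attack tendency feature of an edge node (step 305)."""
    period: tuple[float, float]   # emphasis time period, seconds into the session
    mode: str                     # emphasis mode label
    target: dict[str, float]      # emphasis target: asset -> share of attention
    weight: float = 1.0           # feature weight, changed by the optimization


def overall_period(periods):
    # Assumption: "overall" period = smallest span covering every period.
    return (min(p[0] for p in periods), max(p[1] for p in periods))


def global_mode(modes):
    # Assumption: "global" mode = majority label, ties broken alphabetically.
    counts = Counter(modes)
    top = max(counts.values())
    return min(m for m, c in counts.items() if c == top)


def depolarized_target(targets):
    # Assumption: "depolarized" target = element-wise mean over all targets.
    keys = sorted({k for t in targets for k in t})
    return {k: mean(t.get(k, 0.0) for t in targets) for k in keys}


def theme(periods, modes, targets):
    return {"period": overall_period(periods),
            "mode": global_mode(modes),
            "target": depolarized_target(targets)}


def node_theme(features):
    """Steps 306-309: emphasis theme of one edge node from its local features."""
    return theme([f.period for f in features],
                 [f.mode for f in features],
                 [f.target for f in features])


def session_theme(node_themes):
    """Steps 310-312: emphasis theme of the session from the node themes."""
    ts = list(node_themes.values())
    return theme([t["period"] for t in ts],
                 [t["mode"] for t in ts],
                 [t["target"] for t in ts])


def target_distance(a, b):
    # L1 distance between two emphasis targets (assumed deviation measure).
    return sum(abs(a.get(k, 0.0) - b.get(k, 0.0)) for k in set(a) | set(b))


def analyze_session(nodes, threshold=1.0, damping=0.5):
    """Step 313 with the optimization condition: returns the session theme,
    the nodes that triggered the condition, and the re-weighted target."""
    themes = {name: node_theme(fs) for name, fs in nodes.items()}
    session = session_theme(themes)
    triggered = sorted(
        name for name, t in themes.items()
        if t["mode"] != session["mode"]
        or target_distance(t["target"], session["target"]) > threshold)
    total, acc = 0.0, {}
    for name, fs in nodes.items():
        factor = damping if name in triggered else 1.0  # weight update
        for f in fs:
            w = f.weight * factor
            total += w
            for k, v in f.target.items():
                acc[k] = acc.get(k, 0.0) + w * v
    final_target = {k: v / total for k, v in sorted(acc.items())}
    return {"session_theme": session, "triggered": triggered,
            "final_target": final_target}


# Constructed sample: three edge nodes of one abnormal session.
SAMPLE_NODES = {
    "platform": [
        LocalFeature((10.0, 40.0), "credential-stuffing", {"auth": 0.75, "storage": 0.25}),
        LocalFeature((30.0, 60.0), "credential-stuffing", {"auth": 0.5, "storage": 0.5}),
    ],
    "terminal": [
        LocalFeature((20.0, 50.0), "credential-stuffing", {"auth": 0.75, "storage": 0.25}),
    ],
    "robot": [
        LocalFeature((45.0, 90.0), "command-injection", {"control": 1.0}),
    ],
}

if __name__ == "__main__":
    print(analyze_session(SAMPLE_NODES))
```

With the sample data, only the node whose mode disagrees with the session-level mode triggers the condition, and its share of the final emphasis target shrinks accordingly.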
For an independently implementable embodiment, after determining the suspected attack tendency description distribution of the abnormal cloud edge-side interactive session, the method may comprise the following: determining an overall network attack evaluation result through the suspected attack tendency description distribution of the abnormal cloud edge-side interactive session; and generating an attack protection coping scheme for the abnormal cloud edge-side interactive session based on the overall network attack evaluation result.
In the embodiment of the invention, because the suspected attack tendency description distribution of the abnormal cloud edge-side interactive session covers a wider attention angle, the loss caused by the network attack suffered by the interactive session can be evaluated completely, and a targeted attack protection coping scheme is generated according to the corresponding overall network attack evaluation result.
For an independently implementable embodiment, determining the overall network attack evaluation result through the suspected attack tendency description distribution of the abnormal cloud edge-side interactive session may include the following: determining loss evaluation information corresponding to each stage type network attack based on the suspected attack tendency description distribution of the abnormal cloud edge-side interactive session; based on the relevance of at least part of the stage type network attacks, fusing the loss evaluation information corresponding to at least part of the stage type network attacks to obtain fused evaluation information; and obtaining an overall network attack evaluation result based on the fused evaluation information and the loss evaluation information that has not been fused.
Therefore, by considering the time-space domain relevance of at least part of stage type network attacks, the fusion analysis of part of loss evaluation information can be realized, and the integrity and the accuracy of the obtained overall network attack evaluation result are ensured.
For an independently implementable embodiment, determining loss evaluation information corresponding to each stage type network attack based on the suspected attack tendency description distribution of the abnormal cloud edge-side interactive session may include the following: acquiring the attack tendency distribution information and the attack event characteristics of the suspected attack tendency description distribution of the abnormal cloud edge-side interactive session; on the basis of determining, according to the attack tendency distribution information, that the suspected attack tendency description distribution of the abnormal cloud edge-side interactive session contains a secondary attack tendency, determining, according to the attack event characteristics under the secondary attack tendency of the prior attack tendency description distributions of a plurality of reference sessions and their attack tendency annotations, a common index between each attack event characteristic under the key attack tendency of the suspected attack tendency description distribution of the abnormal cloud edge-side interactive session and each attack event characteristic under the secondary attack tendency of that distribution, and transferring those attack event characteristics of the suspected attack tendency description distribution of the abnormal cloud edge-side interactive session that are similar to the attack event characteristics under the secondary attack tendency to the corresponding secondary attack tendency; on the basis that the current key attack tendency of the suspected attack tendency description distribution of the abnormal cloud edge-side interactive session contains a plurality of attack event characteristics, determining, according to the attack event characteristics under the prior attack tendency of the plurality of reference sessions and their attack tendency annotations, a common index among the attack event characteristics under the current key attack tendency of the suspected attack tendency description distribution of the abnormal cloud edge-side interactive session, and performing feature analysis on the attack event characteristics under the current key attack tendency according to the common index among the attack event characteristics; adding a secondary attack tendency annotation to each cluster of attack event characteristics obtained by the feature analysis according to the attack event characteristics under the secondary attack tendency of the prior attack tendency description distributions of the plurality of reference sessions and their attack tendency annotations, and transferring each cluster of attack event characteristics to the secondary attack tendency corresponding to the secondary attack tendency annotation; and determining loss evaluation information corresponding to each stage type network attack based on the attack event characteristics under the key attack tendency.
In the embodiment of the invention, the attack event characteristics under different attack tendencies can be classified and adjusted in advance, and the loss evaluation information corresponding to each stage type network attack is then determined according to the attack event characteristics under the key attack tendency, so that the more important attack tendencies can be focused on, limited server resources are used effectively, and the efficiency of determining the loss evaluation information corresponding to each stage type network attack is improved.
Based on the same inventive concept, Fig. 2 shows a block diagram of a network attack analysis apparatus applied to cloud edge computing according to an embodiment of the present invention, and the network attack analysis apparatus applied to cloud edge computing may include the following modules for implementing the relevant method steps shown in Fig. 1.
The record collection module 210 is configured to collect a cloud edge service interaction record corresponding to the target network attack early warning prompt.
The description obtaining module 220 is configured to determine, according to the cloud edge service interaction record, the suspected attack tendency description distribution matched with each of the multiple edge computing service ends to be analyzed in the abnormal cloud edge-side interactive session.
The theme determining module 230 is configured to determine, for each edge computing service end to be analyzed in the multiple edge computing service ends to be analyzed, the network attack emphasis theme of the suspected attack tendency description distribution of the edge computing service end to be analyzed under the whole service session process.
The session analysis module 240 is configured to determine the suspected attack tendency description distribution of the abnormal cloud edge-side interactive session according to the network attack emphasis theme of the suspected attack tendency description distribution of each edge computing service end to be analyzed under the whole service session process and the suspected attack tendency description distribution matched with each of the plurality of edge computing service ends to be analyzed.
The embodiments of the invention can achieve the following technical effects: the network attack emphasis theme of the suspected attack tendency description distribution of each edge computing service end to be analyzed under the whole service session process is determined through the determined suspected attack tendency description distribution matched with each edge computing service end to be analyzed in the abnormal cloud edge-side interactive session; by means of the network attack emphasis theme of the suspected attack tendency description distribution of each edge computing service end to be analyzed under the whole service session process, the suspected attack tendency description distribution of the abnormal cloud edge-side interactive session can be determined on at least one network attack emphasis theme/attention expression level, the network attack emphasis theme/attention expression offset of the suspected attack tendency description distribution of the edge computing service end to be analyzed is weakened, network attack analyses from different angles are enriched as much as possible, the integrity, accuracy and reliability of the obtained suspected attack tendency description distribution of the abnormal cloud edge-side interactive session are guaranteed, and omissions in the suspected attack tendency description distribution of the abnormal cloud edge-side interactive session on an individual analysis level are avoided.
The foregoing is only illustrative of the present invention. Those skilled in the art will appreciate that various modifications and substitutions can be made based on the specific embodiments of the present invention, and such modifications and substitutions are intended to fall within the scope of the present invention.

Claims (8)

1. A network attack analysis method applied to cloud side-end computing is characterized by being applied to a cloud server, and the method comprises the following steps:
collecting cloud edge service interaction records corresponding to the target network attack early warning prompt; the cloud edge service interaction record covers a visual sense service record or a mixed sense service record obtained by performing interaction record capture on the abnormal cloud edge-side interactive session;
according to the cloud edge service interaction record, determining the suspected attack tendency description distribution matched with each of a plurality of edge computing service ends to be analyzed in the abnormal cloud edge-side interactive session; for each edge computing service end to be analyzed in the edge computing service ends to be analyzed, determining the network attack emphasis theme of the suspected attack tendency description distribution of the edge computing service end to be analyzed under the whole service session process;
determining the suspected attack tendency description distribution of the abnormal cloud edge-side interactive session according to the network attack emphasis theme of the suspected attack tendency description distribution of each edge computing service end to be analyzed under the whole service session process and the suspected attack tendency description distribution matched with each edge computing service end to be analyzed;
wherein the determining the suspected attack tendency description distribution of the abnormal cloud edge-side interactive session according to the network attack emphasis theme of the suspected attack tendency description distribution of each edge computing service end to be analyzed under the whole service session process and the suspected attack tendency description distribution matched with each edge computing service end to be analyzed comprises: determining the current network attack emphasis theme of the network attack emphasis themes of the suspected attack tendency description distributions of the plurality of edge computing service ends to be analyzed in the abnormal cloud edge-side interactive session under the whole service session process; determining the current network attack emphasis theme as the network attack emphasis theme of the suspected attack tendency description distribution of the abnormal cloud edge-side interactive session under the whole service session process; determining the suspected attack tendency description distribution of the abnormal cloud edge-side interactive session according to the network attack emphasis theme of the suspected attack tendency description distribution of the abnormal cloud edge-side interactive session under the whole service session process and the suspected attack tendency description distribution matched with each of the plurality of edge computing service ends to be analyzed;
the determining the suspected attack tendency description distribution of the abnormal cloud edge-side interactive session according to the network attack emphasis theme of the suspected attack tendency description distribution of the abnormal cloud edge-side interactive session under the whole service session process and the suspected attack tendency description distribution matched with the edge computing service ends to be analyzed includes: determining, from the edge computing service ends to be analyzed, the edge computing service end to be analyzed that triggers an attack tendency optimization condition, according to the network attack emphasis theme of the suspected attack tendency description distribution of the abnormal cloud edge-side interactive session under the whole service session process and the network attack emphasis theme of the suspected attack tendency description distribution of each edge computing service end to be analyzed under the whole service session process; according to the network attack emphasis theme of the suspected attack tendency description distribution of the abnormal cloud edge-side interactive session under the whole service session process and the network attack emphasis theme, under the whole service session process, of the suspected attack tendency description distribution corresponding to the edge computing service end to be analyzed that triggers the attack tendency optimization condition, updating the relative relationship and/or the characteristic weight of the suspected attack tendency description distribution of the edge computing service end to be analyzed that triggers the attack tendency optimization condition in the abnormal cloud edge-side interactive session, and obtaining the optimized suspected attack tendency description distribution of the edge computing service end to be analyzed that triggers the attack tendency optimization condition; and determining the suspected attack tendency description distribution of the abnormal cloud edge-side interactive session according to the optimized suspected attack tendency description distribution of the edge computing service end to be analyzed that triggers the attack tendency optimization condition and the suspected attack tendency description distribution of the edge computing service end to be analyzed that does not trigger the attack tendency optimization condition.
2. The method according to claim 1, wherein the determining, according to the cloud edge service interaction record, the suspected attack tendency description distribution matched with each of a plurality of edge computing service ends to be analyzed in the abnormal cloud edge-side interactive session includes:
performing visual behavior event analysis on the abnormal cloud edge-side interactive session according to the cloud edge service interaction record to obtain visual behavior event information of the abnormal cloud edge-side interactive session; the visual behavior event information comprises a plurality of visual behavior events and the upstream and downstream relative relation of each visual behavior event in the abnormal cloud edge-side interactive session;
performing an event keyword extraction operation on the visual behavior event information to obtain event keywords matched with the visual behavior events respectively;
according to the visual behavior event information and the event keywords matched with the visual behavior events respectively, determining the suspected attack tendency description distribution matched with each of the edge computing service ends to be analyzed in the abnormal cloud edge-side interactive session.
3. The method of claim 2, wherein the edge computing service end to be analyzed comprises one or more of the following: a service platform system corresponding to the abnormal cloud edge-side interactive session, a portable digital terminal accessing the abnormal cloud edge-side interactive session, and an intelligent robot corresponding to the abnormal cloud edge-side interactive session; wherein the network attack emphasis theme comprises one or more of the following: the network attack emphasis time period, the network attack emphasis mode and the network attack emphasis target under the whole service session process.
4. The method according to claim 1, wherein the determining, for each of the edge computing service ends to be analyzed, the network attack emphasis theme of the suspected attack tendency description distribution of the edge computing service end to be analyzed under the whole service session process includes:
for each edge computing service end to be analyzed in the plurality of edge computing service ends to be analyzed, determining a plurality of local attack tendency characteristics matched with the edge computing service end to be analyzed from the suspected attack tendency description distribution of the edge computing service end to be analyzed;
and determining the network attack emphasis theme of the suspected attack tendency description distribution of the edge computing service end to be analyzed under the whole service session process according to the attention expressions of the local attack tendency characteristics under the whole service session process.
5. The method of claim 4, wherein the network attack emphasis theme comprises a network attack emphasis time period under the whole service session process; the determining, according to the attention expressions of the local attack tendency characteristics under the whole service session process, the network attack emphasis theme of the suspected attack tendency description distribution of the edge computing service end to be analyzed under the whole service session process includes:
determining the network attack emphasis time period of each of the plurality of local attack tendency characteristics under the whole service session process according to the suspected attack tendency description distribution and the attention expression under the whole service session process when the interaction record capture system captures the cloud edge service interaction record;
determining the overall network attack emphasis time period of the network attack emphasis time periods matched with the local attack tendency characteristics respectively;
and determining the overall network attack emphasis time period as the network attack emphasis time period of the suspected attack tendency description distribution of the edge computing service end to be analyzed under the whole service session process.
6. The method of claim 5, wherein the network attack emphasis theme comprises a network attack emphasis mode; the determining, according to the attention expressions of the local attack tendency characteristics under the whole service session process, the network attack emphasis theme of the suspected attack tendency description distribution of the edge computing service end to be analyzed under the whole service session process includes:
determining a network attack side-weight mode matched with each of the local attack tendency characteristics according to the suspected attack tendency description distribution and the attention expression under the whole service session process when the interaction record capturing system captures the cloud edge service interaction record;
determining a global network attack emphasis mode of the network attack emphasis modes matched with the local attack tendency characteristics respectively;
and determining the global network attack side-load mode as a network attack side-load mode of which the suspected attack tendency of the edge computing service end to be analyzed describes and distributes under the whole service session process.
7. The method of claim 6, wherein the network attack emphasis theme comprises a network attack emphasis target; the determining, according to the attention expressions of the local attack tendency characteristics under the overall service session process, a suspected attack tendency description of the edge computing service end to be analyzed distributed on a network attack emphasis theme under the overall service session process includes:
determining a network attack emphasis target matched with each of the local attack tendency characteristics according to the suspected attack tendency description distribution and the attention expression under the overall service session process when the interaction record capturing system captures the cloud edge service interaction record;
determining a depolarization network attack emphasis target from the network attack emphasis targets respectively matched with the local attack tendency characteristics;
and determining the depolarization network attack emphasis target as the network attack emphasis target on which the suspected attack tendency description of the edge computing service end to be analyzed is distributed under the overall service session process.
8. A cloud server, comprising: a memory and a processor; the memory and the processor are coupled; the memory for storing computer program code, the computer program code comprising computer instructions; wherein the computer instructions, when executed by the processor, cause the cloud server to perform the method of any of claims 1-7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210386658.5A CN114785579B (en) 2022-04-14 2022-04-14 Network attack analysis method and server applied to cloud side-end computing

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210386658.5A CN114785579B (en) 2022-04-14 2022-04-14 Network attack analysis method and server applied to cloud side-end computing

Publications (2)

Publication Number Publication Date
CN114785579A (en) 2022-07-22
CN114785579B (en) 2022-11-25

Family

ID=82429109

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210386658.5A Active CN114785579B (en) 2022-04-14 2022-04-14 Network attack analysis method and server applied to cloud side-end computing

Country Status (1)

Country Link
CN (1) CN114785579B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101803305A (en) * 2007-09-28 2010-08-11 日本电信电话株式会社 Network monitoring device, network monitoring method, and network monitoring program
CN110868403A (en) * 2019-10-29 2020-03-06 泰康保险集团股份有限公司 Method and equipment for identifying advanced persistent Attack (APT)

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP6786960B2 (en) * 2016-08-26 2020-11-18 富士通株式会社 Cyber attack analysis support program, cyber attack analysis support method and cyber attack analysis support device
US11641365B2 (en) * 2019-10-10 2023-05-02 Honeywell International Inc. Hybrid intrusion detection model for cyberattacks in avionics internet gateways using edge analytics
CN110740143B (en) * 2019-11-22 2020-11-17 南京邮电大学 Network attack emergency coping method based on attack tracing
CN110868326B (en) * 2019-11-27 2022-07-19 武汉虹旭信息技术有限责任公司 Network service quality analysis method, edge device and central server
CN113452651B (en) * 2020-03-24 2022-10-21 百度在线网络技术(北京)有限公司 Network attack detection method, device, equipment and storage medium
CN112887326A (en) * 2021-02-23 2021-06-01 昆明理工大学 Intrusion detection method based on edge cloud cooperation
CN113709114A (en) * 2021-08-05 2021-11-26 浪潮云信息技术股份公司 Edge node safety monitoring method under edge computing scene
CN113949577A (en) * 2021-10-19 2022-01-18 广州酷风技术开发有限公司 Data attack analysis method applied to cloud service and server

Also Published As

Publication number Publication date
CN114785579A (en) 2022-07-22

Similar Documents

Publication Publication Date Title
Horsman et al. A case-based reasoning method for locating evidence during digital forensic device triage
CN109587125B (en) Network security big data analysis method, system and related device
Kotenko et al. Systematic literature review of security event correlation methods
CN112165462A (en) Attack prediction method and device based on portrait, electronic equipment and storage medium
CN103905440A (en) Network security situation awareness analysis method based on log and SNMP information fusion
CN112560029A (en) Website content monitoring and automatic response protection method based on intelligent analysis technology
Faiella et al. Enriching Threat Intelligence Platforms Capabilities.
CN111934954A (en) Broadband detection method and device, electronic equipment and storage medium
Salah et al. Fusing information from tickets and alerts to improve the incident resolution process
CN106961441B (en) User dynamic access control method for Hadoop cloud platform
Angelini et al. An attack graph-based on-line multi-step attack detector
Las-Casas et al. A big data architecture for security data and its application to phishing characterization
Li et al. Distributed threat intelligence sharing system: a new sight of P2P botnet detection
de Riberolles et al. Anomaly detection for ICS based on deep learning: a use case for aeronautical radar data
CN114785579B (en) Network attack analysis method and server applied to cloud side-end computing
Sen et al. Towards an approach to contextual detection of multi-stage cyber attacks in smart grids
CN115659351B (en) Information security analysis method, system and equipment based on big data office
CN115706669A (en) Network security situation prediction method and system
Tse et al. Risks facing smart city information security in Hangzhou
CN112733170A (en) Active trust evaluation method based on evidence sequence extraction
CN115168828A (en) Account security login method and device and electronic equipment
Pina Automatic detection of anomalous user access patterns to sensitive data
Nucci et al. Artificial intelligence against disinformation: the fandango practical case
Liao et al. Evidential reasoning for forensic readiness
Ghosh et al. Catching Lies in the Act: A Framework for Early Misinformation Detection on Social Media

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20220915

Address after: No. 85, Guangshun Street, Taoshan District, Qitaihe City, Heilongjiang Province, 154600

Applicant after: Liu Qiang

Address before: 154600 No.4 Caiyun street, Taonan Street (Baisheng era), Taoshan District, Qitaihe City, Heilongjiang Province

Applicant before: Qitaihe dabulu Network Technology Co.,Ltd.

TA01 Transfer of patent application right

Effective date of registration: 20221107

Address after: 350003 Standard Factory Building C, Community A, Science and Technology Industrial Park, Fuzhou Economic and Technological Development Zone, Fujian Province

Applicant after: Fujian Shida Group Co.,Ltd.

Address before: No. 85, Guangshun Street, Taoshan District, Qitaihe City, Heilongjiang Province, 154600

Applicant before: Liu Qiang

GR01 Patent grant