CN114826707B - Method, apparatus, electronic device and computer readable medium for handling user threats - Google Patents


Info

Publication number
CN114826707B
Authority
CN
China
Legal status
Active
Application number
CN202210387010.XA
Other languages
Chinese (zh)
Other versions
CN114826707A (en)
Inventor
孙小双
熊达鹏
王宇
钱克昌
陈倩
朱诗兵
Current Assignee
Peoples Liberation Army Strategic Support Force Aerospace Engineering University
Original Assignee
Peoples Liberation Army Strategic Support Force Aerospace Engineering University

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

Embodiments of the present disclosure disclose a method, apparatus, electronic device, and computer-readable medium for handling user threats. One embodiment of the method comprises: acquiring target user information; determining the behavior characteristics of the target user according to the target user information; determining feature importance of the behavior feature; constructing an event chain of the target user according to the feature importance; determining the threat type of a target user according to the event chain; and processing the target user according to the threat type. The implementation method effectively utilizes the behavior characteristics of the users, realizes the screening of abnormal users and the behavior characteristic analysis of the abnormal users, and reduces the possibility of internal threats.

Description

Method, apparatus, electronic device and computer readable medium for handling user threats
Technical Field
Embodiments of the present disclosure relate to the field of computer technologies, and in particular, to a method, an apparatus, an electronic device, and a computer-readable medium for handling a user threat.
Background
In the field of network security, a continuously evolving threat environment creates ever more complex attack scenarios, and the concept of the attack chain has become deeply rooted. An attack chain, as a defensive way of thinking, divides an attack into multiple attack phases, with each phase containing multiple different malicious activities.
The existing insider threat detection technology mainly comprises data preprocessing, feature vector generation, anomaly detection and the like. However, such a detection process can only screen out abnormal users and lacks a specific analysis of the users' operational behaviors, so that the insider threat detection result is not explainable.
Disclosure of Invention
This summary is provided to introduce a selection of concepts in a simplified form that are further described below in the detailed description. This summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter.
Some embodiments of the present disclosure propose methods, apparatuses, electronic devices and computer readable media for handling user threats to solve the technical problems mentioned in the background section above.
In a first aspect, some embodiments of the present disclosure provide a method for handling a user threat, the method comprising: acquiring target user information; determining the behavior characteristics of the target user according to the target user information; determining the feature importance of the behavior features; constructing an event chain of the target user according to the feature importance; determining the threat type of the target user according to the event chain; and processing the target user according to the threat type.
In a second aspect, some embodiments of the present disclosure provide an apparatus for handling user threats, the apparatus comprising: an acquisition unit configured to acquire target user information; a first determining unit configured to determine behavior characteristics of a target user according to the target user information; a second determination unit configured to determine a feature importance of the behavior feature; a construction unit configured to construct an event chain of the target user according to the feature importance; a third determining unit configured to determine a threat type of the target user according to the event chain; and the processing unit is configured to process the target user according to the threat type.
In a third aspect, an embodiment of the present application provides an electronic device, the electronic device including: one or more processors; and storage means for storing one or more programs, which, when executed by the one or more processors, cause the one or more processors to implement the method as described in any implementation of the first aspect.
In a fourth aspect, the present application provides a computer readable medium, on which a computer program is stored, and the computer program, when executed by a processor, implements the method as described in any implementation manner of the first aspect.
One of the above-described various embodiments of the present disclosure has the following advantageous effects: the method comprises the steps of determining behavior characteristics of a target user by obtaining information of the target user, determining feature importance of the behavior characteristics, further constructing an event chain of the target user according to the determined feature importance, determining a threat type of the target user according to the event chain, and finally processing the target user based on the threat type. Therefore, the behavior characteristics of the users are effectively utilized, the screening of abnormal users and the behavior characteristic analysis of the abnormal users are realized, and the possibility of internal threats is reduced.
Drawings
The above and other features, advantages and aspects of various embodiments of the present disclosure will become more apparent by referring to the following detailed description when taken in conjunction with the accompanying drawings. Throughout the drawings, the same or similar reference numbers refer to the same or similar elements. It should be understood that the drawings are schematic and that elements are not necessarily drawn to scale.
FIG. 1 is a schematic diagram of one application scenario of a method of handling user threats according to some embodiments of the present disclosure;
FIG. 2 is a flow diagram of some embodiments of a method of handling user threats according to the present disclosure;
FIG. 3 is an example diagram of a feature evaluation model structure, according to some embodiments of the present disclosure;
FIG. 4 is a schematic block diagram view of some embodiments of a device for handling user threats according to the present disclosure;
FIG. 5 is a schematic structural diagram of an electronic device suitable for use in implementing some embodiments of the present disclosure.
Detailed Description
Embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While certain embodiments of the present disclosure are shown in the drawings, it is to be understood that the disclosure may be embodied in various forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete. It should be understood that the drawings and embodiments of the disclosure are for illustration purposes only and are not intended to limit the scope of the disclosure.
It should be noted that, for convenience of description, only the portions related to the related invention are shown in the drawings. The embodiments and features of the embodiments in the present disclosure may be combined with each other without conflict.
It should be noted that the terms "first", "second", and the like in the present disclosure are only used for distinguishing different devices, modules or units, and are not used for limiting the order or interdependence of the functions performed by the devices, modules or units.
It is noted that references to "a" or "an" in this disclosure are intended to be illustrative rather than limiting, and that those skilled in the art will appreciate that references to "one or more" are intended to be exemplary and not limiting unless the context clearly indicates otherwise.
The names of messages or information exchanged between devices in the embodiments of the present disclosure are for illustrative purposes only, and are not intended to limit the scope of the messages or information.
The present disclosure will be described in detail below with reference to the accompanying drawings in conjunction with embodiments.
FIG. 1 is a schematic diagram of one application scenario of a method of handling user threats according to some embodiments of the present disclosure.
As shown in fig. 1, an executing agent server 101 may obtain target user information 102, then determine behavior characteristics 103 of a target user according to the target user information 102, then determine characteristic importance 104 of the behavior characteristics 103, then construct an event chain 105 of the target user according to the characteristic importance 104, then determine a threat type 106 of the target user according to the event chain 105, and finally process the target user according to the threat type.
It is understood that the method for handling user threats may be executed by a terminal device or by the server 101, and the execution subject of the method may also be a device formed by integrating the terminal device and the server 101 through a network, or various software programs. The terminal device may be any of various electronic devices with information processing capability, including but not limited to a smart phone, a tablet computer, an e-book reader, a laptop computer, a desktop computer, and the like. The execution subject may also be embodied as the server 101, software, or the like. When the execution subject is software, the software can be installed in the electronic devices listed above. It may be implemented, for example, as multiple pieces of software or software modules providing distributed services, or as a single piece of software or software module. This is not particularly limited herein.
It should be understood that the number of servers in fig. 1 is merely illustrative. There may be any number of servers, as desired for implementation.
With continued reference to fig. 2, a flow 200 of some embodiments of a method of handling user threats according to the present disclosure is shown. The method for processing the user threat comprises the following steps:
step 201, obtaining target user information.
In some embodiments, the execution subject of the method for handling user threats (e.g., the server shown in fig. 1) may obtain the target user information through a wired connection or a wireless connection. It is noted that the wireless connection means may include, but is not limited to, a 3G/4G connection, a WiFi connection, a bluetooth connection, a WiMAX connection, a Zigbee connection, a UWB (ultra wideband) connection, and other wireless connection means now known or developed in the future.
Here, the target user generally refers to a user whose behavior is abnormal.
Step 202, determining the behavior characteristics of the target user according to the target user information.
In some embodiments, based on the target user information obtained in step 201, the execution subject (e.g., the server shown in fig. 1) may determine the behavior characteristics of the target user. Here, the target user information generally refers to behavior log information of the target user.
As an example, the execution subject may perform feature extraction from the behavior log information of the target user to obtain a behavior feature. Here, the behavior characteristics generally include information such as a time domain, a behavior domain, a device, an operation, and an attribute. There are various ways of extracting the above features, which are not described herein again.
In step 203, the feature importance of the behavior feature is determined.
In some embodiments, the execution subject may determine the feature importance of the behavior feature. Here, the feature importance generally refers to the degree of importance assigned to the behavior feature. The importance of a behavior feature may be judged in various ways; the judgment criterion may be, for example, the occurrence frequency or the occurrence time of the behavior feature.
In some alternative implementations of some embodiments, the characteristic importance of the behavior feature is determined according to the following formula:
Figure BDA0003593795980000051
where S represents the feature importance of the behavior feature; ω represents the weight of the behavior feature; the subscript s of ω denotes the s-th behavior feature; q represents the number of neurons in the first hidden layer; k is a preset parameter taking values from 1 to q; and Var(ω_{s,k}) represents the weight running variance of the behavior feature.
Here, the above weight running variance may be determined by the following formula:
Figure BDA0003593795980000052
where x_n represents the n-th sample,
Figure BDA0003593795980000053
represents the sample sequence x_1, x_2, …, x_n of length n, n represents the number of samples, and d_n^2 represents a corrected sum of squares, determined according to the following equation:
Figure BDA0003593795980000054
where S_n^2 represents the sample variance, determined according to the following equation:
Figure BDA0003593795980000055
in some optional implementations of some embodiments, the weight of the behavior feature may be determined according to the following steps: and inputting the behavior characteristics into a pre-trained characteristic evaluation model to obtain the weight of the behavior characteristics. As an example, the above-described feature evaluation model may be a neural network model composed of the structure shown in fig. 3.
In some optional implementations of some embodiments, the feature evaluation model is trained according to the following steps: acquiring a training sample set, wherein the training sample set comprises sample behavior characteristics and sample characteristic importance corresponding to the sample behavior characteristics; inputting the sample behavior characteristics into a model to be trained to obtain characteristic importance; comparing the feature importance with the sample feature importance to obtain a comparison result, and determining a loss value of the comparison result; judging whether the model to be trained is trained or not according to the loss value of the comparison result; and if the training of the model to be trained is judged to be finished, determining the model to be trained as a feature evaluation model.
In some optional implementation manners of some embodiments, in response to determining that the model to be trained is not trained, the executing entity may further adjust relevant parameters in the model to be trained, and repeat the training process.
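The weight running variance described above (running mean, corrected sum of squares d_n^2 and sample variance S_n^2) can be maintained incrementally over the weight trajectory of a training run. The following is an added example, not code from the patent: the patent's formula images are not reproduced here, so the aggregation of Var(ω_{s,k}) over the q first-hidden-layer neurons into the importance S is an assumption (a plain sum), and the weight histories are constructed data.

```python
"""Running variance of a behavior feature's first-hidden-layer weights and the
resulting feature importance. Added example; the sum over k is an assumption."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class RunningVariance:
    """Tracks the mean, the corrected sum of squares d_n^2 and the sample
    variance S_n^2 of a stream x_1, ..., x_n without storing the stream
    (Welford's single-pass update)."""
    n: int = 0
    mean: float = 0.0
    d2: float = 0.0  # corrected sum of squares d_n^2

    def update(self, x: float) -> None:
        self.n += 1
        delta = x - self.mean            # x_n - mean_{n-1}
        self.mean += delta / self.n      # mean_n
        # d_n^2 = d_{n-1}^2 + (x_n - mean_{n-1}) * (x_n - mean_n)
        self.d2 += delta * (x - self.mean)

    @property
    def variance(self) -> float:
        """Sample variance S_n^2 = d_n^2 / (n - 1); 0 for fewer than two samples."""
        return self.d2 / (self.n - 1) if self.n > 1 else 0.0


def feature_importance(weight_history: List[List[float]]) -> float:
    """Importance S of one behavior feature s.

    weight_history[t][k] is the weight w_{s,k} connecting feature s to neuron k
    of the first hidden layer after training step t, so len(weight_history[0])
    is q. Each neuron's weight trajectory is fed through its own running
    variance; S is the (assumed) sum of Var(w_{s,k}) over k = 1..q.
    A weight that never moves during training contributes nothing.
    """
    q = len(weight_history[0])
    trackers = [RunningVariance() for _ in range(q)]
    for step in weight_history:
        for k, w in enumerate(step):
            trackers[k].update(w)
    return sum(t.variance for t in trackers)


def rank_features(histories: Dict[str, List[List[float]]]) -> List[Tuple[str, float]]:
    """Rank behavior features by importance, highest first; the top entry is
    the candidate 'target behavior feature' used when building the event chain."""
    scored = [(name, feature_importance(h)) for name, h in histories.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    # Constructed weight trajectories (3 training steps, q = 2 neurons each).
    constructed = {
        "usb_plug_events": [[1.0, 0.5], [3.0, 0.5], [5.0, 0.5]],
        "email_sent": [[0.3, 0.3], [0.3, 0.3], [0.3, 0.3]],
    }
    for name, score in rank_features(constructed):
        print(f"{name}: S = {score:.3f}")
```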
Step 204, constructing an event chain of the target user according to the feature importance.
In some embodiments, the execution subject may construct the event chain of the target user according to the feature importance. Here, an event chain generally refers to a chain in which a plurality of events are the nodes and the logical relationships between those events are the lines. By way of example, the event chain may be composed of a node A (event 1: browsing websites unrelated to work on device A during working hours), a node B (event 2: plugging and unplugging a storage device on device A during working hours), and a logical relationship (behavior that had not occurred before the user began to exhibit it, i.e., the user may pose a data leakage risk by using a removable storage device and uploading or downloading data to certain websites).
In some optional implementations of some embodiments, the execution subject may determine the target behavior feature from the behavior features according to the feature importance. As an example, the execution subject may select a behavior feature with the highest feature importance as the target behavior feature.
The target behavior feature is compared with a preset target feature to obtain a comparison result. Here, the preset target feature generally refers to a previous historical behavior feature of the target user. Various comparison methods are possible; as an example, the feature importance of the target behavior feature and of the target feature may be compared, or their number and frequency of occurrences may be compared.
In response to the comparison result meeting a preset condition, a node is established according to the target behavior feature. Here, the preset condition generally means that the comparison result shows a large difference or a low similarity. An event chain of the target user is then generated from the nodes.
In some optional implementations of some embodiments, the execution subject may detect whether there are at least two nodes having a dependency relationship among the nodes. As an example, the dependency relationship may be a time similarity, an IP address similarity, an occurrence precedence relationship, or the like, between the events in the nodes.
In response to there being at least two nodes with a dependency relationship, the logical association of the at least two nodes is determined. By way of example, the logical association may be a causal relationship in which the event in node A in turn gives rise to the event in node B, or an association relationship in which the event in node A and the event in node B occur simultaneously, or the like.
A connection relationship between the at least two nodes is established according to their logical association. As an example, the connection relationship may be a causal relationship expressed by an arrow, an association relationship expressed by a connecting line, or the like. The event chain of the target user is then generated from the nodes and the connection relationships.
Step 205, determining the threat type of the target user according to the event chain.
In some embodiments, the execution subject may determine the threat type of the target user based on the event chain constructed in step 204. As an example, the execution subject may store in advance at least one sample event chain together with the threat type corresponding to it, look up a similar sample event chain in the stored database using the event chain constructed in step 204, and use the threat type corresponding to that sample event chain as the threat type of the target user.
Step 206, processing the target user according to the threat type.
In some embodiments, the execution subject may process the target user according to the threat type. Here, there are various manners of processing. As examples, the processing may be disabling the network connection of the target user, revoking the target user's permissions, or monitoring the behavior of the target user, etc. As an example, when the threat type is a light threat, the execution subject may monitor the target user, and when the threat type is a moderate threat, the execution subject may revoke the target user's permissions.
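Steps 204 to 206 as one small detection pipeline, given here as an added example rather than the patent's own code: nodes are created for high-importance features whose current count differs strongly from the user's own history, linked by time, IP and precedence dependencies, matched against stored sample chains to obtain a threat type, and mapped to a response. The feature names, baseline counts, thresholds, window size and sample chains are all constructed for illustration.

```python
"""Event-chain construction, threat typing and response (steps 204-206).
Added example with constructed data; not the patent's implementation."""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Feature:
    """One extracted behavior feature of the target user, with its importance."""
    name: str
    importance: float
    count: int   # occurrences in the current observation window
    hour: int    # hour of day in which the behavior clustered
    ip: str      # source address from which the behavior was seen


@dataclass(frozen=True)
class Node:
    event: str
    hour: int
    ip: str


Edge = Tuple[str, str, str]  # (event, relation, event)


def build_nodes(features: List[Feature], baseline: Dict[str, int],
                min_importance: float, ratio: float = 3.0) -> List[Node]:
    """Take features in order of importance, compare each with the user's own
    historical count (the preset target feature) and create a node when the
    difference is large; the preset condition assumed here is 'at least
    `ratio` times the baseline' (a zero baseline is treated as one)."""
    nodes = []
    for f in sorted(features, key=lambda f: f.importance, reverse=True):
        if f.importance < min_importance:
            break
        if f.count >= ratio * max(baseline.get(f.name, 0), 1):
            nodes.append(Node(f.name, f.hour, f.ip))
    return nodes


def link_nodes(nodes: List[Node], window_hours: int = 2) -> List[Edge]:
    """Detect dependencies (same IP, time similarity, precedence) and turn
    them into connections: 'causes' when one event precedes the other inside
    the window (an arrow), 'with' when both fall in the same hour (a line)."""
    edges = []
    for a, b in combinations(nodes, 2):
        gap = b.hour - a.hour
        if a.ip != b.ip or abs(gap) > window_hours:
            continue
        if gap == 0:
            edges.append((a.event, "with", b.event))
        else:
            first, second = (a, b) if gap > 0 else (b, a)
            edges.append((first.event, "causes", second.event))
    return edges


def chain_elements(nodes: List[Node], edges: List[Edge]) -> frozenset:
    """An event chain as a set of its events and connections, for matching."""
    return frozenset([n.event for n in nodes] + edges)


# Constructed sample event chains stored in advance, each with its threat type.
SAMPLE_CHAINS = [
    (frozenset({"nonwork_web_browsing", "usb_plug_events",
                ("nonwork_web_browsing", "causes", "usb_plug_events")}), "moderate"),
    (frozenset({"nonwork_web_browsing"}), "light"),
]


def classify(nodes: List[Node], edges: List[Edge],
             samples=SAMPLE_CHAINS, threshold: float = 0.5) -> Optional[str]:
    """Adopt the threat type of the most similar stored sample chain (Jaccard
    similarity over events and connections); None when nothing is similar."""
    mine = chain_elements(nodes, edges)
    best, best_score = None, 0.0
    for sample, threat in samples:
        if not mine or not sample:
            continue
        score = len(mine & sample) / len(mine | sample)
        if score > best_score:
            best, best_score = threat, score
    return best if best_score >= threshold else None


# Response per threat type as described in step 206.
RESPONSES = {"light": "monitor", "moderate": "revoke_permissions"}


def handle(features: List[Feature], baseline: Dict[str, int],
           min_importance: float = 0.5) -> Tuple[Optional[str], str]:
    """Run steps 204-206 and return (threat type, response action)."""
    nodes = build_nodes(features, baseline, min_importance)
    threat = classify(nodes, link_nodes(nodes))
    return threat, RESPONSES.get(threat, "none")


# Constructed observations for one target user, all from one workstation.
CONSTRUCTED_FEATURES = [
    Feature("nonwork_web_browsing", 0.92, 40, 10, "10.0.0.5"),
    Feature("usb_plug_events", 0.81, 6, 11, "10.0.0.5"),
    Feature("email_sent", 0.20, 30, 9, "10.0.0.5"),  # low importance, ignored
]
CONSTRUCTED_BASELINE = {"nonwork_web_browsing": 5, "usb_plug_events": 0, "email_sent": 28}

if __name__ == "__main__":
    print(handle(CONSTRUCTED_FEATURES, CONSTRUCTED_BASELINE))
```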
One of the above-described various embodiments of the present disclosure has the following advantageous effects: the method comprises the steps of determining behavior characteristics of a target user by obtaining information of the target user, determining feature importance of the behavior characteristics, further constructing an event chain of the target user according to the determined feature importance, determining a threat type of the target user according to the event chain, and finally processing the target user based on the threat type. Therefore, the behavior characteristics of the users are effectively utilized, the screening of abnormal users and the behavior characteristic analysis of the abnormal users are realized, and the possibility of internal threats is reduced.
With further reference to fig. 4, as an implementation of the methods illustrated in the above figures, the present disclosure provides some embodiments of an apparatus for handling user threats, which correspond to those of the method embodiments illustrated in fig. 2, which may be particularly applicable in various electronic devices.
As shown in fig. 4, the user threat processing apparatus 400 of some embodiments includes: an acquisition unit 401, a first determination unit 402, a second determination unit 403, a construction unit 404, a third determination unit 405, and a processing unit 406. Wherein, the obtaining unit 401 is configured to obtain target user information; a first determining unit 402 configured to determine behavior characteristics of a target user according to the target user information; a second determination unit 403 configured to determine feature importance of the behavior feature; a building unit 404 configured to build an event chain of the target user according to the feature importance; a third determining unit 405 configured to determine a threat type of the target user according to the event chain; a processing unit 406 configured to process the target user according to the threat type.
In an alternative implementation of some embodiments, the feature importance of the behavior feature is determined according to the following formula:
Figure BDA0003593795980000081
wherein S represents the feature importance of the behavior feature; w represents the weight of the behavior feature; the subscript s of ω represents the s-th behavioral characteristic; q represents the number of neurons in the first hidden layer; k represents a preset parameter and takes the value from 1 to q; var (omega) s,k ) The weight running variance representing the behavior feature described above.
In an alternative implementation of some embodiments, the weight of the behavior feature is determined according to the following steps: and inputting the behavior characteristics into a pre-trained characteristic evaluation model to obtain the weight of the behavior characteristics.
In an alternative implementation of some embodiments, the feature evaluation model is trained according to the following steps: acquiring a training sample set, wherein the training sample set comprises sample behavior characteristics and sample characteristic importance corresponding to the sample behavior characteristics; inputting the sample behavior characteristics into a model to be trained to obtain characteristic importance; comparing the feature importance with the sample feature importance to obtain a comparison result, and determining a loss value of the comparison result; judging whether the model to be trained is trained or not according to the loss value of the comparison result; and if the training of the model to be trained is judged to be finished, determining the model to be trained as a feature evaluation model.
In an optional implementation manner of some embodiments, the apparatus further includes an adjusting unit configured to: and if the model to be trained is judged not to be trained, adjusting the relevant parameters in the model to be trained, and repeating the training process.
In an optional implementation of some embodiments, the building unit is further configured to: determining target behavior characteristics from the behavior characteristics according to the characteristic importance; comparing the target behavior characteristics with preset target characteristics to obtain a comparison result; responding to the comparison result meeting a preset condition, and establishing a node according to the target behavior characteristic; and generating an event chain of the target user according to the nodes.
In an optional implementation of some embodiments, the building unit is further configured to: detecting whether the nodes have at least two nodes with dependency relationship; in response to determining that at least two nodes with dependency relationships exist among the nodes, determining a logical association of the at least two nodes; establishing a connection relation between the at least two nodes according to the logic association of the at least two nodes; and generating an event chain of the target user according to the node and the connection relation.
It will be understood that the units described in the apparatus 400 correspond to the various steps in the method described with reference to fig. 2. Thus, the operations, features and advantages described above with respect to the method are also applicable to the apparatus 400 and the units included therein, and are not described herein again.
One of the above-described various embodiments of the present disclosure has the following advantageous effects: the method comprises the steps of determining behavior characteristics of a target user by obtaining target user information, determining feature importance of the behavior characteristics, further constructing an event chain of the target user according to the determined feature importance, determining a threat type of the target user according to the event chain, and finally processing the target user based on the threat type. Therefore, the behavior characteristics of the users are effectively utilized, the screening of abnormal users and the behavior characteristic analysis of the abnormal users are realized, and the possibility of internal threats is reduced.
Referring now to fig. 5, a schematic diagram of an electronic device (e.g., the server of fig. 1) 500 suitable for use in implementing some embodiments of the present disclosure is shown. The electronic device shown in fig. 5 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present disclosure.
As shown in fig. 5, electronic device 500 may include a processing means (e.g., central processing unit, graphics processor, etc.) 501 that may perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM) 502 or a program loaded from a storage means 508 into a Random Access Memory (RAM) 503. In the RAM 503, various programs and data necessary for the operation of the electronic apparatus 500 are also stored. The processing device 501, the ROM 502, and the RAM 503 are connected to each other through a bus 504. An input/output (I/O) interface 505 is also connected to bus 504.
Generally, the following devices may be connected to the I/O interface 505: input devices 506 including, for example, a touch screen, touch pad, keyboard, mouse, camera, microphone, accelerometer, gyroscope, etc.; output devices 507 including, for example, a Liquid Crystal Display (LCD), a speaker, a vibrator, and the like; and a communication device 509. The communication means 509 may allow the electronic device 500 to communicate with other devices wirelessly or by wire to exchange data. While fig. 5 illustrates an electronic device 500 having various means, it is to be understood that not all illustrated means are required to be implemented or provided. More or fewer devices may alternatively be implemented or provided. Each block shown in fig. 5 may represent one device or may represent multiple devices as desired.
In particular, according to some embodiments of the present disclosure, the processes described above with reference to the flow diagrams may be implemented as computer software programs. For example, some embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In some such embodiments, the computer program may be downloaded and installed from a network via the communication means 509, or installed from the storage means 508, or installed from the ROM 502. The computer program, when executed by the processing device 501, performs the above-described functions defined in the methods of some embodiments of the present disclosure.
It should be noted that the computer readable medium described above in some embodiments of the present disclosure may be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In some embodiments of the disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In some embodiments of the present disclosure, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. 
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: electrical wires, optical cables, RF (radio frequency), etc., or any suitable combination of the foregoing.
In some embodiments, the clients and servers may communicate using any currently known or future-developed network protocol, such as HTTP (HyperText Transfer Protocol), and may interconnect with any form or medium of digital data communication (e.g., a communications network). Examples of communication networks include a local area network ("LAN"), a wide area network ("WAN"), an internetwork (e.g., the Internet), and peer-to-peer networks (e.g., ad hoc peer-to-peer networks), as well as any currently known or future-developed network.
The computer readable medium may be embodied in the electronic device; or may exist separately without being assembled into the electronic device. The computer readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to: acquiring target user information; determining the behavior characteristics of the target user according to the target user information; determining the feature importance of the behavior features; constructing an event chain of the target user according to the characteristic importance; determining the threat type of the target user according to the event chain; and processing the target user according to the threat type.
Computer program code for carrying out operations for embodiments of the present disclosure may be written in any combination of one or more programming languages, including an object-oriented programming language such as Java, Smalltalk or C++, and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units described in some embodiments of the present disclosure may be implemented by software, and may also be implemented by hardware. The described units may also be provided in a processor, and may be described as: a processor includes an acquisition unit, a first determination unit, a second determination unit, a construction unit, a third determination unit, and a processing unit. Here, the names of these units do not constitute a limitation to the unit itself in some cases, and for example, the acquisition unit may also be described as a "unit that acquires target user information".
The functions described herein above may be performed, at least in part, by one or more hardware logic components. For example, without limitation, exemplary types of hardware logic components that may be used include: Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems on a Chip (SOCs), Complex Programmable Logic Devices (CPLDs), and the like.
The foregoing description is only exemplary of the preferred embodiments of the disclosure and is illustrative of the principles of the technology employed. It will be appreciated by those skilled in the art that the scope of the invention in the embodiments of the present disclosure is not limited to the specific combinations of the above-mentioned features, and other embodiments in which the above-mentioned features or their equivalents are combined arbitrarily without departing from the spirit of the invention are also encompassed. For example, technical solutions formed by substituting the above features with features of similar function disclosed in the embodiments of the present disclosure (but not limited to those) are likewise encompassed.

Claims (9)

1. A method for handling user threats, comprising:
acquiring target user information;
determining the behavior characteristics of the target user according to the target user information;
determining feature importance of the behavioral features;
constructing an event chain of the target user according to the feature importance, wherein constructing the event chain comprises the following steps:
determining target behavior characteristics from the behavior characteristics according to the characteristic importance;
comparing the target behavior characteristics with preset target characteristics to obtain a comparison result;
in response to the comparison result meeting a preset condition, establishing a node according to the target behavior characteristic;
generating an event chain of a target user according to the node;
determining the threat type of the target user according to the event chain;
and processing the target user according to the threat type.
2. The method of claim 1, wherein the feature importance of the behavioral feature is determined according to the following formula:
[Formula image FDA0003846542050000011; the formula itself is not reproduced in the text.]
wherein S represents the feature importance of the behavior feature;
ω represents the weight of the behavior feature;
the subscript s of ω denotes the s-th behavioral characteristic;
q represents the number of neurons in the first hidden layer;
k represents a preset parameter and takes the value from 1 to q;
Var(ω_{s,k}) represents the running variance of the weight of the behavior feature.
3. The method of claim 2, wherein the weight of the behavioral characteristic is determined according to the following steps:
and inputting the behavior characteristics into a pre-trained characteristic evaluation model to obtain the weight of the behavior characteristics.
4. The method of claim 3, wherein the feature evaluation model is trained according to the following steps:
acquiring a training sample set, wherein the training sample set comprises sample behavior characteristics and sample characteristic importance corresponding to the sample behavior characteristics;
inputting the sample behavior characteristics to a model to be trained to obtain characteristic importance;
comparing the feature importance with the sample feature importance to obtain a comparison result, and determining a loss value of the comparison result;
judging whether the model to be trained is trained or not according to the loss value of the comparison result; and if the training of the model to be trained is judged to be completed, determining the model to be trained as a feature evaluation model.
5. The method of claim 4, wherein the method further comprises:
and if the model to be trained is judged not to be trained, adjusting the relevant parameters in the model to be trained, and repeating the training process.
6. The method of claim 1, wherein the generating an event chain for a target user from the node comprises:
detecting whether at least two nodes with dependency relationship exist in the nodes;
in response to determining that at least two of the nodes with a dependency relationship exist, determining a logical association of the at least two nodes;
establishing a connection relation between the at least two nodes according to the logic association of the at least two nodes;
and generating an event chain of the target user according to the node and the connection relation.
7. An apparatus for handling user threats, comprising:
an acquisition unit configured to acquire target user information;
a first determination unit configured to determine a behavior feature of a target user according to the target user information;
a second determination unit configured to determine a feature importance of the behavior feature;
a building unit configured to build an event chain of the target user according to the feature importance, including:
determining target behavior characteristics from the behavior characteristics according to the characteristic importance;
comparing the target behavior characteristics with preset target characteristics to obtain a comparison result;
in response to the comparison result meeting a preset condition, establishing a node according to the target behavior feature;
generating an event chain of a target user according to the node;
a third determining unit configured to determine a threat type of the target user according to the event chain;
a processing unit configured to process the target user according to the threat type.
8. An electronic device, comprising:
one or more processors;
a storage device having one or more programs stored thereon,
which, when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-6.
9. A computer-readable medium, on which a computer program is stored, wherein the program, when executed by a processor, implements the method of any one of claims 1-6.
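The procedure of claims 1 and 6 worked through as an added example (not code from the patent): target behaviour features are selected by feature importance, a node is created only where a preset target feature condition holds, dependent nodes are linked by their logical association, and the resulting chain is mapped to a threat type and a handling action. The feature names, thresholds, dependency rules, threat-type rules and sample user data are constructed assumptions; the patent's importance formula is not reproduced here, so importances are taken as given input.

```python
from collections import namedtuple

# Constructed preset target features: feature name -> threshold (assumption).
PRESET_TARGET_FEATURES = {"off_hours_login": 1.0, "privilege_escalation": 1.0,
                          "bulk_file_access": 100.0, "external_upload_mb": 50.0}
# Constructed dependency rules: (earlier feature, later feature) -> logical association.
DEPENDENCY_RULES = {
    ("off_hours_login", "bulk_file_access"): "login precedes access",
    ("privilege_escalation", "bulk_file_access"): "escalation enables access",
    ("bulk_file_access", "external_upload_mb"): "access precedes exfiltration",
}
# Constructed response table: threat type -> handling action (assumption).
ACTIONS = {"data_exfiltration": "suspend account and escalate to incident response",
           "privilege_abuse": "revoke elevated rights and alert",
           "suspicious_activity": "raise monitoring level", "benign": "no action"}

# A chain node: the matched feature, its observed value and a constructed ordering timestamp.
Node = namedtuple("Node", "feature value ts")

def select_target_features(features, importance, top_n):
    # Claim 1: choose the target behaviour features by feature importance.
    ranked = sorted(features, key=lambda f: importance.get(f["name"], 0.0), reverse=True)
    return ranked[:top_n]

def build_nodes(target_features):
    # Claim 1: compare with the preset target features; a node is created only when
    # the preset condition (observed value >= threshold) is met.
    return [Node(f["name"], f["value"], f["ts"]) for f in target_features
            if f["name"] in PRESET_TARGET_FEATURES and f["value"] >= PRESET_TARGET_FEATURES[f["name"]]]

def build_event_chain(nodes):
    # Claim 6: find dependent node pairs (ordered in time), determine their logical
    # association and connect them; the chain is the nodes plus these connections.
    nodes = sorted(nodes, key=lambda n: n.ts)
    edges = [(i, j, DEPENDENCY_RULES[(a.feature, b.feature)])
             for i, a in enumerate(nodes) for j, b in enumerate(nodes)
             if i < j and (a.feature, b.feature) in DEPENDENCY_RULES]
    return nodes, edges

def determine_threat_type(nodes, edges):
    # Constructed rule: a connected access -> upload pair is read as data exfiltration.
    if any(assoc == "access precedes exfiltration" for _, _, assoc in edges):
        return "data_exfiltration"
    if any(n.feature == "privilege_escalation" for n in nodes):
        return "privilege_abuse"
    return "suspicious_activity" if nodes else "benign"

def handle_user(features, importance, top_n=4):
    # Full procedure of claim 1 for one target user; returns the chain and the decision.
    nodes, edges = build_event_chain(build_nodes(select_target_features(features, importance, top_n)))
    threat = determine_threat_type(nodes, edges)
    return {"nodes": nodes, "edges": edges, "threat_type": threat, "action": ACTIONS[threat]}

# Constructed sample: one target user's behaviour features and their feature importances.
SAMPLE_FEATURES = [{"name": "off_hours_login", "value": 1, "ts": 1},
                   {"name": "privilege_escalation", "value": 0, "ts": 2},
                   {"name": "bulk_file_access", "value": 340, "ts": 3},
                   {"name": "external_upload_mb", "value": 120, "ts": 4},
                   {"name": "email_count", "value": 12, "ts": 5}]
SAMPLE_IMPORTANCE = {"external_upload_mb": 0.9, "bulk_file_access": 0.8,
                     "off_hours_login": 0.6, "privilege_escalation": 0.5, "email_count": 0.1}
```

On the sample, privilege_escalation is selected by importance but fails the preset condition, so it never becomes a node; the remaining three nodes form a login -> access -> upload chain that is classified as data exfiltration.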
CN202210387010.XA 2022-04-13 2022-04-13 Method, apparatus, electronic device and computer readable medium for handling user threats Active CN114826707B (en)
Publications (2)

Publication Number Publication Date
CN114826707A CN114826707A (en) 2022-07-29
CN114826707B true CN114826707B (en) 2022-11-25

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110191113A (en) * 2019-05-24 2019-08-30 新华三信息安全技术有限公司 User behavior risk assessment method and device
CN110493264A (en) * 2019-09-18 2019-11-22 北京工业大学 Insider threat discovery method based on intranet entity relationships and behavior chains
CN110809010A (en) * 2020-01-08 2020-02-18 浙江乾冠信息安全研究院有限公司 Threat information processing method, device, electronic equipment and medium
CN112087452A (en) * 2020-09-09 2020-12-15 北京元心科技有限公司 Abnormal behavior detection method and device, electronic equipment and computer storage medium
CN112291272A (en) * 2020-12-24 2021-01-29 鹏城实验室 Network threat detection method, device, equipment and computer readable storage medium
CN113162888A (en) * 2020-01-22 2021-07-23 华为技术有限公司 Security threat event processing method and device and computer storage medium
CN113328976A (en) * 2020-02-28 2021-08-31 华为技术有限公司 Security threat event identification method, device and equipment

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
RU2011138462A (en) * 2011-09-20 2013-04-10 Закрытое акционерное общество "Лаборатория Касперского" USE OF USER SOLUTIONS TO DETECT UNKNOWN COMPUTER THREATS
CN113132306A (en) * 2019-12-31 2021-07-16 苏州三六零智能安全科技有限公司 Threat event processing method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant