CN117978435A - Data security detection method and device, computer equipment and storage medium - Google Patents


Info

Publication number
CN117978435A
Authority
CN
China
Prior art keywords
detection
detection result
flow data
data
metadata
Legal status
Pending
Application number
CN202311783255.5A
Other languages
Chinese (zh)
Inventor
吴韧韬
高硕�
相欣
王淑慧
薛春旭
Current Assignee
China Electronics Technology Eastern Communication Group Co ltd
Original Assignee
China Electronics Technology Eastern Communication Group Co ltd

Landscapes

  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention relates to the technical field of data security and discloses a data security detection method, a device, computer equipment and a storage medium. The method comprises the following steps: receiving traffic data and performing preliminary filtering on it to obtain filtered traffic data; performing feature detection on the filtered traffic data to obtain a feature detection result, and extracting metadata of the filtered traffic data; performing generalization (format normalization) processing on the metadata through middleware and performing diversified detection on the generalized metadata to obtain a diversified detection result; and determining a target detection result of the traffic data based on the diversified detection result and the feature detection result. The security of the traffic data is determined by performing security detection on the acquired traffic data from multiple angles, so that data security is detected comprehensively and efficiently.

Description

Data security detection method and device, computer equipment and storage medium
Technical Field
The present invention relates to the field of data security detection technologies, and in particular, to a data security detection method, apparatus, computer device, and storage medium.
Background
In the prior art, data security detection is often performed with only a single technical means, for example dynamic isolation, secure storage, change tracing, data sandboxes or quick recovery, so the detection effect is not good enough and automated attacks that disguise themselves as normal behaviour cannot be screened out efficiently. There is therefore a strong need for an efficient and comprehensive security detection method.
Disclosure of Invention
In view of the above, the present invention provides a data security detection method, apparatus, computer device and storage medium, so as to solve the problem that data security cannot be detected comprehensively and effectively when data security detection is performed.
In a first aspect, the present invention provides a data security detection method, the method comprising:
receiving traffic data and performing preliminary filtering on it to obtain filtered traffic data;
performing feature detection on the filtered traffic data to obtain a feature detection result;
extracting metadata of the filtered traffic data, performing generalization processing on the metadata through middleware, and performing diversified detection on the generalized metadata to obtain a diversified detection result;
and determining a target detection result of the traffic data based on the diversified detection result and the feature detection result.
By performing feature detection on the received traffic data and diversified detection on the metadata corresponding to it, the security of the traffic data is finally determined from both the diversified detection result and the feature detection result, so that data security can be detected comprehensively and effectively.
In an optional implementation, performing feature detection on the filtered traffic data to obtain a feature detection result includes:
extracting features of the filtered traffic data;
and if the features of the filtered traffic data match features in the attack feature engine, determining that the filtered traffic data is attack traffic data.
Whether traffic data is attack data is judged by a trained engine capable of identifying attack features, so that the security of the traffic data can be judged rapidly and ensured.
In an optional embodiment, performing diversified detection on the generalized metadata to obtain a diversified detection result includes: detecting the generalized metadata with an artificial intelligence detection engine to obtain a first detection result; detecting it with an abnormal behaviour detection engine to obtain a second detection result; detecting it with a threat intelligence detection engine to obtain a third detection result; and obtaining the diversified detection result from the first, second and third detection results.
In diversified detection the metadata undergoes security detection from multiple angles through multiple detection engines, so that the security of the traffic data is detected comprehensively and the accuracy of the detection is ensured.
In an alternative embodiment, the method further comprises: extracting an original file from the filtered traffic data; performing generalization processing on the original file through middleware and detecting the generalized original file with a file detection engine to obtain a corresponding file detection result; and updating the diversified detection result based on the file detection result.
The original file carried by the traffic data is obtained by file extraction and detected in turn, and the diversified detection result is updated with the outcome, which further ensures the comprehensiveness of the diversified detection result and the accuracy of the detection result.
In an alternative embodiment, the method further comprises: displaying the target detection result in the form of a log and/or an alarm.
After the final target detection result is obtained it is displayed as a log and/or an alarm, which effectively helps the user understand the security status of the data.
In an alternative embodiment, determining the target detection result of the traffic data based on the diversified detection result and the feature detection result includes:
judging whether the number of abnormal detection results among the diversified detection results and the feature detection result is larger than a preset value;
and if the number of abnormal detection results is larger than the preset value, determining that the target detection result of the traffic data is abnormal.
The diversified detection result comprises detection results corresponding to multiple detection modes, and the security of the traffic data is determined from the number of those detection results that are abnormal, so that the accuracy of the detection result can be effectively ensured.
In an alternative embodiment, the method further comprises: if the number of abnormal detection results is smaller than the preset value, determining that the target detection result of the traffic data is normal.
As above, the security of the traffic data is determined from the number of abnormal results among the detection results of the multiple detection modes, so that the accuracy of the detection result can be effectively ensured.
In a second aspect, the present invention provides a data security detection device, the device comprising:
a data filtering module for receiving traffic data and performing preliminary filtering on it to obtain filtered traffic data;
a feature detection module for performing feature detection on the filtered traffic data to obtain a feature detection result;
a metadata detection module for extracting metadata of the filtered traffic data, performing generalization processing on the metadata through middleware, and performing diversified detection on the generalized metadata to obtain a diversified detection result;
and a result determining module for determining a target detection result of the traffic data based on the diversified detection result and the feature detection result.
In a third aspect, the present invention provides a computer device comprising a memory and a processor that are communicatively connected, the memory storing computer instructions and the processor executing those instructions so as to perform the data security detection method of the first aspect or any corresponding implementation of the first aspect.
In a fourth aspect, the present invention provides a computer-readable storage medium having stored thereon computer instructions for causing a computer to perform the data security detection method of the first aspect or any of its corresponding embodiments.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are needed in the description of the embodiments or the prior art will be briefly described, and it is obvious that the drawings in the description below are some embodiments of the present invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a data security detection method according to an embodiment of the present invention;
FIG. 2 is a flow chart of another data security detection method according to an embodiment of the present invention;
FIG. 3 is an exemplary diagram of a data security detection system architecture according to an embodiment of the present invention;
FIG. 4 is a block diagram of a data security detection device according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of a hardware structure of a computer device according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
When data security detection is performed, only a single technical means is often adopted, for example dynamic isolation, secure storage, change tracing, data sandboxes or quick recovery, so the detection effect is not good enough and automated attacks that disguise themselves as normal behaviour cannot be screened out efficiently. There is therefore a strong need for an efficient and comprehensive security detection method.
Therefore, an embodiment of the invention provides a data security detection method that filters the received traffic data, applies multiple detection modes to the filtered traffic data to obtain multiple corresponding detection results, and finally determines the security of the traffic data from those results, so that the security of the traffic data can be ensured comprehensively and efficiently.
In accordance with an embodiment of the present invention, there is provided a data security detection method embodiment, it being noted that the steps shown in the flowchart of the figures may be performed in a computer system, such as a set of computer executable instructions, and, although a logical order is shown in the flowchart, in some cases, the steps shown or described may be performed in an order other than that shown or described herein.
In this embodiment, a data security detection method is provided, which may be used for the above data security detection, and fig. 1 is a flowchart of a data security detection method according to an embodiment of the present invention, as shown in fig. 1, where the flowchart includes the following steps:
Step S101, receiving traffic data and performing preliminary filtering on it to obtain filtered traffic data.
When detecting traffic data, the data security detection system receives, through its monitoring port, traffic such as mirrored traffic or optically split traffic collected via a collection path such as a bypass mirror port or an optical splitter, and performs preliminary screening to filter out traffic that is not of interest, which greatly improves detection efficiency. For example, some traffic is routine data, such as traffic generated by network activities like watching videos, playing games or social interaction; such traffic is generally safe and need not receive attention, so it can be filtered out by a trained filtering engine to obtain the filtered traffic data.
Step S102, performing feature detection on the filtered traffic data to obtain a feature detection result.
After the filtered traffic data is obtained, its features are extracted and compared with the features of known attack traffic, and whether they are features of attack traffic is judged, giving the corresponding feature detection result.
Step S103, extracting metadata of the filtered traffic data, performing generalization processing on the metadata through middleware, and performing diversified detection on the generalized metadata to obtain a diversified detection result.
After the filtered traffic data is obtained, its metadata is extracted; the metadata is structured data extracted from the information resource that describes the characteristics and content of that resource, and the specific extraction method is not detailed here. The metadata is then generalized through middleware in the data security detection system for the subsequent diversified detection, where generalization can be understood as converting the metadata into a format that meets the specific requirements of data security detection. Security detection is then performed on the generalized metadata from multiple angles, giving the corresponding diversified detection result.
Step S104, determining a target detection result of the traffic data based on the diversified detection result and the feature detection result.
After the traffic data has been security-checked from multiple angles, whether it is safe is judged from the diversified detection result and the feature detection result. For example, if the feature detection result indicates that the traffic data has no attack feature, that is, appears safe, but within the diversified detection result the results of most of the detection methods indicate that the traffic data is dangerous, it can be determined that the traffic data is dangerous. The judgment may follow a preset rule, for example the security of the traffic data may be determined from the number of detection results that indicate danger, or different weights may be set for the results of the various detection methods; no limitation is imposed here.
By performing feature detection on the received traffic data and diversified detection on its metadata, the security of the traffic data is finally determined from both results, so that data security can be detected comprehensively and effectively.
According to an embodiment of the present invention, another embodiment of a data security detection method is provided, which may be used for the above data security detection; fig. 2 is a flowchart of this method, and as shown in fig. 2 it includes the following steps:
Step S201, receiving traffic data and performing preliminary filtering on it to obtain filtered traffic data. Refer to step S101 of the embodiment shown in fig. 1 for details, which are not repeated here.
Step S202, performing feature detection on the filtered traffic data to obtain a feature detection result.
Specifically, step S202 includes: extracting features of the filtered traffic data; and if the features of the filtered traffic data match features in the attack feature engine, determining that the filtered traffic data is attack traffic data.
It can be understood that when feature detection is performed on the filtered traffic data, its features are extracted and compared with the features held by the attack feature engine. The attack feature engine is obtained by training on historical attack traffic data and stores the features of various historical attack traffic; if the features of the traffic data match features in the engine, the traffic data shares features with historical attack traffic, and the filtered traffic data is therefore determined to be attack traffic data. Any of the various feature extraction methods in the prior art may be used and they are not repeated here. Judging whether traffic data is attack data through a trained engine that recognises attack features allows the security of the traffic data to be judged rapidly and ensured.
Step S203, extracting metadata of the filtered traffic data, performing generalization processing on the metadata through middleware, and performing diversified detection on the generalized metadata to obtain a diversified detection result.
Specifically, performing diversified detection on the generalized metadata to obtain a diversified detection result includes: detecting the generalized metadata with an artificial intelligence detection engine to obtain a first detection result; detecting it with an abnormal behaviour detection engine to obtain a second detection result; detecting it with a threat intelligence detection engine to obtain a third detection result; and obtaining the diversified detection result from the first, second and third detection results.
It can be understood that security detection is performed on the generalized metadata in several detection modes. The artificial intelligence detection engine is a security detection engine trained in advance on a large amount of training data; it judges the input traffic data according to the decision rule learned in training and determines whether the traffic data is safe, giving the first detection result. The abnormal behaviour detection engine can be understood as examining the behaviour of the traffic data, judging whether that behaviour is abnormal, and determining from it whether the traffic data is safe, giving the second detection result. The threat intelligence detection engine can be understood as judging whether information corresponding to the traffic data, such as a domain name or IP address, is associated with a threat, and determining from that whether the traffic data is safe, giving the third detection result. The detection results of these engines, that is, the first, second and third detection results, together form the diversified detection result.
In an alternative example, the security of the traffic data may also be detected by a Yara/JA3/SSL detection engine, which is a conventional security detection engine, and the corresponding detection result is added to the diversified detection result so that the security of the traffic data is determined more comprehensively.
In diversified detection the metadata undergoes security detection from multiple angles through multiple detection engines, so that the security of the traffic data is detected comprehensively and the accuracy of the detection is ensured.
Step S204, extracting an original file from the filtered traffic data; performing generalization processing on the original file through middleware and detecting the generalized original file with a file detection engine to obtain a corresponding file detection result; and updating the diversified detection result based on the file detection result.
It can be understood that the filtered traffic data is processed to extract the original files it carries; extracting files from data is a conventional technique and is not described here. The original files are generalized through the middleware of the system so that their format becomes one on which file detection can be performed, and the file detection engine is then used to detect the original files, giving the corresponding detection result.
The detection of an original file can be understood as, for example, identifying a malicious file by the file's dynamic execution behaviour: virtualization technology is used to simulate the operating system and application environment commonly used by the organization, the file is run by virtual execution, its effects on the system are captured, such as dropping files, encrypting files, adding startup items and API calls, and those effects are evaluated to identify a malicious file that would damage the system, thereby determining the security of the original file.
After the detection result for the original file is obtained, the diversified detection result is updated with it, which can be understood as adding the result of the file detection mode to the diversified detection result, so that the diversified detection result has more dimensions, the detection is more comprehensive and the accuracy of the detection result is ensured.
Step S205, determining a target detection result of the traffic data based on the diversified detection result and the feature detection result.
Specifically, step S205 includes: judging whether the number of abnormal detection results among the diversified detection results and the feature detection result is larger than a preset value; and if the number of abnormal detection results is larger than the preset value, determining that the target detection result of the traffic data is abnormal.
It can be understood that the diversified detection result contains the detection results of several different detection modes, and together with the feature detection result obtained by feature comparison they form a set of detection results; whether the traffic data is dangerous, that is, whether its target detection result is abnormal, is determined by whether the number of results in that set judged abnormal exceeds a certain value.
For example, within the diversified detection result the result of the artificial intelligence engine is abnormal, that is, it considers the traffic data dangerous; the result of the abnormal behaviour detection engine is normal, that is, it considers the traffic data safe; the result of the threat intelligence detection engine is abnormal, that is, it considers the traffic data dangerous; and at the same time the result obtained by feature comparison is abnormal, that is, it considers the traffic data dangerous. Since most of the detection results consider the traffic data dangerous, that is, most results are abnormal, the target detection result of the traffic data is considered abnormal. It should be noted that this is only one example of how the abnormality of traffic data may be confirmed: different weights may be set according to the different accuracies of the different detection modes to determine whether the final result is abnormal, for example by determining the security of the traffic data mainly from the abnormal behaviour detection result and the threat intelligence detection result; the specific determination may be set according to the situation and is not limited here.
Specifically, if the number of abnormal detection results is smaller than the preset value, the target detection result of the traffic data is determined to be normal. Referring to the example above, if too few of the results of these different detection modes are abnormal, for example only one or none, the target detection result of the traffic data may be determined to be normal.
The diversified detection result comprises detection results corresponding to multiple detection modes, and the security of the traffic data is determined from the number of those results that are abnormal, so that the accuracy of the detection result can be effectively ensured.
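The feature matching of step S202 and the threshold decision of step S205, worked through end to end as an added example that is not the patent's own implementation: the middleware generalization, each engine's heuristic, the signature list, the intelligence lists, the preset value and the sample records are all constructed assumptions standing in for the trained engines the text describes. It also shows the weighted variant the text mentions, where the same engine results can flip the verdict depending on the weights.

```python
"""Toy model of the multi-engine verdict pipeline (steps S202-S205).
Added example, not the patent's implementation: engine heuristics, thresholds,
field names and the sample records below are constructed assumptions."""
from __future__ import annotations

ABNORMAL, NORMAL = "abnormal", "normal"

# Constructed metadata records, as several protocol parsers might emit them
# before the middleware has unified key names, casing and value types.
RAW_RECORDS = [
    {"Src": "10.0.0.5", "dst": "93.184.216.34", "host": "Example.com",
     "uri": "/index.html", "Bytes_Out": "512", "method": "GET"},
    {"src_ip": "10.0.0.7", "dst_ip": "198.51.100.9", "domain": "bad.example",
     "url": "/cgi-bin/x?cmd=id", "bytes_out": 120000, "method": "POST"},
    {"src_ip": "10.0.0.8", "dst_ip": "203.0.113.4", "domain": "ok.example",
     "uri": "/static/../etc", "bytes_out": 10, "method": "GET"},
]

# Constructed stand-ins for the attack feature engine and the intelligence centre.
ATTACK_SIGNATURES = ("cmd=", "../", "<script")
BAD_DOMAINS = {"bad.example"}
BAD_IPS = {"198.51.100.9"}

# Middleware alias table: parser-specific keys -> canonical keys.
KEY_ALIASES = {"src": "src_ip", "dst": "dst_ip", "host": "domain", "url": "uri"}


def generalize(raw: dict) -> dict:
    """S203 middleware step: put metadata into the one format the engines expect."""
    meta = {}
    for key, value in raw.items():
        key = key.lower()
        meta[KEY_ALIASES.get(key, key)] = value
    meta["bytes_out"] = int(meta.get("bytes_out", 0))
    meta["domain"] = str(meta.get("domain", "")).lower()
    meta.setdefault("uri", "")
    return meta


def feature_engine(meta: dict) -> str:
    """S202: match extracted features against known attack signatures."""
    return ABNORMAL if any(sig in meta["uri"] for sig in ATTACK_SIGNATURES) else NORMAL


def threat_intel_engine(meta: dict) -> str:
    """Third result: compare domain / destination IP with built-in intelligence."""
    hit = meta["domain"] in BAD_DOMAINS or meta.get("dst_ip") in BAD_IPS
    return ABNORMAL if hit else NORMAL


def anomaly_engine(meta: dict, baseline_bytes: int = 10_000) -> str:
    """Second result: behavioural check, here an upload far above a baseline volume."""
    big_upload = meta.get("method") == "POST" and meta["bytes_out"] > baseline_bytes
    return ABNORMAL if big_upload else NORMAL


def ai_engine(meta: dict) -> str:
    """First result: stand-in for the trained model, scoring a few suspicious traits."""
    traits = [
        "?" in meta["uri"],
        meta.get("method") == "POST",
        len(meta["uri"]) > 40,
        meta["bytes_out"] > 50_000,
    ]
    return ABNORMAL if sum(traits) >= 2 else NORMAL


def run_engines(meta: dict) -> dict:
    """Collect the feature result plus the diversified (multi-engine) results."""
    return {
        "feature": feature_engine(meta),
        "ai": ai_engine(meta),
        "anomaly": anomaly_engine(meta),
        "threat_intel": threat_intel_engine(meta),
    }


def target_result(results: dict, preset: int, weights: dict | None = None) -> str:
    """S205: abnormal when the (optionally weighted) number of abnormal results
    exceeds the preset value.  The text says 'larger than' for abnormal and
    'smaller than' for normal; a score equal to the preset is treated as normal here."""
    weights = weights or {}
    score = sum(weights.get(name, 1) for name, res in results.items() if res == ABNORMAL)
    return ABNORMAL if score > preset else NORMAL


def detect(raw: dict, preset: int = 1, weights: dict | None = None) -> tuple:
    """Whole pipeline for one record: generalize, run engines, decide."""
    results = run_engines(generalize(raw))
    return target_result(results, preset, weights), results


if __name__ == "__main__":
    for record in RAW_RECORDS:
        verdict, per_engine = detect(record)
        print(verdict, per_engine)  # S206: log-style output of the target result
```

With the default preset of 1, the third record trips only the signature engine and is therefore reported normal, exactly the "only one detection result is anomalous" case in the text; giving the feature engine a weight of 2 turns that same record abnormal.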
Step S206, displaying the target detection result in the form of a log and/or an alarm.
It can be understood that the final target detection result is displayed as a log and/or an alarm to remind the user of the security of the traffic data, which ensures the user experience and effectively helps the user understand the security status of the data.
According to the data security detection method provided by this embodiment, filtered traffic data is obtained by preliminary filtering of the traffic data; feature detection is performed on the filtered traffic data to obtain a feature detection result, and metadata of the filtered traffic data is extracted; the metadata is generalized through middleware and diversified detection is performed on the generalized metadata to obtain a diversified detection result; and a target detection result of the traffic data is determined from the diversified detection result and the feature detection result. The security of the traffic data is determined by security detection from multiple angles, so that data security is detected comprehensively and efficiently.
The embodiment of the invention also provides a data security detection system related to the method, as shown in fig. 3, which is an example diagram of a data security detection system architecture, wherein a monitoring port of the data security detection system receives mirror image/light splitting flow, and a flow acquisition engine is used for fast processing data packets and scheduling hardware resources. The data which is not concerned is filtered through a screening engine, and the filtered data is subjected to secondary processing, such as feature detection, metadata extraction, file extraction, flow storage processing and the like. The known attack based on the characteristics is detected by the characteristic detection engine, the detection data preprocessing is realized by metadata and file extraction, and the data retention evidence is realized by flow storage. And then, the metadata and the event are subjected to generalization processing through middleware, the processed data are submitted to an AI detection engine, an abnormal behavior detection engine, a file detection engine, a threat information detection engine and a (Yara/JA 3/SSL) detection engine, centralized detection is carried out by combining with an association engine, and finally, the detection result is output in a log/alarm form and is displayed in a large screen mode.
The network traffic can be acquired through bypass mirror image and high performance, the acquired network traffic can be analyzed and stored in a metadata form, and a complete log, protocol and data packet full field index library is built through network protocol real-time decoding and metadata extraction, so that multi-dimensional network metadata can be conveniently and rapidly extracted for detection and analysis, and a firm foundation is established for subsequent abnormal data mining, analysis and evidence collection. The intelligent data security detection and emergency response system supports the identification and metadata extraction of the 2-7 layer protocol, can analyze and restore various protocols, such as DNS, HTTP, IMAP, POP protocols and the like, and stores the protocols in a metadata form for tracing the threat and obtaining evidence.
The system also identifies HTTP, SMTP, IMAP, POP and other protocols in network traffic and extracts the original files carried in them, such as DOC, DOCX, PPT, PPTX and XLS files, which are handed to a multi-dimensional detection module that includes dynamic sandbox detection. Dynamic sandbox detection identifies malicious files by the behavior they exhibit when executed: virtualization technology simulates the operating systems and application environments commonly used by organizations, the file is run inside that virtual environment, and its effects on the system (files dropped, files encrypted, autostart entries added, API calls and so on) are captured and evaluated to identify files that would damage the system. The dynamic sandbox supports behavior-signature detection, which decides whether a file is malicious from its host or network behavior; supports sandboxes of several operating system types, including Windows, Android and Linux, with at least 10 sandboxes per device; supports detection of the traffic generated by samples inside the sandbox; supports detection of anti-virtual-machine and anti-debugging behavior; and supports detection of malicious code and its variants, so as to discover unknown network attacks such as APT as far as possible.
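The behavior-signature decision described above, as an added example that is not part of the patent or of the applicant's system: a constructed sandbox report (the event schema, the signature names, their weights and the API watch-list are all assumptions for this example) is matched against host-behavior signatures for persistence, dropping an executable and mass file encryption, an evasion signature for anti-debugging and anti-VM probing, and the sample's own network indicators are pulled out for the threat intelligence engine. It also handles the case the paragraph's anti-VM point implies: a sample that only probes for analysis tooling and then exits is reported as evasive rather than clean.

```python
"""Behaviour-signature evaluation of a sandbox report (added example, not the patent's code)."""

RANSOM_EXTENSIONS = (".locked", ".encrypted", ".crypt", ".enc")
# Windows APIs commonly called to detect a debugger or a virtual machine (assumed watch-list).
ANTI_ANALYSIS_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
                      "NtQueryInformationProcess", "GetSystemFirmwareTable",
                      "EnumSystemFirmwareTables"}

# Constructed sandbox report for one detonated document; the event schema is assumed.
REPORT = {
    "sample": "invoice_0412.docx",
    "events": [
        {"type": "process", "name": "WINWORD.EXE"},
        {"type": "api", "name": "IsDebuggerPresent"},
        {"type": "api", "name": "GetSystemFirmwareTable"},
        {"type": "file_write", "path": "C:\\Users\\u\\AppData\\Roaming\\svchost.exe"},
        {"type": "registry_set",
         "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd",
         "value": "C:\\Users\\u\\AppData\\Roaming\\svchost.exe"},
        {"type": "dns", "qname": "xk3j9qz0pl2v.net"},
        {"type": "tcp", "dst": "203.0.113.9", "dport": 443},
    ] + [{"type": "file_write", "path": f"C:\\Users\\u\\Documents\\doc{i}.docx.locked"}
         for i in range(6)],
}

# Constructed report of a sample that only probes for a debugger and then exits.
EVASIVE_REPORT = {
    "sample": "loader.exe",
    "events": [
        {"type": "process", "name": "loader.exe"},
        {"type": "api", "name": "IsDebuggerPresent"},
        {"type": "process_exit", "name": "loader.exe"},
    ],
}


def sig_persistence_run_key(events):
    """Host behaviour: an autostart entry was added under a Run key."""
    return any(e["type"] == "registry_set" and "\\currentversion\\run" in e["key"].lower()
               for e in events)


def sig_drops_exe_in_appdata(events):
    """Host behaviour: an executable was dropped into the user's AppData tree."""
    return any(e["type"] == "file_write" and "\\appdata\\" in e["path"].lower()
               and e["path"].lower().endswith(".exe") for e in events)


def sig_mass_encryption(events, min_files=5):
    """Host behaviour: many files rewritten with a ransom-style extension."""
    n = sum(1 for e in events
            if e["type"] == "file_write" and e["path"].lower().endswith(RANSOM_EXTENSIONS))
    return n >= min_files


def sig_anti_analysis(events):
    """Evasion: anti-debugging / anti-VM probing."""
    return any(e["type"] == "api" and e["name"] in ANTI_ANALYSIS_APIS for e in events)


# (name, predicate, weight); the weights are assumed values for this example.
SIGNATURES = [
    ("persistence.run_key", sig_persistence_run_key, 4),
    ("dropper.exe_in_appdata", sig_drops_exe_in_appdata, 3),
    ("ransomware.mass_encryption", sig_mass_encryption, 6),
    ("evasion.anti_analysis", sig_anti_analysis, 2),
]


def network_indicators(events):
    """Network behaviour: domains and IPs the sample contacted, for the threat-intel engine."""
    names = {e["qname"] for e in events if e["type"] == "dns"}
    ips = {e["dst"] for e in events if e["type"] == "tcp"}
    return sorted(names | ips)


def evaluate(report, malicious_score=6):
    """Score the matched behaviour signatures and produce a verdict for the report."""
    hits = [(name, weight) for name, fn, weight in SIGNATURES if fn(report["events"])]
    score = sum(weight for _, weight in hits)
    names = sorted(name for name, _ in hits)
    if score >= malicious_score:
        verdict = "malicious"
    elif names == ["evasion.anti_analysis"]:
        # Only anti-analysis probing was seen: the sample probably detected the sandbox and
        # withheld its payload, so "clean" would be wrong; flag it for re-detonation.
        verdict = "evasive"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"sample": report["sample"], "verdict": verdict, "score": score,
            "signatures": names, "indicators": network_indicators(report["events"])}


if __name__ == "__main__":
    print(evaluate(REPORT))
    print(evaluate(EVASIVE_REPORT))
```

The `indicators` field is what links the sandbox to the rest of the pipeline: the domains and IPs a sample contacts while detonating are exactly the kind of traffic the text says the system inspects, and they can be fed to the threat intelligence comparison described below.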
Massive volumes of intelligence data are collected, analyzed, verified and managed over their life cycle to generate threat intelligence, which is embedded in the intelligent data security detection and emergency response system as an intelligence center. Domain names, IP addresses, URLs and the like extracted from the traffic are correlated with the built-in intelligence to confirm network threats. JA3, JA3S and SSL malicious encrypted-traffic fingerprint detection is supported as well, assisting security operators in various industries with operational decisions.
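The correlation step described in this paragraph, as an added example that is not the patent's or the applicant's code: the JA3 fingerprint is derived from ClientHello fields already decoded by a protocol parser (the published JA3 rule: version, cipher suites, extensions, elliptic curves and point formats joined with hyphens, GREASE values dropped, MD5 of the result), and the destination IP, the server name, the URL and the fingerprint are compared with a built-in intelligence store. The decoded ClientHello, the flow metadata, the field names and the intelligence entries are all constructed for this example; the blocklisted JA3 entry is computed from a constructed fingerprint string so the example runs offline.

```python
import hashlib


def is_grease(value):
    """RFC 8701 GREASE values (0x0a0a, 0x1a1a, ... 0xfafa) are randomised per ClientHello
    and must be left out of the fingerprint, otherwise one client yields many hashes."""
    return (value & 0x0f0f) == 0x0a0a and (value >> 8) == (value & 0xff)


def ja3_string(version, ciphers, extensions, curves, point_formats):
    """JA3 string: SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats."""
    def join(values):
        return "-".join(str(v) for v in values if not is_grease(v))
    return ",".join([str(version), join(ciphers), join(extensions),
                     join(curves), join(point_formats)])


def ja3_hash(ja3):
    """JA3 fingerprint: MD5 of the JA3 string (MD5 is the published convention, not a choice)."""
    return hashlib.md5(ja3.encode("ascii")).hexdigest()


# Constructed decoded ClientHello fields, as a protocol decoder would hand them over.
CLIENT_HELLO = {
    "version": 0x0303,
    "ciphers": [0x1a1a, 4865, 4866, 4867, 49195, 49199],
    "extensions": [0x2a2a, 0, 23, 65281, 10, 11, 35, 16, 5, 13, 18, 51, 45, 43, 27,
                   17513, 0x3a3a, 21],
    "curves": [0x4a4a, 29, 23, 24],
    "point_formats": [0],
}

# Constructed flow metadata of the same connection (assumed field names).
FLOW_META = {"dst_ip": "198.51.100.23", "sni": "update.bad-cdn.example",
             "url": "https://update.bad-cdn.example/x/cfg.bin"}

# Constructed built-in intelligence store: indicator type -> {indicator: description}.
KNOWN_BAD_JA3 = ("771,4865-4866-4867-49195-49199,"
                 "0-23-65281-10-11-35-16-5-13-18-51-45-43-27-17513-21,29-23-24,0")
INTEL = {
    "ip": {"203.0.113.9": "sinkholed C2"},
    "domain": {"bad-cdn.example": "malware staging"},
    "url": {},
    "ja3": {ja3_hash(KNOWN_BAD_JA3): "constructed tooling fingerprint"},
}


def domain_candidates(name):
    """Yield the name and each parent domain (never the bare TLD) so that a blocklisted
    apex domain also matches its subdomains."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def correlate(meta, hello, intel=INTEL):
    """Association step: compare the extracted indicators with the intelligence store
    and return (type, indicator, description) for every match."""
    hits = []
    if meta["dst_ip"] in intel["ip"]:
        hits.append(("ip", meta["dst_ip"], intel["ip"][meta["dst_ip"]]))
    for candidate in domain_candidates(meta["sni"]):
        if candidate in intel["domain"]:
            hits.append(("domain", candidate, intel["domain"][candidate]))
            break
    if meta["url"] in intel["url"]:
        hits.append(("url", meta["url"], intel["url"][meta["url"]]))
    fingerprint = ja3_hash(ja3_string(hello["version"], hello["ciphers"], hello["extensions"],
                                      hello["curves"], hello["point_formats"]))
    if fingerprint in intel["ja3"]:
        hits.append(("ja3", fingerprint, intel["ja3"][fingerprint]))
    return hits


if __name__ == "__main__":
    print(ja3_string(**CLIENT_HELLO))
    for hit in correlate(FLOW_META, CLIENT_HELLO):
        print(hit)
```

A JA3 match identifies the TLS client software, not the intent behind a connection: common tooling and legitimate libraries share fingerprints, so a JA3 hit is best treated as one input to the association engine alongside the IP, domain and URL indicators rather than as a verdict on its own.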
This embodiment also provides a data security detection device, which is used to implement the above embodiment and its preferred implementation; what has already been described is not repeated. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the devices described in the following embodiments are preferably implemented in software, implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
The present embodiment provides a data security detection device, as shown in fig. 4, including:
The data filtering module 401 is configured to receive the flow data, and perform preliminary filtering on the flow data to obtain filtered flow data;
The feature detection module 402 is configured to perform feature detection on the filtered flow data to obtain a feature detection result;
The metadata detection module 403 is configured to extract metadata of the filtered flow data, perform generalization processing on the metadata through middleware, and perform diversified detection on the metadata after the generalization processing to obtain a diversified detection result;
The result determining module 404 is configured to determine a target detection result of the flow data based on the diversified detection result and the feature detection result.
In some alternative embodiments, the feature detection module 402, when performing feature detection on the filtered flow data, extracts features of the filtered flow data and, if those features match features in the attack feature engine, determines that the filtered flow data is attack flow data.
In some alternative embodiments, the metadata detection module 403 performs diversified detection on the generalized metadata as follows: the generalized metadata is detected by an artificial intelligence detection engine to obtain a first detection result; by an abnormal behavior detection engine to obtain a second detection result; and by a threat intelligence detection engine to obtain a third detection result; the diversified detection result is then obtained from the first, second and third detection results.
In some alternative embodiments, the apparatus further comprises: the file extraction module is used for extracting an original file of the filtered flow data; the method comprises the steps that the original file is subjected to generalization processing through a middleware, and the original file subjected to generalization processing is detected based on a file detection engine to obtain a corresponding file detection result; and updating the multi-element detection result based on the file detection result.
In some alternative embodiments, determining the target detection result of the flow data based on the diversified detection result and the feature detection result comprises: judging whether the number of abnormal detection results among the diversified detection result and the feature detection result is larger than a preset value; if the number of abnormal detection results is larger than the preset value, determining that the target detection result of the flow data is abnormal; and if the number of abnormal detection results is smaller than the preset value, determining that the target detection result of the flow data is normal.
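The whole four-stage pipeline of the system architecture (fig. 3) and of modules 401 to 404, as an added example that is not the patent's or the applicant's code: preliminary filtering, signature-based feature detection, metadata extraction with middleware generalization into a common schema, three metadata engines, and the threshold vote just described. The sample flows, the filter policy, the signatures, the per-source port baseline and the intelligence indicators are constructed for this example; the "AI detection engine" is a stand-in heuristic (hostname entropy, a DGA indicator) and not a trained model. The description above defines only the cases "number larger than the preset value" (abnormal) and "smaller" (normal); the case where the number equals the preset value is left open, and the example resolves it as abnormal, which is an assumption.

```python
import math
import re

# Constructed sample flows with an assumed record layout (example data, not from the patent).
FLOWS = [
    {"id": 1, "src": "10.0.0.5", "dst": "93.184.216.34", "dport": 80, "proto": "HTTP",
     "host": "example.com", "payload": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"},
    {"id": 2, "src": "10.0.0.7", "dst": "203.0.113.9", "dport": 80, "proto": "HTTP",
     "host": "xk3j9qz0pl2v.net", "payload": b"GET /dl?f=../../../../etc/passwd HTTP/1.1\r\n"},
    {"id": 3, "src": "10.0.0.5", "dst": "224.0.0.251", "dport": 5353, "proto": "MDNS",
     "host": "", "payload": b"\x00\x00\x84\x00"},
]

MONITORED_PROTOCOLS = {"HTTP", "DNS", "SMTP", "IMAP", "POP3", "TLS"}  # assumed filter policy

# Stand-in for the attack feature engine: name -> payload regex (assumed signatures).
SIGNATURES = {
    "path-traversal": re.compile(rb"(?:\.\./){2,}"),
    "sql-injection": re.compile(rb"(?i)union\s+select"),
}

# Assumed learned baseline of destination ports per source (abnormal behaviour engine input).
BASELINE_PORTS = {"10.0.0.5": {80, 443}, "10.0.0.7": {443}}

# Assumed built-in threat intelligence indicators.
INTEL = {"ip": {"203.0.113.9"}, "domain": {"bad-cdn.example"}}


def preliminary_filter(flows):
    """Module 401: drop traffic the platform does not care about (protocol not monitored)."""
    return [f for f in flows if f["proto"] in MONITORED_PROTOCOLS]


def feature_detect(flow):
    """Module 402: known-attack detection by signature match; returns the hit name or None."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(flow["payload"]):
            return name
    return None


def extract_metadata(flow):
    """Module 403, step 1: protocol metadata in the decoder's own field names."""
    return {"SrcIP": flow["src"], "DstIP": flow["dst"], "DstPort": flow["dport"],
            "AppProto": flow["proto"], "HostName": flow["host"], "Bytes": len(flow["payload"])}


def generalize(meta):
    """Module 403, step 2 (middleware): normalise into the one schema every engine consumes."""
    return {"src_ip": meta["SrcIP"], "dst_ip": meta["DstIP"], "dst_port": int(meta["DstPort"]),
            "app": meta["AppProto"].lower(), "domain": meta["HostName"].lower().rstrip("."),
            "size": meta["Bytes"]}


def shannon_entropy(text):
    if not text:
        return 0.0
    probs = [text.count(c) / len(text) for c in set(text)]
    return -sum(p * math.log2(p) for p in probs)


def ai_engine(m, threshold=3.2):
    """First detection result (stand-in for the AI engine): DGA-looking hostname label."""
    label = m["domain"].split(".")[0]
    return len(label) >= 10 and shannon_entropy(label) > threshold


def behavior_engine(m):
    """Second detection result: destination port outside the source's learned baseline."""
    return m["dst_port"] not in BASELINE_PORTS.get(m["src_ip"], set())


def intel_engine(m):
    """Third detection result: destination IP or domain matches a built-in indicator."""
    return m["dst_ip"] in INTEL["ip"] or m["domain"] in INTEL["domain"]


def decide(abnormal_flags, preset):
    """Module 404: count abnormal verdicts (feature result included) against the preset value."""
    count = sum(1 for flag in abnormal_flags if flag)
    if count > preset:
        return "abnormal"
    if count < preset:
        return "normal"
    return "abnormal"  # count == preset is not defined by the description; assumed abnormal


def run_pipeline(flows, preset=1):
    """Return {flow id: verdict} for every flow that survives the preliminary filter."""
    verdicts = {}
    for flow in preliminary_filter(flows):
        feature_hit = feature_detect(flow)
        m = generalize(extract_metadata(flow))
        results = [feature_hit is not None, ai_engine(m), behavior_engine(m), intel_engine(m)]
        verdicts[flow["id"]] = decide(results, preset)
    return verdicts


if __name__ == "__main__":
    print(run_pipeline(FLOWS))
```

With `preset=1` a single abnormal verdict is not enough on its own, which is the point of the vote: the feature engine, the behaviour baseline and the intelligence match each produce false positives in isolation, and requiring agreement between independent engines is what keeps the alarm volume manageable. The preset value should be chosen with that in mind; a threshold equal to the number of engines means every engine must agree, which in practice silences the system.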
In some alternative embodiments, the apparatus further comprises: and the display module is used for displaying the target detection result based on the form of the log and/or the alarm.
Further functional descriptions of the above respective modules and units are the same as those of the above corresponding embodiments, and are not repeated here.
The data security detection device in this embodiment is presented in the form of functional units, where a unit refers to an ASIC (application-specific integrated circuit), a processor and memory that execute one or more software or firmware programs, and/or other devices that can provide the above functions.
The embodiment of the invention also provides computer equipment, which is provided with the data security detection device shown in the figure 4.
Referring to fig. 5, which is a schematic structural diagram of a computer device according to an alternative embodiment of the invention, the computer device includes one or more processors 10, a memory 20, and interfaces for connecting the various components, including high-speed and low-speed interfaces. The components are communicatively coupled to each other over different buses and may be mounted on a common motherboard or in other ways as required. The processor may process instructions executed within the computer device, including instructions stored in or on the memory for displaying graphical information of a GUI on an external input/output device such as a display coupled to an interface. In some alternative embodiments, multiple processors and/or multiple buses may be used together with multiple memories, if desired. Likewise, multiple computer devices may be connected, each providing part of the necessary operations (for example as a server array, a group of blade servers or a multiprocessor system). One processor 10 is illustrated in fig. 5.
The processor 10 may be a central processor, a network processor, or a combination thereof. The processor 10 may further include a hardware chip, among others. The hardware chip may be an application specific integrated circuit, a programmable logic device, or a combination thereof. The programmable logic device may be a complex programmable logic device, a field programmable gate array, a general-purpose array logic, or any combination thereof.
The memory 20 stores instructions executable by the at least one processor 10, causing the at least one processor 10 to perform the method of the embodiments described above.
The memory 20 may include a storage program area that may store an operating system, at least one application program required for functions, and a storage data area; the storage data area may store data created according to the use of the computer device, etc. In addition, the memory 20 may include high-speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid-state storage device. In some alternative embodiments, memory 20 may optionally include memory located remotely from processor 10, which may be connected to the computer device via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
Memory 20 may include volatile memory, such as random access memory; the memory may also include non-volatile memory, such as flash memory, hard disk, or solid state disk; the memory 20 may also comprise a combination of the above types of memories.
The computer device further comprises input means 30 and output means 40. The processor 10, memory 20, input device 30, and output device 40 may be connected by a bus or other means, for example in fig. 5.
The input device 30 may receive input numeric or character information and generate key signal inputs related to user settings and function control of the computer device; examples are a touch screen, a keypad, a mouse, a trackpad, a touchpad, a pointing stick, one or more mouse buttons, a trackball and a joystick. The output device 40 may include a display device, auxiliary lighting (e.g., LEDs), tactile feedback (e.g., vibration motors) and the like. Such display devices include, but are not limited to, liquid crystal displays, light-emitting diode displays and plasma displays. In some alternative implementations, the display device may be a touch screen.
Embodiments of the invention also provide a computer-readable storage medium. The method according to the embodiments described above may be implemented in hardware, in firmware, or as computer code recorded on a storage medium, or originally stored on a remote storage medium or a non-transitory machine-readable storage medium, downloaded through a network and stored on a local storage medium, so that the method described herein can be carried out by software held on such a storage medium using a general-purpose computer, a special-purpose processor, or programmable or special-purpose hardware. The storage medium may be a magnetic disk, an optical disk, a read-only memory, a random access memory, a flash memory, a hard disk, a solid-state disk or the like, or a combination of these kinds of memory. It will be appreciated that a computer, processor, microprocessor, controller or programmable hardware includes a storage element that can store or receive software or computer code which, when accessed and executed by the computer, processor or hardware, implements the methods illustrated by the above embodiments.
Although embodiments of the present invention have been described in connection with the accompanying drawings, various modifications and variations may be made by those skilled in the art without departing from the spirit and scope of the invention, and such modifications and variations fall within the scope of the invention as defined by the appended claims.

Claims (10)

1. A method of data security detection, the method comprising:
Receiving flow data, and performing preliminary filtration on the flow data to obtain filtered flow data;
Performing feature detection on the filtered flow data to obtain a feature detection result;
extracting metadata of the filtered flow data, performing generalization treatment on the metadata through middleware, and performing diversified detection on the metadata subjected to the generalization treatment to obtain a diversified detection result;
And determining a target detection result of the flow data based on the diversified detection result and the characteristic detection result.
2. The method of claim 1, wherein the performing feature detection on the filtered traffic data to obtain a feature detection result comprises:
extracting characteristics of the filtered flow data;
and if the characteristics of the filtered flow data are matched with the characteristics in the attack characteristic engine, determining that the filtered flow data are attack flow data.
3. The method of claim 1, wherein the performing a multiple detection on the metadata after the generalization processing to obtain a multiple detection result includes:
Detecting the metadata after the generalization processing based on an artificial intelligent detection engine to obtain a first detection result;
Detecting the metadata subjected to the generalization processing based on an abnormal behavior detection engine to obtain a second detection result;
Detecting the metadata after the generalization processing based on a threat information detection engine to obtain a third detection result;
and obtaining a diversified detection result based on the first detection result, the second detection result and the third detection result.
4. The method according to claim 1, wherein the method further comprises:
Extracting an original file of the filtered flow data;
the method comprises the steps that the original file is subjected to generalization processing through a middleware, and the original file subjected to the generalization processing is detected based on a file detection engine to obtain a corresponding file detection result;
and updating the diversified detection result based on the file detection result.
5. The method according to claim 1, wherein the method further comprises:
and displaying the target detection result based on the form of the log and/or the alarm.
6. The method of any of claims 1-5, wherein the determining a target detection result for the flow data based on the diversified detection result and the feature detection result comprises:
judging whether the number of abnormal detection results in the diversified detection results and the characteristic detection results is larger than a preset value or not;
And if the number of the abnormal detection results is larger than a preset value, determining that the target detection result of the flow data is abnormal.
7. The method of claim 6, wherein the method further comprises:
and if the number of the abnormal detection results is smaller than a preset value, determining that the target detection result of the flow data is normal.
8. A data security detection device, the device comprising:
The data filtering module is used for receiving the flow data and performing preliminary filtering on the flow data to obtain filtered flow data;
The characteristic detection module is used for carrying out characteristic detection on the filtered flow data to obtain a characteristic detection result;
The metadata detection module is used for extracting metadata of the filtered flow data, performing generalization processing on the metadata through middleware, and performing diversified detection on the metadata subjected to the generalization processing to obtain a diversified detection result;
and the result determining module is used for determining a target detection result of the flow data based on the diversified detection result and the characteristic detection result.
9. A computer device, comprising:
a memory and a processor, the memory and the processor being communicatively connected to each other, the memory having stored therein computer instructions, the processor executing the computer instructions to perform the data security detection method of any of claims 1 to 7.
10. A computer-readable storage medium having stored thereon computer instructions for causing a computer to perform the data security detection method of any of claims 1 to 7.
CN202311783255.5A 2023-12-22 2023-12-22 Data security detection method and device, computer equipment and storage medium Pending CN117978435A (en)

Priority application: CN202311783255.5A, priority date 2023-12-22, filing date 2023-12-22
Publication: CN117978435A, published 2024-05-03
Family ID: 90852358
Country status: CN, CN117978435A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination