CN101902366A - Method and system for detecting abnormal service behaviors - Google Patents
- Publication number: CN101902366A
- Authority: CN (China)
- Prior art keywords: monitored object, record, occurrences, monitoring type, frequency
- Legal status: Granted
- Landscapes: Alarm Systems (AREA)
Abstract
The invention provides a method for detecting abnormal service behaviors, which comprises the following steps: establishing a model of users' normal service system access behavior according to the historical audit records of a security audit device prior to its current detection point; and analyzing the real-time audit records of the security audit device, comparing them with the normal behavior model, and judging whether the users' service access behavior is abnormal. The invention also provides a system for detecting abnormal service behaviors. Using the audit records of the security audit device, the method and the system can detect attacks that are legal in terms of the service flow but still damage the service system.
Description
Technical field
The present invention relates to the field of information security, and in particular to a method and system for detecting abnormal service behaviors.
Background
With the development of information technology, Internet-facing service systems built around a database server, such as online banking systems and electronic ticket-booking systems, have come into increasingly wide use. Because the database server stores the critical data of the service system and is closely tied to the entire service flow, ensuring the information security of the database server is particularly important. To better protect database servers, network security audit devices have been widely deployed. Such a device monitors and records users' access to the server in real time and, once it finds access behavior that violates the rules (for example unauthenticated or unauthorized access), it can block the violating behavior.
Although a security audit device can promptly detect and block behavior that violates the service flow, in practice there are many attacks that do not violate the service flow and yet still damage the service system. For example, in one service system there was an information security incident in which an insider used another employee's account information to log in to the service system and repeatedly modified records in the database for profit. Because this attack conforms entirely to the service flow, existing security audit products cannot detect it, raise an alarm or block it.
In the prior art, one existing solution analyzes database access records against security configuration rules and classifies each database access record as alarm or non-alarm. This scheme can detect some abnormal service behaviors but has the following shortcomings. First, relying on administrators to formulate a complete set of security configuration rules is too cumbersome, and any attack not covered by the rules goes unreported. Second, some attacks cannot be found from one or a few database access records, for example those that show up only in the modification frequency of a particular record within 24 hours; for such attacks no reasonable security configuration rule can be formulated that detects them by analyzing one or a few database access records.
Summary of the invention
The technical problem to be solved by the present invention is to provide a system and method for detecting abnormal service behaviors that, based on the audit records of a security audit device, detect attacks which do not violate the service flow but still damage the service system.
To solve the above problem, the invention provides a method for detecting abnormal service behaviors, comprising:
establishing a normal behavior model of users accessing the service system according to the historical audit records of the security audit device before its current detection point;
analyzing the real-time audit records of the security audit device, comparing them with the normal behavior model, and determining whether a user's behavior in accessing the service system is abnormal.
Further, the above method may also have the following feature: the step of establishing the normal behavior model of users accessing the service system comprises:
setting the monitored objects and their corresponding monitoring types;
setting the start and end times of the self-learning stage;
performing self-learning on the historical audit records within the set start and end times, and computing statistics on the information of each monitored object according to its corresponding monitoring type, thereby establishing the normal behavior model.
Further, the above method may also have the following features:
when a monitored object is set, the database table name to be monitored is set, together with the corresponding operation type and field name; the monitoring type is set to value range and/or frequency of occurrence;
when learning from the historical audit records within the set start and end times, each historical audit record is parsed to extract the database table name, operation type, field name and operation value;
it is determined whether the historical audit record contains a set monitored object; for a historical audit record that contains the monitored object, statistics are computed on the operation value of the monitored object according to its corresponding monitoring type: if the monitoring type is frequency of occurrence, the average frequency of occurrence of its specified operation value within a specified time is calculated; if the monitoring type is value range, the mean and variance of its operation value are calculated.
Further, the above method may also have the following feature: if the field of the monitored object is of character type, the monitoring type may only be set to frequency of occurrence; if the field of the monitored object is of numeric type, the monitoring type is set to value range and/or frequency of occurrence.
Further, the above method may also have the following feature: the step of analyzing the current audit record obtained by the security audit device, comparing it with the normal behavior model, and determining whether the user's behavior in accessing the service system is abnormal specifically comprises:
parsing the real-time audit record to extract the database table name, operation type, field name and operation value, and determining whether the real-time audit record contains a set monitored object;
for a real-time audit record that contains the monitored object, processing the operation value of the monitored object according to its corresponding monitoring type and determining whether it deviates from the normal behavior model; if it deviates, the user's behavior in accessing the service system is abnormal;
wherein determining whether the normal behavior model has been deviated from means: when the monitoring type corresponding to the monitored object is frequency of occurrence, counting the frequency of occurrence of the monitored object within the specified time and checking whether the degree of deviation between the frequency of occurrence of the specified operation value of the monitored object and the normal behavior model exceeds a set threshold; when the monitoring type of the monitored object is value range, checking whether the degree of deviation between the operation value of the monitored object and the normal behavior model exceeds the set threshold.
The present invention also proposes a system for detecting abnormal service behaviors, comprising:
a storage module, used to store the audit records of the security audit device, including the real-time audit records of the current detection point and the historical audit records before the current detection point;
a model building module, connected to the storage module and the evaluation module, which establishes the normal behavior model of users accessing the service system according to the historical audit records;
an evaluation module, connected to the storage module and the model building module, used to analyze the real-time audit records of the security audit device, compare them with the normal behavior model, and determine whether a user's behavior in accessing the service system is abnormal.
Further, the above system may also have the following feature: the system further comprises:
a setting module, connected to the model building module and the evaluation module, used to set the monitored objects and monitoring types, and also used to set the start and end times of the self-learning stage;
the model building module is used to perform self-learning on the historical audit records within the start and end times set by the setting module, and to compute statistics on the information of each monitored object according to its corresponding monitoring type, thereby establishing the normal behavior model.
Further, the above system may also have the following features:
when setting a monitored object, the setting module sets the database table name to be monitored, together with the corresponding operation type and field name, and also sets the monitoring type to value range and/or frequency of occurrence;
the model building module comprises a parsing unit and a statistics unit:
the parsing unit, when learning from the historical audit records within the set start and end times, parses each historical audit record, extracts the database table name, operation type, field name and operation value, and determines whether the historical audit record contains a set monitored object;
the statistics unit, for a historical audit record that contains the monitored object, computes statistics on the information of the monitored object according to its corresponding monitoring type: if the monitoring type is frequency of occurrence, it calculates the average frequency of occurrence of its specified operation value within a specified time; if the monitoring type is value range, it calculates the mean and variance of its operation value.
Further, the above system may also have the following feature: when the setting module sets the monitoring type, if the field of the monitored object is of character type, the monitoring type may only be set to frequency of occurrence; if the field of the monitored object is of numeric type, the monitoring type is set to value range and/or frequency of occurrence.
Further, the above system may also have the following feature: the evaluation module comprises:
a parsing unit, used to parse the real-time audit record, extract the database table name, operation type, field name and operation value, and determine whether the real-time audit record contains a set monitored object;
a judging unit, used, for a real-time audit record that contains the monitored object, to process the information of the monitored object according to its corresponding monitoring type and determine whether it deviates from the normal behavior model; if it deviates, the user's behavior in accessing the service system is abnormal;
wherein determining whether the normal behavior model has been deviated from means: when the monitoring type corresponding to the monitored object is frequency of occurrence, counting the frequency of occurrence of the monitored object within the specified time and checking whether the degree of deviation between the frequency of occurrence of the monitored object and the normal behavior model exceeds a set threshold; when the monitoring type of the monitored object is value range, checking whether the degree of deviation between the operation value of the monitored object and the normal behavior model exceeds the set threshold.
The system and method for detecting abnormal service behaviors proposed by the present invention can, based on the audit records of a security audit device, detect attacks that do not violate the service flow but still damage the service system. Compared with the prior art, the present invention establishes the normal behavior model of users accessing the service system by self-learning, which avoids the complicated process of relying on administrators to set security configuration rules and also reflects the real situation of the service system more faithfully. By setting the monitoring type, the present invention can detect anomalies of the frequency-of-occurrence type as well as anomalies of the value-range type, so that service anomalies that cannot be detected by setting simple security configuration rules can also be detected accurately.
Brief description of the drawings
Fig. 1 is a schematic flowchart of an embodiment of the method for detecting abnormal service behaviors according to the present invention.
Fig. 2 is a schematic diagram of the composition of an embodiment of the system for detecting abnormal service behaviors according to the present invention.
Detailed description of the embodiments
Embodiments of the present invention are described in detail below with reference to the drawings and examples, so that how the invention applies technical means to solve the technical problem and achieve the technical effect can be fully understood and implemented accordingly.
Fig. 1 is a schematic flowchart of an embodiment of the method for detecting abnormal service behaviors according to the present invention. As shown in Fig. 1, this method embodiment mainly comprises the following steps:
Step S110: store the audit records of the security audit device, including the real-time audit records of the current detection point and the historical audit records before the current detection point.
Step S120: set the monitored objects that need to be monitored and the monitoring type corresponding to each monitored object.
A monitored object comprises a database table name and the corresponding operation type and field name.
The monitoring type is value range and/or frequency of occurrence. If the field of the monitored object is of character type, only the frequency of occurrence may be monitored; if the field of the monitored object is of numeric type, the value range and/or the frequency of occurrence can be selected for monitoring.
Step S130: learn from the historical audit records of the security audit device and establish the normal behavior model of users accessing the service system.
The model is established as follows:
Set the start and end times of the self-learning stage.
According to the set monitoring type, learn from the historical audit records within the set start and end times: perform SQL statement parsing on each historical audit record and extract the database table name, operation type, field name and operation value.
Determine whether the historical audit record contains a set monitored object.
The specific check is: compare the database table name, operation type and field name with the monitored object; if they are identical, the historical audit record contains the monitored object.
For a historical audit record that contains the monitored object, compute statistics on the information of the monitored object according to its corresponding monitoring type and establish the normal behavior model, wherein:
if the monitoring type of the monitored object is frequency of occurrence, the average frequency of occurrence of its specified operation value within a specified time is calculated (for example 24 hours; other specified times are also possible, and the present invention does not limit this); if the monitoring type of the monitored object is value range, the mean and variance of each of its operation values are calculated.
Step S140: analyze the real-time audit records of the security audit device, compare them with the normal behavior model, and determine whether a user's behavior in accessing the service system is abnormal. This specifically comprises:
Perform SQL statement parsing on the real-time audit record and extract the database table name, operation type, field name and operation value.
Determine whether the real-time audit record contains a set monitored object.
The specific check is: compare the database table name, operation type and field name with the monitored object; if they are identical, the historical audit record contains the monitored object.
For a real-time audit record that contains the monitored object, process the information of the monitored object according to its corresponding monitoring type and determine whether it deviates from the normal behavior model, that is, assess whether the operation on the monitored object deviates from the normal behavior model. If it deviates, the user's behavior in accessing the service system is abnormal.
Here, determining whether the normal behavior model has been deviated from specifically means: if the frequency of occurrence of the monitored object is monitored (that is, the monitoring type corresponding to the monitored object is frequency of occurrence), check whether the degree of deviation between the frequency of occurrence of the monitored object within the specified time and the normal behavior model exceeds the set threshold; if the value range of the monitored object is monitored (that is, the monitoring type corresponding to the monitored object is value range), check whether the degree of deviation between the operation value of the monitored object and the normal behavior model exceeds the set threshold.
Step S150: if abnormal behavior of a user accessing the service system is detected, raise an alarm for the anomaly. An alarm condition can also be set so that an alarm is raised only when the condition is met, for example only after multiple anomalies. Anomalies can also be recorded to generate an anomaly log for subsequent statistics and management.
It should be noted that the whole evaluation process is divided into two stages, the self-learning stage and the detection stage. The self-learning stage is carried out first and establishes the normal behavior model of users accessing the service system; this model is then used to detect abnormal service behaviors, which is the second stage. Once the self-learning stage is complete, detection in practical use does not need to repeat self-learning; it directly uses the normal behavior model established in the self-learning stage, without learning again and rebuilding the model. Of course, because users' operating behavior changes and users are added or removed, the normal behavior model can also be updated at intervals as needed.
The following is an application example of the system for detecting abnormal service behaviors, given to describe embodiments of the present invention more clearly.
Suppose that, in a certain service behavior, a user needs to log in to the service system to modify one of the user's own data items. Suppose that this service behavior by user Bob causes the following SQL (Structured Query Language) statement to be executed on the database server:
update userscore set score=2000 where username='Bob';
In the above SQL statement, "userscore" is the database table name, "score" and "username" are database field names, "update" is the operation type, and "2000" and "Bob" are operation values.
Suppose the monitored objects and monitoring types set by the administrator are:
Monitored object 1: operation type "update", database table name "userscore", database field name "username", monitoring type: frequency of occurrence.
Monitored object 2: operation type "update", database table name "userscore", database field name "score", monitoring type: value range.
Suppose the start and end times set for the self-learning stage are 2009.1.1 0:0:0 to 2009.1.31 24:0:0. In the self-learning stage, the system for detecting abnormal service behaviors then learns from the historical records in this period, calculating the mean and variance of the frequency of occurrence of the specified operation value of monitored object 1 within 24 hours, and the mean and variance of the value range of the operation values of monitored object 2.
Suppose the normal service behavior model obtained in the self-learning stage is: the mean for monitored object 1 is 10 and the variance is 2; the mean for monitored object 2 is 3000 and the variance is 100. The practical meaning is that user Bob performs this service behavior 10 times per day on average, and the average operation value each time is 3000. Suppose the threshold set by the administrator is: raise an alarm when the deviation of the user's service behavior from the normal model is greater than 2 times the variance.
Suppose that, after self-learning is complete, the system for detecting abnormal service behaviors detects a service behavior that causes the following SQL statement to be executed on the database server:
update userscore set score=4000 where username='Bob';
Parsing this SQL statement shows that the behavior contains both monitored object 1 and monitored object 2 as set. Suppose further detection finds that, for monitored object 1, the frequency of occurrence of "Bob" within 24 hours has reached 12. Because the deviation from the normal model is 2, while 2 times the variance is 2 × 2 = 4, monitored object 1 does not deviate from the normal model.
For monitored object 2, the value is 4000, so the deviation from the normal model is 1000, while 2 times the variance is 100 × 2 = 200. Monitored object 2 therefore deviates from the normal model, and the system for detecting abnormal service behaviors raises an alarm for this behavior.
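The self-learning and detection stages described above, as an added Python example that is not part of the patent: the constructed history is chosen so that the learned model equals the example's values (frequency mean 10, variance 2; score mean 3000, variance 100). The regex parser, the four-day learning window, the one-sided frequency test and all function names are assumptions of this example.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from statistics import mean, pvariance

# Deliberately narrow parser (an assumption of this example): a single-table UPDATE
# with one numeric SET column and one quoted WHERE value, as in the statement above.
UPDATE_RE = re.compile(
    r"^\s*update\s+(\w+)\s+set\s+(\w+)\s*=\s*(-?\d+(?:\.\d+)?)"
    r"\s+where\s+(\w+)\s*=\s*'([^']*)'\s*;?\s*$", re.IGNORECASE)

# Monitored objects from the example: (operation type, table, field) -> monitoring type.
MONITORED = {
    ("update", "userscore", "username"): "frequency",
    ("update", "userscore", "score"): "range",
}

def parse(sql):
    """Return (operation type, table, {field: operation value}), or None if unsupported."""
    m = UPDATE_RE.match(sql)
    if not m:
        return None
    table, set_f, set_v, where_f, where_v = m.groups()
    return "update", table.lower(), {set_f.lower(): float(set_v), where_f.lower(): where_v}

def matches(parsed):
    """Yield (key, monitoring type, operation value) for each monitored object in a record."""
    if parsed is None:
        return
    op, table, fields = parsed
    for field, value in fields.items():
        kind = MONITORED.get((op, table, field))
        if kind:
            yield (op, table, field), kind, value

def learn(records, start, end):
    """Self-learning stage over [start, end): {(key, value or None): (mean, variance)}."""
    days = (end - start).days
    daily = defaultdict(Counter)  # (key, operation value) -> {day index: count}
    values = defaultdict(list)    # key -> numeric operation values
    for ts, sql in records:
        if not (start <= ts < end):
            continue
        for key, kind, value in matches(parse(sql)):
            if kind == "frequency":
                daily[(key, value)][(ts - start).days] += 1
            else:
                values[key].append(value)
    model = {}
    for name, counts in daily.items():
        per_day = [counts.get(d, 0) for d in range(days)]  # quiet days count as 0
        model[name] = (mean(per_day), pvariance(per_day))
    for key, vals in values.items():
        model[(key, None)] = (mean(vals), pvariance(vals))
    return model

class Detector:
    """Detection stage: alert when the deviation exceeds k times the learned variance."""
    def __init__(self, model, k=2.0, window=timedelta(hours=24)):
        self.model, self.k, self.window = model, k, window
        self.seen = defaultdict(deque)  # (key, operation value) -> recent timestamps

    def check(self, ts, sql):
        """Return [(field, observed, mean, variance)] for each monitored object that deviates."""
        alerts = []
        for key, kind, value in matches(parse(sql)):
            if kind == "frequency":
                q = self.seen[(key, value)]
                q.append(ts)
                while ts - q[0] >= self.window:
                    q.popleft()
                # Assumption: a value never seen while learning has mean 0, variance 0.
                mu, var = self.model.get((key, value), (0, 0))
                # Assumption: one-sided test, since a partly filled window under-counts.
                observed, deviation = len(q), len(q) - mu
            elif (key, None) in self.model:
                mu, var = self.model[(key, None)]
                observed, deviation = value, abs(value - mu)
            else:
                continue
            if deviation > self.k * var:
                alerts.append((key[2], observed, mu, var))
        return alerts

def bob(score):
    return f"update userscore set score={score} where username='Bob';"

def demo():
    """Constructed data: Bob updates 8, 12, 10, 10 times on four days, scores 2990/3010."""
    start = datetime(2009, 1, 1)
    history = [(start + timedelta(days=d, hours=8, minutes=30 * i),
                bob(2990 if i % 2 == 0 else 3010))
               for d, n in enumerate([8, 12, 10, 10]) for i in range(n)]
    model = learn(history, start, start + timedelta(days=4))
    detector = Detector(model)
    t0 = datetime(2009, 2, 2, 9, 0)
    # Twelve updates within 24 hours; only the last one sets score=4000.
    results = [detector.check(t0 + timedelta(minutes=20 * i), bob(4000 if i == 11 else 3000))
               for i in range(12)]
    return model, results

if __name__ == "__main__":
    model, results = demo()
    print(model)
    print(results[-1])
```

The threshold follows the example above, which compares the deviation with a multiple of the variance; statements the parser does not recognise are skipped rather than scored.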
Fig. 2 is a schematic diagram of the composition of one embodiment of the system for detecting abnormal service behaviors according to the present invention. As shown in Fig. 2, the system comprises a storage module 210, a setting module 220, a model building module 230 and an evaluation module 240, wherein:
Further, the model building module 230 comprises a parsing unit and a statistics unit:
the parsing unit, when learning from the historical audit records within the set start and end times, parses each historical audit record, extracts the database table name, operation type, field name and operation value, and determines whether the historical audit record contains a set monitored object;
the statistics unit, for a historical audit record that contains the monitored object, computes statistics on the information of the monitored object according to its corresponding monitoring type: if the monitoring type is frequency of occurrence, it calculates the average frequency of occurrence of its specified operation value within a specified time; if the monitoring type is value range, it calculates the mean and variance of its operation value.
Further, the evaluation module 240 comprises:
a parsing unit, used to parse the real-time audit record, extract the database table name, operation type, field name and operation value, and determine whether the real-time audit record contains a set monitored object;
a judging unit, used, for a real-time audit record that contains the monitored object, to process the information of the monitored object according to its corresponding monitoring type and determine whether it deviates from the normal behavior model; if it deviates, the user's behavior in accessing the service system is abnormal;
wherein determining whether the normal behavior model has been deviated from means: when the monitoring type corresponding to the monitored object is frequency of occurrence, counting the frequency of occurrence of the monitored object within the specified time and checking whether the degree of deviation between the frequency of occurrence of the monitored object and the normal behavior model exceeds a set threshold; when the monitoring type of the monitored object is value range, checking whether the degree of deviation between the operation value of the monitored object and the normal behavior model exceeds the set threshold.
Although the embodiments of the present invention are disclosed as above, the content described is only an implementation adopted to make the invention easier to understand and is not intended to limit the invention. Any person skilled in the technical field of the invention may, without departing from the spirit and scope disclosed by the invention, make modifications and changes in the form and details of implementation, but the scope of patent protection of the invention shall still be as defined by the appended claims.
Claims (10)
1. A method for detecting abnormal service behaviors, characterized by comprising:
establishing a normal behavior model of users accessing the service system according to the historical audit records of the security audit device before its current detection point;
analyzing the real-time audit records of the security audit device, comparing them with the normal behavior model, and determining whether a user's behavior in accessing the service system is abnormal.
2. The method of claim 1, characterized in that the step of establishing the normal behavior model of users accessing the service system comprises:
setting the monitored objects and their corresponding monitoring types;
setting the start and end times of the self-learning stage;
performing self-learning on the historical audit records within the set start and end times, and computing statistics on the information of each monitored object according to its corresponding monitoring type, thereby establishing the normal behavior model.
3. The method of claim 2, characterized in that:
when a monitored object is set, the database table name to be monitored is set, together with the corresponding operation type and field name; the monitoring type is set to value range and/or frequency of occurrence;
when learning from the historical audit records within the set start and end times, each historical audit record is parsed to extract the database table name, operation type, field name and operation value;
it is determined whether the historical audit record contains a set monitored object; for a historical audit record that contains the monitored object, statistics are computed on the operation value of the monitored object according to its corresponding monitoring type: if the monitoring type is frequency of occurrence, the average frequency of occurrence of its specified operation value within a specified time is calculated; if the monitoring type is value range, the mean and variance of its operation value are calculated.
4. The method of claim 3, characterized in that if the field of the monitored object is of character type, the monitoring type may only be set to frequency of occurrence; if the field of the monitored object is of numeric type, the monitoring type is set to value range and/or frequency of occurrence.
5. The method of claim 3 or 4, characterized in that the step of analyzing the current audit record obtained by the security audit device, comparing it with the normal behavior model, and determining whether the user's behavior in accessing the service system is abnormal specifically comprises:
parsing the real-time audit record to extract the database table name, operation type, field name and operation value, and determining whether the real-time audit record contains a set monitored object;
for a real-time audit record that contains the monitored object, processing the operation value of the monitored object according to its corresponding monitoring type and determining whether it deviates from the normal behavior model; if it deviates, the user's behavior in accessing the service system is abnormal;
wherein determining whether the normal behavior model has been deviated from means: when the monitoring type corresponding to the monitored object is frequency of occurrence, counting the frequency of occurrence of the monitored object within the specified time and checking whether the degree of deviation between the frequency of occurrence of the specified operation value of the monitored object and the normal behavior model exceeds a set threshold; when the monitoring type of the monitored object is value range, checking whether the degree of deviation between the operation value of the monitored object and the normal behavior model exceeds the set threshold.
6. a business conduct abnormality detection system is characterized in that, comprising:
Memory module is used to store the record of the audit of described security audit equipment, comprises the real-time auditing record of current observation station, and the historical auditing record before the described current detection point;
Model building module links to each other with evaluation module with described memory module, according to described historical auditing record, sets up the normal behaviour model of user capture operation system;
Evaluation module links to each other with model building module with described memory module, is used for the real-time auditing record of described security audit equipment is analyzed, and compares with described normal behaviour model, judges whether the behavior of user capture operation system is unusual.
7. system as claimed in claim 6 is characterized in that, described system also comprises:
Module is set, links to each other, be used to set monitored object and monitoring type with described model building module and evaluation module; Also be used to set the beginning and ending time in self study stage;
Described model building module is used for carrying out self study according to the record of the historical auditing in the beginning and ending time that module settings is set, and according to its corresponding monitoring type of monitored object the information of this monitored object is added up, thereby sets up the normal behaviour model.
8. The system as claimed in claim 7, characterized in that:
The setting module, when setting the monitored object, sets the database table name to be monitored and the corresponding operation type and field name, and also sets the monitoring type to value range and/or frequency of occurrence;
The model building module comprises a parsing unit and a statistics unit:
The parsing unit, configured, when learning from the historical audit records within the set start and end times, to parse the historical audit records, extract the database table name, operation type, field name and operation value, and judge whether a historical audit record contains the set monitored object;
The statistics unit, configured, for the historical audit records that contain the monitored object, to compute statistics on the information of the monitored object according to its corresponding monitoring type: if the monitoring type corresponding to the monitored object is frequency of occurrence, it calculates the average frequency of occurrence of the specified operation value within the specified time; if the monitoring type corresponding to the monitored object is value range, it calculates the mean and variance of the operation value.
9. The system as claimed in claim 8, characterized in that, when the setting module sets the monitoring type, if the field of the monitored object is of character type, only one monitoring type, frequency of occurrence, is allowed to be set; if the field of the monitored object is of numeric type, the monitoring type is set to value range and/or frequency of occurrence.
10. The system as claimed in claim 8 or 9, characterized in that the evaluation module comprises:
A parsing unit, configured to parse the real-time audit records, extract the database table name, operation type, field name and operation value, and judge whether a real-time audit record contains the set monitored object;
A judging unit, configured, for the real-time audit records that contain the monitored object, to process the information of the monitored object according to its corresponding monitoring type and judge whether it deviates from the normal behavior model; if it deviates, the behavior of the user accessing the service system is abnormal;
Wherein judging whether the record deviates from the normal behavior model means: when the monitoring type corresponding to the monitored object is frequency of occurrence, counting the frequency of occurrence of the monitored object within the specified time, and comparing whether the degree of deviation between the frequency of occurrence of the monitored object and the normal behavior model exceeds a set threshold; when the monitoring type of the monitored object is value range, comparing whether the degree of deviation between the operation value of the monitored object and the normal behavior model exceeds a set threshold.
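The parsing, statistics and judging units of claims 8 to 10 can be sketched as follows. This is an added example, not code from the patent: the record layout, the table and field names, the deviation measures (a multiple of the standard deviation for value range, a multiple of the learned average for frequency of occurrence) and both threshold values are assumptions, and the audit records are constructed.

```python
from collections import Counter
from statistics import mean, pvariance

class Monitor:
    """A monitored object (table, operation type, field) plus its monitoring types."""
    def __init__(self, table, op, field, types, watch_value=None, window=60):
        self.key, self.types = (table, op, field), set(types)
        self.watch_value, self.window = watch_value, window  # window in seconds

    def matches(self, rec):  # parsing unit: does the record contain this object?
        return (rec["table"], rec["op"], rec["field"]) == self.key

def build_model(mon, history, start, end):
    """Statistics unit: self-learn from historical records with start <= ts < end."""
    vals = [r["value"] for r in history if mon.matches(r) and start <= r["ts"] < end]
    if not vals:
        raise ValueError("no historical records for the monitored object")
    model = {}
    if "range" in mon.types:
        if any(isinstance(v, str) for v in vals):  # claim 9 restriction
            raise ValueError("character-type field allows frequency monitoring only")
        model["mean"], model["var"] = mean(vals), pvariance(vals)
    if "frequency" in mon.types:
        hits = sum(v == mon.watch_value for v in vals)
        model["avg_freq"] = hits / max(1, (end - start) // mon.window)
    return model

def evaluate(mon, model, realtime, range_k=3.0, freq_dev=2.0):
    """Judging unit: return (timestamp, monitoring type) for each deviation."""
    alerts, per_window = [], Counter()
    for r in realtime:
        if not mon.matches(r):
            continue
        if "range" in mon.types:
            std = model["var"] ** 0.5
            # Assumed deviation measure: distance from the mean in standard deviations.
            if abs(r["value"] - model["mean"]) > range_k * max(std, 1e-9):
                alerts.append((r["ts"], "range"))
        if "frequency" in mon.types and r["value"] == mon.watch_value:
            per_window[r["ts"] // mon.window] += 1
    # Only windows with at least one occurrence of the watched value are scored.
    for w, n in sorted(per_window.items()):
        if abs(n - model["avg_freq"]) > freq_dev * max(model["avg_freq"], 1.0):
            alerts.append((w * mon.window, "frequency"))
    return alerts

def demo():
    """Constructed audit records: ten quiet minutes, then an outlier and a burst."""
    def rec(ts, value):
        return {"ts": ts, "table": "transfer", "op": "INSERT",
                "field": "amount", "value": value}
    mon = Monitor("transfer", "INSERT", "amount", {"range", "frequency"},
                  watch_value=100)
    history = [rec(w * 60 + i * 10, v) for w in range(10)
               for i, v in enumerate((90, 100, 110))]
    model = build_model(mon, history, 0, 600)
    realtime = [rec(600, 105), rec(610, 5000)] + [rec(660 + i, 100) for i in range(5)]
    return model, evaluate(mon, model, realtime)

if __name__ == "__main__":
    print(demo())
```

Each of the five repeated inserts is an ordinary value on its own and passes the value-range check; only the frequency-of-occurrence check flags the burst.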
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200910085032.5A CN101902366B (en) | 2009-05-27 | 2009-05-27 | Method and system for detecting abnormal service behaviors |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101902366A (en) | 2010-12-01 |
CN101902366B (en) | 2014-03-12 |
Family
ID=43227585
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN200910085032.5A Expired - Fee Related CN101902366B (en) | 2009-05-27 | 2009-05-27 | Method and system for detecting abnormal service behaviors |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101902366B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN101902366B (en) | 2014-03-12 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee | ||
CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20140312 Termination date: 20180527 |