CN109344042A - Method, apparatus, device and medium for identifying abnormal operation behavior - Google Patents
- Publication number: CN109344042A (CN201810961289.1A)
- Authority: CN (China)
- Prior art keywords: operation behavior, preference, cloud, predicted, abnormal
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/30—Monitoring
- G06F11/34—Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation ; Recording or statistical evaluation of user activity, e.g. usability assessment
- G06F11/3438—Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation ; Recording or statistical evaluation of user activity, e.g. usability assessment monitoring of user actions
Abstract
The invention discloses a method, apparatus, device and medium for identifying abnormal operation behavior. The method comprises: obtaining a historical operation behavior set from the behavior logs of multiple cloud operators; obtaining a preference operation behavior set from the behavior log of a first cloud operator; calculating the similarity between each operation behavior in the historical operation behavior set and each operation behavior in the preference operation behavior set; generating a predicted operation behavior set according to the similarity; and, according to the predicted operation behavior set, identifying whether the actual operation behavior of the first cloud operator in each preset time period of a second predetermined period is an abnormal operation behavior. With this technical solution, abnormal behavior of a cloud operator can be identified in time, so that user rights are comprehensively safeguarded.
Description
Technical field
The present invention relates to the field of cloud computing security, and in particular to a method, apparatus, device and computer-readable medium for identifying abnormal operation behavior.
Background
Cloud computing uses virtualization technology to manage and schedule resources such as computing, storage, network and software in a unified way, and provides services such as basic resources, platform capabilities and software applications to users over the Internet. In short, in cloud computing the user migrates data and business to a cloud platform and manages the data through that platform.
The essential characteristic of the cloud computing model is therefore the separation of data ownership from data administration. Under this model the user loses direct control over their own data and business systems in the cloud, and the cloud administrator objectively has the ability to spy on and steal user data and computing resources.
Traditional security policies have difficulty guarding against malicious behavior by a cloud administrator, and cannot determine whether the current cloud operator is a legitimate cloud operator, so user rights cannot be comprehensively safeguarded.
Summary of the invention
Embodiments of the present invention provide a method, apparatus, device and computer-readable medium for identifying abnormal operation behavior, which can identify abnormal behavior of a cloud operator in time and thereby comprehensively safeguard user rights.
According to one aspect of the embodiments of the present invention, a method for identifying abnormal operation behavior is provided, the method comprising:
obtaining a historical operation behavior set from the behavior logs of multiple cloud operators, the historical operation behavior set consisting of the various operation behaviors of the multiple cloud operators in a first predetermined period;
obtaining a preference operation behavior set from the behavior log of a first cloud operator, the preference operation behavior set consisting of the various operation behaviors the first cloud operator prefers in a preset time period of the first predetermined period;
calculating the similarity between each operation behavior in the historical operation behavior set and each operation behavior in the preference operation behavior set;
generating a predicted operation behavior set according to the similarity, the predicted operation behavior set consisting of the predicted operation behaviors of the first cloud operator in the preset time period of a second predetermined period;
according to the predicted operation behavior set, identifying whether the actual operation behavior of the first cloud operator in each preset time period of the second predetermined period is an abnormal operation behavior.
According to another aspect of the embodiments of the present invention, an apparatus for identifying abnormal operation behavior is provided, comprising:
a first obtaining module, configured to obtain a historical operation behavior set from the behavior logs of multiple cloud operators, the historical operation behavior set consisting of the various operation behaviors of the multiple cloud operators in a first predetermined period;
a second obtaining module, configured to obtain a preference operation behavior set from the behavior log of a first cloud operator, the preference operation behavior set consisting of the various operation behaviors the first cloud operator prefers in a preset time period of the first predetermined period;
a computing module, configured to calculate the similarity between each operation behavior in the historical operation behavior set and each operation behavior in the preference operation behavior set;
a generation module, configured to generate a predicted operation behavior set according to the similarity, wherein the predicted operation behavior set consists of the predicted operation behaviors of the first cloud operator in the preset time period of a second predetermined period;
an identification module, configured to identify, according to the predicted operation behavior set, whether the actual operation behavior of the first cloud operator in each preset time period of the second predetermined period is an abnormal operation behavior.
According to yet another aspect of the embodiments of the present invention, a device for identifying abnormal operation behavior is provided, the device comprising a processor and a memory storing computer program instructions;
when executing the computer program instructions, the processor implements the method for identifying abnormal operation behavior described in the first aspect.
According to yet another aspect of the embodiments of the present invention, a computer-readable storage medium is provided, on which computer program instructions are stored; when executed by a processor, the computer program instructions implement the method for identifying abnormal operation behavior described in the first aspect.
With the method, apparatus, device and medium for identifying abnormal operation behavior according to the embodiments of the present invention, the operation behavior of the current cloud operator is compared with the historically recorded operation behavior to determine whether the current cloud operator's operation behavior is normal. In this way abnormal behavior of a cloud operator can be identified in time, so that user rights are comprehensively safeguarded.
Brief description of the drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings used in the embodiments are briefly described below. A person of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 shows a flow diagram of the method for identifying abnormal operation behavior in an embodiment of the present invention;
Fig. 2 shows a detailed flowchart of the method for identifying abnormal operation behavior in some exemplary embodiments;
Fig. 3 shows a schematic diagram of identifying whether an actual operation behavior is an abnormal operation behavior in an embodiment of the present invention;
Fig. 4 shows a structural schematic diagram of the apparatus for identifying abnormal operation behavior in an embodiment of the present invention;
Fig. 5 shows a hardware structure diagram of the device for identifying abnormal operation behavior in an embodiment of the present invention.
Detailed description
The features and exemplary embodiments of various aspects of the invention are described in detail below. To make the purpose, technical solutions and advantages of the invention clearer, the invention is described in further detail with reference to the drawings and embodiments. It should be understood that the specific embodiments described here are intended only to explain the invention, not to limit it. To those skilled in the art, the invention can be practiced without some of these specific details. The following description of the embodiments is given only to provide a better understanding of the invention by showing examples of it.
It should be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" and any other variants are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to that process, method, article or device. Without further restriction, an element introduced by the phrase "including ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.
In the embodiments of the present invention, a malicious operator of the cloud platform or a network intruder is likely to threaten the privacy of users. To avoid this danger, most existing cloud platforms are designed with a cloud platform trusted evaluation system, which includes a trusted third party (TTP) gateway. The TTP gateway is deployed at the front end of the evaluated cloud platform, connected logically in series and physically in parallel, and the privileged operations of users and cloud operators must reach the cloud platform through the TTP gateway. By function, the TTP gateway is divided into a "cloud platform privileged behavior analysis and audit" part and a "data flow visualization, monitoring and desensitization" part.
The "cloud platform privileged behavior analysis and audit" part continuously collects, in real time, the records of cloud operators' management operations on the cloud platform, and raises early warnings for risky operations and unauthorized operations based on a classification mechanism for cloud operator operations.
The "cloud platform privileged behavior analysis and audit" part includes an analysis module and an audit module. These two modules mainly evaluate two classes of data: one is the collected behavior data of the current cloud operator, the other is the historical operation behavior data stored by the cloud platform.
The identification method of the embodiments of the present invention is mainly applied in the "cloud platform privileged behavior analysis and audit" part.
For a better understanding of the invention, the method for identifying abnormal operation behavior according to the embodiments of the present invention is described in detail below with reference to the drawings. It should be noted that these embodiments are not intended to limit the scope of the present disclosure.
Fig. 1 is a flowchart showing the method for identifying abnormal operation behavior according to an embodiment of the present invention. As shown in Fig. 1, the method 100 in the embodiment of the present invention comprises the following steps:
Step S110: obtain a historical operation behavior set from the behavior logs of multiple cloud operators. The historical operation behavior set consists of the various operation behaviors of the multiple cloud operators in a first predetermined period.
In this step, an operation behavior may include the operating function, the time period of the operation, the operation type, the operation frequency and so on. The historical operation behavior set is obtained from the behavior logs of multiple cloud operators. For example: the behavior logs of three cloud operators A, B and C over a certain fixed time period are obtained, analyzed and processed, and the processed behavior logs are used as the historical operation behavior set.
In one embodiment, for example: the operation behavior of cloud operator A is [start, start the cloud server]; the operation behavior of cloud operator B is [delete, delete content M, zone B]; the operation behavior of cloud operator C is [copy, copy content N, zone B]; and so on.
In addition, each cloud operator may have multiple operation behaviors in a one-month behavior log. For example, cloud operator A has three operation behaviors in the 8:00-9:00 time period:
Operation behavior 1 [start, start the cloud server]; operation behavior 2 [delete, delete content M, zone B, zone C]; operation behavior 3 [copy, copy content N, zone B, zone C].
Finally, the operation behaviors of the three cloud operators A, B and C together form the historical operation behavior set.
Step S120: obtain a preference operation behavior set from the behavior log of the first cloud operator. The preference operation behavior set consists of the various operation behaviors the first cloud operator prefers in a preset time period of the first predetermined period.
In this step, the various operation behaviors the first cloud operator prefers in the preset time period of the first predetermined period form the preference operation behavior set. Specifically, in one embodiment, take the behavior log of cloud operator A over one month. The one-month behavior log contains several operation behaviors that cloud operator A prefers (that is, performs at a higher frequency) in the 8:00-9:00 time period. For example: the first operation behavior [start, 10 times]; the second operation behavior [copy, 8 times].
Step S130: calculate the similarity between each operation behavior in the historical operation behavior set and each operation behavior in the preference operation behavior set.
Step S140: generate a predicted operation behavior set according to the similarity. The predicted operation behavior set consists of the predicted operation behaviors of the first cloud operator in the preset time period of a second predetermined period.
In this step, for example, the operation behavior of cloud operator A in the 8:00-9:00 time period each day within one month is: operation behavior [start, start the cloud server, zone A, zone B, 10 times] or operation behavior [copy, copy content N, zone B, zone C, 8 times].
Step S150: according to the predicted operation behavior set, identify whether the actual operation behavior of the first cloud operator in each preset time period of the second predetermined period is an abnormal operation behavior.
In this step, for example: the predicted operation behavior of cloud operator A in the 8:00-9:00 time period each day within one month is [copy, copy content N, zone B, zone C, 8 times], while the actual operation behavior of cloud operator A is 20 copy operations executed in zone A. Cloud operator A is then considered to be operating abnormally in the 8:00-9:00 time period.
With the method for identifying abnormal operation behavior of the embodiment of the present invention, the similarity between the cloud operator's preference operation behaviors and the historical operation behavior set is calculated; according to the ranking of the similarities, the cloud operator's operation behaviors in the preset time period of the second predetermined period are predicted; then, according to the predicted operation behavior set, it is determined whether the actual operation behavior in the preset time period of the second predetermined period is a normal operation behavior. In this way abnormal behavior of a cloud operator can be identified in time, so that user rights are comprehensively safeguarded.
Fig. 2 is a detailed flowchart showing the method for identifying abnormal operation behavior in some exemplary embodiments. Steps in Fig. 2 that are identical or equivalent to those in Fig. 1 use the same labels.
As shown in Fig. 2, in one embodiment, step S120 may specifically include:
S121: from the behavior log of the first cloud operator, count the execution frequency of each operation behavior of the first cloud operator in the preset time period of the first predetermined period.
In this step, for example: count the two operation behaviors that cloud operator A prefers (that is, performs at a higher frequency) in the 8:00-9:00 time period each day within one month: the first operation behavior [delete, 20 times]; the second operation behavior [copy, 10 times].
S122: take the operation behaviors whose execution frequency is greater than a first preset value as the operation behaviors the first cloud operator prefers in the preset time period of the first predetermined period, obtaining the preference operation behavior set.
In this step, for example: take the first operation behavior [delete, 20 times] that cloud operator A prefers in the 8:00-9:00 time period each day within one month.
Since 20 times is greater than the first preset value of 15 times, the [delete] operation behavior is taken as an operation behavior that cloud operator A prefers in the preset time period of the first predetermined period. The preference operation behavior set is obtained by proceeding in the same way.
Obtaining the operation behaviors the cloud operator prefers in the preset time period of the first predetermined period improves the probability of identifying abnormal operation behavior and the accuracy of the identification.
In one embodiment, in step S130, the similarity between each operation behavior in the historical operation behavior set and each operation behavior in the preference operation behavior set is calculated as a weighted sum of the similarities of the feature items.
Specifically, the similarity formula is:
$$Sim(c_i, x_j) = \sum_{k=1}^{K} \lambda_k \, Sim(c_{ik}, x_{jk}) \qquad (1)$$
In formula (1), $c_i$ denotes the cloud operator, $x_j$ denotes the operation behavior, $c_{ik}$ denotes the feature of the cloud operator in the k-th aspect, $x_{jk}$ denotes the feature of the operation behavior in the k-th aspect, $Sim(c_{ik}, x_{jk})$ denotes the similarity of $c_i$ and $x_j$ in the k-th feature aspect, and $\lambda_k$ denotes the weight.
Calculating the similarity between each operation behavior in the historical operation behavior set and each operation behavior in the preference operation behavior set with formula (1) improves the accuracy of the subsequent identification of abnormal operation behavior.
In another embodiment, step S140 generates the predicted operation behavior set according to the similarity, mainly through the following steps:
Step S141: from the historical operation behavior set, screen out the operation behaviors whose similarity to an operation behavior in the preference operation behavior set is greater than a second preset value.
In this step, the operation behaviors whose $Sim(c_i, x_j)$ value in formula (1) is greater than the second preset value are screened out. This greatly simplifies subsequent processing and also improves the accuracy of the subsequent identification of abnormal operation behavior.
Step S142: take the screened operation behaviors as the predicted operation behaviors of the first cloud operator in the preset time period of the second predetermined period.
In this step, for example: if the screened operation behavior is that cloud operator A prefers [delete] in the 8:00-9:00 time period each day within one month, then the predicted operation behavior of cloud operator A in the 8:00-9:00 time period each day within the following month is [delete].
Step S143: generate the predicted operation behavior set based on the predicted operation behaviors.
In the embodiment of the present invention, the similarity between each operation behavior in the historical operation behavior set and each operation behavior in the preference operation behavior set is calculated, and the operation behaviors are ranked by the calculated similarity to obtain the predicted operation behavior set. From the predicted operation behavior set it can then be judged accurately whether the cloud operator's operation behavior over a following period of time is an abnormal operation behavior. In this way abnormal behavior of a cloud operator can be identified in time, so that user rights are comprehensively safeguarded.
Fig. 3 is a schematic diagram showing how an embodiment of the present invention identifies whether an actual operation behavior is an abnormal operation behavior. Steps in Fig. 3 that are identical or equivalent to those in Fig. 1 use the same labels.
As shown in Fig. 3, in one embodiment, step S150 identifies, according to the predicted operation behavior set, whether the actual operation behavior of the first cloud operator in each preset time period of the second predetermined period is an abnormal operation behavior. The embodiment of the present invention is illustrated with two cases.
First case 301: when the actual operation behavior of the first cloud operator in a preset time period of the second predetermined period is not an operation behavior in the predicted operation behavior set, the actual operation behavior is identified as an abnormal operation behavior.
Second case 302: when the actual operation behavior of the first cloud operator in a preset time period of the second predetermined period is an operation behavior in the predicted operation behavior set, the actual operation behavior is identified as a normal operation behavior.
In the embodiment of the present invention, judging whether the actual operation behavior is an operation behavior in the predicted operation behavior set makes it possible to identify abnormal behavior of a cloud operator in time, so that user rights are comprehensively safeguarded.
In one embodiment, each operation behavior in the historical operation behavior set, the preference operation behavior set and the predicted operation behavior set mentioned above is characterized by at least one feature item.
In this embodiment, it will be understood that each operation behavior is represented by a feature vector, and each feature vector includes multiple feature items. In this embodiment the feature items are mainly the operation type, the operating function and the execution position of the operation. For example: start, copy, delete, zone A and so on.
The apparatus for identifying abnormal operation behavior of the embodiment of the present invention is described in detail below with reference to Fig. 4. Fig. 4 shows a structural schematic diagram of the apparatus for identifying abnormal operation behavior provided by another embodiment of the present invention. As shown in Fig. 4, the apparatus 400 for identifying abnormal operation behavior includes:
A first obtaining module 410, configured to obtain a historical operation behavior set from the behavior logs of multiple cloud operators, the historical operation behavior set consisting of the various operation behaviors of the multiple cloud operators in a first predetermined period.
A second obtaining module 420, configured to obtain a preference operation behavior set from the behavior log of the first cloud operator, the preference operation behavior set consisting of the various operation behaviors the first cloud operator prefers in a preset time period of the first predetermined period.
A computing module 430, configured to calculate the similarity between each operation behavior in the historical operation behavior set and each operation behavior in the preference operation behavior set.
A generation module 440, configured to generate a predicted operation behavior set according to the similarity, wherein the predicted operation behavior set consists of the predicted operation behaviors of the first cloud operator in the preset time period of a second predetermined period.
An identification module 450, configured to identify, according to the predicted operation behavior set, whether the actual operation behavior of the first cloud operator in each preset time period of the second predetermined period is an abnormal operation behavior.
In one embodiment, the second obtaining module 420 may specifically include:
A statistics unit 421, configured to count, from the behavior log of the first cloud operator, the execution frequency of each operation behavior of the first cloud operator in the preset time period of the first predetermined period.
A preference obtaining unit 422, configured to take the operation behaviors whose execution frequency is greater than a first preset value as the operation behaviors the first cloud operator prefers in the preset time period of the first predetermined period, obtaining the preference operation behavior set.
In one embodiment, the computing module 430 is specifically configured to calculate, as a weighted sum of the similarities of the feature items, the similarity between each operation behavior in the historical operation behavior set and each operation behavior in the preference operation behavior set.
In one embodiment, the generation module 440 may specifically include:
A screening unit 441, configured to screen out, from the historical operation behavior set, the operation behaviors whose similarity to an operation behavior in the preference operation behavior set is greater than a second preset value.
A prediction unit 442, configured to take the screened operation behaviors as the predicted operation behaviors of the first cloud operator in the preset time period of the second predetermined period.
A generation unit 443, configured to generate the predicted operation behavior set based on the predicted operation behaviors.
In one embodiment, the identification module 450 may specifically be configured to identify the actual operation behavior as an abnormal operation behavior when the actual operation behavior of the first cloud operator in a preset time period of the second predetermined period is not an operation behavior in the predicted operation behavior set;
or,
to identify the actual operation behavior as a normal operation behavior when the actual operation behavior of the first cloud operator in a preset time period of the second predetermined period is an operation behavior in the predicted operation behavior set.
In one embodiment, each operation behavior in the historical operation behavior set, the preference operation behavior set and the predicted operation behavior set is characterized by at least one feature item.
In one embodiment, the feature items include at least one of the following: the operation type, the operating function and the execution position of the operation.
Other details of the apparatus for identifying abnormal operation behavior according to the embodiment of the present invention are similar to the method for identifying abnormal operation behavior described above with reference to Fig. 1, and are not repeated here.
The apparatus for identifying abnormal operation behavior provided by the embodiment of the present invention can identify abnormal behavior of an operator in time, so that user rights are comprehensively safeguarded.
The recognition methods of the abnormal operation behavior according to an embodiment of the present invention described in conjunction with Fig. 1 to Fig. 4 and device can be with
It is realized by the identification equipment of abnormal operation behavior.Fig. 5 is to show to be set according to the identification of the abnormal operation behavior of inventive embodiments
Standby 500 schematic diagram of hardware configuration.
As shown in figure 5, the identification equipment 500 of the abnormal operation behavior in the present embodiment connects including input equipment 501, input
Mouth 502, central processing unit 503, memory 504, output interface 505 and output equipment 506.Wherein, input interface 502, in
Central processor 503, memory 504 and output interface 505 are connected with each other by bus 510, and input equipment 501 and output are set
Standby 506 are connect by input interface 502 and output interface 505 with bus 510 respectively, and then are set with the identification of abnormal operation behavior
Standby 500 other assemblies connect.
Specifically, input equipment 501 is received from external input information, and will input information by input interface 502
It is transmitted to central processing unit 503;Central processing unit 503 is based on the computer executable instructions stored in memory 504 to input
Information is handled to generate output information, and output information is temporarily or permanently stored in memory 504, is then passed through
Output information is transmitted to output equipment 506 by output interface 505;Output information is output to abnormal operation row by output equipment 506
For identification equipment 500 outside for users to use.
That is, the identification equipment of abnormal operation behavior shown in fig. 5 also may be implemented as including: to be stored with calculating
The memory of machine executable instruction;And processor, the processor may be implemented to combine when executing computer executable instructions
The recognition methods of the abnormal operation behavior of Fig. 1 to Fig. 4 description and device.
In one embodiment, the abnormal operation behavior identification device 500 shown in Fig. 5 includes: a memory 504 for storing a program; and a processor 503 for running the program stored in the memory to execute the abnormal operation behavior identification method of the embodiment of the invention.
The abnormal operation behavior identification device provided by the embodiment of the invention can identify abnormal behavior of cloud operators in time, so as to comprehensively safeguard users' rights.
The embodiment of the invention also provides a computer-readable storage medium on which computer program instructions are stored; when executed by a processor, the computer program instructions implement the abnormal operation behavior identification method provided by the embodiment of the invention.
It should be clear that the invention is not limited to the specific configurations and processing described above and shown in the figures. For brevity, detailed descriptions of known methods are omitted here. In the above embodiments, several specific steps are described and shown as examples. However, the method process of the invention is not limited to the specific steps described and shown; after understanding the spirit of the invention, those skilled in the art may make various changes, modifications and additions, or change the order of the steps.
The functional blocks shown in the structural block diagrams described above can be implemented as hardware, software, firmware or a combination of them. When implemented in hardware, a functional block may be, for example, an electronic circuit, an application-specific integrated circuit (ASIC), appropriate firmware, a plug-in, a function card and so on. When implemented in software, the elements of the invention are the programs or code segments used to perform the required tasks. The programs or code segments can be stored in a machine-readable medium, or transmitted over a transmission medium or communication link by a data signal carried in a carrier wave. A "machine-readable medium" may include any medium capable of storing or transmitting information. Examples of machine-readable media include electronic circuits, semiconductor memory devices, ROM, flash memory, erasable ROM (EROM), floppy disks, CD-ROMs, optical disks, hard disks, fiber-optic media, radio frequency (RF) links, and so on. Code segments can be downloaded via a computer network such as the Internet or an intranet.
It should also be noted that the exemplary embodiments mentioned in the invention describe certain methods or systems based on a series of steps or devices. However, the invention is not limited to the order of the above steps; that is, the steps may be executed in the order mentioned in the embodiments, in an order different from that in the embodiments, or several steps may be executed simultaneously.
The above is only a specific embodiment of the invention. Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, modules and units described above may refer to the corresponding processes in the foregoing method embodiments and are not repeated here. It should be understood that the scope of protection of the invention is not limited thereto; any person skilled in the art can readily conceive of various equivalent modifications or substitutions within the technical scope disclosed by the invention, and these modifications or substitutions shall fall within the scope of protection of the invention.
Claims (10)
1. A method for identifying abnormal operation behavior, characterized by comprising:
obtaining a historical operation behavior set according to the behavior logs of a plurality of cloud operators, the historical operation behavior set consisting of the various operation behaviors of the plurality of cloud operators in a first predetermined period;
obtaining a preference operation behavior set according to the behavior log of a first cloud operator, the preference operation behavior set consisting of the various operation behaviors preferred by the first cloud operator within a preset time period of the first predetermined period;
calculating the similarity between each operation behavior in the historical operation behavior set and each operation behavior in the preference operation behavior set;
generating a predicted operation behavior set according to the similarity, the predicted operation behavior set consisting of the predicted operation behaviors of the first cloud operator within the preset time period of a second predetermined period;
identifying, according to the predicted operation behavior set, whether the actual operation behavior of the first cloud operator in each preset time period of the second predetermined period is abnormal operation behavior.
2. The method for identifying abnormal operation behavior according to claim 1, characterized in that obtaining the preference operation behavior set according to the behavior log of the first cloud operator comprises:
counting, according to the behavior log of the first cloud operator, the execution frequency of each operation behavior of the first cloud operator within the preset time period of the first predetermined period;
taking the operation behaviors whose execution frequency is greater than a first preset value as the operation behaviors preferred by the first cloud operator within the preset time period of the first predetermined period, to obtain the preference operation behavior set.
3. The method for identifying abnormal operation behavior according to claim 2, characterized in that calculating the similarity between each operation behavior in the historical operation behavior set and each operation behavior in the preference operation behavior set comprises:
calculating the similarity between each operation behavior in the historical operation behavior set and each operation behavior in the preference operation behavior set by a weighted summation of the similarities of the feature items.
4. The method for identifying abnormal operation behavior according to any one of claims 1-3, characterized in that generating the predicted operation behavior set according to the similarity comprises:
screening, from the operation behaviors in the historical operation behavior set, the operation behaviors whose similarity with each operation behavior in the preference operation behavior set is greater than a second preset value;
taking the screened operation behaviors as the predicted operation behaviors of the first cloud operator within the preset time period of the second predetermined period;
generating the predicted operation behavior set based on the predicted operation behaviors.
5. The method for identifying abnormal operation behavior according to any one of claims 1-3, characterized in that identifying, according to the predicted operation behavior set, whether the actual operation behavior of the first cloud operator in each preset time period of the second predetermined period is abnormal operation behavior comprises:
when the actual operation behavior of the first cloud operator in a given preset time period of the second predetermined period is not an operation behavior in the predicted operation behavior set, identifying the actual operation behavior as the abnormal operation behavior;
or,
when the actual operation behavior of the first cloud operator in a given preset time period of the second predetermined period is an operation behavior in the predicted operation behavior set, identifying the actual operation behavior as normal operation behavior.
6. The method for identifying abnormal operation behavior according to any one of claims 1-3, characterized in that each operation behavior in the historical operation behavior set, the preference operation behavior set and the predicted operation behavior set is characterized by at least one feature item.
7. The method for identifying abnormal operation behavior according to claim 6, characterized in that the feature item includes at least one of the following: operation type, operating function, and execution location of the operation.
8. An apparatus for identifying abnormal operation behavior, characterized in that the apparatus comprises:
a first obtaining module, configured to obtain a historical operation behavior set according to the behavior logs of a plurality of cloud operators, the historical operation behavior set consisting of the various operation behaviors of the plurality of cloud operators in a first predetermined period;
a second obtaining module, configured to obtain a preference operation behavior set according to the behavior log of a first cloud operator, the preference operation behavior set consisting of the various operation behaviors preferred by the first cloud operator within a preset time period of the first predetermined period;
a computing module, configured to calculate the similarity between each operation behavior in the historical operation behavior set and each operation behavior in the preference operation behavior set;
a generation module, configured to generate a predicted operation behavior set according to the similarity, wherein the predicted operation behavior set consists of the predicted operation behaviors of the first cloud operator within the preset time period of a second predetermined period;
an identification module, configured to identify, according to the predicted operation behavior set, whether the actual operation behavior of the first cloud operator in each preset time period of the second predetermined period is abnormal operation behavior.
9. A device for identifying abnormal operation behavior, characterized in that the device comprises: a processor and a memory storing computer program instructions;
the processor, when executing the computer program instructions, implements the method for identifying abnormal operation behavior according to any one of claims 1-7.
10. A computer-readable storage medium, characterized in that computer program instructions are stored on the computer-readable storage medium, and the computer program instructions, when executed by a processor, implement the method for identifying abnormal operation behavior according to any one of claims 1-7.
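The method of claims 1 to 7 can be followed end to end in a short sketch; this is an added example, not code from the patent. The feature weights, the two preset values, the exact-match similarity per feature item, the reading of claim 4 as "similar to at least one preferred behavior", and the constructed sample log (operators `alice`, `bob`, `carol`) are all assumptions.

```python
from collections import Counter
from typing import NamedTuple

class Op(NamedTuple):            # one operation behavior = its feature items
    op_type: str                 # operation type
    function: str                # operating function
    location: str                # execution location of the operation

# Assumed values: the claims only name a weighted sum and two preset values.
WEIGHTS = {"op_type": 0.3, "function": 0.5, "location": 0.2}
FIRST_PRESET = 2      # executions per time slot above which a behavior is preferred
SECOND_PRESET = 0.6   # similarity above which a behavior enters the predicted set

def similarity(a: Op, b: Op) -> float:
    """Weighted sum of feature-item similarities (assumed 1 if equal, else 0)."""
    return sum(w for f, w in WEIGHTS.items() if getattr(a, f) == getattr(b, f))

def preference_set(log, operator, slot):
    """Claim 2: behaviors the operator ran more than FIRST_PRESET times in the slot."""
    freq = Counter(op for who, s, op in log if who == operator and s == slot)
    return {op for op, n in freq.items() if n > FIRST_PRESET}

def predicted_set(log, operator, slot):
    """Claims 3-4: historical behaviors of all operators similar to a preferred one."""
    history = {op for _, _, op in log}
    prefs = preference_set(log, operator, slot)
    return {h for h in history
            if any(similarity(h, p) > SECOND_PRESET for p in prefs)}

def abnormal(actual, predicted):
    """Claim 5: actual second-period behaviors that are not in the predicted set."""
    return [op for op in actual if op not in predicted]

# Constructed first-period log: (operator, time slot, behavior).
Q_CON = Op("query", "vm.status", "console")
Q_API = Op("query", "vm.status", "api")
M_CON = Op("modify", "vm.config", "console")
Q_DISK = Op("query", "disk.status", "console")
DUMP = Op("export", "db.dump", "api")
LOG = ([("alice", "09", Q_CON)] * 3
       + [("alice", "09", M_CON), ("bob", "09", Q_API), ("bob", "09", Q_DISK)]
       + [("carol", "14", DUMP)] * 4)

if __name__ == "__main__":
    predicted = predicted_set(LOG, "alice", "09")
    # alice's observed behavior in the same slot of the second period
    for op in abnormal([Q_API, DUMP], predicted):
        print("abnormal:", op)
```

An operator with no behavior above the first preset value gets an empty predicted set, so every action in that time slot is reported as abnormal.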
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810961289.1A CN109344042B (en) | 2018-08-22 | 2018-08-22 | Abnormal operation behavior identification method, device, equipment and medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109344042A (en) | 2019-02-15 |
CN109344042B (en) | 2022-02-18 |
Family
ID=65291633