CN109344042B - Abnormal operation behavior identification method, device, equipment and medium - Google Patents


Info

Publication number
CN109344042B (application CN201810961289.1A)
Authority
CN
China
Prior art keywords
operation behavior
behavior
behaviors
cloud
predicted
Legal status
Active
Application number
CN201810961289.1A
Other languages
Chinese (zh)
Other versions
CN109344042A (en)
Inventor
梁露露
常文娟
宋岩蔚
李玉志
Current Assignee
Beijing Zhongce Anhua Technology Co ltd
Original Assignee
Beijing Zhongce Anhua Technology Co ltd
Application filed by Beijing Zhongce Anhua Technology Co ltd
Priority to CN201810961289.1A
Publication of CN109344042A
Application granted
Publication of CN109344042B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/34 Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; Recording or statistical evaluation of user activity, e.g. usability assessment
    • G06F11/3438 Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; Recording or statistical evaluation of user activity, e.g. usability assessment; monitoring of user actions

Landscapes

  • Engineering & Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a method, a device, equipment and a medium for identifying abnormal operation behaviors. The method comprises: obtaining a historical operation behavior set from the behavior logs of a plurality of cloud operators; obtaining a preferred operation behavior set from the behavior log of a first cloud operator; calculating the similarity between each operation behavior in the historical operation behavior set and each operation behavior in the preferred operation behavior set; generating a predicted operation behavior set according to the similarity; and identifying, according to the predicted operation behavior set, whether the actual operation behavior of the first cloud operator in each preset time period of a second preset period is an abnormal operation behavior. With this scheme, abnormal behavior of a cloud operator can be recognized in time, so that the rights and interests of users can be comprehensively guaranteed.

Description

Abnormal operation behavior identification method, device, equipment and medium
Technical Field
The invention relates to the field of cloud computing security, in particular to a method, a device, equipment and a computer readable medium for identifying abnormal operation behaviors.
Background
Cloud computing refers to the unified management and scheduling of computing, storage, network and software resources by means of virtualization technology, with basic resources, platform capabilities and software applications provided to users as services over the internet. In short, under cloud computing the user migrates data and services to a cloud platform and manages that data through the platform.
An essential feature of the cloud computing model is therefore the separation of data ownership from administrative rights. In the cloud computing mode the user loses direct control over the data and business systems hosted on the cloud, while the cloud administrator objectively has the ability to peep at and steal the user's data and computing resources.
Traditional security policies have difficulty preventing malicious behavior by a cloud administrator and cannot determine whether the current cloud operator is a legitimate one, so the rights and interests of users cannot be comprehensively guaranteed.
Disclosure of Invention
The embodiment of the invention provides a method, a device and equipment for identifying abnormal operation behaviors and a computer readable medium, which can identify the abnormal behaviors of a cloud operator in time so as to comprehensively guarantee the rights and interests of users.
According to an aspect of the embodiments of the present invention, there is provided a method for identifying an abnormal operation behavior, the method including:
obtaining a historical operation behavior set according to behavior logs of a plurality of cloud operators, wherein the historical operation behavior set is formed by various operation behaviors of the plurality of cloud operators in a first preset period;
obtaining a preference operation behavior set according to a behavior log of a first cloud operator, wherein the preference operation behavior set is composed of various operation behaviors preferred by the first cloud operator in a preset time period of the first preset period;
calculating the similarity of each operation behavior in the historical operation behavior set and each operation behavior in the preference operation behavior set;
generating a predicted operation behavior set according to the similarity, wherein the predicted operation behavior set is formed by various predicted operation behaviors of the first cloud operator in the preset time period of a second preset period;
and identifying whether the actual operation behavior of the first cloud operator in each preset time period of the second preset period is abnormal operation behavior or not according to the predicted operation behavior set.
According to another aspect of the embodiments of the present invention, there is provided an apparatus for identifying an abnormal operation behavior, including:
a first obtaining module, configured to obtain a historical operation behavior set according to the behavior logs of a plurality of cloud operators, wherein the historical operation behavior set is formed by various operation behaviors of the plurality of cloud operators in a first preset period;
the second acquisition module is used for acquiring a preference operation behavior set according to a behavior log of a first cloud operator, wherein the preference operation behavior set is formed by various operation behaviors preferred by the first cloud operator in a preset time period of the first preset period;
the calculation module is used for calculating the similarity of each operation behavior in the historical operation behavior set and each operation behavior in the preference operation behavior set;
the generating module is used for generating a predicted operation behavior set according to the similarity, wherein the predicted operation behavior set is formed by various predicted operation behaviors of the first cloud operator in the preset time period of a second preset period;
and the identification module is used for identifying whether the actual operation behavior of the first cloud operator in each preset time period of the second preset period is abnormal operation behavior according to the predicted operation behavior set.
According to still another aspect of the embodiments of the present invention, there is provided an apparatus for identifying an abnormal operation behavior, the apparatus including: a processor and a memory storing computer program instructions;
the processor, when executing the computer program instructions, implements a method of identifying abnormal operating behavior as described in the first aspect.
According to a further aspect of the embodiments of the present invention, there is provided a computer-readable storage medium having stored thereon computer program instructions which, when executed by a processor, implement the method for identifying abnormal operation behavior of the first aspect.
According to the method, the device, the equipment and the medium for identifying the abnormal operation behaviors, whether the operation behaviors of the current cloud operator are normal or not can be judged by comparing the operation behaviors of the current cloud operator with the operation behaviors of the historical records. Therefore, abnormal behaviors of the cloud operator can be recognized in time, and the user rights and interests can be comprehensively guaranteed.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required to be used in the embodiments of the present invention will be briefly described below, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a flow chart illustrating a method for identifying abnormal operation behavior according to an embodiment of the present invention;
FIG. 2 illustrates a detailed flow diagram of a method of identification of abnormal operating behavior of some example embodiments;
fig. 3 is a schematic diagram illustrating the identification of whether an actual operation behavior is an abnormal operation behavior according to an embodiment of the present invention.
Fig. 4 is a schematic structural diagram showing an abnormal operation behavior recognition apparatus according to an embodiment of the present invention.
Fig. 5 is a schematic hardware configuration diagram of the device for identifying abnormal operation behavior in the embodiment of the present invention.
Detailed Description
Features and exemplary embodiments of various aspects of the present invention will be described in detail below, and in order to make objects, technical solutions and advantages of the present invention more apparent, the present invention will be further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not to be construed as limiting the invention. It will be apparent to one skilled in the art that the present invention may be practiced without some of these specific details. The following description of the embodiments is merely intended to provide a better understanding of the present invention by illustrating examples of the present invention.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
In the embodiment of the invention, a malicious operator or an intruder on the cloud platform may threaten the privacy of users. To avert this danger, most existing cloud platforms are equipped with a cloud platform trusted evaluation system, which includes a Trusted Third Party (TTP) service gateway. The TTP service gateway is deployed in front of the cloud platform under test, logically in series with it and physically in parallel, and privileged operations by users and cloud operators must pass through the TTP service gateway to reach the cloud platform. By function, the TTP service gateway is divided into a "cloud platform privileged behavior analysis and audit" part and a "data flow visualization, monitoring and desensitization" part.
"Cloud platform privileged behavior analysis and audit" continuously collects, in real time, the management operation records of cloud operators on the cloud platform and raises early warnings for dangerous and unauthorized operations, based on a grading mechanism for cloud operator operations.
"Cloud platform privileged behavior analysis and audit" comprises an analysis module and an audit module. These two modules mainly evaluate two kinds of data: the collected behavior data of the current cloud operator, and the historical operation behavior data stored on the cloud platform.
The identification method provided by the embodiment of the invention is mainly applied to cloud platform privileged behavior analysis and audit.
For a better understanding of the present invention, the method for identifying abnormal operation behavior according to the embodiments of the present invention will be described in detail below with reference to the accompanying drawings, and it should be noted that these embodiments are not intended to limit the scope of the present disclosure.
Fig. 1 is a flowchart illustrating an identification method of abnormal operation behavior according to an embodiment of the present invention. As shown in fig. 1, the method 100 in an embodiment of the present invention includes the following steps:
step S110, obtaining a historical operation behavior set according to the behavior logs of the plurality of cloud operators, where the historical operation behavior set is formed by various operation behaviors of the plurality of cloud operators in a first preset period.
In this step, an operation behavior may include an operation function, the time period of the operation, an operation type, an operation frequency, and the like. The historical operation behavior set is obtained from the behavior logs of a plurality of cloud operators. For example: the behavior logs of three cloud operators A, B and C within a fixed time period are obtained, analyzed and processed, and the processed behavior logs are used as the historical operation behavior set.
In one embodiment, for example: operation behavior of cloud operator A [start, open cloud server]; operation behavior of cloud operator B [delete, delete content M, zone B]; operation behavior of cloud operator C [copy, copy content N, zone B]; and so on.
In addition, each cloud operator may have multiple operation behaviors in a monthly behavior log. For example, cloud operator A has three operation behaviors in the 8:00-9:00 time period:
operation behavior 1 [start, open cloud server]; operation behavior 2 [delete, delete content M, zone B, zone C]; operation behavior 3 [copy, copy content N, zone B, zone C].
Finally, the operation behaviors of the three cloud operators A, B and C form the historical operation behavior set.
Step S120, obtaining a preference operation behavior set according to the behavior log of the first cloud operator, where the preference operation behavior set is formed by various operation behaviors preferred by the first cloud operator in a preset time period of a first preset period.
In this step, the various operation behaviors preferred by the first cloud operator within a preset time period of the first preset period form the preferred operation behavior set. In one embodiment, for example: the behavior log of cloud operator A over one month shows that cloud operator A prefers (i.e. executes with higher frequency) certain operation behaviors in the 8:00-9:00 time period, for example: first operation behavior [start, 10 times]; second operation behavior [copy, 8 times].
And step S130, calculating the similarity between each operation behavior in the historical operation behavior set and each operation behavior in the preference operation behavior set.
And step S140, generating a prediction operation behavior set according to the similarity, wherein the prediction operation behavior set is formed by various predicted operation behaviors of the first cloud operator in a preset time period of a second preset period.
In this step, for example, the predicted operation behaviors of cloud operator A in the 8:00-9:00 time period of each day in one month are: [start, open cloud server, zone A, zone B, 10 times] or [copy, copy content N, zone B, zone C, 8 times].
Step S150, identifying whether the actual operation behavior of the first cloud operator in each preset time period of the second preset period is an abnormal operation behavior according to the predicted operation behavior set.
In this step, for example: if the predicted operation behavior of cloud operator A in the 8:00-9:00 time period of each day in one month is [copy, copy content N, zone B, zone C, 8 times], but cloud operator A actually performs 20 copy operations in zone A, then cloud operator A's operation in the 8:00-9:00 time period is regarded as abnormal.
In the method for identifying abnormal operation behaviors described above, the similarity between the preferred operation behaviors of the cloud operator and the historical operation behavior set is calculated, the cloud operator's operation behaviors in the preset time period of the second preset period are predicted from the ranking of the similarities, and whether the actual operation behaviors in that time period are normal is then determined from the predicted operation behavior set. The abnormal behavior of the cloud operator can thus be identified in time, and the rights and interests of users comprehensively guaranteed.
Fig. 2 is a detailed flow chart illustrating a method of identifying abnormal operation behavior of some exemplary embodiments, and steps of fig. 2 that are the same or equivalent to those of fig. 1 use the same reference numerals.
As shown in fig. 2, in an embodiment, the step S120 may specifically include:
and S121, counting the execution frequency of each operation behavior of the first cloud operator in a preset time period of a first preset period according to the behavior log of the first cloud operator.
In this step, for example: two operation behaviors of the cloud operator A in a month with preference (i.e. high frequency) for the time period of 8:00-9:00 each day are counted: the first act of operation [ delete, 20 ]; the second act [ copy, 10 ].
And S122, taking the operation behavior with the execution frequency larger than the first preset value as the preferred operation behavior of the first cloud operator in the preset time period of the first preset period, and obtaining a preferred operation behavior set.
In this step, for example: the first operation behavior of cloud operator a in a period of 8:00-9:00 per day within one month is preferred [ delete, 20 times ].
Since 20 times of operation behaviors greater than the first preset value are 15 times, the operation behaviors [ deleted ] are regarded as the preferred operation behaviors of the cloud operator a within the preset time period of the first preset period. And so on to obtain a set of preferred operating behaviors.
By acquiring the preferred operation behaviors of the cloud operator in the preset time period of the first preset period, the probability of identifying the abnormal operation behaviors can be improved, and the identification accuracy is improved.
In one embodiment, step S130 calculates the similarity between each operation behavior in the historical operation behavior set and each operation behavior in the preferred operation behavior set as a weighted sum of the similarities of their feature items.
Specifically, the similarity calculation formula is:
$\mathrm{Sim}(c_i, x_j) = \sum_{k=1}^{K} \lambda_k \,\mathrm{Sim}(c_{ik}, x_{jk})$ (1)
In formula (1), $c_i$ denotes an operation behavior of the cloud operator taken from the historical operation behavior set and $x_j$ an operation behavior taken from the preferred operation behavior set; $c_{ik}$ and $x_{jk}$ denote the features of $c_i$ and $x_j$ in the $k$-th aspect (the $k$-th feature item); $\mathrm{Sim}(c_{ik}, x_{jk})$ is the similarity of $c_i$ and $x_j$ in the $k$-th feature; $\lambda_k$ is the weight of the $k$-th feature; and $\mathrm{Sim}(c_i, x_j)$ is the overall similarity of the two operation behaviors.
Calculating the similarity between each operation behavior in the historical operation behavior set and each operation behavior in the preferred operation behavior set by formula (1) improves the accuracy of the subsequent identification of abnormal operation behaviors.
In another embodiment, step S140 generates the set of predicted operation behaviors according to the similarity, mainly by the following steps:
and step S141, screening the operation behaviors of which the similarity between each operation behavior in the historical operation behavior set and each operation behavior in the preference operation behavior set is greater than a second preset value.
In this step, the operation behaviors whose $\mathrm{Sim}(c_i, x_j)$ in formula (1) exceeds the second preset value are retained. This greatly simplifies the subsequent processing and improves the accuracy of the subsequent identification of abnormal operation behaviors.
And step S142, taking the screened operation behaviors as predicted operation behaviors of the first cloud operator in a preset time period of a second preset period.
In this step, for example: the screened operation behavior is the one cloud operator A prefers in the 8:00-9:00 time period of each day in one month, namely [delete]; the operation behavior of cloud operator A in the 8:00-9:00 time period of each day in the coming month is therefore predicted to be [delete].
Step S143, based on the predicted operation behavior, generates a set of predicted operation behaviors.
In the embodiment of the invention, the similarity between each operation behavior in the historical operation behavior set and each operation behavior in the preferred operation behavior set is calculated, the operation behaviors are ranked by the calculated similarity to obtain the predicted operation behavior set, and whether the cloud operator's operation behavior in a future period is abnormal can then be accurately judged against the predicted operation behavior set. The abnormal behavior of the cloud operator can thus be identified in time, and the rights and interests of users comprehensively guaranteed.
Fig. 3 is a schematic diagram illustrating the identification of whether the actual operation behavior is the abnormal operation behavior according to the embodiment of the present invention, and the same reference numerals are used for the steps in fig. 3 that are the same as or equivalent to those in fig. 1.
As shown in fig. 3, in one embodiment, step S150 identifies, according to the predicted operation behavior set, whether the actual operation behavior of the first cloud operator in each preset time period of the second preset period is an abnormal operation behavior. Two cases are described in the embodiment of the present invention.
In the first case (301), when the actual operation behavior of the first cloud operator within a certain preset time period of the second preset period is not an operation behavior in the predicted operation behavior set, the actual operation behavior is identified as an abnormal operation behavior.
In the second case (302), when the actual operation behavior of the first cloud operator within a certain preset time period of the second preset period is an operation behavior in the predicted operation behavior set, the actual operation behavior is identified as a normal operation behavior.
In the embodiment of the invention, judging whether the actual operation behavior belongs to the predicted operation behavior set allows the abnormal behavior of the cloud operator to be identified in time, so that the rights and interests of users can be comprehensively guaranteed.
In one embodiment, each of the above-mentioned historical set of operating behaviors, preferred set of operating behaviors, and predicted set of operating behaviors is characterized by at least one feature item.
In this embodiment, each operation behavior is represented by a feature vector, and each feature vector comprises a plurality of feature items. The feature items in this embodiment are mainly the operation type, the operation function and the execution position of the operation, for example: open, copy, delete, zone A, and so on.
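As an added worked example, not code from the patent or its assignee, the following Python script implements the pipeline of steps S110 to S150 described above over constructed behavior logs for three cloud operators: the frequency threshold of S121/S122, the weighted feature similarity of formula (1), the screening of S141-S143, and the set-membership decision of cases 301/302. The exact-match similarity per feature item, the weights λ_k (0.5/0.3/0.2), the first preset value (15), the second preset value (0.7) and the sample logs are all assumptions; the patent fixes none of them.

```python
"""Added example: the S110-S150 pipeline of the patent over constructed logs.
Weights, thresholds, per-feature similarity and the logs themselves are
assumptions; the patent specifies none of them."""
from collections import Counter
from typing import Dict, List, Set, Tuple

# A behavior is a feature vector of the three feature items the patent names:
# (operation type, operation function, execution position).
Behavior = Tuple[str, str, str]
# A log entry: (operator, period, hour of day, behavior). "P1"/"P2" stand for
# the first/second preset period, e.g. two consecutive months.
LogEntry = Tuple[str, str, int, Behavior]

FEATURE_NAMES = ("op_type", "op_function", "position")
# lambda_k of formula (1); assumed values.
WEIGHTS: Dict[str, float] = {"op_type": 0.5, "op_function": 0.3, "position": 0.2}


def feature_sim(a: str, b: str) -> float:
    """Sim(c_ik, x_jk): assumed exact-match similarity of one feature item."""
    return 1.0 if a == b else 0.0


def behavior_sim(c: Behavior, x: Behavior, weights: Dict[str, float] = WEIGHTS) -> float:
    """Formula (1): Sim(c_i, x_j) = sum_k lambda_k * Sim(c_ik, x_jk)."""
    return sum(weights[k] * feature_sim(ck, xk)
               for k, ck, xk in zip(FEATURE_NAMES, c, x))


def historical_set(logs: List[LogEntry], period: str) -> Set[Behavior]:
    """S110: every behavior performed by any operator in the first period."""
    return {b for _, p, _, b in logs if p == period}


def preferred_set(logs: List[LogEntry], operator: str, period: str,
                  hours: Tuple[int, int], min_count: int) -> Set[Behavior]:
    """S121/S122: behaviors the operator executed more than min_count times
    (the first preset value) in the window hours=[start, end) of the period."""
    counts = Counter(b for op, p, h, b in logs
                     if op == operator and p == period and hours[0] <= h < hours[1])
    return {b for b, n in counts.items() if n > min_count}


def predicted_set(historical: Set[Behavior], preferred: Set[Behavior],
                  sim_threshold: float) -> Set[Behavior]:
    """S141-S143: historical behaviors whose similarity to some preferred
    behavior exceeds the second preset value become the predicted set."""
    return {h for h in historical
            if any(behavior_sim(h, p) > sim_threshold for p in preferred)}


def classify(actual: Behavior, predicted: Set[Behavior]) -> str:
    """S150, cases 301/302: membership in the predicted set decides."""
    return "normal" if actual in predicted else "abnormal"


# Constructed sample behaviors (not real data).
DELETE_M_B: Behavior = ("delete", "content M", "zone B")
DELETE_M_C: Behavior = ("delete", "content M", "zone C")
COPY_N_B: Behavior = ("copy", "content N", "zone B")
COPY_N_C: Behavior = ("copy", "content N", "zone C")
COPY_N_A: Behavior = ("copy", "content N", "zone A")
START_SRV: Behavior = ("start", "open cloud server", "zone A")


def _repeat(operator: str, period: str, hour: int, b: Behavior, n: int) -> List[LogEntry]:
    return [(operator, period, hour, b)] * n


# Constructed behavior logs of operators A, B and C for the first period.
LOGS_P1: List[LogEntry] = (
    _repeat("A", "P1", 8, DELETE_M_B, 20)   # A's high-frequency behavior at 08:00-09:00
    + _repeat("A", "P1", 8, COPY_N_B, 10)   # below the first preset value
    + _repeat("A", "P1", 14, COPY_N_C, 2)   # outside the 08:00-09:00 window
    + _repeat("B", "P1", 8, DELETE_M_C, 6)  # other operators' history
    + _repeat("B", "P1", 8, COPY_N_C, 5)
    + _repeat("C", "P1", 8, START_SRV, 4)
)


def run_example():
    """Runs S110-S150 for operator A and the 08:00-09:00 window."""
    hist = historical_set(LOGS_P1, "P1")
    pref = preferred_set(LOGS_P1, "A", "P1", hours=(8, 9), min_count=15)
    pred = predicted_set(hist, pref, sim_threshold=0.7)
    # A's actual behaviors in the same window of the second period (constructed).
    actual_p2 = [DELETE_M_B, DELETE_M_C, COPY_N_A]
    verdicts = {b: classify(b, pred) for b in actual_p2}
    return hist, pref, pred, verdicts


if __name__ == "__main__":
    hist, pref, pred, verdicts = run_example()
    print("historical:", sorted(hist))
    print("preferred: ", sorted(pref))
    print("predicted: ", sorted(pred))
    for b, v in verdicts.items():
        print(f"{v:8s} {b}")
```

Two things the example makes visible that the prose does not. First, the predicted set is not simply A's own preferred set: because B deleted content M in zone C and that behavior scores 0.8 against A's preferred [delete, content M, zone B], it passes the 0.7 threshold and A performing it in the second period is classed as normal, while [copy, content N, zone A], the patent's own example of an anomaly, is flagged. Second, cases 301/302 are a pure membership test, so a change in frequency or location is caught only if those attributes are part of the feature vector, as they are in the patent's [copy, copy content N, zone B, zone C, 8 times] example; the two preset values and the weights also need tuning against real logs, since a threshold of 0.7 with these weights lets any behavior that matches on operation type and function through regardless of where it was executed.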
The device for identifying abnormal operation behavior according to the embodiment of the present invention will be described in detail with reference to fig. 4. Fig. 4 is a schematic structural diagram illustrating an apparatus for identifying abnormal operation behavior according to another embodiment of the present invention. As shown in fig. 4, the abnormal operation behavior recognition apparatus 400 includes:
the first obtaining module 410 is configured to obtain a historical operation behavior set according to the behavior logs of the multiple cloud operators, where the historical operation behavior set is formed by various operation behaviors of the multiple cloud operators in a first preset period.
The second obtaining module 420 is configured to obtain a preferred operation behavior set according to the behavior log of the first cloud operator, where the preferred operation behavior set is formed by various operation behaviors preferred by the first cloud operator in a preset time period of a first preset period.
The calculating module 430 is configured to calculate a similarity between each operation behavior in the historical operation behavior set and each operation behavior in the preferred operation behavior set.
A generating module 440, configured to generate a set of predicted operation behaviors according to the similarity; and the predicted operation behavior set is formed by various predicted operation behaviors of the first cloud operator in a preset time period of a second preset period.
The identifying module 450 is configured to identify whether the actual operation behavior of the first cloud operator in each preset time period of the second preset period is an abnormal operation behavior according to the predicted operation behavior set.
In an embodiment, the second obtaining module 420 may specifically include:
the counting unit 421 is configured to count an execution frequency of each operation behavior of the first cloud operator in a preset time period of the first preset period according to the behavior log of the first cloud operator.
The obtaining preference unit 422 is configured to use an operation behavior with an execution frequency greater than a first preset value as a preferred operation behavior of the first cloud operator in a preset time period of a first preset cycle, and obtain a preferred operation behavior set.
In an embodiment, the calculating module 430 is specifically configured to calculate a similarity between each operation behavior in the historical operation behavior set and each operation behavior in the preferred operation behavior set by weighted summation of similarities of the feature items.
In an embodiment, the generating module 440 may specifically include:
and the screening unit 441 is configured to screen an operation behavior in the historical operation behavior set, of which the similarity to each operation behavior in the preferred operation behavior set is greater than a second preset value.
The prediction unit 442 is configured to use the screened operation behavior as a predicted operation behavior of the first cloud operator in a preset time period of the second preset cycle.
A generating unit 443 configured to generate a set of predicted operation behaviors based on the predicted operation behaviors.
In an embodiment, the identifying module 450 may be specifically configured to identify an actual operation behavior as the abnormal operation behavior when an actual operation behavior of the first cloud operator within a certain preset time period of the second preset period is not an operation behavior in the predicted operation behavior set;
or,
and when the actual operation behavior of the first cloud operator in a certain preset time period of the second preset period is the operation behavior in the predicted operation behavior set, identifying the actual operation behavior as the normal operation behavior.
In one embodiment, each of the set of historical operational behaviors, the set of preferred operational behaviors, and the set of predicted operational behaviors is characterized by at least one feature item.
In one embodiment, the characteristic items include at least one of: operation type, operation function, and execution position of the operation.
Other details of the apparatus for identifying abnormal operating behavior according to the embodiment of the present invention are similar to the method for identifying abnormal operating behavior according to the embodiment of the present invention described above with reference to fig. 1, and are not repeated herein.
The abnormal operation behavior recognition device provided by the embodiment of the invention can recognize the abnormal behavior of the cloud operator in time, so that the user rights and interests can be comprehensively guaranteed.
The method and apparatus for identifying abnormal operation behavior according to the embodiment of the present invention described in conjunction with fig. 1 to 4 may be implemented by an apparatus for identifying abnormal operation behavior. Fig. 5 is a schematic diagram showing a hardware configuration 500 of an abnormal operation behavior recognition apparatus according to an embodiment of the present invention.
As shown in fig. 5, the abnormal operation behavior recognition device 500 in the present embodiment includes an input device 501, an input interface 502, a central processing unit 503, a memory 504, an output interface 505, and an output device 506. The input interface 502, the central processing unit 503, the memory 504, and the output interface 505 are connected to each other through a bus 510, and the input device 501 and the output device 506 are connected to the bus 510 through the input interface 502 and the output interface 505, respectively, and further connected to other components of the abnormal operation behavior recognition device 500.
Specifically, the input device 501 receives input information from the outside and transmits the input information to the central processing unit 503 through the input interface 502; the central processing unit 503 processes the input information based on computer-executable instructions stored in the memory 504 to generate output information, temporarily or permanently stores the output information in the memory 504, and then transmits the output information to the output device 506 through the output interface 505; the output device 506 outputs the output information to the outside of the abnormal operation behavior identification device 500 for use by the user.
That is, the abnormal operation behavior identification device shown in fig. 5 may also be implemented to include: a memory storing computer-executable instructions; and a processor which, when executing the computer-executable instructions, may implement the method and apparatus for identifying abnormal operation behavior described in connection with fig. 1 to 4.
In one embodiment, the apparatus 500 for identifying abnormal operation behavior shown in fig. 5 includes: a memory 504 for storing programs; the processor 503 is configured to execute the program stored in the memory to perform the method for identifying the abnormal operation behavior according to the embodiment of the present invention.
The identification device for the abnormal operation behaviors provided by the embodiment of the invention can identify the abnormal behaviors of the cloud operator in time, so that the user rights and interests can be comprehensively guaranteed.
An embodiment of the present invention further provides a computer-readable storage medium, where the computer-readable storage medium has computer program instructions stored thereon; the computer program instructions, when executed by a processor, implement the method for identifying abnormal operation behavior provided by embodiments of the present invention.
It is to be understood that the invention is not limited to the specific arrangements and instrumentality described above and shown in the drawings. A detailed description of known methods is omitted herein for the sake of brevity. In the above embodiments, several specific steps are described and shown as examples. However, the method processes of the present invention are not limited to the specific steps described and illustrated, and those skilled in the art can make various changes, modifications and additions or change the order between the steps after comprehending the spirit of the present invention.
The functional blocks shown in the above-described structural block diagrams may be implemented as hardware, software, firmware, or a combination thereof. When implemented in hardware, it may be, for example, an electronic circuit, an Application Specific Integrated Circuit (ASIC), suitable firmware, plug-in, function card, or the like. When implemented in software, the elements of the invention are the programs or code segments used to perform the required tasks. The program or code segments may be stored in a machine-readable medium or transmitted by a data signal carried in a carrier wave over a transmission medium or a communication link. A "machine-readable medium" may include any medium that can store or transfer information. Examples of a machine-readable medium include electronic circuits, semiconductor memory devices, ROM, flash memory, Erasable ROM (EROM), floppy disks, CD-ROMs, optical disks, hard disks, fiber optic media, Radio Frequency (RF) links, and so forth. The code segments may be downloaded via computer networks such as the internet, intranet, etc.
It should also be noted that the exemplary embodiments mentioned in this patent describe some methods or systems based on a series of steps or devices. However, the present invention is not limited to the order of the above-described steps, that is, the steps may be performed in the order mentioned in the embodiments, may be performed in an order different from the order in the embodiments, or may be performed simultaneously.
As described above, only the specific embodiments of the present invention are provided, and it can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working processes of the system, the module and the unit described above may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again. It should be understood that the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive various equivalent modifications or substitutions within the technical scope of the present invention, and these modifications or substitutions should be covered within the scope of the present invention.

Claims (10)

1. A method for identifying abnormal operation behavior, comprising:
obtaining a historical operation behavior set according to behavior logs of a plurality of cloud operators, wherein the historical operation behavior set is formed by various operation behaviors of the plurality of cloud operators in a first preset period;
obtaining a preference operation behavior set according to a behavior log of a first cloud operator, wherein the preference operation behavior set is composed of various operation behaviors preferred by the first cloud operator in a preset time period of the first preset period;
calculating the similarity of each operation behavior in the historical operation behavior set and each operation behavior in the preference operation behavior set;
generating a predicted operation behavior set according to the similarity, wherein the predicted operation behavior set is formed by various predicted operation behaviors of the first cloud operator in the preset time period of a second preset period;
and identifying whether the actual operation behavior of the first cloud operator in each preset time period of the second preset period is abnormal operation behavior or not according to the predicted operation behavior set.
2. The method for identifying abnormal operation behavior according to claim 1, wherein the obtaining a set of preferred operation behaviors from a behavior log of a first cloud operator comprises:
according to the behavior log of the first cloud operator, counting the execution frequency of each operation behavior of the first cloud operator in the preset time period of the first preset period;
and taking the operation behavior with the execution frequency larger than a first preset value as the preferred operation behavior of the first cloud operator in the preset time period of the first preset period, and obtaining a preferred operation behavior set.
3. The method for identifying abnormal operation behavior according to claim 2, wherein the calculating the similarity between each operation behavior in the historical operation behavior set and each operation behavior in the preferred operation behavior set comprises:
and calculating the similarity of each operation behavior in the historical operation behavior set and each operation behavior in the preference operation behavior set by weighted summation of the similarity of the feature items.
4. The method for identifying abnormal operation behavior according to any one of claims 1 to 3, wherein the generating a set of predicted operation behaviors according to the similarity comprises:
screening the operation behaviors of which the similarity between each operation behavior in the historical operation behavior set and each operation behavior in the preference operation behavior set is greater than a second preset value;
taking the screened operation behavior as a predicted operation behavior of the first cloud operator in the preset time period of the second preset period;
generating the set of predicted operational behaviors based on the predicted operational behaviors.
5. The method for identifying abnormal operation behavior according to any one of claims 1 to 3, wherein the identifying whether the actual operation behavior of the first cloud operator in each of the preset time periods of the second preset period is abnormal operation behavior according to the set of predicted operation behaviors comprises:
when the actual operation behavior of the first cloud operator in a certain preset time period of the second preset period is not the operation behavior in the predicted operation behavior set, identifying the actual operation behavior as the abnormal operation behavior;
or,
when the actual operation behavior of the first cloud operator in a certain preset time period of the second preset period is an operation behavior in the predicted operation behavior set, identifying the actual operation behavior as a normal operation behavior.
6. The method for identifying abnormal operating behavior according to any one of claims 1 to 3, wherein each operating behavior of the set of historical operating behaviors, the set of preferred operating behaviors and the set of predicted operating behaviors is characterized by at least one characteristic item.
7. The method for identifying abnormal operation behavior according to claim 6, wherein the feature items comprise at least one of: operation type, operation function, and execution position of the operation.
8. An apparatus for identifying abnormal operation behavior, the apparatus comprising:
a first obtaining module, configured to obtain a historical operation behavior set according to behavior logs of a plurality of cloud operators, wherein the historical operation behavior set is formed by various operation behaviors of the plurality of cloud operators in a first preset period;
the second acquisition module is used for acquiring a preference operation behavior set according to a behavior log of a first cloud operator, wherein the preference operation behavior set is formed by various operation behaviors preferred by the first cloud operator in a preset time period of the first preset period;
the calculation module is used for calculating the similarity of each operation behavior in the historical operation behavior set and each operation behavior in the preference operation behavior set;
the generating module is used for generating a predicted operation behavior set according to the similarity; wherein the predicted operation behavior set consists of the various predicted operation behaviors of the first cloud operator within the preset time period of a second preset period;
and the identification module is used for identifying whether the actual operation behavior of the first cloud operator in each preset time period of the second preset period is abnormal operation behavior according to the predicted operation behavior set.
9. An apparatus for identifying abnormal operation behavior, the apparatus comprising: a processor and a memory storing computer program instructions;
the processor, when executing the computer program instructions, implements a method of identifying abnormal operating behavior as claimed in any one of claims 1 to 7.
10. A computer-readable storage medium, having stored thereon computer program instructions, which, when executed by a processor, implement the method for identifying abnormal operating behavior of any one of claims 1 to 7.
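The pipeline of claims 1 to 5 and 7 carried through on constructed log records, as an added example that is not code from the patent: behaviors are tuples of the three feature items of claim 7, the feature weights and both thresholds are assumed values the patent does not give, and an operator's second-period behaviors are classified against the predicted set.

```python
from collections import Counter

# Added example, not code from the patent. A behaviour is a tuple of the three
# feature items named in claim 7: (operation type, operation function, position).
# Log records are constructed as (operator, time slot, behaviour).
FIRST_PERIOD_LOGS = [
    ("op1", "morning", ("query", "list_vm", "console")),
    ("op1", "morning", ("query", "list_vm", "console")),
    ("op1", "morning", ("query", "list_vm", "console")),
    ("op1", "morning", ("restart", "vm", "console")),
    ("op1", "morning", ("restart", "vm", "console")),
    ("op1", "morning", ("delete", "snapshot", "console")),
    ("op2", "morning", ("query", "list_vm", "api")),
    ("op2", "night", ("delete", "volume", "api")),
    ("op3", "morning", ("restart", "vm", "api")),
]

# Assumed feature-item weights for the weighted sum of claim 3; the patent
# states no values, so these are illustrative only.
WEIGHTS = (0.5, 0.3, 0.2)


def similarity(a, b):
    """Weighted sum of per-feature-item similarity (1.0 on exact match, else 0)."""
    return sum(w * (1.0 if x == y else 0.0) for w, x, y in zip(WEIGHTS, a, b))


def historical_set(logs):
    """Claim 1: every distinct behaviour of every operator in the first period."""
    return {behaviour for _, _, behaviour in logs}


def preferred_set(logs, operator, slot, first_preset_value):
    """Claim 2: behaviours of one operator in one slot executed more than first_preset_value times."""
    counts = Counter(b for op, s, b in logs if op == operator and s == slot)
    return {b for b, n in counts.items() if n > first_preset_value}


def predicted_set(historical, preferred, second_preset_value):
    """Claim 4: historical behaviours whose similarity to some preferred behaviour exceeds the threshold."""
    return {h for h in historical
            if any(similarity(h, p) > second_preset_value for p in preferred)}


def classify(actual, predicted):
    """Claim 5: an actual behaviour outside the predicted set is abnormal, otherwise normal."""
    return "normal" if actual in predicted else "abnormal"


def run_example():
    """Build the sets for op1's morning slot and classify constructed second-period behaviours."""
    hist = historical_set(FIRST_PERIOD_LOGS)
    pref = preferred_set(FIRST_PERIOD_LOGS, "op1", "morning", first_preset_value=1)
    pred = predicted_set(hist, pref, second_preset_value=0.7)
    second_period = [
        ("query", "list_vm", "api"),        # differs from a preferred behaviour only in position
        ("delete", "snapshot", "console"),  # seen once, below the frequency threshold, low similarity
        ("delete", "volume", "api"),        # another operator's night-time behaviour
    ]
    return {b: classify(b, pred) for b in second_period}


if __name__ == "__main__":
    for behaviour, verdict in run_example().items():
        print(behaviour, "->", verdict)
```

Note that the predicted set can contain behaviors the first operator never performed (here the api-side variants), because claim 4 screens the shared historical set by similarity rather than by the operator's own history.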

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810961289.1A CN109344042B (en) 2018-08-22 2018-08-22 Abnormal operation behavior identification method, device, equipment and medium


Publications (2)

Publication Number Publication Date
CN109344042A CN109344042A (en) 2019-02-15
CN109344042B true CN109344042B (en) 2022-02-18

Family

ID=65291633


Country Status (1)

Country Link
CN (1) CN109344042B (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant