CN110198299A - Intrusion detection method and device - Google Patents

Info

Publication number
CN110198299A
Authority
CN
China
Legal status
Granted
Application number
CN201910173078.6A
Other languages
Chinese (zh)
Other versions
CN110198299B (en)
Inventor
张恒
董志强
张祖优
Current Assignee
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN201910173078.6A
Publication of CN110198299A
Application granted
Publication of CN110198299B
Current legal status: Active

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection

Abstract

The invention discloses an intrusion detection method and device. The method includes: determining multiple short call sequences of a process to be detected according to the system call information of the process, where a short call sequence includes a first quantity of system calls arranged in the order in which system calls are made in the process; determining the relative frequency vectors of the multiple short call sequences according to the frequency with which each system call in the system call information appears in each of the short call sequences; performing system call distribution learning based on the relative frequency vectors of the multiple short call sequences to obtain a call distribution vector that characterizes the distribution of the temporal order and relative frequency of system calls in the process to be detected; performing cluster analysis based on the call distribution vector of the process to be detected and the call distribution vectors of multiple non-intrusive processes; and determining, according to the result of the cluster analysis, whether the process to be detected has been intruded upon. The technical solution provided by the invention can improve the accuracy of intrusion detection and avoid missed detections and misjudgments.

Description

Intrusion detection method and device
Technical field
The present invention relates to the field of Internet communication technology, and in particular to an intrusion detection method and device.
Background
In recent years, with the rapid development of Internet technology, the network has become an essential part of people's lives. As the Internet has developed, network intrusions of all kinds have emerged one after another, and how to detect them effectively and promptly has become a pressing problem.
At present, network intrusion detection may include anomaly detection based on system calls. Specifically, the normal frequency distribution characteristics of the system calls made by a normally executing program are obtained, and the number of times each system call occurs (i.e. its absolute frequency) is monitored while the program actually runs. Frequency distribution information for the system calls is then determined from those occurrence counts, and anomalies are found by comparing the frequency distribution information from the actual run with the normal frequency distribution characteristics, thereby detecting network intrusions. However, this existing method characterizes program behavior by the frequency distribution of system calls alone; the selected feature is simple and cannot effectively reflect how the program actually runs, so the accuracy of intrusion detection is low and missed detections and misjudgments occur. A more reliable or more effective solution is therefore needed.
Summary of the invention
The present invention provides an intrusion detection method and device that can extract a call distribution vector which effectively reflects the actual running characteristics of a program, thereby improving the accuracy of intrusion detection and avoiding missed detections and misjudgments.
In one aspect, the present invention provides an intrusion detection method, the method comprising:
determining multiple short call sequences of a process to be detected according to the system call information of the process to be detected, where a short call sequence includes a first quantity of system calls arranged in the order in which system calls are made in the process;
determining the relative frequency vectors of the multiple short call sequences according to the frequency with which each system call in the system call information appears in each of the multiple short call sequences;
performing system call distribution learning based on the relative frequency vectors of the multiple short call sequences to obtain the call distribution vector of the process to be detected, where the call distribution vector characterizes the distribution of the temporal order and relative frequency of system calls in the process to be detected;
performing cluster analysis on the process to be detected and multiple non-intrusive processes based on the call distribution vector of the process to be detected and the call distribution vectors of the multiple non-intrusive processes;
determining, according to the result of the cluster analysis, whether the process to be detected has been intruded upon.
In another aspect, an intrusion detection device is provided, the device comprising:
a short call sequence determining module, configured to determine multiple short call sequences of a process to be detected according to the system call information of the process to be detected, where a short call sequence includes a first quantity of system calls arranged in the order in which system calls are made in the process;
a relative frequency vector determining module, configured to determine the relative frequency vectors of the multiple short call sequences according to the frequency with which each system call in the system call information appears in each of the multiple short call sequences;
a call distribution learning module, configured to perform system call distribution learning based on the relative frequency vectors of the multiple short call sequences to obtain the call distribution vector of the process to be detected, where the call distribution vector characterizes the distribution of the temporal order and relative frequency of system calls in the process to be detected;
a cluster analysis module, configured to perform cluster analysis on the process to be detected and multiple non-intrusive processes based on the call distribution vector of the process to be detected and the call distribution vectors of the multiple non-intrusive processes;
an intrusion detection module, configured to determine, according to the result of the cluster analysis, whether the process to be detected has been intruded upon.
In another aspect, an intrusion detection server is provided. The server includes a processor and a memory; the memory stores at least one instruction, at least one program, a code set or an instruction set, and the at least one instruction, the at least one program, the code set or the instruction set is loaded and executed by the processor to implement the intrusion detection method described above.
In another aspect, a computer-readable storage medium is provided. The storage medium stores at least one instruction, at least one program, a code set or an instruction set, and the at least one instruction, the at least one program, the code set or the instruction set is loaded and executed by a processor to implement the intrusion detection method described above.
The intrusion detection method and device provided by the present invention have the following technical effects:
The present invention obtains, from the system call information of a process, multiple short call sequences that effectively characterize the temporal order between system calls in the process, and obtains the relative frequency vectors of those short call sequences. Using the relative frequency vectors of the multiple short call sequences as training data for call distribution learning ensures that the resulting call distribution vector effectively reflects the distribution of the temporal order and relative frequency of system calls in the process, and therefore better portrays the behavior of the process and effectively reflects how the program actually runs. The call distribution vector of the process to be detected is then cluster-analyzed together with multiple non-intrusive processes, and intrusion detection on the process to be detected is performed according to the result of the cluster analysis, which can effectively improve the accuracy of intrusion detection and avoid missed detections and misjudgments.
Brief description of the drawings
To explain the technical solutions and advantages of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flowchart of an intrusion detection method provided by an embodiment of the present invention;
Fig. 2 is a schematic flowchart, provided by an embodiment of the present invention, of determining multiple short call sequences of the process to be detected according to the system call information of the process to be detected;
Fig. 3 is a schematic diagram, provided by an embodiment of the present invention, of extracting multiple short call sequences from system call information;
Fig. 4 is a schematic flowchart, provided by an embodiment of the present invention, of determining the relative frequency vectors of the multiple short call sequences according to the frequency with which each system call in the system call information appears in each of the short call sequences;
Fig. 5 is a schematic flowchart, provided by an embodiment of the present invention, of performing system call distribution learning based on the relative frequency vectors of the multiple short call sequences to obtain the call distribution vector of the process to be detected;
Fig. 6 is a schematic flowchart, provided by an embodiment of the present invention, of performing cluster analysis on the process to be detected and multiple non-intrusive processes based on the call distribution vector of the process to be detected and the call distribution vectors of the multiple non-intrusive processes;
Fig. 7 is another schematic flowchart, provided by an embodiment of the present invention, of performing cluster analysis on the process to be detected and multiple non-intrusive processes based on the call distribution vector of the process to be detected and the call distribution vectors of the multiple non-intrusive processes;
Fig. 8 is a schematic flowchart, provided by an embodiment of the present invention, of determining according to the result of the cluster analysis whether the process to be detected has been intruded upon;
Fig. 9 is another schematic flowchart, provided by an embodiment of the present invention, of determining according to the result of the cluster analysis whether the process to be detected has been intruded upon;
Fig. 10 is a schematic structural diagram of an intrusion detection device provided by an embodiment of the present invention;
Fig. 11 is a schematic structural diagram of a server provided by an embodiment of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments of the present invention. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
It should be noted that the terms "first", "second" and so on in the description, the claims and the above drawings are used to distinguish similar objects and not to describe a particular order or sequence. It should be understood that data used in this way are interchangeable under appropriate circumstances, so that the embodiments of the present invention described herein can be implemented in orders other than those illustrated or described herein. In addition, the terms "include" and "have" and any variations of them are intended to cover non-exclusive inclusion; for example, a process, method, system, product or server that contains a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to the process, method, product or device.
An intrusion detection method of the present invention is introduced below. Fig. 1 is a schematic flowchart of an intrusion detection method provided by an embodiment of the present invention. This specification provides the method operation steps as described in the embodiments or flowcharts, but more or fewer operation steps may be included on the basis of routine or non-creative work. The order of steps listed in the embodiments is only one of many possible execution orders and does not represent the only one. When an actual system or server product executes the method, the steps may be executed sequentially or in parallel (for example, in an environment with parallel processors or multi-threaded processing) according to the method shown in the embodiments or drawings. Specifically, as shown in Fig. 1, the method may include:
S101: determining multiple short call sequences of the process to be detected according to the system call information of the process to be detected, where a short call sequence includes a first quantity of system calls arranged in the order in which system calls are made in the process.
In practical applications, while a program runs in a system, one or more processes often combine a large number of system calls to make the program run smoothly. In the embodiments of this specification, the process to be detected may include one or more processes corresponding to a program running in the system.
Specifically, as shown in Fig. 2, determining multiple short call sequences of the process to be detected according to the system call information of the process to be detected may include:
S1011: obtaining the system call information of the process to be detected, where the system call information includes multiple system calls arranged in the order in which system calls are made in the process.
In a specific embodiment, the system calls made while the process to be detected executes can be collected in the order in which they are made, giving the system call information of the process to be detected. Accordingly, the system call information of the process to be detected may include multiple system calls arranged in the order in which system calls are made in the process.
S1013: determining the first quantity, i.e. the number of system calls extracted at a time.
In practical applications, the larger the number of system calls extracted at a time (the first quantity), the fewer short call sequences are selected and the less processing is needed to extract them, but the short call sequences become sparser and the subsequent learning and training take longer. Conversely, the smaller the number of system calls extracted at a time, the more short call sequences are selected and the more processing is needed to extract them, but the short call sequences are denser and the subsequent learning and training are shorter. Accordingly, the number of system calls extracted at a time can be set according to practical application requirements.
S1015: moving through the system call information from front to back, a third quantity of system calls at a time, and extracting the first quantity of system calls at each position to obtain the multiple short call sequences.
In the embodiments of this specification, while the first quantity of system calls is extracted successively from front to back from the system call information, the number of system calls moved each time (the third quantity) may be one or more. Specifically, the larger the number of system calls moved each time, the less well the temporal order between the short call sequences is preserved; conversely, the smaller the number of system calls moved each time (minimum 1), the better the temporal order between the short call sequences is preserved.
In addition, to guarantee the temporal order between the short call sequences, the third quantity of system calls moved each time is less than or equal to the first quantity of system calls extracted at a time. Accordingly, for any two adjacent short call sequences among those obtained, the last N system calls of the former are identical to the first N system calls of the latter, where N is an integer greater than or equal to 0.
In a specific embodiment, as shown in Fig. 3, assume that the system call information P of a process to be detected includes the following 8 system calls arranged in call order: close (close), execve (run an executable file), open (open), mmap (map a common memory segment into the memory of the process), open, mmap, close, exit (exit). The number of system calls extracted at a time is 4, and the number of system calls moved each time is 1. Accordingly, moving one system call at a time from front to back through the system call information and extracting 4 system calls at each position yields five short call sequences: P1 (close, execve, open, mmap), P2 (execve, open, mmap, open), P3 (open, mmap, open, mmap), P4 (mmap, open, mmap, close) and P5 (open, mmap, close, exit).
As the above embodiment shows, this specification extracts multiple short call sequences in order from the system calls arranged in the order in which they are made in the process, which ensures that the short call sequences obtained effectively characterize the temporal relationship between system calls in the process.
S103: determining the relative frequency vectors of the multiple short call sequences according to the frequency with which each system call in the system call information appears in each of the multiple short call sequences.
In the embodiments of this specification, after the multiple short call sequences are obtained, the relative frequency vectors of the multiple short call sequences can be determined according to the frequency with which each system call in the system call information appears in each of the short call sequences. Specifically, as shown in Fig. 4, this may include:
S1031: obtaining the frequency with which each system call in the system call information appears in each short call sequence.
In the embodiments of this specification, the frequency with which a system call appears in a short call sequence is the number of times that system call occurs in that short call sequence.
S1033: dividing the frequency by the quantity of system calls in the system call information to obtain the relative frequency data of each short call sequence.
Specifically, the quantity of system calls in the system call information may include the total number of system call invocations made during the execution of the process. Taking the example in Fig. 3, the quantity of system calls in the system call information is 8.
S1035: generating the relative frequency vector of each short call sequence from the relative frequency data of that short call sequence, where the dimension of the relative frequency vector is the quantity of system calls in the system call information.
Specifically, the relative frequency data obtained can be arranged directly in the call order of the corresponding system calls to obtain the relative frequency vector of each short call sequence.
The calculation of the relative frequency vector of a short call sequence is introduced below with a specific embodiment, taking the example of Fig. 3. The frequencies with which the system calls close, execve, open, mmap, open, mmap, close, exit in the system call information appear in each short call sequence are, in that order:
P1 (close, execve, open, mmap): 1, 1, 1, 1, 1, 1, 1, 0
P2 (execve, open, mmap, open): 0, 1, 2, 1, 2, 1, 0, 0
P3 (open, mmap, open, mmap): 0, 0, 2, 2, 2, 2, 0, 0
P4 (mmap, open, mmap, close): 0, 0, 1, 2, 1, 2, 1, 0
P5 (open, mmap, close, exit): 1, 0, 1, 0, 1, 0, 1, 1
Further, given that the quantity of system calls in the system call information is 8, the relative frequency data of the short call sequences P1, P2, P3, P4 and P5, and accordingly their relative frequency vectors, are in turn:
P1: (0.125, 0.125, 0.125, 0.125, 0.125, 0.125, 0.125, 0)
P2: (0, 0.125, 0.25, 0.125, 0.25, 0.125, 0, 0)
P3: (0, 0, 0.25, 0.25, 0.25, 0.25, 0, 0)
P4: (0, 0, 0.125, 0.25, 0.125, 0.25, 0.125, 0)
P5: (0.125, 0, 0.125, 0, 0.125, 0, 0.125, 0.125)
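Steps S1013 to S1035 applied to the Fig. 3 trace, as an added Python example (not code from the patent): it extracts the short call sequences with a sliding window and computes each relative frequency vector by counting occurrences and dividing by the length of the trace. The function names are assumptions chosen for illustration; the trace, the first quantity 4 and the third quantity 1 come from the text above.

```python
from collections import Counter

# System call information P from the Fig. 3 example, in call order.
TRACE = ["close", "execve", "open", "mmap", "open", "mmap", "close", "exit"]


def short_call_sequences(trace, first_quantity, third_quantity):
    """S1013/S1015: extract `first_quantity` calls at a time, moving
    `third_quantity` calls forward between extractions."""
    if first_quantity < 1 or third_quantity < 1:
        raise ValueError("quantities must be positive")
    if third_quantity > first_quantity:
        # The text requires the third quantity to be <= the first quantity.
        raise ValueError("third quantity must not exceed first quantity")
    last_start = len(trace) - first_quantity
    # A trace shorter than the window yields no short call sequence.
    return [tuple(trace[i:i + first_quantity])
            for i in range(0, last_start + 1, third_quantity)]


def relative_frequency_vector(trace, sequence):
    """S1031-S1035: for every position in the trace, count how often that
    system call occurs in `sequence`, then divide by the trace length.
    The vector has one entry per system call in the trace (dimension 8 here)."""
    counts = Counter(sequence)
    total = len(trace)
    return [counts[call] / total for call in trace]


def relative_frequency_vectors(trace, first_quantity, third_quantity):
    """Return (short call sequence, relative frequency vector) pairs."""
    return [(seq, relative_frequency_vector(trace, seq))
            for seq in short_call_sequences(trace, first_quantity, third_quantity)]


if __name__ == "__main__":
    for n, (seq, vec) in enumerate(relative_frequency_vectors(TRACE, 4, 1), 1):
        print(f"P{n} {seq}: {vec}")
```

Counting occurrences literally, P4 comes out as (0.125, 0, 0.125, 0.25, 0.125, 0.25, 0.125, 0) and P5 as (0.125, 0, 0.125, 0.125, 0.125, 0.125, 0.125, 0.125); these differ from the values listed above at the first close position for P4 and at the two mmap positions for P5.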
S105: performing system call distribution learning based on the relative frequency vectors of the multiple short call sequences to obtain the call distribution vector of the process to be detected.
In the embodiments of this specification, after the relative frequency vectors of the multiple short call sequences that characterize the temporal order between system calls in the process are obtained, system call distribution learning can be performed based on those relative frequency vectors to obtain a call distribution vector that characterizes the distribution of the temporal order and relative frequency of system calls in the process to be detected. Specifically, as shown in Fig. 5, this may include:
S1051: predicting call distribution features from the relative frequency vectors of the multiple short call sequences based on a preset topic model, to obtain the call distribution features of the process to be detected on a target topic.
In the embodiments of this specification, the system call information of a large number of non-intrusive processes can be obtained in advance, and the relative frequency vectors of multiple short call sequences can be determined from the system call information of the non-intrusive processes (the specific steps for determining the relative frequency vectors of the short call sequences of a non-intrusive process are as in the related steps above and are not repeated here). The relative frequency vectors of the multiple short call sequences of the non-intrusive processes are used as training data. Accordingly, the preset topic model may include a topic model obtained by training in advance on call distribution features using the relative frequency vectors of the multiple short call sequences of non-intrusive processes.
Specifically, the preset topic model may include, but is not limited to, an LDA (Latent Dirichlet Allocation) model.
In the embodiments of this specification, when call distribution features are predicted with the preset topic model, the multiple short call sequences can be regarded as multiple texts (a text collection), and the texts in a text collection often share one or more topics. Accordingly, the target topic may include one or more pieces of information that reflect the discrete distribution of system calls across the multiple short call sequences.
In the embodiments of this specification, the preset topic model can be trained locally on the device. In some embodiments, to reduce the load on the local device, the preset topic model can also be trained in advance by a cloud server. In practical applications, the storage space of a cloud server is large, so the cloud server can store a large number of process resources (system call information of processes for which it is known whether an intrusion has occurred), and non-intrusive processes can be selected from this large number of process resources by, for example, performing cluster analysis on the processes. When the preset topic model is trained on the cloud server, the system call information of the large number of non-intrusive processes on the cloud server can then be used directly to extract short call sequences, determine the relative frequency vectors of the short call sequences, and otherwise prepare the training data.
In the embodiments of this specification, having the cloud server determine the training data and train the preset topic model can greatly reduce the load on the local device. At the same time, the large number of process resources on the cloud server can be used effectively to train the preset topic model thoroughly, which improves the accuracy with which the trained preset topic model predicts call distribution features.
S1053: converting the call distribution features of the process to be detected on the target topic into the call distribution vector of the process to be detected using a preset sampling algorithm.
In the embodiments of this specification, after the call distribution features are obtained, a preset sampling algorithm can be used to convert the call distribution features of the process to be detected on the target topic into the call distribution vector of the process to be detected. Specifically, the preset sampling algorithm may include, but is not limited to, Gibbs sampling.
In the embodiments of this specification, system call distribution learning is performed on the relative frequency vectors of multiple short call sequences that characterize the temporal order between system calls in the process, so that the call distribution vector obtained effectively reflects the distribution of the temporal order and relative frequency of system calls in the process and therefore better portrays the behavior of the process.
S107: performing cluster analysis on the process to be detected and multiple non-intrusive processes based on the call distribution vector of the process to be detected and the call distribution vectors of the multiple non-intrusive processes.
In the embodiments of this specification, a non-intrusive process may include a normally running process in which no abnormal intrusion has occurred. Specifically, as shown in Fig. 6, performing cluster analysis on the process to be detected and the multiple non-intrusive processes based on the call distribution vector of the process to be detected and the call distribution vectors of the multiple non-intrusive processes may include:
S1071: obtaining the call distribution vectors of multiple non-intrusive processes.
In the embodiments of this specification, the specific steps for obtaining the call distribution vector of a non-intrusive process are as in the related steps above and are not repeated here.
S1073: calculating the distance between the call distribution vector of the process to be detected and the call distribution vector of each of the multiple non-intrusive processes.
In the embodiments of this specification, the distance between call distribution vectors may include, but is not limited to, the cosine value, the Euclidean distance and so on. The distance between the call distribution vector of the process to be detected and the call distribution vector of a non-intrusive process characterizes the difference between the process to be detected and that non-intrusive process. The larger the distance between the call distribution vector of the process to be detected and the call distribution vector of a non-intrusive process, the larger the difference between the two processes; conversely, the smaller the distance, the smaller the difference between them.
S1075: determining the number of non-intrusive processes whose call distribution vectors are at a distance less than or equal to a preset distance from the call distribution vector of the process to be detected.
In the embodiments of this specification, the preset distance can be set according to practical application requirements. Specifically, the smaller the preset distance, the smaller the difference between the multiple non-intrusive processes and a process to be detected that is classed as similar to them.
S1077: judging whether that number is greater than or equal to a fourth quantity.
Specifically, the fourth quantity can be set in combination with the number of non-intrusive processes; in general, the fourth quantity is greater than or equal to 60% of the number of non-intrusive processes.
S1079: when the result of the judgment is yes, determining that the process to be detected and the multiple non-intrusive processes are similar processes.
In the embodiments of this specification, a non-intrusive process whose call distribution vector is at a distance less than or equal to the preset distance from the call distribution vector of the process to be detected can be regarded as a process similar to the process to be detected. When the number of non-intrusive processes among the multiple non-intrusive processes that are similar to the process to be detected reaches the fourth quantity, the process to be detected can be determined to be a similar process to the multiple non-intrusive processes.
In other embodiments, as shown in Fig. 7, when the result of the judgment in step S1077 is no, the method may further include:
S10711: determining that the process to be detected and the multiple non-intrusive processes are non-similar processes.
In addition, it should be noted that the cluster analysis method corresponding to Fig. 6 and Fig. 7 above is only an example; in practical applications other cluster analysis methods can also be used, and the embodiments of this specification are not limited to the above.
S109: Determine, according to the result of the cluster analysis, whether the process to be detected has been intruded.
In this embodiment, when the result of the cluster analysis is that the process to be detected and the multiple non-intrusive processes are similar processes, it can be determined that the process to be detected has not been intruded.
In other embodiments, when the result of the cluster analysis is that the process to be detected and the multiple non-intrusive processes are non-similar processes, whether the process to be detected has been intruded is confirmed further, in order to avoid problems such as misjudgments and missed reports. As shown in Fig. 8, determining whether the process to be detected has been intruded according to the result of the cluster analysis may include:
S1091: When the result of the cluster analysis is that the process to be detected and the multiple non-intrusive processes are non-similar processes, obtain the absolute frequency vectors of the process to be detected and of the multiple non-intrusive processes.
Specifically, taking the example in Fig. 3, when the system call information of a process is P (close, execve, open, mmap, open, mmap, close, exit), the absolute frequency vector of the process may be (2, 1, 2, 2, 2, 2, 2, 1).
S1093: Based on the absolute frequency vectors and the calling distribution vectors of the process to be detected and the multiple non-intrusive processes, calculate the similarity between the process to be detected and each of the multiple non-intrusive processes.
In this embodiment, the similarity between two processes can be calculated with the following formula:
where a_i may denote the calling distribution vector of the i-th process to be detected; a_j may denote the calling distribution vector of the j-th non-intrusive process; b_i may denote the absolute frequency vector of the i-th process to be detected; and b_j may denote the absolute frequency vector of the j-th non-intrusive process.
It should also be noted that, in this embodiment, the calculation of the similarity between two processes is not limited to the calculation above. Other methods may be used in practical applications, and this embodiment is not limited to the above.
S1095: Sort the similarities in descending order of value.
S1097: Select the first second quantity of similarities and calculate their average value.
In this embodiment, the second quantity can be set according to practical application requirements.
S1099: Judge whether the average value is less than or equal to a preset threshold.
In this embodiment, the preset threshold may characterize the lower-limit average similarity threshold at which the process to be detected is considered intruded.
S10911: When the average value is less than or equal to the preset threshold, determine that the process to be detected has been intruded.
In this embodiment, after the cluster analysis of the process to be detected against the multiple non-intrusive processes has determined that the process to be detected is a non-similar process to them, the similarity between processes is calculated by combining the absolute frequency vectors and the calling distribution vectors of the processes. The average of the highest second quantity of similarities is then compared with the lower-limit average similarity threshold at which the process to be detected is considered intruded. This detects accurately whether the process to be detected has been intruded, effectively improves the accuracy of intrusion detection, and avoids missed reports and misjudgments.
In other embodiments, as shown in Fig. 9, when the average value is greater than the preset threshold, the method may further include:
S10913: Determine that the process to be detected has not been intruded.
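The two-stage decision of steps S1071 to S10913, as an added Python example (not code from the patent). The similarity formula is not reproduced on this page, so `similarity` is supplied by the caller and `stand_in_similarity` is a labelled placeholder; the vectors, the preset distance 0.1, the second quantity 2 and the threshold 0.7 are constructed sample values.

```python
import math
from collections import Counter
from dataclasses import dataclass
from statistics import mean
from typing import Callable, NamedTuple, Sequence


@dataclass(frozen=True)
class Profile:
    name: str
    call_dist: Sequence[float]   # calling distribution vector (a)
    abs_freq: Sequence[int]      # absolute frequency vector (b)


class Verdict(NamedTuple):
    intruded: bool
    stage: int      # 1 = decided by cluster analysis, 2 = by similarity ranking
    detail: float   # stage 1: neighbour count; stage 2: top-k average similarity


def absolute_frequency_vector(trace):
    """S1091: one entry per call in the trace, holding that call's total count."""
    counts = Counter(trace)
    return [counts[call] for call in trace]


def cosine_similarity(u, v):
    nu, nv = math.hypot(*u), math.hypot(*v)
    if nu == 0 or nv == 0:          # a zero vector has no direction
        return 0.0
    return sum(x * y for x, y in zip(u, v)) / (nu * nv)


def stand_in_similarity(p: Profile, q: Profile) -> float:
    # ASSUMPTION: placeholder only. The patent's formula combines a and b;
    # it is absent from this page, so this stand-in compares a alone.
    return cosine_similarity(p.call_dist, q.call_dist)


def detect(candidate: Profile, baseline: Sequence[Profile], *,
           preset_distance: float, second_quantity: int,
           preset_threshold: float,
           similarity: Callable[[Profile, Profile], float],
           fourth_quantity: int = None,
           distance: Callable = math.dist) -> Verdict:
    if not baseline:
        raise ValueError("at least one non-intrusive process is required")
    if second_quantity < 1:
        raise ValueError("second_quantity must be at least 1")
    if fourth_quantity is None:
        # Lower bound stated on the page: 60% of the baseline, rounded up.
        fourth_quantity = (3 * len(baseline) + 4) // 5

    # S1073-S1077: count baseline processes within the preset distance.
    near = sum(1 for b in baseline
               if distance(candidate.call_dist, b.call_dist) <= preset_distance)
    if near >= fourth_quantity:                 # S1079: similar process
        return Verdict(False, 1, float(near))

    # S1093-S1099: non-similar process, rank similarities and average the top k.
    ranked = sorted((similarity(candidate, b) for b in baseline), reverse=True)
    average = mean(ranked[:second_quantity])
    return Verdict(average <= preset_threshold, 2, average)


# Constructed sample data (not from the patent), except TRACE, which is the
# system call information P from the page's Fig. 3 example.
TRACE = ("close", "execve", "open", "mmap", "open", "mmap", "close", "exit")
BASELINE_VECTORS = [(0.70, 0.20, 0.10), (0.68, 0.22, 0.10), (0.72, 0.18, 0.10),
                    (0.65, 0.25, 0.10), (0.20, 0.30, 0.50)]
CANDIDATES = {
    "close-to-baseline": (0.69, 0.21, 0.10),   # expected: cleared in stage 1
    "far-from-baseline": (0.10, 0.10, 0.80),   # expected: flagged in stage 2
    "shifted-but-alike": (0.50, 0.30, 0.20),   # expected: cleared in stage 2
}


def run_samples():
    b = absolute_frequency_vector(TRACE)
    baseline = [Profile(f"benign-{i}", v, b)
                for i, v in enumerate(BASELINE_VECTORS, 1)]
    return {name: detect(Profile(name, vec, b), baseline,
                         preset_distance=0.1, second_quantity=2,
                         preset_threshold=0.7, similarity=stand_in_similarity)
            for name, vec in CANDIDATES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(name, verdict)
```

The third sample shows why the second stage exists: a process that falls outside the preset distance of every baseline vector is still cleared when its best similarities average above the threshold.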
As can be seen from the technical solution provided by the above embodiments, multiple calling short sequences that effectively characterize the temporal features between system calls in a process are obtained from the system call information of the process, and the relative frequency vectors of these calling short sequences are obtained. These relative frequency vectors serve as training data for calling distribution learning of the process, which ensures that the resulting calling distribution vector effectively reflects the distribution characteristics of the timing and relative frequency of the system calls in the process, and therefore better portrays the behavioural characteristics of the process and effectively reflects how the program actually runs. Cluster analysis is then performed on the calling distribution vector of the process to be detected and those of multiple non-intrusive processes. Intrusion detection of the process to be detected is carried out according to the result of the cluster analysis, which effectively improves the accuracy of intrusion detection and avoids missed reports and misjudgments.
An embodiment of the invention also provides an intrusion detection device. As shown in Fig. 10, the device includes:
a calling short sequence determining module 1010, which can be used to determine multiple calling short sequences of the process to be detected according to the system call information of the process to be detected, each calling short sequence including a first quantity of system calls arranged in the order in which system calls are invoked in the process;
a relative frequency vector determining module 1020, which can be used to determine the relative frequency vectors of the multiple calling short sequences according to the frequency of occurrence of each system call in the system call information within each of the multiple calling short sequences;
a calling distribution learning module 1030, which can be used to perform system call distribution learning based on the relative frequency vectors of the multiple calling short sequences, obtaining the calling distribution vector of the process to be detected, the calling distribution vector characterizing the distribution characteristics of the timing and relative frequency of the system calls in the process to be detected;
a cluster analysis module 1040, which can be used to perform cluster analysis on the process to be detected and multiple non-intrusive processes, based on the calling distribution vector of the process to be detected and the calling distribution vectors of the multiple non-intrusive processes;
an intrusion detection module 1050, which can be used to determine, according to the result of the cluster analysis, whether the process to be detected has been intruded.
In some embodiments, the intrusion detection module 1050 may include:
an absolute frequency vector acquiring unit, for obtaining the absolute frequency vectors of the process to be detected and the multiple non-intrusive processes when the result of the cluster analysis by the cluster analysis module is that the process to be detected and the multiple non-intrusive processes are non-similar processes;
a similarity calculating unit, for calculating the similarity between the process to be detected and each of the multiple non-intrusive processes, based on the absolute frequency vectors and calling distribution vectors of the process to be detected and the multiple non-intrusive processes;
a descending sorting unit, for sorting the similarities in descending order of value;
an average value calculating unit, for selecting the first second quantity of similarities and calculating their average value;
a first judging unit, for judging whether the average value is less than or equal to a preset threshold;
a first intrusion judging unit, for determining that the process to be detected has been intruded when the first judging unit judges that the average value is less than the preset threshold.
In some embodiments, the intrusion detection module 1050 may also include:
a second intrusion judging unit, for determining that the process to be detected has not been intruded when the first judging unit judges that the average value is greater than or equal to the preset threshold.
In some embodiments, the intrusion detection module 1050 may include:
a second intrusion judging unit, for determining that the process to be detected has not been intruded when the result of the cluster analysis by the cluster analysis module is that the process to be detected and the multiple non-intrusive processes are similar processes.
In some embodiments, the calling short sequence determining module 1010 may include:
a system call information acquiring unit, for obtaining the system call information of the process to be detected, the system call information including multiple system calls arranged in the order in which system calls are invoked in the process;
a single-extraction quantity determining unit, for determining the first quantity of system calls extracted at a time;
a calling short sequence acquiring unit, for extracting the first quantity of system calls from the system call information, successively from front to back and moving by a third quantity of system calls each time, to obtain the multiple calling short sequences;
wherein the third quantity is less than or equal to the first quantity.
In some embodiments, the relative frequency vector determining module 1020 includes:
a frequency-of-occurrence acquiring unit, for obtaining the frequency of occurrence of each system call in the system call information within each calling short sequence;
a relative frequency data acquiring unit, for dividing the frequency by the number of system calls in the system call information to obtain the relative frequency data of each calling short sequence.
The relative frequency vector of each calling short sequence is generated based on the relative frequency data of that calling short sequence; the dimension of the relative frequency vector is the number of system calls in the system call information.
In some embodiments, the calling distribution learning module 1030 includes:
a calling distribution feature acquiring unit, for performing calling distribution feature prediction on the relative frequency vectors of the multiple calling short sequences based on a preset topic model, obtaining the calling distribution feature of the process to be detected on the target topic;
a first calling distribution vector acquiring unit, for converting the calling distribution feature of the process to be detected on the target topic into the calling distribution vector of the process to be detected using a preset sampling algorithm.
In some embodiments, the cluster analysis module 1040 may include:
a second calling distribution vector acquiring unit, for obtaining the calling distribution vectors of multiple non-intrusive processes;
a distance calculating unit, for calculating the distance between the calling distribution vector of the process to be detected and the calling distribution vector of each of the multiple non-intrusive processes;
a calling distribution vector determining unit, for determining the number of non-intrusive processes whose calling distribution vectors are at a distance less than or equal to the preset distance from the calling distribution vector of the process to be detected;
a second judging unit, for judging whether the number of calling distribution vectors of non-intrusive processes within the preset distance is less than the fourth quantity;
a similar process determining unit, for determining that the process to be detected and the multiple non-intrusive processes are similar processes when the result judged by the second judging unit is yes.
In some embodiments, the cluster analysis module 1040 may also include:
a non-similar process determining unit, for determining that the process to be detected and the multiple non-intrusive processes are non-similar processes when the result judged by the second judging unit is no.
The device embodiment and the method embodiments are based on the same inventive concept.
An embodiment of the invention provides an intrusion detection server, which includes a processor and a memory. The memory stores at least one instruction, at least one program, a code set or an instruction set, which is loaded and executed by the processor to implement the intrusion detection method provided by the above method embodiments.
The memory can be used to store software programs and modules, and the processor performs various functional applications and data processing by running the software programs and modules stored in the memory. The memory may mainly include a program storage area and a data storage area: the program storage area can store the operating system, the application programs required by functions, and so on; the data storage area can store data created through use of the device, and so on. In addition, the memory may include high-speed random access memory and may also include non-volatile memory, for example at least one magnetic disk storage device, flash memory device or other volatile solid-state storage device. Accordingly, the memory may also include a memory controller to provide the processor with access to the memory.
The method embodiments provided by the embodiments of the present invention can be executed in a mobile terminal, a terminal, a server or a similar computing device, to perform host-based intrusion detection and the like. Taking execution on a server as an example, Fig. 11 is a hardware block diagram of a server for an intrusion detection method provided by an embodiment of the present invention. As shown in Fig. 11, the server 1100 can vary considerably depending on configuration or performance, and may include one or more central processing units (CPU) 1110 (the processor 1110 may include, but is not limited to, a processing device such as a microprocessor (MCU) or a programmable logic device (FPGA)), a memory 1130 for storing data, and one or more storage media 1120 (for example, one or more mass storage devices) storing application programs 1123 or data 1122. The memory 1130 and the storage medium 1120 may be transient or persistent storage. A program stored in the storage medium 1120 may include one or more modules, and each module may include a series of instruction operations on the server. Further, the central processing unit 1110 may be configured to communicate with the storage medium 1120 and to execute, on the server 1100, the series of instruction operations in the storage medium 1120. The server 1100 may also include one or more power supplies 1160, one or more wired or wireless network interfaces 1150, one or more input/output interfaces 1140, and/or one or more operating systems 1121, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™ and so on.
The input/output interface 1140 can be used to receive or send data via a network. A specific example of the above network may include a wireless network provided by the communication provider of the server 1100. In one example, the input/output interface 1140 includes a network adapter (Network Interface Controller, NIC), which can be connected to other network devices through a base station so as to communicate with the Internet. In one example, the input/output interface 1140 can be a radio frequency (RF) module, which is used to communicate with the Internet wirelessly.
Those of ordinary skill in the art will understand that the structure shown in Fig. 11 is only illustrative and does not limit the structure of the above electronic device. For example, the server 1100 may include more or fewer components than shown in Fig. 11, or have a configuration different from that shown in Fig. 11.
The embodiments of the present invention also provide a storage medium, which may be disposed in a server to store at least one instruction, at least one program, a code set or an instruction set related to implementing an intrusion detection method of the method embodiments. The at least one instruction, the at least one program, the code set or the instruction set is loaded and executed by the processor to implement the intrusion detection method provided by the above method embodiments.
Optionally, in this embodiment, the above storage medium may be located on at least one of the multiple network servers of a computer network. Optionally, in this embodiment, the above storage medium may include, but is not limited to, various media that can store program code, such as a USB flash disk, read-only memory (ROM), random access memory (RAM), a removable hard disk, a magnetic disk or an optical disc.
As can be seen from the embodiments of the intrusion detection method, device, server and storage medium provided by the present invention, multiple calling short sequences that effectively characterize the temporal features between system calls in a process are obtained from the system call information of the process, and the relative frequency vectors of these calling short sequences are obtained. These relative frequency vectors serve as training data for calling distribution learning of the process, which ensures that the resulting calling distribution vector effectively reflects the distribution characteristics of the timing and relative frequency of the system calls in the process, and therefore better portrays the behavioural characteristics of the process and effectively reflects how the program actually runs. Cluster analysis is then performed on the calling distribution vector of the process to be detected and those of multiple non-intrusive processes. Intrusion detection of the process to be detected is carried out according to the result of the cluster analysis, which effectively improves the accuracy of intrusion detection and avoids missed reports and misjudgments.
It should be noted that the order of the above embodiments of the present invention is for description only and does not represent the relative merits of the embodiments. The foregoing describes specific embodiments of this specification. Other embodiments are within the scope of the appended claims. In some cases, the actions or steps recited in the claims can be executed in an order different from that in the embodiments and still achieve the desired result. In addition, the processes depicted in the drawings do not necessarily require the particular order shown, or a sequential order, to achieve the desired result. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
The embodiments in this specification are described in a progressive manner. The same or similar parts of the embodiments may be referred to across embodiments, and each embodiment focuses on its differences from the others. In particular, the device and server embodiments are described relatively briefly because they are substantially similar to the method embodiments; for the related parts, refer to the description of the method embodiments.
Those of ordinary skill in the art will understand that all or part of the steps of the above embodiments can be carried out by hardware, or by a program instructing the relevant hardware. The program can be stored in a computer-readable storage medium, and the storage medium mentioned above can be a read-only memory, a magnetic disk, an optical disc, or the like.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit the invention. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the protection scope of the present invention.

Claims (10)

1. An intrusion detection method, characterized in that the method comprises:
determining multiple calling short sequences of a process to be detected according to system call information of the process to be detected, each calling short sequence comprising a first quantity of system calls arranged in the order in which system calls are invoked in the process;
determining relative frequency vectors of the multiple calling short sequences according to the frequency of occurrence of each system call in the system call information within each of the multiple calling short sequences;
performing system call distribution learning based on the relative frequency vectors of the multiple calling short sequences to obtain a calling distribution vector of the process to be detected, the calling distribution vector characterizing the distribution characteristics of the timing and relative frequency of the system calls in the process to be detected;
performing cluster analysis on the process to be detected and multiple non-intrusive processes based on the calling distribution vector of the process to be detected and the calling distribution vectors of the multiple non-intrusive processes;
determining, according to the result of the cluster analysis, whether the process to be detected has been intruded.
2. The method according to claim 1, characterized in that determining, according to the result of the cluster analysis, whether the process to be detected has been intruded comprises:
when the result of the cluster analysis is that the process to be detected and the multiple non-intrusive processes are non-similar processes, obtaining the absolute frequency vectors of the process to be detected and the multiple non-intrusive processes;
calculating the similarity between the process to be detected and each of the multiple non-intrusive processes, based on the absolute frequency vectors and calling distribution vectors of the process to be detected and the multiple non-intrusive processes;
sorting the similarities in descending order of value;
selecting the first second quantity of similarities and calculating their average value;
judging whether the average value is less than or equal to a preset threshold;
when the average value is less than or equal to the preset threshold, determining that the process to be detected has been intruded.
3. The method according to claim 2, characterized in that, when the average value is greater than the preset threshold, the method further comprises:
determining that the process to be detected has not been intruded.
4. The method according to claim 1, characterized in that determining, according to the result of the cluster analysis, whether the process to be detected has been intruded comprises:
when the result of the cluster analysis is that the process to be detected and the multiple non-intrusive processes are similar processes, determining that the process to be detected has not been intruded.
5. The method according to claim 1, characterized in that determining the multiple calling short sequences of the process to be detected according to the system call information of the process to be detected comprises:
obtaining the system call information of the process to be detected, the system call information comprising multiple system calls arranged in the order in which system calls are invoked in the process;
determining the first quantity of system calls extracted at a time;
extracting the first quantity of system calls from the system call information, successively from front to back and moving by a third quantity of system calls each time, to obtain the multiple calling short sequences;
wherein the third quantity is less than or equal to the first quantity.
6. The method according to claim 1, characterized in that determining the relative frequency vectors of the multiple calling short sequences according to the frequency of occurrence of each system call in the system call information within each of the multiple calling short sequences comprises:
obtaining the frequency of occurrence of each system call in the system call information within each calling short sequence;
dividing the frequency by the number of system calls in the system call information to obtain the relative frequency data of each calling short sequence;
generating the relative frequency vector of each calling short sequence based on the relative frequency data of that calling short sequence, the dimension of the relative frequency vector being the number of system calls in the system call information.
7. The method according to claim 1, characterized in that performing system call distribution learning based on the relative frequency vectors of the multiple calling short sequences to obtain the calling distribution vector of the process to be detected comprises:
performing calling distribution feature prediction on the relative frequency vectors of the multiple calling short sequences based on a preset topic model, to obtain the calling distribution feature of the process to be detected on the target topic;
converting the calling distribution feature of the process to be detected on the target topic into the calling distribution vector of the process to be detected using a preset sampling algorithm.
8. The method according to claim 1, characterized in that performing cluster analysis on the process to be detected and the multiple non-intrusive processes based on the calling distribution vector of the process to be detected and the calling distribution vectors of the multiple non-intrusive processes comprises:
obtaining the calling distribution vectors of the multiple non-intrusive processes;
calculating the distance between the calling distribution vector of the process to be detected and the calling distribution vector of each of the multiple non-intrusive processes;
determining the number of non-intrusive processes whose calling distribution vectors are at a distance less than or equal to a preset distance from the calling distribution vector of the process to be detected;
judging whether the number is greater than or equal to a fourth quantity;
when the result of the judgment is yes, determining that the process to be detected and the multiple non-intrusive processes are similar processes.
9. The method according to claim 8, characterized in that the method further comprises:
when the result of the judgment is no, determining that the process to be detected and the multiple non-intrusive processes are non-similar processes.
10. An intrusion detection device, characterized in that the device comprises:
a calling short sequence determining module, for determining multiple calling short sequences of a process to be detected according to system call information of the process to be detected, each calling short sequence comprising a first quantity of system calls arranged in the order in which system calls are invoked in the process;
a relative frequency vector determining module, for determining relative frequency vectors of the multiple calling short sequences according to the frequency of occurrence of each system call in the system call information within each of the multiple calling short sequences;
a calling distribution learning module, for performing system call distribution learning based on the relative frequency vectors of the multiple calling short sequences to obtain a calling distribution vector of the process to be detected, the calling distribution vector characterizing the distribution characteristics of the timing and relative frequency of the system calls in the process to be detected;
a cluster analysis module, for performing cluster analysis on the process to be detected and multiple non-intrusive processes based on the calling distribution vector of the process to be detected and the calling distribution vectors of the multiple non-intrusive processes;
an intrusion detection module, for determining, according to the result of the cluster analysis, whether the process to be detected has been intruded.
CN201910173078.6A 2019-03-07 2019-03-07 Intrusion detection method and device Active CN110198299B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910173078.6A CN110198299B (en) 2019-03-07 2019-03-07 Intrusion detection method and device

Publications (2)

Publication Number Publication Date
CN110198299A true CN110198299A (en) 2019-09-03
CN110198299B CN110198299B (en) 2021-08-17

Family

ID=67751773

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910173078.6A Active CN110198299B (en) 2019-03-07 2019-03-07 Intrusion detection method and device

Country Status (1)

Country Link
CN (1) CN110198299B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112182573A (en) * 2020-09-10 2021-01-05 青岛海尔科技有限公司 Method, device and equipment for intrusion detection
CN112765599A (en) * 2020-12-28 2021-05-07 中科曙光(南京)计算技术有限公司 Intrusion detection method for application program

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
鲁杰: ""基于主机系统调用的入侵检测方法研究"", 《计算机应用与软件》 *

Also Published As

Publication number Publication date
CN110198299B (en) 2021-08-17

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant