CN110489965B - Implementation method and system of deep threat recognition real-time engine - Google Patents
Implementation method and system of deep threat recognition real-time engine Download PDFInfo
- Publication number
- CN110489965B CN110489965B CN201810772887.4A CN201810772887A CN110489965B CN 110489965 B CN110489965 B CN 110489965B CN 201810772887 A CN201810772887 A CN 201810772887A CN 110489965 B CN110489965 B CN 110489965B
- Authority
- CN
- China
- Prior art keywords
- stack
- data
- pressing
- feature vector
- business rule
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/552—Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The invention discloses a method and a system for realizing a real-time engine for deep threat identification, wherein the method comprises the following steps: analyzing a business rule, wherein the business rule is a infix expression; converting the infix expression into an inverse wave form, and storing elements of the inverse wave form in an array; receiving a feature vector to be processed, and executing the following for the feature vector in a circulating way until the last data is popped from a stack and the data is taken as a processing result of the feature vector: obtaining an element from the data group, if the element is a variable, finding the value of the variable from the characteristic vector, pressing the value into a stack, if the element is a constant, pressing the constant into the stack, if the element is an operator, popping up two operation data from the stack, carrying out operation corresponding to the operator on the two operation data, and pressing the result obtained by operation into the stack. The invention can improve the processing efficiency of the rule engine.
Description
Technical Field
The invention relates to the technical field of internet, in particular to a method and a system for realizing a deep threat recognition real-time engine.
Background
Deep threat identification system-real time engine (advanced threat detection-real time engine, Atd-rte for short)
The main work of the Atd-rt has two aspects, the first is feature vector calculation, which mainly calculates a feature vector according to an input log, and the feature vector is generally a user feature vector. The second is a rule engine, which judges whether a client (which can be identified by an IP address) has a threat behavior through a business rule.
For example, a feature vector for an ip is as follows:
{"domain.pv":1.3461538461538463,"clientIP.pv":120.0,"clientIP.uriStaticCount":0.0,"clientIP.requestPath.most":0.175,"clientIP.requestPath.uniq":100.0,"clientIP.requestPath.mrr":0.2857142857142857,"clientIP.requestPath.mstr":"/hehetest","clientIP":"220.8.2.1"}
the business rules are as follows:
clientIP.pv>100 and clientIP.pv>domain.pv*2 and(clientIP.uriStaticCount/clientIP.pv<0.4orclientIP.requestPath.uniq<domain.requestPath.uniq)
and judging whether the ip executes dangerous behaviors or not through the rule engine according to the business rule and the feature vector of the ip.
Existing rules engines use the following methods for processing: analyzing the service rule, replacing the variable in the service rule with a specific value corresponding to the variable in the IP characteristic vector to obtain a infix expression without the variable, calculating the value of the infix expression, and taking the value of the infix expression obtained through calculation as a calculation result.
The above calculation method using the infix expression needs to consume a large amount of calculation, and particularly, when there are many business rules and the IP feature vector to be processed is large data, how to improve the processing efficiency of the rule engine is a technical problem to be solved.
Disclosure of Invention
In order to solve the technical problem, the invention provides a method and a system for realizing a deep threat identification real-time engine.
The invention provides a method for realizing a deep threat identification real-time engine, which comprises the following steps:
analyzing a business rule, wherein the business rule is a infix expression;
converting the infix expression into an inverse wave form, and storing elements of the inverse wave form in an array;
receiving a feature vector to be processed, and executing the following for the feature vector in a circulating way until the last data is popped from a stack and the data is taken as a processing result of the feature vector: obtaining an element from the data group, if the element is a variable, finding the value of the variable from the characteristic vector, pressing the value into a stack, if the element is a constant, pressing the constant into the stack, if the element is an operator, popping up two operation data from the stack, carrying out operation corresponding to the operator on the two operation data, and pressing the result obtained by operation into the stack.
The invention provides another implementation method of a deep threat identification real-time engine, which comprises the following steps:
analyzing a business rule, wherein the business rule is a infix expression;
converting the infix expression into an inverse wave form, and storing elements of the inverse wave form in an array;
receiving N eigenvectors to be processed, wherein N is an integer greater than 1;
the following is performed for each feature vector loop until the last data is popped from the stack and this data is taken as the result of the processing of the feature vector: obtaining an element from the data group, if the element is a variable, finding the value of the variable from the characteristic vector, pressing the value into a stack, if the element is a constant, pressing the constant into the stack, if the element is an operator, popping up two operation data from the stack, carrying out operation corresponding to the operator on the two operation data, and pressing the result obtained by operation into the stack.
The invention provides another implementation method of a deep threat identification real-time engine, which comprises the following steps:
receiving N eigenvectors to be processed, wherein N is an integer greater than 1;
analyzing a business rule, wherein the business rule is a infix expression;
converting the infix expression into an inverse wave form, and storing elements of the inverse wave form in an array;
the following is performed for each feature vector loop until the last data is popped from the stack and this data is taken as the result of the processing of the feature vector: obtaining an element from the data group, if the element is a variable, finding the value of the variable from the characteristic vector, pressing the value into a stack, if the element is a constant, pressing the constant into the stack, if the element is an operator, popping up two operation data from the stack, carrying out operation corresponding to the operator on the two operation data, and pressing the result obtained by operation into the stack.
The invention provides another implementation method of a deep threat identification real-time engine, which comprises the following steps:
receiving N eigenvectors to be processed and a service rule, wherein N is an integer greater than 1, and the service rule is a infix expression;
analyzing the business rule;
converting the infix expression into an inverse wave form, and storing elements of the inverse wave form in an array;
the following is performed for each feature vector loop until the last data is popped from the stack and this data is taken as the result of the processing of the feature vector: obtaining an element from the data group, if the element is a variable, finding the value of the variable from the characteristic vector, pressing the value into a stack, if the element is a constant, pressing the constant into the stack, if the element is an operator, popping up two operation data from the stack, carrying out operation corresponding to the operator on the two operation data, and pressing the result obtained by operation into the stack.
The invention provides another implementation method of a deep threat identification real-time engine, which comprises the following steps:
receiving N eigenvectors to be processed and M service rules, wherein both N and M are integers larger than 1, and the service rules are infix expressions;
the following operations are performed for each business rule:
analyzing the business rule;
converting the infix expression into an inverse wave form, and storing elements of the inverse wave form in an array;
looping through the following for each feature vector until the last data is popped from the stack and this data is treated as a result of processing the feature vector using the business rules: obtaining an element from the data group, if the element is a variable, finding the value of the variable from the characteristic vector, pressing the value into a stack, if the element is a constant, pressing the constant into the stack, if the element is an operator, popping up two operation data from the stack, carrying out operation corresponding to the operator on the two operation data, and pressing the result obtained by operation into the stack.
The invention provides a realization system of a deep threat identification real-time engine, which comprises the following steps:
the analysis module is used for analyzing a business rule, wherein the business rule is a infix expression;
the conversion module is used for converting the infix expression into an inverse wave blue form and storing elements of the inverse wave blue form in an array;
the receiving module is used for receiving the feature vector to be processed;
a processing module that loops the following for the feature vector until the last data is popped from the stack and this data is taken as the result of the processing of the feature vector: obtaining an element from the data group, if the element is a variable, finding the value of the variable from the characteristic vector, pressing the value into a stack, if the element is a constant, pressing the constant into the stack, if the element is an operator, popping up two operation data from the stack, carrying out operation corresponding to the operator on the two operation data, and pressing the result obtained by operation into the stack.
The invention provides another implementation system of a deep threat identification real-time engine, which comprises:
the analysis module is used for analyzing a business rule, wherein the business rule is a infix expression;
the conversion module is used for converting the infix expression into an inverse wave blue form and storing elements of the inverse wave blue form in an array;
the receiving module is used for receiving N eigenvectors to be processed, wherein N is an integer larger than 1;
a processing module for performing the following for each feature vector loop until the last data is popped from the stack and this data is taken as the result of the processing of the feature vector: obtaining an element from the data group, if the element is a variable, finding the value of the variable from the characteristic vector, pressing the value into a stack, if the element is a constant, pressing the constant into the stack, if the element is an operator, popping up two operation data from the stack, carrying out operation corresponding to the operator on the two operation data, and pressing the result obtained by operation into the stack.
The invention provides another implementation system of a deep threat identification real-time engine, which comprises:
the system comprises a feature vector receiving module, a feature vector processing module and a feature vector processing module, wherein the feature vector receiving module is used for receiving N feature vectors to be processed, and N is an integer greater than 1;
the rule receiving module is used for receiving M business rules, wherein M is an integer greater than or equal to 1; the business rule is a infix expression;
the analysis module is used for analyzing the business rule;
the conversion module is used for converting the infix expression into an inverse wave blue form and storing elements of the inverse wave blue form in an array;
a processing module for performing the following for each feature vector loop until the last data is popped from the stack and this data is taken as the result of the processing of the feature vector: obtaining an element from the data group, if the element is a variable, finding the value of the variable from the characteristic vector, pressing the value into a stack, if the element is a constant, pressing the constant into the stack, if the element is an operator, popping up two operation data from the stack, carrying out operation corresponding to the operator on the two operation data, and pressing the result obtained by operation into the stack.
The invention can improve the processing efficiency of the rule engine, is particularly suitable for scenes that the feature vectors to be processed are large-scale data, and can further improve the processing efficiency by only analyzing the business rules once when the same business rule is used for processing a plurality of feature vectors. The invention is typically suitable for identification of dangerous users, and the characteristic vector in the invention typically refers to a behavior characteristic vector of a user IP.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate an embodiment of the invention and, together with the description, serve to explain the invention and not to limit the invention. In the drawings:
FIG. 1 is a flow diagram of a method for implementing a deep threat identification real-time engine in accordance with an embodiment;
FIG. 2 is a block diagram of a system for implementing a deep threat identification real-time engine in accordance with one embodiment;
FIG. 3 is a flowchart of a method for implementing the deep threat identification real-time engine according to the second embodiment;
FIG. 4 is a flowchart of a method for implementing a deep threat identification real-time engine according to a third embodiment;
FIG. 5 is a flowchart of a method for implementing a deep threat identification real-time engine according to a fourth embodiment;
FIG. 6 is a block diagram of an implementation system of a deep threat identification real-time engine according to a fourth embodiment;
FIG. 7 is a flowchart of an implementation method of a deep threat identification real-time engine according to the fifth embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention. It should be noted that, in the embodiments and examples of the present application, the feature vectors may be arbitrarily combined with each other without conflict.
The invention is typically suitable for identification of dangerous users, and the characteristic vector in the invention typically refers to a behavior characteristic vector of a user IP.
Example one
In an application scenario applicable to processing a feature vector using a default business rule, as shown in fig. 1, a method for implementing a deep threat identification real-time engine includes:
step 101, analyzing a service rule, wherein the service rule is a infix expression;
102, converting the infix expression into a reverse wave form, and storing elements of the reverse wave form in an array;
step 103, receiving a feature vector to be processed;
step 104, the following is executed in a loop for the feature vector until the last data is popped from the stack and taken as the processing result of the feature vector: obtaining an element from the data group, if the element is a variable, finding the value of the variable from the characteristic vector, pressing the value into a stack, if the element is a constant, pressing the constant into the stack, if the element is an operator, popping up two operation data from the stack, carrying out operation corresponding to the operator on the two operation data, and pressing the result obtained by operation into the stack.
As shown in fig. 2, a system for implementing a deep threat identification real-time engine in a first embodiment includes:
the analysis module is used for analyzing the business rule, and the business rule is a infix expression;
the conversion module is used for converting the infix expression into a reverse wave form and storing elements of the reverse wave form in an array;
the receiving module is used for receiving the feature vector to be processed;
the processing module circularly executes the following contents aiming at the feature vector until the last data is popped from the stack and the data is taken as the processing result of the feature vector: obtaining an element from the data group, if the element is a variable, finding the value of the variable from the characteristic vector, pressing the value into a stack, if the element is a constant, pressing the constant into the stack, if the element is an operator, popping up two operation data from the stack, carrying out operation corresponding to the operator on the two operation data, and pressing the result obtained by operation into the stack.
In the first embodiment, an inverse wave form of a data structure more suitable for a computer language than the infix expression is used, so that the data processing efficiency can be improved.
Example two
The second embodiment is applicable to an application scenario in which a plurality of feature vectors are processed by using a default business rule, as shown in fig. 3, an implementation method of a deep threat identification real-time engine includes:
step 301, analyzing a service rule, wherein the service rule is a infix expression;
step 302, converting the infix expression into an inverse wave form, and storing elements of the inverse wave form in an array;
step 303, receiving N eigenvectors to be processed, where N is an integer greater than 1;
step 304, the following is performed for each feature vector loop until the last data is popped from the stack and this data is taken as the result of the processing of the feature vector: obtaining an element from the data group, if the element is a variable, finding the value of the variable from the characteristic vector, pressing the value into a stack, if the element is a constant, pressing the constant into the stack, if the element is an operator, popping up two operation data from the stack, carrying out operation corresponding to the operator on the two operation data, and pressing the result obtained by operation into the stack.
The structure of the implementation system of the deep threat identification real-time engine in the second embodiment is the same as that in the first embodiment, and the implementation system comprises:
the analysis module is used for analyzing the business rule, and the business rule is a infix expression;
the conversion module is used for converting the infix expression into a reverse wave form and storing elements of the reverse wave form in an array;
the receiving module is used for receiving N eigenvectors to be processed, wherein N is an integer larger than 1;
a processing module for performing the following for each feature vector loop until the last data is popped from the stack and this data is taken as the result of the processing of the feature vector: obtaining an element from the data group, if the element is a variable, finding the value of the variable from the characteristic vector, pressing the value into a stack, if the element is a constant, pressing the constant into the stack, if the element is an operator, popping up two operation data from the stack, carrying out operation corresponding to the operator on the two operation data, and pressing the result obtained by operation into the stack.
EXAMPLE III
The third embodiment is also applicable to an application scenario in which a plurality of feature vectors are processed by using a default business rule, as shown in fig. 4, the implementation method of the deep threat identification real-time engine includes:
step 401, receiving N eigenvectors to be processed, where N is an integer greater than 1;
step 402, analyzing a business rule, wherein the business rule is a infix expression;
step 403, converting the infix expression into an inverse wave form, and storing elements of the inverse wave form in an array;
step 404, for each feature vector, loop through the following until the last data is popped from the stack and this data is treated as the result of the processing of the feature vector: obtaining an element from the data group, if the element is a variable, finding the value of the variable from the characteristic vector, pressing the value into a stack, if the element is a constant, pressing the constant into the stack, if the element is an operator, popping up two operation data from the stack, carrying out operation corresponding to the operator on the two operation data, and pressing the result obtained by operation into the stack.
The implementation system of the deep threat identification real-time engine in the third embodiment is the same as that in the second embodiment.
In the second and third embodiments, when processing a plurality of feature vectors, the same service rule is only analyzed once, which greatly reduces redundant processing and improves processing efficiency compared with the prior art in which a service rule is analyzed once when processing a feature vector.
Example four
In the fourth embodiment, the application scenario that a specific business rule is used to process multiple feature vectors is shown in fig. 5, and the implementation method of the deep threat identification real-time engine includes:
step 501, receiving N eigenvectors to be processed and a service rule, wherein N is an integer greater than 1, and the service rule is a infix expression;
step 502, analyzing a business rule;
step 503, converting the infix expression into an inverse wave form, and storing elements of the inverse wave form in an array;
step 504, for each feature vector, loop through the following until the last data is popped from the stack and this data is taken as the result of the processing of the feature vector: obtaining an element from the data group, if the element is a variable, finding the value of the variable from the characteristic vector, pressing the value into a stack, if the element is a constant, pressing the constant into the stack, if the element is an operator, popping up two operation data from the stack, carrying out operation corresponding to the operator on the two operation data, and pressing the result obtained by operation into the stack.
As shown in fig. 6, the system for implementing the deep threat identification real-time engine in the fourth embodiment includes:
the system comprises a feature vector receiving module, a feature vector processing module and a feature vector processing module, wherein the feature vector receiving module is used for receiving N feature vectors to be processed, and N is an integer greater than 1;
the rule receiving module is used for receiving M business rules, wherein M is 1; the business rule is a infix expression;
the analysis module is used for analyzing the business rules;
the conversion module is used for converting the infix expression into a reverse wave form and storing elements of the reverse wave form in an array;
a processing module for performing the following for each feature vector loop until the last data is popped from the stack and this data is taken as the result of the processing of the feature vector: obtaining an element from the data group, if the element is a variable, finding the value of the variable from the characteristic vector, pressing the value into a stack, if the element is a constant, pressing the constant into the stack, if the element is an operator, popping up two operation data from the stack, carrying out operation corresponding to the operator on the two operation data, and pressing the result obtained by operation into the stack.
EXAMPLE five
The fifth embodiment is applicable to an application scenario in which a plurality of feature vectors are processed by using a plurality of specified business rules, and as shown in fig. 7, the implementation method of the deep threat identification real-time engine includes:
step 701, receiving N eigenvectors and M service rules to be processed, wherein both N and M are integers greater than 1, and the service rule is a infix expression;
step 702, for each business rule, performing the following operations:
analyzing the business rules;
converting the infix expression into a reverse wave form, and storing elements of the reverse wave form in an array;
the following is performed for each feature vector loop until the last data is popped from the stack and this data is taken as the result of the processing of the feature vector using the business rules: obtaining an element from the data group, if the element is a variable, finding the value of the variable from the characteristic vector, pressing the value into a stack, if the element is a constant, pressing the constant into the stack, if the element is an operator, popping up two operation data from the stack, carrying out operation corresponding to the operator on the two operation data, and pressing the result obtained by operation into the stack.
The structure of the implementation system of the deep threat identification real-time engine in the fifth embodiment is the same as that in the fourth embodiment, and includes:
the system comprises a feature vector receiving module, a feature vector processing module and a feature vector processing module, wherein the feature vector receiving module is used for receiving N feature vectors to be processed, and N is an integer greater than 1;
the rule receiving module is used for receiving M business rules, wherein M is an integer larger than 1; the business rule is a infix expression;
the analysis module is used for analyzing each business rule;
the conversion module is used for converting the infix expression into a reverse wave form and storing elements of the reverse wave form in an array;
a processing module for performing the following for each feature vector loop until the last data is popped from the stack and this data is taken as the result of processing the feature vector using the business rules: obtaining an element from the data group, if the element is a variable, finding the value of the variable from the characteristic vector, pressing the value into a stack, if the element is a constant, pressing the constant into the stack, if the element is an operator, popping up two operation data from the stack, carrying out operation corresponding to the operator on the two operation data, and pressing the result obtained by operation into the stack.
The method is described in detail below by means of specific examples.
DETAILED DESCRIPTION OF EMBODIMENT (S) OF INVENTION
The business rule is as follows:
clientIP.pv>100 and clientIP.pv>domain.pv*2 and(clientIP.uriStaticCount/clientIP.pv<0.4 or clientIP.requestPath.uniq<domain.requestPath.uniq)
converting the business rule into an inverse wave form, and storing the business rule into an array, wherein the array is as follows:
[clientIP.pv,100.0,>,clientIP.pv,domain.pv,2.0,*,>,and,clientIP.uriStaticCount,clientIP.pv,/,0.4,<,clientIP.requestPath.uniq,domain.requestPath.uniq,<,or,and]
the user feature vector is:
{"domain.pv":1.3461538461538463,"clientIP.pv":120.0,"clientIP.uriStaticCount":0.0,"clientIP.requestPath.most":0.175,"clientIP.requestPath.uniq":100.0,"clientIP.requestPath.mrr":0.2857142857142857,"clientIP":"220.8.2.1"}
the rules engine calculation process is shown in the following table:
the above-described aspects may be implemented individually or in various combinations, and such variations are within the scope of the present invention.
It will be understood by those skilled in the art that all or part of the steps of the above methods may be implemented by instructing the relevant hardware through a program, and the program may be stored in a computer readable storage medium, such as a read-only memory, a magnetic or optical disk, and the like. Alternatively, all or part of the steps of the foregoing embodiments may also be implemented by using one or more integrated circuits, and accordingly, each module/unit in the foregoing embodiments may be implemented in the form of hardware, and may also be implemented in the form of a software functional module. The present invention is not limited to any specific form of combination of hardware and software.
It is to be noted that, in this document, the terms "comprises", "comprising" or any other variation thereof are intended to cover a non-exclusive inclusion, so that an article or apparatus including a series of elements includes not only those elements but also other elements not explicitly listed or inherent to such article or apparatus. Without further limitation, an element defined by the phrase "comprising … …" does not exclude the presence of additional like elements in the article or device comprising the element.
The above embodiments are merely to illustrate the technical solutions of the present invention and not to limit the present invention, and the present invention has been described in detail with reference to the preferred embodiments. It will be understood by those skilled in the art that various modifications and equivalent arrangements may be made without departing from the spirit and scope of the present invention and it should be understood that the present invention is to be covered by the appended claims.
Claims (8)
1. A method for implementing a deep threat identification real-time engine is characterized by comprising the following steps:
analyzing a business rule, wherein the business rule is a infix expression;
converting the infix expression into an inverse wave form, and storing elements of the inverse wave form in an array;
receiving a behavior feature vector of a user IP to be processed, and circularly executing the following contents aiming at the feature vector until the last data is popped from a stack and taking the data as a processing result of the feature vector: obtaining an element from the data group, if the element is a variable, finding the value of the variable from the characteristic vector, pressing the value into a stack, if the element is a constant, pressing the constant into the stack, if the element is an operator, popping up two operation data from the stack, performing operation corresponding to the operator on the two operation data, and pressing the result obtained by operation into the stack;
and judging whether a user has a threat behavior or not through the business rule.
2. A method for implementing a deep threat identification real-time engine is characterized by comprising the following steps:
analyzing a business rule, wherein the business rule is a infix expression;
converting the infix expression into an inverse wave form, and storing elements of the inverse wave form in an array;
receiving behavior characteristic vectors of N user IPs to be processed, wherein N is an integer greater than 1;
the following is performed for each feature vector loop until the last data is popped from the stack and this data is taken as the result of the processing of the feature vector: obtaining an element from the data group, if the element is a variable, finding the value of the variable from the characteristic vector, pressing the value into a stack, if the element is a constant, pressing the constant into the stack, if the element is an operator, popping up two operation data from the stack, performing operation corresponding to the operator on the two operation data, and pressing the result obtained by operation into the stack;
and judging whether a user has a threat behavior or not through the business rule.
3. A method for implementing a deep threat identification real-time engine is characterized by comprising the following steps:
receiving behavior characteristic vectors of N user IPs to be processed, wherein N is an integer greater than 1;
analyzing a business rule, wherein the business rule is a infix expression;
converting the infix expression into an inverse wave form, and storing elements of the inverse wave form in an array;
the following is performed for each feature vector loop until the last data is popped from the stack and this data is taken as the result of the processing of the feature vector: obtaining an element from the data group, if the element is a variable, finding the value of the variable from the characteristic vector, pressing the value into a stack, if the element is a constant, pressing the constant into the stack, if the element is an operator, popping up two operation data from the stack, performing operation corresponding to the operator on the two operation data, and pressing the result obtained by operation into the stack;
and judging whether a user has a threat behavior or not through the business rule.
4. A method for implementing a deep threat identification real-time engine is characterized by comprising the following steps:
receiving behavior characteristic vectors of N user IPs to be processed and a service rule, wherein N is an integer greater than 1, and the service rule is a infix expression;
analyzing the business rule;
converting the infix expression into an inverse wave form, and storing elements of the inverse wave form in an array;
the following is performed for each feature vector loop until the last data is popped from the stack and this data is taken as the result of the processing of the feature vector: obtaining an element from the data group, if the element is a variable, finding the value of the variable from the characteristic vector, pressing the value into a stack, if the element is a constant, pressing the constant into the stack, if the element is an operator, popping up two operation data from the stack, performing operation corresponding to the operator on the two operation data, and pressing the result obtained by operation into the stack;
and judging whether a user has a threat behavior or not through the business rule.
5. A method for implementing a deep threat identification real-time engine is characterized by comprising the following steps:
receiving behavior characteristic vectors of N user IPs to be processed and M service rules, wherein both N and M are integers larger than 1, and the service rules are a affix expression;
the following operations are performed for each business rule:
analyzing the business rule;
converting the infix expression into an inverse wave form, and storing elements of the inverse wave form in an array;
looping through the following for each feature vector until the last data is popped from the stack and this data is treated as a result of processing the feature vector using the business rules: obtaining an element from the data group, if the element is a variable, finding the value of the variable from the characteristic vector, pressing the value into a stack, if the element is a constant, pressing the constant into the stack, if the element is an operator, popping up two operation data from the stack, performing operation corresponding to the operator on the two operation data, and pressing the result obtained by operation into the stack;
and judging whether a user has a threat behavior or not through the business rule.
6. A system for implementing a deep threat identification real-time engine, comprising:
the analysis module is used for analyzing a business rule, wherein the business rule is a infix expression;
the conversion module is used for converting the infix expression into an inverse wave blue form and storing elements of the inverse wave blue form in an array;
the receiving module is used for receiving the behavior characteristic vector of the user IP to be processed;
a processing module that loops the following for the feature vector until the last data is popped from the stack and this data is taken as the result of the processing of the feature vector: obtaining an element from the data group, if the element is a variable, finding the value of the variable from the characteristic vector, pressing the value into a stack, if the element is a constant, pressing the constant into the stack, if the element is an operator, popping up two operation data from the stack, performing operation corresponding to the operator on the two operation data, and pressing the result obtained by operation into the stack;
and judging whether a user has a threat behavior or not through the business rule.
7. A system for implementing a deep threat identification real-time engine, comprising:
the analysis module is used for analyzing a business rule, wherein the business rule is a infix expression;
the conversion module is used for converting the infix expression into an inverse wave blue form and storing elements of the inverse wave blue form in an array;
the receiving module is used for receiving behavior characteristic vectors of N user IPs to be processed, wherein N is an integer greater than 1;
a processing module for performing the following for each feature vector loop until the last data is popped from the stack and this data is taken as the result of the processing of the feature vector: obtaining an element from the data group, if the element is a variable, finding the value of the variable from the characteristic vector, pressing the value into a stack, if the element is a constant, pressing the constant into the stack, if the element is an operator, popping up two operation data from the stack, performing operation corresponding to the operator on the two operation data, and pressing the result obtained by operation into the stack;
and judging whether a user has a threat behavior or not through the business rule.
8. A system for implementing a deep threat identification real-time engine, comprising:
the characteristic vector receiving module is used for receiving behavior characteristic vectors of N user IPs to be processed, wherein N is an integer greater than 1;
the rule receiving module is used for receiving M business rules, wherein M is an integer greater than or equal to 1; the business rule is a infix expression;
the analysis module is used for analyzing the business rule;
the conversion module is used for converting the infix expression into an inverse wave blue form and storing elements of the inverse wave blue form in an array;
a processing module for performing the following for each feature vector loop until the last data is popped from the stack and this data is taken as the result of the processing of the feature vector: obtaining an element from the data group, if the element is a variable, finding the value of the variable from the characteristic vector, pressing the value into a stack, if the element is a constant, pressing the constant into the stack, if the element is an operator, popping up two operation data from the stack, performing operation corresponding to the operator on the two operation data, and pressing the result obtained by operation into the stack;
and judging whether a user has a threat behavior or not through the business rule.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810772887.4A CN110489965B (en) | 2018-07-14 | 2018-07-14 | Implementation method and system of deep threat recognition real-time engine |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810772887.4A CN110489965B (en) | 2018-07-14 | 2018-07-14 | Implementation method and system of deep threat recognition real-time engine |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110489965A CN110489965A (en) | 2019-11-22 |
CN110489965B true CN110489965B (en) | 2022-01-28 |
Family
ID=68545383
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810772887.4A Active CN110489965B (en) | 2018-07-14 | 2018-07-14 | Implementation method and system of deep threat recognition real-time engine |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110489965B (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111460815B (en) * | 2020-03-16 | 2022-04-01 | 平安科技(深圳)有限公司 | Rule processing method, apparatus, medium, and electronic device |
CN112835926A (en) * | 2021-02-09 | 2021-05-25 | 深圳市极致科技股份有限公司 | Formula engine development method and device, electronic equipment and storage medium |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103259793A (en) * | 2013-05-02 | 2013-08-21 | 东北大学 | Method for inspecting deep packets based on suffix automaton regular engine structure |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107645403B (en) * | 2016-07-22 | 2020-07-03 | 阿里巴巴集团控股有限公司 | Terminal rule engine device and terminal rule operation method |
-
2018
- 2018-07-14 CN CN201810772887.4A patent/CN110489965B/en active Active
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103259793A (en) * | 2013-05-02 | 2013-08-21 | 东北大学 | Method for inspecting deep packets based on suffix automaton regular engine structure |
Non-Patent Citations (1)
Title |
---|
中缀式到逆波兰式的转换及求值;敬茂华 等;《实用第一智慧密集》;20100731;第14-16页 * |
Also Published As
Publication number | Publication date |
---|---|
CN110489965A (en) | 2019-11-22 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10216848B2 (en) | Method and system for recommending cloud websites based on terminal access statistics | |
JP5611852B2 (en) | Public information privacy protection device, public information privacy protection method and program | |
CN107563201B (en) | Associated sample searching method and device based on machine learning and server | |
CN109710402A (en) | Method, apparatus, computer equipment and the storage medium of process resource acquisition request | |
WO2014036936A1 (en) | Systems and methods for software upgrade recommendation | |
CN110489965B (en) | Implementation method and system of deep threat recognition real-time engine | |
WO2015027932A1 (en) | Multi-dimensional decomposition computing method and system | |
JP2017532655A (en) | Compress cascading style sheet files | |
CN107577943B (en) | Sample prediction method and device based on machine learning and server | |
CN114598597B (en) | Multisource log analysis method, multisource log analysis device, computer equipment and medium | |
CN105790967B (en) | Network log processing method and device | |
CN110413840B (en) | Neural network for constructing video determination label and training method thereof | |
Cavagnero et al. | Pem: Prototype-based efficient maskformer for image segmentation | |
CN107741850B (en) | Method and device for generating dynamic wallpaper package and storage medium | |
US10114951B2 (en) | Virus signature matching method and apparatus | |
CN112506636A (en) | Distributed task scheduling method and device based on directed acyclic graph and storage medium | |
CN115455425B (en) | Protection patch generation method, system, equipment and storage medium | |
CN112287396B (en) | Data processing method and device based on privacy protection | |
CN105260405B (en) | A kind of web crawlers method and device | |
US10915594B2 (en) | Associating documents with application programming interfaces | |
CN110704026A (en) | Calling method and device of software development kit, terminal and readable medium | |
CN110493167B (en) | Implementation method and system of high-efficiency deep threat recognition engine | |
CN111144086B (en) | Log formatting method and device, electronic equipment and storage medium | |
CN111026554B (en) | XenServer system physical memory analysis method and system | |
CN112765433B (en) | Text keyword scanning method, device, equipment and computer readable storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |