CN110489965B - Implementation method and system of deep threat recognition real-time engine - Google Patents

Implementation method and system of deep threat recognition real-time engine Download PDF

Info

Publication number
CN110489965B
CN110489965B CN201810772887.4A CN201810772887A CN110489965B CN 110489965 B CN110489965 B CN 110489965B CN 201810772887 A CN201810772887 A CN 201810772887A CN 110489965 B CN110489965 B CN 110489965B
Authority
CN
China
Prior art keywords
stack
data
pressing
feature vector
business rule
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810772887.4A
Other languages
Chinese (zh)
Other versions
CN110489965A (en
Inventor
汪海
丛磊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Shuan Xinyun Information Technology Co ltd
Original Assignee
Beijing Shuan Xinyun Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Shuan Xinyun Information Technology Co ltd filed Critical Beijing Shuan Xinyun Information Technology Co ltd
Priority to CN201810772887.4A priority Critical patent/CN110489965B/en
Publication of CN110489965A publication Critical patent/CN110489965A/en
Application granted granted Critical
Publication of CN110489965B publication Critical patent/CN110489965B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/552Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a method and a system for realizing a real-time engine for deep threat identification, wherein the method comprises the following steps: analyzing a business rule, wherein the business rule is a infix expression; converting the infix expression into an inverse wave form, and storing elements of the inverse wave form in an array; receiving a feature vector to be processed, and executing the following for the feature vector in a circulating way until the last data is popped from a stack and the data is taken as a processing result of the feature vector: obtaining an element from the data group, if the element is a variable, finding the value of the variable from the characteristic vector, pressing the value into a stack, if the element is a constant, pressing the constant into the stack, if the element is an operator, popping up two operation data from the stack, carrying out operation corresponding to the operator on the two operation data, and pressing the result obtained by operation into the stack. The invention can improve the processing efficiency of the rule engine.

Description

Implementation method and system of deep threat recognition real-time engine
Technical Field
The invention relates to the technical field of internet, in particular to a method and a system for realizing a deep threat recognition real-time engine.
Background
Deep threat identification system-real time engine (advanced threat detection-real time engine, Atd-rte for short)
The main work of the Atd-rt has two aspects, the first is feature vector calculation, which mainly calculates a feature vector according to an input log, and the feature vector is generally a user feature vector. The second is a rule engine, which judges whether a client (which can be identified by an IP address) has a threat behavior through a business rule.
For example, a feature vector for an ip is as follows:
{"domain.pv":1.3461538461538463,"clientIP.pv":120.0,"clientIP.uriStaticCount":0.0,"clientIP.requestPath.most":0.175,"clientIP.requestPath.uniq":100.0,"clientIP.requestPath.mrr":0.2857142857142857,"clientIP.requestPath.mstr":"/hehetest","clientIP":"220.8.2.1"}
the business rules are as follows:
clientIP.pv>100 and clientIP.pv>domain.pv*2 and(clientIP.uriStaticCount/clientIP.pv<0.4orclientIP.requestPath.uniq<domain.requestPath.uniq)
and judging whether the ip executes dangerous behaviors or not through the rule engine according to the business rule and the feature vector of the ip.
Existing rules engines use the following methods for processing: analyzing the service rule, replacing the variable in the service rule with a specific value corresponding to the variable in the IP characteristic vector to obtain a infix expression without the variable, calculating the value of the infix expression, and taking the value of the infix expression obtained through calculation as a calculation result.
The above calculation method using the infix expression needs to consume a large amount of calculation, and particularly, when there are many business rules and the IP feature vector to be processed is large data, how to improve the processing efficiency of the rule engine is a technical problem to be solved.
Disclosure of Invention
In order to solve the technical problem, the invention provides a method and a system for realizing a deep threat identification real-time engine.
The invention provides a method for realizing a deep threat identification real-time engine, which comprises the following steps:
analyzing a business rule, wherein the business rule is a infix expression;
converting the infix expression into an inverse wave form, and storing elements of the inverse wave form in an array;
receiving a feature vector to be processed, and executing the following for the feature vector in a circulating way until the last data is popped from a stack and the data is taken as a processing result of the feature vector: obtaining an element from the data group, if the element is a variable, finding the value of the variable from the characteristic vector, pressing the value into a stack, if the element is a constant, pressing the constant into the stack, if the element is an operator, popping up two operation data from the stack, carrying out operation corresponding to the operator on the two operation data, and pressing the result obtained by operation into the stack.
The invention provides another implementation method of a deep threat identification real-time engine, which comprises the following steps:
analyzing a business rule, wherein the business rule is a infix expression;
converting the infix expression into an inverse wave form, and storing elements of the inverse wave form in an array;
receiving N eigenvectors to be processed, wherein N is an integer greater than 1;
the following is performed for each feature vector loop until the last data is popped from the stack and this data is taken as the result of the processing of the feature vector: obtaining an element from the data group, if the element is a variable, finding the value of the variable from the characteristic vector, pressing the value into a stack, if the element is a constant, pressing the constant into the stack, if the element is an operator, popping up two operation data from the stack, carrying out operation corresponding to the operator on the two operation data, and pressing the result obtained by operation into the stack.
The invention provides another implementation method of a deep threat identification real-time engine, which comprises the following steps:
receiving N eigenvectors to be processed, wherein N is an integer greater than 1;
analyzing a business rule, wherein the business rule is a infix expression;
converting the infix expression into an inverse wave form, and storing elements of the inverse wave form in an array;
the following is performed for each feature vector loop until the last data is popped from the stack and this data is taken as the result of the processing of the feature vector: obtaining an element from the data group, if the element is a variable, finding the value of the variable from the characteristic vector, pressing the value into a stack, if the element is a constant, pressing the constant into the stack, if the element is an operator, popping up two operation data from the stack, carrying out operation corresponding to the operator on the two operation data, and pressing the result obtained by operation into the stack.
The invention provides another implementation method of a deep threat identification real-time engine, which comprises the following steps:
receiving N eigenvectors to be processed and a service rule, wherein N is an integer greater than 1, and the service rule is a infix expression;
analyzing the business rule;
converting the infix expression into an inverse wave form, and storing elements of the inverse wave form in an array;
the following is performed for each feature vector loop until the last data is popped from the stack and this data is taken as the result of the processing of the feature vector: obtaining an element from the data group, if the element is a variable, finding the value of the variable from the characteristic vector, pressing the value into a stack, if the element is a constant, pressing the constant into the stack, if the element is an operator, popping up two operation data from the stack, carrying out operation corresponding to the operator on the two operation data, and pressing the result obtained by operation into the stack.
The invention provides another implementation method of a deep threat identification real-time engine, which comprises the following steps:
receiving N eigenvectors to be processed and M service rules, wherein both N and M are integers larger than 1, and the service rules are infix expressions;
the following operations are performed for each business rule:
analyzing the business rule;
converting the infix expression into an inverse wave form, and storing elements of the inverse wave form in an array;
looping through the following for each feature vector until the last data is popped from the stack and this data is treated as a result of processing the feature vector using the business rules: obtaining an element from the data group, if the element is a variable, finding the value of the variable from the characteristic vector, pressing the value into a stack, if the element is a constant, pressing the constant into the stack, if the element is an operator, popping up two operation data from the stack, carrying out operation corresponding to the operator on the two operation data, and pressing the result obtained by operation into the stack.
The invention provides a realization system of a deep threat identification real-time engine, which comprises the following steps:
the analysis module is used for analyzing a business rule, wherein the business rule is a infix expression;
the conversion module is used for converting the infix expression into an inverse wave blue form and storing elements of the inverse wave blue form in an array;
the receiving module is used for receiving the feature vector to be processed;
a processing module that loops the following for the feature vector until the last data is popped from the stack and this data is taken as the result of the processing of the feature vector: obtaining an element from the data group, if the element is a variable, finding the value of the variable from the characteristic vector, pressing the value into a stack, if the element is a constant, pressing the constant into the stack, if the element is an operator, popping up two operation data from the stack, carrying out operation corresponding to the operator on the two operation data, and pressing the result obtained by operation into the stack.
The invention provides another implementation system of a deep threat identification real-time engine, which comprises:
the analysis module is used for analyzing a business rule, wherein the business rule is a infix expression;
the conversion module is used for converting the infix expression into an inverse wave blue form and storing elements of the inverse wave blue form in an array;
the receiving module is used for receiving N eigenvectors to be processed, wherein N is an integer larger than 1;
a processing module for performing the following for each feature vector loop until the last data is popped from the stack and this data is taken as the result of the processing of the feature vector: obtaining an element from the data group, if the element is a variable, finding the value of the variable from the characteristic vector, pressing the value into a stack, if the element is a constant, pressing the constant into the stack, if the element is an operator, popping up two operation data from the stack, carrying out operation corresponding to the operator on the two operation data, and pressing the result obtained by operation into the stack.
The invention provides another implementation system of a deep threat identification real-time engine, which comprises:
the system comprises a feature vector receiving module, a feature vector processing module and a feature vector processing module, wherein the feature vector receiving module is used for receiving N feature vectors to be processed, and N is an integer greater than 1;
the rule receiving module is used for receiving M business rules, wherein M is an integer greater than or equal to 1; the business rule is a infix expression;
the analysis module is used for analyzing the business rule;
the conversion module is used for converting the infix expression into an inverse wave blue form and storing elements of the inverse wave blue form in an array;
a processing module for performing the following for each feature vector loop until the last data is popped from the stack and this data is taken as the result of the processing of the feature vector: obtaining an element from the data group, if the element is a variable, finding the value of the variable from the characteristic vector, pressing the value into a stack, if the element is a constant, pressing the constant into the stack, if the element is an operator, popping up two operation data from the stack, carrying out operation corresponding to the operator on the two operation data, and pressing the result obtained by operation into the stack.
The invention can improve the processing efficiency of the rule engine, is particularly suitable for scenes that the feature vectors to be processed are large-scale data, and can further improve the processing efficiency by only analyzing the business rules once when the same business rule is used for processing a plurality of feature vectors. The invention is typically suitable for identification of dangerous users, and the characteristic vector in the invention typically refers to a behavior characteristic vector of a user IP.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate an embodiment of the invention and, together with the description, serve to explain the invention and not to limit the invention. In the drawings:
FIG. 1 is a flow diagram of a method for implementing a deep threat identification real-time engine in accordance with an embodiment;
FIG. 2 is a block diagram of a system for implementing a deep threat identification real-time engine in accordance with one embodiment;
FIG. 3 is a flowchart of a method for implementing the deep threat identification real-time engine according to the second embodiment;
FIG. 4 is a flowchart of a method for implementing a deep threat identification real-time engine according to a third embodiment;
FIG. 5 is a flowchart of a method for implementing a deep threat identification real-time engine according to a fourth embodiment;
FIG. 6 is a block diagram of an implementation system of a deep threat identification real-time engine according to a fourth embodiment;
FIG. 7 is a flowchart of an implementation method of a deep threat identification real-time engine according to the fifth embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention. It should be noted that, in the embodiments and examples of the present application, the feature vectors may be arbitrarily combined with each other without conflict.
The invention is typically suitable for identification of dangerous users, and the characteristic vector in the invention typically refers to a behavior characteristic vector of a user IP.
Example one
In an application scenario applicable to processing a feature vector using a default business rule, as shown in fig. 1, a method for implementing a deep threat identification real-time engine includes:
step 101, analyzing a service rule, wherein the service rule is a infix expression;
102, converting the infix expression into a reverse wave form, and storing elements of the reverse wave form in an array;
step 103, receiving a feature vector to be processed;
step 104, the following is executed in a loop for the feature vector until the last data is popped from the stack and taken as the processing result of the feature vector: obtaining an element from the data group, if the element is a variable, finding the value of the variable from the characteristic vector, pressing the value into a stack, if the element is a constant, pressing the constant into the stack, if the element is an operator, popping up two operation data from the stack, carrying out operation corresponding to the operator on the two operation data, and pressing the result obtained by operation into the stack.
As shown in fig. 2, a system for implementing a deep threat identification real-time engine in a first embodiment includes:
the analysis module is used for analyzing the business rule, and the business rule is a infix expression;
the conversion module is used for converting the infix expression into a reverse wave form and storing elements of the reverse wave form in an array;
the receiving module is used for receiving the feature vector to be processed;
the processing module circularly executes the following contents aiming at the feature vector until the last data is popped from the stack and the data is taken as the processing result of the feature vector: obtaining an element from the data group, if the element is a variable, finding the value of the variable from the characteristic vector, pressing the value into a stack, if the element is a constant, pressing the constant into the stack, if the element is an operator, popping up two operation data from the stack, carrying out operation corresponding to the operator on the two operation data, and pressing the result obtained by operation into the stack.
In the first embodiment, an inverse wave form of a data structure more suitable for a computer language than the infix expression is used, so that the data processing efficiency can be improved.
Example two
The second embodiment is applicable to an application scenario in which a plurality of feature vectors are processed by using a default business rule, as shown in fig. 3, an implementation method of a deep threat identification real-time engine includes:
step 301, analyzing a service rule, wherein the service rule is a infix expression;
step 302, converting the infix expression into an inverse wave form, and storing elements of the inverse wave form in an array;
step 303, receiving N eigenvectors to be processed, where N is an integer greater than 1;
step 304, the following is performed for each feature vector loop until the last data is popped from the stack and this data is taken as the result of the processing of the feature vector: obtaining an element from the data group, if the element is a variable, finding the value of the variable from the characteristic vector, pressing the value into a stack, if the element is a constant, pressing the constant into the stack, if the element is an operator, popping up two operation data from the stack, carrying out operation corresponding to the operator on the two operation data, and pressing the result obtained by operation into the stack.
The structure of the implementation system of the deep threat identification real-time engine in the second embodiment is the same as that in the first embodiment, and the implementation system comprises:
the analysis module is used for analyzing the business rule, and the business rule is a infix expression;
the conversion module is used for converting the infix expression into a reverse wave form and storing elements of the reverse wave form in an array;
the receiving module is used for receiving N eigenvectors to be processed, wherein N is an integer larger than 1;
a processing module for performing the following for each feature vector loop until the last data is popped from the stack and this data is taken as the result of the processing of the feature vector: obtaining an element from the data group, if the element is a variable, finding the value of the variable from the characteristic vector, pressing the value into a stack, if the element is a constant, pressing the constant into the stack, if the element is an operator, popping up two operation data from the stack, carrying out operation corresponding to the operator on the two operation data, and pressing the result obtained by operation into the stack.
EXAMPLE III
The third embodiment is also applicable to an application scenario in which a plurality of feature vectors are processed by using a default business rule, as shown in fig. 4, the implementation method of the deep threat identification real-time engine includes:
step 401, receiving N eigenvectors to be processed, where N is an integer greater than 1;
step 402, analyzing a business rule, wherein the business rule is a infix expression;
step 403, converting the infix expression into an inverse wave form, and storing elements of the inverse wave form in an array;
step 404, for each feature vector, loop through the following until the last data is popped from the stack and this data is treated as the result of the processing of the feature vector: obtaining an element from the data group, if the element is a variable, finding the value of the variable from the characteristic vector, pressing the value into a stack, if the element is a constant, pressing the constant into the stack, if the element is an operator, popping up two operation data from the stack, carrying out operation corresponding to the operator on the two operation data, and pressing the result obtained by operation into the stack.
The implementation system of the deep threat identification real-time engine in the third embodiment is the same as that in the second embodiment.
In the second and third embodiments, when processing a plurality of feature vectors, the same service rule is only analyzed once, which greatly reduces redundant processing and improves processing efficiency compared with the prior art in which a service rule is analyzed once when processing a feature vector.
Example four
In the fourth embodiment, the application scenario that a specific business rule is used to process multiple feature vectors is shown in fig. 5, and the implementation method of the deep threat identification real-time engine includes:
step 501, receiving N eigenvectors to be processed and a service rule, wherein N is an integer greater than 1, and the service rule is a infix expression;
step 502, analyzing a business rule;
step 503, converting the infix expression into an inverse wave form, and storing elements of the inverse wave form in an array;
step 504, for each feature vector, loop through the following until the last data is popped from the stack and this data is taken as the result of the processing of the feature vector: obtaining an element from the data group, if the element is a variable, finding the value of the variable from the characteristic vector, pressing the value into a stack, if the element is a constant, pressing the constant into the stack, if the element is an operator, popping up two operation data from the stack, carrying out operation corresponding to the operator on the two operation data, and pressing the result obtained by operation into the stack.
As shown in fig. 6, the system for implementing the deep threat identification real-time engine in the fourth embodiment includes:
the system comprises a feature vector receiving module, a feature vector processing module and a feature vector processing module, wherein the feature vector receiving module is used for receiving N feature vectors to be processed, and N is an integer greater than 1;
the rule receiving module is used for receiving M business rules, wherein M is 1; the business rule is a infix expression;
the analysis module is used for analyzing the business rules;
the conversion module is used for converting the infix expression into a reverse wave form and storing elements of the reverse wave form in an array;
a processing module for performing the following for each feature vector loop until the last data is popped from the stack and this data is taken as the result of the processing of the feature vector: obtaining an element from the data group, if the element is a variable, finding the value of the variable from the characteristic vector, pressing the value into a stack, if the element is a constant, pressing the constant into the stack, if the element is an operator, popping up two operation data from the stack, carrying out operation corresponding to the operator on the two operation data, and pressing the result obtained by operation into the stack.
EXAMPLE five
The fifth embodiment is applicable to an application scenario in which a plurality of feature vectors are processed by using a plurality of specified business rules, and as shown in fig. 7, the implementation method of the deep threat identification real-time engine includes:
step 701, receiving N eigenvectors and M service rules to be processed, wherein both N and M are integers greater than 1, and the service rule is a infix expression;
step 702, for each business rule, performing the following operations:
analyzing the business rules;
converting the infix expression into a reverse wave form, and storing elements of the reverse wave form in an array;
the following is performed for each feature vector loop until the last data is popped from the stack and this data is taken as the result of the processing of the feature vector using the business rules: obtaining an element from the data group, if the element is a variable, finding the value of the variable from the characteristic vector, pressing the value into a stack, if the element is a constant, pressing the constant into the stack, if the element is an operator, popping up two operation data from the stack, carrying out operation corresponding to the operator on the two operation data, and pressing the result obtained by operation into the stack.
The structure of the implementation system of the deep threat identification real-time engine in the fifth embodiment is the same as that in the fourth embodiment, and includes:
the system comprises a feature vector receiving module, a feature vector processing module and a feature vector processing module, wherein the feature vector receiving module is used for receiving N feature vectors to be processed, and N is an integer greater than 1;
the rule receiving module is used for receiving M business rules, wherein M is an integer larger than 1; the business rule is a infix expression;
the analysis module is used for analyzing each business rule;
the conversion module is used for converting the infix expression into a reverse wave form and storing elements of the reverse wave form in an array;
a processing module for performing the following for each feature vector loop until the last data is popped from the stack and this data is taken as the result of processing the feature vector using the business rules: obtaining an element from the data group, if the element is a variable, finding the value of the variable from the characteristic vector, pressing the value into a stack, if the element is a constant, pressing the constant into the stack, if the element is an operator, popping up two operation data from the stack, carrying out operation corresponding to the operator on the two operation data, and pressing the result obtained by operation into the stack.
The method is described in detail below by means of specific examples.
DETAILED DESCRIPTION OF EMBODIMENT (S) OF INVENTION
The business rule is as follows:
clientIP.pv>100 and clientIP.pv>domain.pv*2 and(clientIP.uriStaticCount/clientIP.pv<0.4 or clientIP.requestPath.uniq<domain.requestPath.uniq)
converting the business rule into an inverse wave form, and storing the business rule into an array, wherein the array is as follows:
[clientIP.pv,100.0,>,clientIP.pv,domain.pv,2.0,*,>,and,clientIP.uriStaticCount,clientIP.pv,/,0.4,<,clientIP.requestPath.uniq,domain.requestPath.uniq,<,or,and]
the user feature vector is:
{"domain.pv":1.3461538461538463,"clientIP.pv":120.0,"clientIP.uriStaticCount":0.0,"clientIP.requestPath.most":0.175,"clientIP.requestPath.uniq":100.0,"clientIP.requestPath.mrr":0.2857142857142857,"clientIP":"220.8.2.1"}
the rules engine calculation process is shown in the following table:
Figure BDA0001730732320000121
Figure BDA0001730732320000131
the above-described aspects may be implemented individually or in various combinations, and such variations are within the scope of the present invention.
It will be understood by those skilled in the art that all or part of the steps of the above methods may be implemented by instructing the relevant hardware through a program, and the program may be stored in a computer readable storage medium, such as a read-only memory, a magnetic or optical disk, and the like. Alternatively, all or part of the steps of the foregoing embodiments may also be implemented by using one or more integrated circuits, and accordingly, each module/unit in the foregoing embodiments may be implemented in the form of hardware, and may also be implemented in the form of a software functional module. The present invention is not limited to any specific form of combination of hardware and software.
It is to be noted that, in this document, the terms "comprises", "comprising" or any other variation thereof are intended to cover a non-exclusive inclusion, so that an article or apparatus including a series of elements includes not only those elements but also other elements not explicitly listed or inherent to such article or apparatus. Without further limitation, an element defined by the phrase "comprising … …" does not exclude the presence of additional like elements in the article or device comprising the element.
The above embodiments are merely to illustrate the technical solutions of the present invention and not to limit the present invention, and the present invention has been described in detail with reference to the preferred embodiments. It will be understood by those skilled in the art that various modifications and equivalent arrangements may be made without departing from the spirit and scope of the present invention and it should be understood that the present invention is to be covered by the appended claims.

Claims (8)

1. A method for implementing a deep threat identification real-time engine is characterized by comprising the following steps:
analyzing a business rule, wherein the business rule is a infix expression;
converting the infix expression into an inverse wave form, and storing elements of the inverse wave form in an array;
receiving a behavior feature vector of a user IP to be processed, and circularly executing the following contents aiming at the feature vector until the last data is popped from a stack and taking the data as a processing result of the feature vector: obtaining an element from the data group, if the element is a variable, finding the value of the variable from the characteristic vector, pressing the value into a stack, if the element is a constant, pressing the constant into the stack, if the element is an operator, popping up two operation data from the stack, performing operation corresponding to the operator on the two operation data, and pressing the result obtained by operation into the stack;
and judging whether a user has a threat behavior or not through the business rule.
2. A method for implementing a deep threat identification real-time engine is characterized by comprising the following steps:
analyzing a business rule, wherein the business rule is a infix expression;
converting the infix expression into an inverse wave form, and storing elements of the inverse wave form in an array;
receiving behavior characteristic vectors of N user IPs to be processed, wherein N is an integer greater than 1;
the following is performed for each feature vector loop until the last data is popped from the stack and this data is taken as the result of the processing of the feature vector: obtaining an element from the data group, if the element is a variable, finding the value of the variable from the characteristic vector, pressing the value into a stack, if the element is a constant, pressing the constant into the stack, if the element is an operator, popping up two operation data from the stack, performing operation corresponding to the operator on the two operation data, and pressing the result obtained by operation into the stack;
and judging whether a user has a threat behavior or not through the business rule.
3. A method for implementing a deep threat identification real-time engine is characterized by comprising the following steps:
receiving behavior characteristic vectors of N user IPs to be processed, wherein N is an integer greater than 1;
analyzing a business rule, wherein the business rule is a infix expression;
converting the infix expression into an inverse wave form, and storing elements of the inverse wave form in an array;
the following is performed for each feature vector loop until the last data is popped from the stack and this data is taken as the result of the processing of the feature vector: obtaining an element from the data group, if the element is a variable, finding the value of the variable from the characteristic vector, pressing the value into a stack, if the element is a constant, pressing the constant into the stack, if the element is an operator, popping up two operation data from the stack, performing operation corresponding to the operator on the two operation data, and pressing the result obtained by operation into the stack;
and judging whether a user has a threat behavior or not through the business rule.
4. A method for implementing a deep threat identification real-time engine is characterized by comprising the following steps:
receiving behavior characteristic vectors of N user IPs to be processed and a service rule, wherein N is an integer greater than 1, and the service rule is a infix expression;
analyzing the business rule;
converting the infix expression into an inverse wave form, and storing elements of the inverse wave form in an array;
the following is performed for each feature vector loop until the last data is popped from the stack and this data is taken as the result of the processing of the feature vector: obtaining an element from the data group, if the element is a variable, finding the value of the variable from the characteristic vector, pressing the value into a stack, if the element is a constant, pressing the constant into the stack, if the element is an operator, popping up two operation data from the stack, performing operation corresponding to the operator on the two operation data, and pressing the result obtained by operation into the stack;
and judging whether a user has a threat behavior or not through the business rule.
5. A method for implementing a deep threat identification real-time engine is characterized by comprising the following steps:
receiving behavior characteristic vectors of N user IPs to be processed and M service rules, wherein both N and M are integers larger than 1, and the service rules are a affix expression;
the following operations are performed for each business rule:
analyzing the business rule;
converting the infix expression into an inverse wave form, and storing elements of the inverse wave form in an array;
looping through the following for each feature vector until the last data is popped from the stack and this data is treated as a result of processing the feature vector using the business rules: obtaining an element from the data group, if the element is a variable, finding the value of the variable from the characteristic vector, pressing the value into a stack, if the element is a constant, pressing the constant into the stack, if the element is an operator, popping up two operation data from the stack, performing operation corresponding to the operator on the two operation data, and pressing the result obtained by operation into the stack;
and judging whether a user has a threat behavior or not through the business rule.
6. A system for implementing a deep threat identification real-time engine, comprising:
the analysis module is used for analyzing a business rule, wherein the business rule is a infix expression;
the conversion module is used for converting the infix expression into an inverse wave blue form and storing elements of the inverse wave blue form in an array;
the receiving module is used for receiving the behavior characteristic vector of the user IP to be processed;
a processing module that loops the following for the feature vector until the last data is popped from the stack and this data is taken as the result of the processing of the feature vector: obtaining an element from the data group, if the element is a variable, finding the value of the variable from the characteristic vector, pressing the value into a stack, if the element is a constant, pressing the constant into the stack, if the element is an operator, popping up two operation data from the stack, performing operation corresponding to the operator on the two operation data, and pressing the result obtained by operation into the stack;
and judging whether a user has a threat behavior or not through the business rule.
7. A system for implementing a deep threat identification real-time engine, comprising:
the analysis module is used for analyzing a business rule, wherein the business rule is a infix expression;
the conversion module is used for converting the infix expression into an inverse wave blue form and storing elements of the inverse wave blue form in an array;
the receiving module is used for receiving behavior characteristic vectors of N user IPs to be processed, wherein N is an integer greater than 1;
a processing module for performing the following for each feature vector loop until the last data is popped from the stack and this data is taken as the result of the processing of the feature vector: obtaining an element from the data group, if the element is a variable, finding the value of the variable from the characteristic vector, pressing the value into a stack, if the element is a constant, pressing the constant into the stack, if the element is an operator, popping up two operation data from the stack, performing operation corresponding to the operator on the two operation data, and pressing the result obtained by operation into the stack;
and judging whether a user has a threat behavior or not through the business rule.
8. A system for implementing a deep threat identification real-time engine, comprising:
the characteristic vector receiving module is used for receiving behavior characteristic vectors of N user IPs to be processed, wherein N is an integer greater than 1;
the rule receiving module is used for receiving M business rules, wherein M is an integer greater than or equal to 1; the business rule is a infix expression;
the analysis module is used for analyzing the business rule;
the conversion module is used for converting the infix expression into an inverse wave blue form and storing elements of the inverse wave blue form in an array;
a processing module for performing the following for each feature vector loop until the last data is popped from the stack and this data is taken as the result of the processing of the feature vector: obtaining an element from the data group, if the element is a variable, finding the value of the variable from the characteristic vector, pressing the value into a stack, if the element is a constant, pressing the constant into the stack, if the element is an operator, popping up two operation data from the stack, performing operation corresponding to the operator on the two operation data, and pressing the result obtained by operation into the stack;
and judging whether a user has a threat behavior or not through the business rule.
CN201810772887.4A 2018-07-14 2018-07-14 Implementation method and system of deep threat recognition real-time engine Active CN110489965B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810772887.4A CN110489965B (en) 2018-07-14 2018-07-14 Implementation method and system of deep threat recognition real-time engine

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810772887.4A CN110489965B (en) 2018-07-14 2018-07-14 Implementation method and system of deep threat recognition real-time engine

Publications (2)

Publication Number Publication Date
CN110489965A CN110489965A (en) 2019-11-22
CN110489965B true CN110489965B (en) 2022-01-28

Family

ID=68545383

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810772887.4A Active CN110489965B (en) 2018-07-14 2018-07-14 Implementation method and system of deep threat recognition real-time engine

Country Status (1)

Country Link
CN (1) CN110489965B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111460815B (en) * 2020-03-16 2022-04-01 平安科技(深圳)有限公司 Rule processing method, apparatus, medium, and electronic device
CN112835926A (en) * 2021-02-09 2021-05-25 深圳市极致科技股份有限公司 Formula engine development method and device, electronic equipment and storage medium

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103259793A (en) * 2013-05-02 2013-08-21 东北大学 Method for inspecting deep packets based on suffix automaton regular engine structure

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107645403B (en) * 2016-07-22 2020-07-03 阿里巴巴集团控股有限公司 Terminal rule engine device and terminal rule operation method

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103259793A (en) * 2013-05-02 2013-08-21 东北大学 Method for inspecting deep packets based on suffix automaton regular engine structure

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
中缀式到逆波兰式的转换及求值;敬茂华 等;《实用第一智慧密集》;20100731;第14-16页 *

Also Published As

Publication number Publication date
CN110489965A (en) 2019-11-22

Similar Documents

Publication Publication Date Title
US10216848B2 (en) Method and system for recommending cloud websites based on terminal access statistics
JP5611852B2 (en) Public information privacy protection device, public information privacy protection method and program
CN107563201B (en) Associated sample searching method and device based on machine learning and server
CN109710402A (en) Method, apparatus, computer equipment and the storage medium of process resource acquisition request
WO2014036936A1 (en) Systems and methods for software upgrade recommendation
CN110489965B (en) Implementation method and system of deep threat recognition real-time engine
WO2015027932A1 (en) Multi-dimensional decomposition computing method and system
JP2017532655A (en) Compress cascading style sheet files
CN107577943B (en) Sample prediction method and device based on machine learning and server
CN114598597B (en) Multisource log analysis method, multisource log analysis device, computer equipment and medium
CN105790967B (en) Network log processing method and device
CN110413840B (en) Neural network for constructing video determination label and training method thereof
Cavagnero et al. Pem: Prototype-based efficient maskformer for image segmentation
CN107741850B (en) Method and device for generating dynamic wallpaper package and storage medium
US10114951B2 (en) Virus signature matching method and apparatus
CN112506636A (en) Distributed task scheduling method and device based on directed acyclic graph and storage medium
CN115455425B (en) Protection patch generation method, system, equipment and storage medium
CN112287396B (en) Data processing method and device based on privacy protection
CN105260405B (en) A kind of web crawlers method and device
US10915594B2 (en) Associating documents with application programming interfaces
CN110704026A (en) Calling method and device of software development kit, terminal and readable medium
CN110493167B (en) Implementation method and system of high-efficiency deep threat recognition engine
CN111144086B (en) Log formatting method and device, electronic equipment and storage medium
CN111026554B (en) XenServer system physical memory analysis method and system
CN112765433B (en) Text keyword scanning method, device, equipment and computer readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant