CN111026653B - Abnormal program behavior detection method and device, electronic equipment and storage medium

Publication number
CN111026653B
Authority
CN
China
Legal status
Active
Application number
CN201911183934.2A
Other languages
Chinese (zh)
Other versions
CN111026653A (en)
Inventor
周勇钧
郑越
鲁四喜
Current Assignee
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/36 Preventing errors by testing or debugging software
    • G06F11/362 Software debugging
    • G06F11/3636 Software debugging by tracing the execution of the program
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/23 Clustering techniques
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00 Machine learning

Abstract

The application provides an abnormal program behavior detection method and device, an electronic device and a storage medium. The method comprises the following steps: in response to a program detection request initiated by a user, acquiring program behavior data corresponding to the program detection request from a blockchain system; acquiring program behavior feature data from the program behavior data; performing unsupervised clustering analysis on the program behavior feature data to obtain outlier feature data and program behavior feature data other than the outlier feature data; training a machine learning model using the program behavior feature data other than the outlier feature data; and inputting the outlier feature data into the machine learning model, and determining abnormal program behavior data according to the output result of the machine learning model. In the method and the device, unsupervised clustering analysis of the program behavior data preliminarily identifies outlier feature data that may be abnormal, and the outlier feature data is then used to further judge and locate the abnormal program behavior data, so that abnormal program behavior data can be determined more conveniently and quickly.

Description

Abnormal program behavior detection method and device, electronic equipment and storage medium
The application is a divisional application of application No. 201910872409.5, entitled 'abnormal program behavior detection method and device', filed on September 16, 2019.
Technical Field
The present application relates to the field of computer and communications technologies, and in particular, to a method and an apparatus for detecting abnormal program behavior, an electronic device, and a storage medium.
Background
As informatization and intelligent systems become more widespread across industries, users' performance requirements for program services keep rising, and the overall architecture of program services is becoming increasingly complex. In the routine testing stage, problems hidden in program behavior are difficult to find by manually checking logs or monitoring data alone, so being able to detect abnormal program behavior conveniently and quickly is of great significance.
Disclosure of Invention
The application aims to provide an abnormal program behavior detection method, an abnormal program behavior detection device, an electronic device and a storage medium, which can conveniently detect abnormal program behaviors.
According to an aspect of an embodiment of the present application, there is provided an abnormal program behavior detection method, including: responding to a program detection request initiated by a user, and acquiring program behavior data corresponding to the program detection request from a block chain system; acquiring program behavior characteristic data from the program behavior data; carrying out unsupervised clustering analysis on the program behavior characteristic data to obtain outlier characteristic data and program behavior characteristic data except the outlier characteristic data; training a machine learning model using program behavior feature data other than the outlier feature data; and inputting the outlier characteristic data into the machine learning model, and determining abnormal program behavior data according to an output result of the machine learning model.
According to an aspect of an embodiment of the present application, there is provided an abnormal program behavior detection apparatus including: the acquisition module is used for responding to a program detection request initiated by a user, acquiring program behavior data corresponding to the program detection request from a block chain system, and acquiring program behavior characteristic data from the program behavior data; the clustering module is used for carrying out unsupervised clustering analysis on the program behavior characteristic data to obtain outlier characteristic data and program behavior characteristic data except the outlier characteristic data; and the identification module is used for training a machine learning model by using program behavior characteristic data except the outlier characteristic data, inputting the outlier characteristic data into the machine learning model and determining abnormal program behaviors according to an output result of the machine learning model.
In some embodiments of the present application, based on the foregoing solution, the obtaining module is configured to: after receiving the program detection request, storing program behavior data corresponding to a target application program for which the program detection request is directed in at least two cache regions; and acquiring the program behavior data from at least one cache region.
In some embodiments of the present application, based on the foregoing solution, the clustering module is configured to: preprocessing the program behavior characteristic data; and carrying out unsupervised clustering analysis on the preprocessed program behavior characteristic data to obtain program behavior characteristic data except for outlier characteristic data.
In some embodiments of the present application, based on the foregoing solution, the clustering module is further configured to: and carrying out normalization processing and dimension reduction processing on the program behavior characteristic data.
In some embodiments of the present application, based on the foregoing, the identification module is configured to: identifying abnormal program behavior characteristic data according to the output result of the machine learning model; matching the abnormal program behavior characteristic data with a preset characteristic; and determining abnormal program behavior data according to the program behavior characteristic data which is not matched with the preset characteristics in the abnormal program behavior characteristic data.
In some embodiments of the present application, based on the foregoing solution, the identification module is further configured to: send the program behavior feature data which is not matched with the preset features in the abnormal program behavior feature data to a user for manual detection; and receive the program behavior feature data that did not pass the manual detection, and determine abnormal program behavior data based on the program behavior feature data that did not pass the manual detection.
In some embodiments of the present application, based on the foregoing solution, the obtaining module is further configured to: and acquiring the program behavior data, converting the program behavior data into a preset format, and storing the preset format in the block chain system.
According to an aspect of embodiments of the present application, there is provided a computer-readable program medium storing computer program instructions which, when executed by a computer, cause the computer to perform the method of any one of the above.
According to an aspect of an embodiment of the present application, there is provided an electronic apparatus including: a processor; a memory having computer readable instructions stored thereon which, when executed by the processor, implement the method of any of the above.
The technical scheme provided by the embodiment of the application can have the following beneficial effects:
In the technical solutions provided in some embodiments of the present application, program behavior data corresponding to a program detection request initiated by a user is obtained from a blockchain system in response to that request. Only the program behavior data corresponding to the target application program targeted by the program detection request is obtained, which avoids obtaining redundant program behavior data and helps improve program detection efficiency. Program behavior feature data is acquired from the program behavior data, and unsupervised clustering analysis is performed on the program behavior feature data to obtain outlier feature data and program behavior feature data other than the outlier feature data. The program behavior feature data other than the outlier feature data is used for training the machine learning model, so no other program behavior feature data needs to be acquired for training, which simplifies the program detection process. Because the outlier feature data may be abnormal, the outlier feature data is input into the machine learning model, and the abnormal program behavior data is finally determined according to the output result of the machine learning model.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present application and together with the description, serve to explain the principles of the application.
FIG. 1A shows a schematic diagram of an exemplary system architecture to which aspects of embodiments of the present application may be applied;
FIG. 1B is a schematic diagram showing a data sharing system to which the technical solution of one embodiment of the present application can be applied;
FIG. 1C is a diagram illustrating a node at which a blockchain may be used to store program behavior data according to one embodiment of the present application;
FIG. 2 schematically shows a flow diagram of an abnormal program behavior detection method according to one embodiment of the present application;
FIG. 3 schematically shows a flow diagram for obtaining program behavior feature data from program behavior data according to an embodiment of the present application;
FIG. 4 schematically illustrates a flow diagram for determining anomalous program behavior data from output results of a machine learning model, according to one embodiment of the present application;
FIG. 5 schematically shows a flow diagram of an abnormal program behavior detection method according to one embodiment of the present application;
FIG. 6 schematically shows a block diagram of an abnormal program behavior detection apparatus according to an embodiment of the present application;
FIG. 7 is a hardware diagram illustrating an electronic device according to an example embodiment.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art.
Furthermore, the described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the application. One skilled in the relevant art will recognize, however, that the subject matter of the present application can be practiced without one or more of the specific details, or with other methods, components, devices, steps, and so forth. In other instances, well-known methods, devices, implementations, or operations have not been shown or described in detail to avoid obscuring aspects of the application.
The block diagrams shown in the figures are functional entities only and do not necessarily correspond to physically separate entities. I.e. these functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor means and/or microcontroller means.
The flow charts shown in the drawings are merely illustrative and do not necessarily include all of the contents and operations/steps, nor do they necessarily have to be performed in the order described. For example, some operations/steps may be decomposed, and some operations/steps may be combined or partially combined, so that the actual execution sequence may be changed according to the actual situation.
Fig. 1A shows a schematic diagram of an exemplary system architecture 1A00 to which the technical solution of the embodiments of the present application can be applied.
As shown in fig. 1A, the system architecture 1A00 may include a terminal device 101 (the terminal device may be one or more of a smartphone, a tablet, a laptop, a desktop computer), a network 102, and a server 103. Network 102 is the medium used to provide communication links between terminal devices 101 and server 103. Network 102 may include various connection types, such as wired communication links, wireless communication links, and so forth.
It should be understood that the number of terminal devices 101, networks 102, servers 103 in fig. 1A is merely illustrative. There may be any number of terminal devices 101, networks 102, and servers 103, as desired for implementation. For example, the server 103 may be a server cluster composed of a plurality of servers.
In an embodiment of the present application, the server 103 may obtain program behavior data of a program running in the terminal device 101, and the server 103 may also obtain program behavior data of a program running in the server 103 itself or in another server, where the program behavior data may be collected by an existing performance analysis tool. The server 103 obtains the program behavior feature data from the program behavior data, clusters the program behavior feature data to obtain outlier feature data, and the outlier feature data has a possibility of abnormality, so that the outlier feature data can be input into a machine learning model for program behavior recognition, the outlier feature data is screened, and finally the abnormal program behavior data is determined according to an output result of the machine learning model.
It should be noted that the abnormal program behavior detection method provided in the embodiment of the present application is generally executed by the server 103, and accordingly, the abnormal program behavior detection apparatus is generally disposed in the server 103. However, in other embodiments of the present application, the terminal device 101 may also have a similar function as the server 103, so as to execute the abnormal program behavior detection method provided in the embodiments of the present application.
Fig. 1B shows a schematic diagram of a data sharing system 1B00 to which the technical solution of an embodiment of the present application can be applied.
Referring to the data sharing system shown in fig. 1B, the data sharing system 1B00 refers to a system for performing data sharing between nodes, the data sharing system may include a plurality of nodes 104, and the plurality of nodes 104 may refer to respective clients in the data sharing system. Each node 104 may receive program behavior data while operating normally and maintain shared data within the data sharing system based on the received program behavior data. In order to ensure information intercommunication in the data sharing system, information connection can exist between each node in the data sharing system, and information transmission can be carried out between the nodes through the information connection. For example, when any node in the data sharing system receives program behavior data, other nodes in the data sharing system acquire the program behavior data according to a consensus algorithm, and store the program behavior data as data in shared data, so that the data stored on all nodes in the data sharing system are consistent.
Each node in the data sharing system has a corresponding node identifier, and each node may store the node identifiers of the other nodes in the data sharing system, so that a generated block can subsequently be broadcast to the other nodes in the data sharing system according to their node identifiers. Each node may maintain a node identifier list as shown in Table 1, in which node names and node identifiers are stored in correspondence. The node identifier may be an IP (Internet Protocol) address or any other information that can be used to identify the node; Table 1 uses IP addresses only as an example.

Table 1
Node name    Node identification
Node 1       117.114.151.174
Node 2       117.116.189.145
Node N       119.123.789.258
Each node in the data sharing system stores an identical blockchain. Referring to FIG. 1B, the blockchain is composed of a plurality of blocks. The starting block includes a block header and a block body; the block header stores a program behavior data characteristic value, a version number, a timestamp and a difficulty value, and the block body stores program behavior data. The next block takes the starting block as its parent block and likewise includes a block header and a block body; its block header stores the program behavior data characteristic value of the current block, the block header characteristic value of the parent block, a version number, a timestamp and a difficulty value. The same applies to the blocks that follow, so that the block data stored in each block of the blockchain is associated with the block data stored in its parent block, which ensures the security of the program behavior data in the blocks.
Each block in the blockchain is generated as follows. Referring to FIG. 1C, when the node where the blockchain is located receives program behavior data, it verifies the program behavior data; after verification is complete, it stores the program behavior data in the memory pool and updates the hash tree used for recording the program behavior data. It then sets the update timestamp to the time at which the program behavior data was received, tries different random numbers, and calculates the characteristic value repeatedly until the calculated characteristic value satisfies the following formula:
SHA256(SHA256(version+prev_hash+merkle_root+ntime+nbits+x))<TARGET
wherein SHA256 is the characteristic value algorithm used for calculating a characteristic value; version is the version information of the relevant block protocol in the blockchain; prev_hash is the block header characteristic value of the parent block of the current block; merkle_root is the characteristic value of the program behavior data; ntime is the update time of the update timestamp; nbits is the current difficulty, which is a fixed value within a period of time and is determined again after a fixed time period has elapsed; x is a random number; TARGET is a characteristic value threshold, which can be determined from nbits.
Therefore, when a random number satisfying the formula is obtained through calculation, the program behavior data can be stored accordingly, and the block header and the block body are generated to obtain the current block. The node where the blockchain is located then sends the newly generated block to the other nodes in the data sharing system according to their node identifiers; each of the other nodes verifies the newly generated block and, after verification is complete, adds it to the blockchain that it stores. Program behavior data is subsequently acquired from the blockchain in order to execute the abnormal program behavior detection method.
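The following Python sketch is an added example, not part of the patent text. It seals blocks of program behavior records with the formula above and then re-verifies the chain the way a receiving node could before trusting the data for detection. The header byte layout, the big-endian comparison, the compact nbits decoding, the hash-tree construction and all sample records are assumptions made for illustration.

```python
import hashlib
import struct
from dataclasses import dataclass

GENESIS_PARENT = b"\x00" * 32   # assumed parent value for the starting block
EASY_NBITS = 0x2000FFFF         # assumed difficulty: about 1 in 256 hashes qualifies


def sha256d(data: bytes) -> bytes:
    """SHA256(SHA256(data)), the characteristic value function in the formula."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def hash_tree_root(records) -> bytes:
    """merkle_root: hash-tree root over the records of one block body."""
    level = [sha256d(b"\x00" + r) for r in records] or [sha256d(b"")]
    while len(level) > 1:
        paired = [sha256d(b"\x01" + level[i] + level[i + 1])
                  for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:          # an odd node is carried up unchanged
            paired.append(level[-1])
        level = paired
    return level[0]


def target_from_nbits(nbits: int) -> int:
    """TARGET derived from nbits (assumed compact form: exponent byte + mantissa)."""
    return (nbits & 0xFFFFFF) << (8 * ((nbits >> 24) - 3))


@dataclass
class Block:
    version: int
    prev_hash: bytes
    ntime: int
    nbits: int
    records: list
    merkle_root: bytes = b""
    x: int = 0

    def block_hash(self) -> bytes:
        # version + prev_hash + merkle_root + ntime + nbits + x, concatenated
        header = (struct.pack(">I", self.version) + self.prev_hash + self.merkle_root
                  + struct.pack(">III", self.ntime, self.nbits, self.x))
        return sha256d(header)

    def meets_target(self) -> bool:
        return int.from_bytes(self.block_hash(), "big") < target_from_nbits(self.nbits)


def seal(block: Block) -> Block:
    """Recompute merkle_root, then try random numbers x until the formula holds."""
    block.merkle_root = hash_tree_root(block.records)
    for x in range(2 ** 32):
        block.x = x
        if block.meets_target():
            return block
    raise RuntimeError("no x below TARGET in the 32-bit range")


def first_invalid_block(chain):
    """Return (index, failed_check) for the first bad block, or None if all pass."""
    parent = GENESIS_PARENT
    for i, block in enumerate(chain):
        if block.prev_hash != parent:
            return i, "prev_hash"
        if hash_tree_root(block.records) != block.merkle_root:
            return i, "merkle_root"
        if not block.meets_target():
            return i, "target"
        parent = block.block_hash()
    return None


def build_sample_chain():
    """Three blocks of constructed program behavior records."""
    bodies = [
        [b"app=demo step=init duration_ms=100", b"app=demo step=load duration_ms=95"],
        [b"app=demo step=compute duration_ms=110"],
        [b"app=demo step=flush duration_ms=105", b"app=demo result=ok", b"app=demo exit=0"],
    ]
    chain, parent = [], GENESIS_PARENT
    for i, records in enumerate(bodies):
        block = seal(Block(1, parent, 1568592000 + i, EASY_NBITS, list(records)))
        chain.append(block)
        parent = block.block_hash()
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact chain:", first_invalid_block(chain))
    chain[1].records[0] = b"app=demo step=compute duration_ms=1"
    print("edited record:", first_invalid_block(chain))
```

Editing a stored record is caught by the merkle_root check on that block; rewriting and re-sealing a block is caught at its child, whose prev_hash no longer matches.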
The implementation details of the technical solution of the embodiment of the present application are set forth in detail below:
FIG. 2 schematically shows a flowchart of an abnormal program behavior detection method according to an embodiment of the present application, and an execution subject of the abnormal program behavior detection method may be a server, such as the server 103 shown in fig. 1.
Referring to fig. 2, the abnormal program behavior detection method at least includes steps S210 to S240, which are described in detail as follows:
In step S210, program behavior feature data is acquired from the program behavior data.
In one embodiment of the present application, the program behavior data is the program behavior data of a target application to be detected and may be collected by an existing performance analysis tool. Multiple performance analysis tools can be used to collect program behavior data at the same time, which makes collection more efficient. The data collected by the performance analysis tools includes the program behavior data, which can be used for detecting abnormal program behavior data.
In one embodiment of the present application, the program behavior characteristic data may include any combination of one or more of: duration of program behavior, result of program behavior, and continuity of program behavior.
In this embodiment, the program behavior duration may be an entire running duration of the target application to be detected, and if the program behavior duration of the target application exceeds a duration threshold set for the target application, the abnormal program behavior data is determined. The program behavior duration may also be an operation duration of a part of the program in the target application program, and if the program behavior duration of the part of the program in the target application program exceeds a duration threshold set for the program behavior duration, it is considered that abnormal program behavior data may occur.
In this embodiment, when the target application is detected, test data is input to the target application, and the target application outputs a program behavior result. The program behavior results output by the target application are compared to the correct results that the target application should output. And detecting whether the target application program has errors in operation or not by comparing whether the program behavior result is the same as the correct result or not, so as to analyze whether abnormal program behavior data possibly occurs or not.
In this embodiment, the continuity of the program behavior indicates whether the target application program runs according to its set steps. If the target application program runs according to the set steps and no step is omitted, the program behavior is considered continuous, and it can be confirmed that no abnormal program behavior data occurs; if the target application program does not run according to the set steps and steps are omitted, the program behavior is considered discontinuous, and abnormal program behavior data may occur.
In an embodiment of the application, a comparison table between program behavior feature data and keywords may be preset. The keywords in the program behavior data are obtained and looked up in the comparison table to find the program behavior feature data corresponding to those keywords. The correspondence between program behavior feature data and keywords can be set as required.
In an embodiment of the present application, the program behavior feature data may be of multiple types. For one type of program behavior feature data, the historical data of that type is obtained, the characters common to the historical data are identified, and these common characters are used as the keywords corresponding to that type of program behavior feature data.
In an embodiment of the application, the program behavior feature data may be of multiple types. For each type of program behavior feature data, the characters common to the historical data of that type are obtained; any of those common characters that are also among the common characters of the other types of program behavior feature data are discarded, and the remaining characters are the keywords corresponding to that type. Finding the characters that distinguish each type of program behavior feature data from the other types allows abnormal program behavior data to be obtained more quickly.
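One way to build and use such a keyword comparison table, as an added Python example that is not part of the patent text. It assumes that "characters" means alphabetic tokens in a log line; the three feature types, the history lines and the function names are constructed for illustration.

```python
import re

# Constructed history data: a few past records per feature type.
SAMPLE_HISTORY = {
    "duration": ["perf elapsed_ms=120 task=sync", "perf elapsed_ms=98 task=load"],
    "result": ["perf result=ok task=sync", "perf result=fail task=load"],
    "continuity": ["perf step 3 of 4 task=sync", "perf step 4 of 4 task=load"],
}


def tokens(line):
    """Alphabetic tokens of one record (assumed reading of 'characters')."""
    return set(re.findall(r"[A-Za-z_]+", line))


def common_tokens(lines):
    """Tokens present in every history record of one feature type."""
    sets = [tokens(line) for line in lines]
    return set.intersection(*sets) if sets else set()


def build_keyword_table(history):
    """Keep, per type, only the common tokens no other type also has in common."""
    common = {ftype: common_tokens(lines) for ftype, lines in history.items()}
    table = {}
    for ftype, own in common.items():
        shared = set().union(*(c for other, c in common.items() if other != ftype))
        keywords = own - shared
        if not keywords:
            # Nothing distinguishes this type, so lookups for it could never match.
            raise ValueError(f"no distinguishing keyword for type {ftype!r}")
        table[ftype] = keywords
    return table


def classify(line, table):
    """Feature types whose keywords all occur in a new program behavior record."""
    found = tokens(line)
    return sorted(ftype for ftype, keywords in table.items() if keywords <= found)


if __name__ == "__main__":
    table = build_keyword_table(SAMPLE_HISTORY)
    print(table)
    print(classify("perf elapsed_ms=410 task=export", table))
```

The tokens "perf" and "task" are common to every type in the sample history, so they are discarded and only the distinguishing tokens remain as keywords.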
In an embodiment of the present application, program behavior feature data may be obtained from set positions of the program behavior feature data. There may be multiple set positions, each set position may hold multiple items of program behavior feature data, and the program behavior feature data at each set position corresponds to a set type of program behavior feature data.
In an embodiment of the present application, as shown in fig. 3, the process of acquiring program behavior feature data from the program behavior data in step S210 may include steps S310 and S320:
In step S310, in response to the program detection request, program behavior data corresponding to the target application program for which the program detection request is directed is acquired.
In an embodiment of the application, program behavior data of a plurality of application programs may be collected in advance, after a detection request for a target application program initiated by a user is received, the program detection request is responded, and program behavior data corresponding to the target application program is obtained from the program behavior data of the plurality of application programs collected in advance.
In an embodiment of the present application, program behavior data of a plurality of application programs collected in advance may be converted into preprocessed data in a predetermined format, and the program behavior data corresponding to the target application program may be extracted from the preprocessed data. Program behavior data may be collected using performance analysis tools; to make the collected program behavior data more comprehensive and to speed up collection, a variety of performance analysis tools may be used. Because different tools are used to collect the program behavior data, the formats of the collected data may differ, and converting program behavior data in different formats into the predetermined format facilitates subsequent processing. The predetermined format may be one or more of the formats of program behavior data collected by existing performance analysis tools.
In an embodiment of the application, program behavior data of the same application program in the program behavior data of a plurality of application programs collected in advance can be converted into the same format, so that subsequent processing of the program behavior data of the application program is facilitated.
In an embodiment of the present application, after obtaining the program behavior data corresponding to the target application program for which the program detection request is directed, the program behavior data corresponding to the target application program for which the program detection request is directed may be stored in at least two cache regions, and the program behavior data corresponding to the target application program for which the program detection request is directed may be obtained from at least one cache region.
In this embodiment, the program behavior data corresponding to the target application program is extracted from the plurality of cache regions, and partial program behavior data corresponding to the target application program can be extracted from each cache region, so that the time for extracting the program behavior data corresponding to the target application program can be shortened.
In this embodiment, the program behavior data corresponding to the target application program targeted by the program detection request is stored in at least two cache regions, each cache region has complete program behavior data corresponding to the target application program, after the program behavior data in one of the cache regions is used for detecting the target application program, the program behavior data corresponding to the target application program in the other cache regions can still be called, and other users can still detect the target application program.
With continued reference to fig. 3, in step S320, program behavior feature data is extracted from the program behavior data corresponding to the target application program.
In the embodiment of fig. 3, after responding to the program detection request, the program behavior data corresponding to the target application program targeted by the program detection request is obtained, and then the program behavior feature data is extracted from the program behavior data corresponding to the target application program. One or more target application programs can be provided, and after the program detection request is received, only the program behavior data corresponding to the target application program targeted by the program detection request is acquired, so that the acquisition of redundant program behavior data can be avoided, and the efficiency of program detection can be improved.
In an embodiment of the present application, the extracted program behavior feature data may be normalized. The program behavior characteristic data can be subjected to normalization processing, dimension reduction processing and the like, comparability is enhanced, and subsequent processing of the program behavior characteristic data is facilitated.
With continued reference to fig. 2, in step S220, the program behavior feature data is clustered to obtain outlier feature data.
In one embodiment of the present application, unsupervised clustering may be performed on program behavior feature data, and the obtained outlier feature data may be abnormal program behavior feature data.
In one embodiment of the present application, when performing unsupervised clustering on program behavior feature data, the program behavior feature data which are distributed sparsely and are far from a program behavior feature data group with high density are taken as outlier feature data.
In an embodiment of the present application, the unsupervised clustering may be implemented by the Local Outlier Factor (LOF) algorithm based on local density, the DBSCAN algorithm (Density-Based Spatial Clustering of Applications with Noise), the isolation forest algorithm, and the like.
In an embodiment of the present application, semi-supervised clustering or supervised clustering may be performed on the program behavior feature data, and the program behavior feature data is clustered according to preset features, so that the obtained outlier feature data may be abnormal program behavior data.
In one embodiment of the present application, supervised clustering may be implemented by random forest algorithm, deep learning, and the like.
In step S230, the outlier feature data is input to a machine learning model for program behavior recognition.
In an embodiment of the application, before the outlier feature data is input into the machine learning model, program behavior feature data other than the outlier feature data may be obtained from the program behavior feature data as a first normal data set, and the machine learning model may be trained according to the program behavior feature data in the first normal data set.
In the embodiment, the machine learning model is trained by using the first normal data set in the program behavior characteristic data, and other program behavior characteristic data do not need to be acquired to train the machine learning model, so that the program detection process is simplified, and the program detection efficiency is improved.
In one embodiment of the present application, the machine learning model may be pre-trained by the following process: program behavior feature data in a first normal data set is acquired, where it is known whether the program behavior data corresponding to each piece of program behavior feature data in the first normal data set is abnormal. Each piece of program behavior feature data in the first normal data set is input into the machine learning model to obtain the model's output on whether the corresponding program behavior data is abnormal. The output result is compared with the known result, and if they are inconsistent, the machine learning model is adjusted so that the output result is consistent with the known result.
In step S240, abnormal program behavior data is determined based on the output result of the machine learning model.
In one embodiment of the present application, the output result of the machine learning model may be whether program behavior data corresponding to the program behavior feature data is abnormal.
In this embodiment, since the program behavior data corresponding to the obtained outlier feature data may be abnormal or may be normal, the program behavior data that may be abnormal is screened through the machine learning model, whether the program behavior data corresponding to the outlier feature data is abnormal is further determined, and the program behavior data that is normal is prevented from being mistakenly determined as abnormal program behavior data.
In this embodiment, program behavior feature data is acquired from the program behavior data, and the program behavior feature data is clustered to obtain outlier feature data, where the program behavior data corresponding to the outlier feature data may be abnormal. And then inputting the outlier feature data into a machine learning model for identifying the program behavior, screening the program behavior data corresponding to the outlier feature data, and finally determining abnormal program behavior data according to an output result of the machine learning model.
In one embodiment of the present application, as shown in fig. 4, abnormal program behavior data may be determined from the output result of the machine learning model through steps S410 to S430:
in step S410, abnormal program behavior feature data is identified based on the output result of the machine learning model.
In one embodiment of the present application, the output result of the machine learning model may be whether the program behavior feature data is abnormal.
In one embodiment of the present application, the machine learning model may be pre-trained by the following process: program behavior feature data in the first normal data set is acquired, where each piece of program behavior feature data in the first normal data set is not abnormal. Each piece of program behavior feature data in the first normal data set is input into the machine learning model to obtain the model's output on whether that program behavior feature data is abnormal. The output result is checked, and if it indicates that the program behavior feature data is abnormal, the machine learning model is adjusted so that the output result indicates that the program behavior feature data is not abnormal.
In this embodiment, since the program behavior data corresponding to the obtained outlier feature data may be abnormal or may be normal, the program behavior data that may be abnormal is screened through the machine learning model, whether the program behavior data corresponding to the outlier feature data is abnormal is further determined, and the program behavior data that is normal is prevented from being mistakenly determined as abnormal program behavior data.
In one embodiment of the application, after the outlier feature data is input into the machine learning model, the machine learning model assigns a label to the outlier feature data, and identifies whether the outlier feature data is abnormal program behavior feature data according to the label.
In an embodiment of the application, after the abnormal program behavior characteristic data is identified, program behavior characteristic data other than the abnormal program behavior characteristic data is acquired from the program behavior characteristic data, the program behavior characteristic data other than the abnormal program behavior characteristic data in the program behavior characteristic data is added into the first normal data set, and the machine learning model is trained according to the program behavior characteristic data in the first normal data set.
In the embodiment, the machine learning model for program behavior recognition is further trained, so that the output of the machine learning model for program behavior recognition is more accurate.
With continued reference to fig. 4, in step S420, the abnormal program behavior feature data is matched with the preset features.
In an embodiment of the application, a process of matching abnormal program behavior characteristic data with preset characteristics can be realized in a manner of performing supervised clustering on the abnormal program behavior characteristic data according to the preset characteristics.
In one embodiment of the present application, the preset features may include any one or more of the following in combination: the program behavior duration is within the duration threshold set for the program behavior duration, the program behavior result is correct, and the program behavior is continuous.
In step S430, the abnormal program behavior data is determined according to the program behavior feature data that does not match the preset features in the abnormal program behavior feature data.
In the embodiment, according to the output result of the machine learning model, abnormal program behavior feature data is identified, in order to improve the accuracy of program detection, the program behavior feature data which is not matched with the preset features in the abnormal program behavior feature data is determined as the abnormal program behavior feature data, and the program behavior data corresponding to the abnormal program behavior feature data is determined as the abnormal program behavior data, so that the determination of the abnormal program behavior data is more accurate.
In one embodiment of the present application, program behavior feature data does not match the preset features when the program behavior duration is not within the duration threshold set for the program behavior duration, the program behavior result is incorrect, or the program behavior is discontinuous.
In an embodiment of the present application, the program behavior data corresponding to the program behavior feature data that does not match the preset features in the abnormal program behavior feature data may be determined as the abnormal program behavior data.
In an embodiment of the application, the program behavior feature data which is not matched with the preset features in the abnormal program behavior feature data may also be sent to a user for manual detection, the program behavior feature data which fails to pass the manual detection is received, and the abnormal program behavior data is determined based on the program behavior feature data which fails to pass the manual detection.
In this embodiment, the user further screens program behavior feature data, which is not matched with the preset features, from the abnormal program behavior feature data, to more accurately find the abnormal program behavior feature data, and further more accurately find the abnormal program behavior data.
In one embodiment of the application, after abnormal program behavior data is determined, program behavior data other than the abnormal program behavior data is acquired from the program behavior data, program behavior feature data in the program behavior data other than the abnormal program behavior data in the program behavior data is added into a first normal data set, and a machine learning model is trained according to the program behavior feature data in the first normal data set.
In this embodiment, the machine learning model is further trained by using the program behavior feature data in the program behavior data of the determined abnormality, so that the output of the machine learning model for program behavior recognition is more accurate.
In one embodiment of the application, after determining abnormal program behavior data, program information corresponding to the abnormal program behavior data is acquired, and the program information is sent to a user.
In one embodiment of the application, the program information corresponding to the abnormal program behavior data, the abnormal program behavior data and the abnormal program behavior feature data are sent to a user, so that the user can know the specific situation of the abnormal program behavior data.
In an embodiment of the application, the abnormal program behavior data may be analyzed, and a cause of the abnormal program behavior data and a suggested solution may be obtained according to the program behavior data of the application program and the program information corresponding to the abnormal program behavior data. An analysis report is then formed from the program information corresponding to the abnormal program behavior data, the abnormal program behavior data, the abnormal program behavior feature data, the cause of the abnormal program behavior data and the suggested solution, and is sent to a user, so that the user knows how to repair the abnormal program behavior data.
Fig. 5 schematically shows a flowchart of an abnormal program behavior detection method according to an embodiment of the present application, and an execution subject of the abnormal program behavior detection method may be a server, such as the server 103 shown in fig. 1.
Referring to fig. 5, the abnormal program behavior detection method at least includes steps S510 to S590, which are described in detail as follows:
in step S510, program behavior data is collected, preprocessed, and then stored in a distributed database.
In an embodiment of the present application, program behavior data may be collected by using a plurality of existing performance analysis tools, and the program behavior data collected by the plurality of performance analysis tools may be converted into a predetermined format and then sent to a plurality of distributed databases for distributed storage. Because the program behavior data are sent to the distributed databases for distributed storage, compared with the case that the program behavior data are sent to one database for storage, the data in each distributed database are less, the program behavior data stored in the distributed databases are called more quickly, and the efficiency of program detection is improved.
In an embodiment of the present application, different databases in the distributed database may store the same program behavior data, and when a user detects some program behavior data, the same program behavior data still remains in the distributed database as a backup, and other users may call the backup program behavior data to perform detection.
In an embodiment of the present application, program behavior data of multiple application programs may be collected, or only the program behavior data of the target application program may be collected.
In step S520, in response to the program detection request initiated by the user, program behavior data corresponding to the target application program for which the program detection request is directed is obtained from the distributed database.
In an embodiment of the present application, program behavior data corresponding to a target application program for which a program detection request is directed may be obtained from a distributed database. The program behavior data corresponding to the target application program can be obtained from a plurality of distributed databases, and partial program behavior data corresponding to the target application program can be obtained from each distributed database, so that the method is faster than the method for obtaining all program behavior data corresponding to the target application program from one distributed database.
In step S530, program behavior feature data is obtained from the program behavior data corresponding to the target application program.
In step S540, the acquired program behavior feature data is preprocessed.
In an embodiment of the present application, the preprocessing the acquired program behavior feature data may be normalization processing and dimension reduction processing of the acquired program behavior feature data, so as to enhance comparability of the program behavior feature data.
In step S550, unsupervised clustering analysis is performed on the preprocessed program behavior feature data, the set of outlier feature data is used as a pre-abnormal program behavior feature data set, and the set of program behavior feature data other than the outlier feature data in the preprocessed program behavior feature data is used as a pre-normal program behavior feature data set.
In one embodiment of the present application, the outlier feature data in the pre-abnormal program behavior feature data set may be abnormal program behavior feature data. The data in the pre-normal program behavior feature data set is confirmed as normal program behavior feature data.
In step S560, the machine learning model is trained based on the program behavior feature data in the pre-normal program behavior feature data set.
In step S570, the program behavior feature data in the pre-abnormal program behavior feature data set is input into the machine learning model, and a normal program behavior feature data set and an abnormal program behavior feature data set output by the machine learning model are obtained.
In step S580, the program behavior feature data in the normal program behavior feature data set is added to the pre-normal program behavior feature data set.
In step S590, the program behavior feature data in the abnormal program behavior feature data set is sent to the user for manual detection, and the program behavior data corresponding to the program behavior feature data that fails to pass manual detection is obtained as the abnormal program behavior data.
In the embodiment, the abnormal program behavior feature data set is found by analyzing the program behavior feature data of the program behavior data, and then the program behavior data in the abnormal program behavior data set is manually detected, so that the method is more convenient and quicker compared with the conventional method of manually detecting the abnormal program behavior data from the program behavior data directly.
It should be noted that fig. 5 only schematically shows steps of the abnormal program behavior detection method according to an embodiment of the present application, where the program detection task initiated by the user is a distributed task, and steps S510 to S590 are independent from each other, and any one of steps S510 to S590 may be executed separately.
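The flow of steps S540 to S590, together with the preset-feature matching of steps S420 and S430, can be traced on a small data set. The following is an added example, not code from the patent: a k-nearest-neighbour distance score stands in for LOF/DBSCAN, a centroid-and-radius one-class model stands in for the unspecified machine learning model, and the records, `k`, `factor`, `slack` and the 500 ms duration limit are constructed assumptions.

```python
from math import dist
from statistics import mean, median

# Constructed sample records: (id, duration_ms, result_ok, continuous).
RECORDS = [
    ("r01", 100, 1, 1), ("r02", 103, 1, 1), ("r03", 105, 1, 1),
    ("r04", 108, 1, 1), ("r05", 110, 1, 1), ("r06", 112, 1, 1),
    ("r07", 115, 1, 1), ("r08", 120, 1, 1),
    ("r09", 135, 1, 1),   # slightly slow, still healthy
    ("r10", 400, 1, 1),   # slow, but inside the preset duration limit
    ("r11", 900, 1, 1),   # exceeds the preset duration limit
    ("r12", 110, 0, 1),   # normal duration, wrong result
]
DURATION_LIMIT_MS = 500   # assumed preset threshold, not from the patent


def normalize(records):
    """S540: min-max scale every feature column to [0, 1]."""
    cols = list(zip(*[r[1:] for r in records]))
    spans = [(min(c), (max(c) - min(c)) or 1) for c in cols]
    return {r[0]: tuple((v - lo) / span for v, (lo, span) in zip(r[1:], spans))
            for r in records}


def knn_scores(points, k=3):
    """Mean distance to the k nearest other points; sparse points score high."""
    scores = {}
    for rid, p in points.items():
        d = sorted(dist(p, q) for oid, q in points.items() if oid != rid)
        scores[rid] = mean(d[:k])
    return scores


def split_outliers(points, k=3, factor=3.0):
    """S550: pre-abnormal set = points scoring above factor x median score."""
    scores = knn_scores(points, k)
    cutoff = factor * median(scores.values())
    outliers = {rid for rid, s in scores.items() if s > cutoff}
    return outliers, set(points) - outliers


class CentroidModel:
    """S560/S570 stand-in: one-class model fitted on normal data only."""

    def __init__(self, slack=3.0):
        self.slack = slack

    def fit(self, vectors):
        vectors = list(vectors)
        self.center = tuple(mean(c) for c in zip(*vectors))
        self.radius = self.slack * max(dist(v, self.center) for v in vectors)
        return self

    def is_abnormal(self, vector):
        return dist(vector, self.center) > self.radius


def matches_preset(record):
    """S420: duration within limit, result correct, behavior continuous."""
    _, duration_ms, result_ok, continuous = record
    return duration_ms <= DURATION_LIMIT_MS and result_ok == 1 and continuous == 1


def detect(records):
    by_id = {r[0]: r for r in records}
    points = normalize(records)
    pre_abnormal, pre_normal = split_outliers(points)
    # S560: train only on the data the clustering step left as normal.
    model = CentroidModel().fit(points[r] for r in pre_normal)
    # S570: let the model screen the outliers and rescue false positives.
    flagged = {r for r in pre_abnormal if model.is_abnormal(points[r])}
    pre_normal |= pre_abnormal - flagged          # S580
    # S430: only flagged records that fail the preset features are reported;
    # in S590 these would go to a user for manual detection.
    abnormal = sorted(r for r in flagged if not matches_preset(by_id[r]))
    return {"outliers": sorted(pre_abnormal), "model_abnormal": sorted(flagged),
            "normal": sorted(pre_normal), "abnormal": abnormal}


if __name__ == "__main__":
    for stage, ids in detect(RECORDS).items():
        print(f"{stage:15s} {ids}")
```

Record r09 shows why the outlier set is screened a second time: the clustering step isolates it, the model trained on the normal set returns it to that set, and only r11 and r12 reach the final report.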
The following describes embodiments of an apparatus of the present application, which may be used to perform the abnormal program behavior detection method in the above embodiments of the present application. For details that are not disclosed in the embodiments of the apparatus of the present application, please refer to the embodiments of the abnormal program behavior detection method described above in the present application.
Fig. 6 schematically shows a block diagram of an abnormal program behavior detection apparatus according to an embodiment of the present application.
Referring to fig. 6, an abnormal program behavior detection apparatus 600 according to an embodiment of the present application includes an obtaining module 601, a clustering module 602, and an identifying module 603.
In some embodiments of the present application, based on the foregoing solution, the obtaining module 601 is configured to obtain program behavior feature data from program behavior data; a clustering module 602, configured to cluster the program behavior feature data to obtain outlier feature data; the identifying module 603 is configured to input the outlier feature data into a machine learning model for identifying program behavior, and determine abnormal program behavior data according to an output result of the machine learning model.
In some embodiments of the present application, based on the foregoing solution, the identifying module 603 is configured to: acquiring program behavior characteristic data except outlier characteristic data from the program behavior characteristic data to serve as a first normal data set; and training the machine learning model according to the program behavior characteristic data in the first normal data set.
In some embodiments of the present application, based on the foregoing solution, the identifying module 603 is further configured to: identifying abnormal program behavior characteristic data according to an output result of the machine learning model; matching the abnormal program behavior characteristic data with preset characteristics; and determining abnormal program behavior data according to the program behavior characteristic data which is not matched with the preset characteristics in the abnormal program behavior characteristic data.
In some embodiments of the present application, based on the foregoing solution, the identifying module 603 is further configured to: sending program behavior characteristic data which is not matched with preset characteristics in the abnormal program behavior characteristic data to a user for manual detection; and receiving program behavior characteristic data which fails to pass manual detection, and determining abnormal program behavior data based on the program behavior characteristic data which fails to pass manual detection.
In some embodiments of the present application, based on the foregoing solution, the obtaining module 601 is configured to: responding to the program detection request, and acquiring program behavior data corresponding to a target application program aimed at by the program detection request; and extracting program behavior characteristic data from the program behavior data corresponding to the target application program.
In some embodiments of the present application, based on the foregoing solution, the obtaining module 601 is further configured to: after receiving a program detection request, storing program behavior data corresponding to a target application program aimed at by the program detection request in at least two cache regions; program behavior data is obtained from at least one cache region.
In some embodiments of the present application, based on the foregoing solution, the obtaining module 601 is further configured to: converting the program behavior data into pre-processing data in a preset format; and extracting program behavior characteristic data from the preprocessed data.
In some embodiments of the present application, based on the foregoing solution, the program behavior feature data obtained by the obtaining module 601 includes any one or more of the following in combination: duration of program behavior, result of program behavior, and continuity of program behavior.
In some embodiments of the present application, based on the foregoing solution, the abnormal program behavior detection apparatus further includes: a sending module, configured to acquire the program information corresponding to the abnormal program behavior data and send the program information to the user.
As will be appreciated by one skilled in the art, aspects of the present application may be embodied as a system, method or program product. Accordingly, various aspects of the present application may be embodied in the form of: an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode, etc.) or an embodiment combining hardware and software aspects that may all generally be referred to herein as a "circuit," "module," or "system."
An electronic device 70 according to this embodiment of the present application is described below with reference to fig. 7. The electronic device 70 shown in fig. 7 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present application.
As shown in fig. 7, the electronic device 70 is embodied in the form of a general purpose computing device. The components of the electronic device 70 may include, but are not limited to: the at least one processing unit 71, the at least one memory unit 72, a bus 73 connecting different system components (including the memory unit 72 and the processing unit 71), and a display unit 74.
The storage unit stores program code executable by the processing unit 71 to cause the processing unit 71 to perform the steps according to various exemplary embodiments of the present application described in the section "example methods" above in this specification.
The storage unit 72 may include readable media in the form of volatile memory units, such as a random access memory unit (RAM) 721 and/or a cache memory unit 722, and may further include a read only memory unit (ROM) 723.
The memory unit 72 may also include a program/utility 724 having a set (at least one) of program modules 725, such program modules 725 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may comprise an implementation of a network environment.
Bus 73 can be any one or more of several types of bus structures including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus architectures.
The electronic device 70 may also communicate with one or more external devices (e.g., keyboard, pointing device, Bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device 70, and/or with any devices (e.g., router, modem, etc.) that enable the electronic device 70 to communicate with one or more other computing devices. Such communication may be through an input/output (I/O) interface 75. Also, the electronic device 70 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the Internet) via the network adapter 76. As shown, the network adapter 76 communicates with the other modules of the electronic device 70 via the bus 73. It should be understood that although not shown in the figures, other hardware and/or software modules may be used in conjunction with electronic device 70, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, the technical solution according to the embodiments of the present application can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (which can be a CD-ROM, a USB disk, a removable hard disk, etc.) or on a network, and includes several instructions to make a computing device (which can be a personal computer, a server, a terminal device, or a network device, etc.) execute the method according to the embodiments of the present application.
There is also provided, in accordance with an embodiment of the present application, a computer-readable storage medium having stored thereon a program product capable of implementing the above-described method of the present specification. In some possible embodiments, various aspects of the present application may also be implemented in the form of a program product comprising program code for causing a terminal device to perform the steps according to various exemplary embodiments of the present application described in the "exemplary methods" section above of this specification, when the program product is run on the terminal device.
There is also provided, in accordance with an embodiment of the present application, a program product for implementing the above-described method, which may employ a portable compact disc read only memory (CD-ROM) and include program code, and may be run on a terminal device, such as a personal computer. However, the program product of the present application is not limited thereto, and in this document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
A computer readable signal medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations of the present application may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
Furthermore, the above-described figures are merely schematic illustrations of processes involved in methods according to exemplary embodiments of the present application, and are not intended to be limiting. It will be readily understood that the processes shown in the above figures are not intended to indicate or limit the chronological order of the processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, e.g., in multiple modules.
It will be understood that the present application is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the application is limited only by the appended claims.

Claims (14)

1. An abnormal program behavior detection method, characterized by comprising:
responding to a program detection request initiated by a user, and acquiring program behavior data corresponding to the program detection request from a blockchain system;
acquiring program behavior characteristic data from the program behavior data;
carrying out unsupervised clustering analysis on the program behavior characteristic data to obtain outlier characteristic data and program behavior characteristic data except the outlier characteristic data;
training a machine learning model using program behavior feature data other than the outlier feature data;
inputting the outlier feature data into the machine learning model, wherein the machine learning model assigns a label to the outlier feature data;
identifying abnormal program behavior characteristic data according to the output result of the machine learning model;
matching the abnormal program behavior characteristic data with preset characteristics in a supervised clustering mode;
and determining abnormal program behavior data according to the program behavior characteristic data which is not matched with the preset characteristics in the abnormal program behavior characteristic data.
2. The abnormal program behavior detection method of claim 1, wherein the obtaining program behavior data corresponding to the program detection request from a blockchain system in response to a program detection request initiated by a user comprises:
after receiving the program detection request, storing program behavior data corresponding to a target application program for which the program detection request is directed in at least two cache regions;
and acquiring the program behavior data from at least one cache region.
3. The abnormal program behavior detection method of claim 1, wherein the unsupervised cluster analysis of the program behavior feature data to obtain outlier feature data and program behavior feature data other than the outlier feature data comprises:
preprocessing the program behavior characteristic data;
and carrying out unsupervised clustering analysis on the preprocessed program behavior characteristic data to obtain program behavior characteristic data except for outlier characteristic data.
4. The abnormal program behavior detection method of claim 3, wherein the preprocessing the program behavior feature data comprises:
carrying out normalization processing and dimension reduction processing on the program behavior characteristic data.
5. The abnormal program behavior detection method according to claim 1, wherein the determining abnormal program behavior data according to program behavior feature data that does not match the preset feature in the abnormal program behavior feature data includes:
sending the program behavior characteristic data which is not matched with the preset characteristics in the abnormal program behavior characteristic data to a user for manual detection;
receiving the program behavior feature data that did not pass the manual detection, and determining abnormal program behavior data based on the program behavior feature data that did not pass the manual detection.
6. The abnormal program behavior detection method of claim 1, wherein, before the program behavior data corresponding to the program detection request is obtained from a blockchain system in response to a user-initiated program detection request, the method comprises:
acquiring the program behavior data, converting the program behavior data into a preset format, and storing the program behavior data in the preset format in the blockchain system.
7. An abnormal program behavior detection apparatus, comprising:
the acquisition module is used for responding to a program detection request initiated by a user, acquiring program behavior data corresponding to the program detection request from a blockchain system, and acquiring program behavior characteristic data from the program behavior data;
the clustering module is used for carrying out unsupervised clustering analysis on the program behavior characteristic data to obtain outlier characteristic data and program behavior characteristic data except the outlier characteristic data;
the identification module is used for training a machine learning model by using program behavior characteristic data except the outlier characteristic data, inputting the outlier characteristic data into the machine learning model, and distributing a label for the outlier characteristic data by the machine learning model; identifying abnormal program behavior characteristic data according to the output result of the machine learning model; matching the abnormal program behavior characteristic data with preset characteristics in a supervised clustering mode; and determining abnormal program behavior data according to the program behavior characteristic data which is not matched with the preset characteristics in the abnormal program behavior characteristic data.
8. The abnormal program behavior detection apparatus of claim 7, wherein the acquisition module is configured to: after receiving the program detection request, storing program behavior data corresponding to a target application program for which the program detection request is directed in at least two cache regions; and acquiring the program behavior data from at least one cache region.
9. The abnormal program behavior detection apparatus of claim 7, wherein the clustering module is configured to: preprocessing the program behavior characteristic data; and carrying out unsupervised clustering analysis on the preprocessed program behavior characteristic data to obtain program behavior characteristic data except for outlier characteristic data.
10. The abnormal program behavior detection apparatus of claim 9, wherein the clustering module is further configured to: and carrying out normalization processing and dimension reduction processing on the program behavior characteristic data.
11. The abnormal program behavior detection apparatus of claim 7, wherein the identification module is further configured to: sending the program behavior characteristic data which is not matched with the preset characteristics in the abnormal program behavior characteristic data to a user for manual detection; receiving the program behavior feature data that did not pass the manual detection, and determining abnormal program behavior data based on the program behavior feature data that did not pass the manual detection.
12. The abnormal program behavior detection apparatus of claim 7, wherein the obtaining module is further configured to: acquiring the program behavior data, converting the program behavior data into a preset format, and storing the program behavior data in the preset format in the blockchain system.
13. An electronic device, comprising: a processor; a memory having stored thereon computer readable instructions which, when executed by the processor, implement the abnormal program behavior detection method of any of claims 1-6.
14. A computer-readable storage medium storing computer program instructions which, when executed by a computer, cause the computer to perform the abnormal program behavior detection method of any one of claims 1 to 6.
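
The detection flow of claims 1 and 4, as an added Python example that is not code from the patent. The patent names no algorithms, so the neighbour-count outlier rule, the centroid-distance model, the thresholds and the three feature columns are assumptions, and the sample records are constructed.

```python
import math

def normalize(rows):
    """Min-max scale each feature column to [0, 1] (claim 4, normalization only)."""
    cols = list(zip(*rows))
    lo, hi = [min(c) for c in cols], [max(c) for c in cols]
    return [tuple((v - l) / (h - l) if h > l else 0.0
                  for v, l, h in zip(r, lo, hi)) for r in rows]

def split_outliers(points, eps=0.15, min_pts=3):
    """Unsupervised step (assumed rule): fewer than min_pts neighbours within eps."""
    inliers, outliers = [], []
    for i, p in enumerate(points):
        near = sum(1 for q in points if math.dist(p, q) <= eps) - 1  # exclude self
        (inliers if near >= min_pts else outliers).append(i)
    return inliers, outliers

def train(points):
    """Assumed model: centroid of the inliers plus a mean + 3*std distance limit."""
    centroid = tuple(sum(c) / len(points) for c in zip(*points))
    d = [math.dist(p, centroid) for p in points]
    mean = sum(d) / len(d)
    std = math.sqrt(sum((x - mean) ** 2 for x in d) / len(d))
    return centroid, mean + 3 * std

def detect(raw, preset, match_radius=0.1):
    """Indices of records labelled abnormal that match no preset feature."""
    pts = normalize(raw + preset)            # scale records and presets together
    samples, presets = pts[:len(raw)], pts[len(raw):]
    inl, outl = split_outliers(samples)
    centroid, limit = train([samples[i] for i in inl])   # trained on non-outliers only
    abnormal = [i for i in outl if math.dist(samples[i], centroid) > limit]
    return [i for i in abnormal                           # drop preset matches
            if all(math.dist(samples[i], s) > match_radius for s in presets)]

# Constructed records: (CPU %, files written per minute, outbound connections per minute)
RAW = [(10, 5, 2), (12, 6, 2), (11, 5, 3), (9, 4, 2),
       (10, 6, 3), (13, 5, 2), (11, 4, 3), (12, 5, 2),
       (15, 90, 3),    # index 8: heavy file writes, close to the preset feature
       (80, 7, 60)]    # index 9: high CPU and many connections, matches nothing
PRESET = [(14, 92, 3)]  # constructed preset feature

if __name__ == "__main__":
    print("sent for manual detection:", detect(RAW, PRESET))
```

Only the records returned by `detect` would go on to the manual detection step of claim 5.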

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911183934.2A CN111026653B (en) 2019-09-16 2019-09-16 Abnormal program behavior detection method and device, electronic equipment and storage medium

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910872409.5A CN110716868B (en) 2019-09-16 2019-09-16 Abnormal program behavior detection method and device
CN201911183934.2A CN111026653B (en) 2019-09-16 2019-09-16 Abnormal program behavior detection method and device, electronic equipment and storage medium

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN201910872409.5A Division CN110716868B (en) 2019-09-16 2019-09-16 Abnormal program behavior detection method and device

Publications (2)

Publication Number Publication Date
CN111026653A (en) 2020-04-17
CN111026653B (en) 2022-04-08

Family

ID=69210508

Family Applications (2)

Application Number Title Priority Date Filing Date
CN201910872409.5A Active CN110716868B (en) 2019-09-16 2019-09-16 Abnormal program behavior detection method and device
CN201911183934.2A Active CN111026653B (en) 2019-09-16 2019-09-16 Abnormal program behavior detection method and device, electronic equipment and storage medium

Family Applications Before (1)

Application Number Title Priority Date Filing Date
CN201910872409.5A Active CN110716868B (en) 2019-09-16 2019-09-16 Abnormal program behavior detection method and device

Country Status (1)

Country Link
CN (2) CN110716868B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111343161B (en) * 2020-02-14 2021-12-10 平安科技(深圳)有限公司 Abnormal information processing node analysis method, abnormal information processing node analysis device, abnormal information processing node analysis medium and electronic equipment
CN112015705A (en) * 2020-06-05 2020-12-01 浙商银行股份有限公司 Block chain log monitoring method based on deep learning
CN113886213A (en) * 2020-06-29 2022-01-04 腾讯科技(深圳)有限公司 Program data processing method, device, computer readable storage medium and equipment
CN113010268B (en) * 2021-03-22 2022-10-04 腾讯科技(深圳)有限公司 Malicious program identification method and device, storage medium and electronic equipment
CN113640675B (en) * 2021-07-29 2022-05-20 南京航空航天大学 Aviation lithium battery abnormity detection method based on Snippets characteristic extraction
CN116820539B (en) * 2023-08-30 2023-11-10 深圳市秦丝科技有限公司 System software operation maintenance system and method based on Internet

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106371939A (en) * 2016-09-12 2017-02-01 山东大学 Time-series data exception detection method and system thereof
CN109376381A (en) * 2018-09-10 2019-02-22 平安科技(深圳)有限公司 Method for detecting abnormality, device, computer equipment and storage medium are submitted an expense account in medical insurance
CN109948728A (en) * 2019-03-28 2019-06-28 第四范式(北京)技术有限公司 The method and apparatus of the training of abnormal transaction detection model and abnormal transaction detection
CN110059775A (en) * 2019-05-22 2019-07-26 湃方科技(北京)有限责任公司 Rotary-type mechanical equipment method for detecting abnormality and device
CN110177108A (en) * 2019-06-02 2019-08-27 四川虹微技术有限公司 A kind of anomaly detection method, device and verifying system

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9558347B2 (en) * 2013-08-27 2017-01-31 Globalfoundries Inc. Detecting anomalous user behavior using generative models of user actions
JP2015161745A (en) * 2014-02-26 2015-09-07 株式会社リコー pattern recognition system and program
CN106778259B (en) * 2016-12-28 2020-01-10 北京明朝万达科技股份有限公司 Abnormal behavior discovery method and system based on big data machine learning
CN109032829B (en) * 2018-07-23 2020-12-08 腾讯科技(深圳)有限公司 Data anomaly detection method and device, computer equipment and storage medium
CN109766393A (en) * 2018-12-06 2019-05-17 中科恒运股份有限公司 Abnormal deviation data examination method and device

Also Published As

Publication number Publication date
CN110716868A (en) 2020-01-21
CN110716868B (en) 2022-02-25
CN111026653A (en) 2020-04-17

Legal Events

Date Code Title Description
PB01 Publication
REG Reference to a national code (Ref country code: HK; Ref legal event code: DE; Ref document number: 40021432; Country of ref document: HK)
SE01 Entry into force of request for substantive examination
GR01 Patent grant