CN111062019A - User attack detection method and device and electronic equipment - Google Patents

Publication number
CN111062019A
Authority
CN
China
Prior art keywords
detection
user
attack detection
sample
counterfeiting
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201911286350.8A
Other languages
Chinese (zh)
Inventor
宗志远
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alipay Hangzhou Information Technology Co Ltd
Original Assignee
Alipay Hangzhou Information Technology Co Ltd
Application filed by Alipay Hangzhou Information Technology Co Ltd
Priority to CN201911286350.8A
Publication of CN111062019A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/32 User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G06F18/2148 Generating training patterns; Bootstrap methods, e.g. bagging or boosting characterised by the process organisation or structure, e.g. boosting cascade
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00 Machine learning

Abstract

A user attack detection method is disclosed. The method is applied to a security detection system that carries an attack detection model. The method comprises: extracting biometric features and behavior features related to a user from a privacy-desensitized real-time data stream of a connected business system; performing anti-counterfeiting detection on the biometric features to obtain a corresponding anti-counterfeiting detection result; constructing a training sample based on the behavior features, and labeling the training sample by using the anti-counterfeiting detection result as the sample label; and training the attack detection model based on the labeled training sample, so as to update the attack detection model carried by the security detection system in real time. User attack detection is thereby performed based on the attack detection model, and the accuracy and real-time performance of attack detection are greatly improved.

Description

User attack detection method and device and electronic equipment
Technical Field
The application relates to the technical field of machine learning and computer application, in particular to a user attack detection method, a user attack detection device and electronic equipment.
Background
Machine learning techniques have changed significantly over the past decade, from purely academic research in laboratories to widespread use in various production areas, such as: financial industry, e-commerce retail industry, IT industry, medical industry, and the like. Machine learning models are essentially algorithms that attempt to learn potential patterns and relationships from data, rather than building invariant rules through code.
AI (Artificial Intelligence) technology is a new scientific technology for studying and developing theories, methods, techniques and application systems for simulating, extending and expanding human Intelligence. AI attempts to understand the essence of intelligence and produces a new intelligent machine that can react in a manner similar to human intelligence, and its application areas can include robotics, speech recognition, image recognition, natural language processing, and expert systems, among others.
With the development of the internet and the mobile internet, the number of business applications based on them keeps increasing, and business applications deployed on the public network often face various malicious attacks. As AI technology develops, the means of malicious attack are also becoming more and more sophisticated. For example, face forgery, voice forgery, video forgery, and the like can be carried out based on AI technology in order to mount a malicious attack.
Disclosure of Invention
The application provides a user attack detection method applied to a security detection system, wherein the security detection system carries an attack detection model; the method comprises the following steps:
extracting biometric features and behavior features related to a user from a privacy-desensitized real-time data stream of a connected business system;
performing anti-counterfeiting detection on the biometric features to obtain a corresponding anti-counterfeiting detection result;
constructing a training sample based on the behavior features, and labeling the training sample by using the anti-counterfeiting detection result as the sample label;
and training the attack detection model based on the labeled training sample, so as to update the attack detection model carried by the security detection system in real time.
Optionally, the method further includes:
extracting user-related behavior features from a historical data stream of the connected business system.
Optionally, performing anti-counterfeiting detection on the biometric features includes:
inputting the biometric data into a plurality of biometric anti-counterfeiting detection models for joint detection;
and performing a weighted calculation on the anti-counterfeiting detection results of the plurality of biometric anti-counterfeiting detection models to obtain the anti-counterfeiting detection result of the biometric data.
Optionally, constructing a training sample based on the behavior features includes:
constructing the training sample based on the user-related behavior features extracted from the privacy-desensitized real-time data stream of the connected business system and the user-related behavior features extracted from the privacy-desensitized historical data stream of the connected business system.
Optionally, training the attack detection model based on the labeled training sample, so as to update the attack detection model carried by the security detection system in real time, includes:
retraining the attack detection model based on the labeled training sample, so as to update the attack detection model carried by the security detection system in real time; or,
performing incremental training on the attack detection model based on the labeled training sample, so as to update the attack detection model carried by the security detection system in real time.
Optionally, the biometric features comprise any one or a combination of more of the following: face data of the user, voice data of the user, iris data of the user, fingerprint data of the user, and handwriting data of the user.
Optionally, the method further includes:
performing, based on the trained attack detection model, attack detection on a privacy-desensitized real-time data stream to be detected that is obtained from the connected business system, to obtain a corresponding detection result.
The application also provides a user attack detection device applied to a security detection system, wherein the security detection system carries an attack detection model; the device comprises:
a feature extraction module, configured to extract biometric features and behavior features related to a user from a privacy-desensitized real-time data stream of a connected business system;
an anti-counterfeiting detection module, configured to perform anti-counterfeiting detection on the biometric features to obtain a corresponding anti-counterfeiting detection result;
a sample construction module, configured to construct a training sample based on the behavior features and to label the training sample by using the anti-counterfeiting detection result as the sample label;
and a training update module, configured to train the attack detection model based on the labeled training sample, so as to update the attack detection model carried by the security detection system in real time.
Optionally, the feature extraction module is further configured to:
extract user-related behavior features from a historical data stream of the connected business system.
Optionally, the anti-counterfeiting detection module is further configured to:
input the biometric data into a plurality of biometric anti-counterfeiting detection models for joint detection;
and perform a weighted calculation on the anti-counterfeiting detection results of the plurality of biometric anti-counterfeiting detection models to obtain the anti-counterfeiting detection result of the biometric data.
Optionally, the sample construction module is further configured to:
construct the training sample based on the user-related behavior features extracted from the privacy-desensitized real-time data stream of the connected business system and the user-related behavior features extracted from the privacy-desensitized historical data stream of the connected business system.
Optionally, the training update module is further configured to:
retrain the attack detection model based on the labeled training sample, so as to update the attack detection model carried by the security detection system in real time; or,
perform incremental training on the attack detection model based on the labeled training sample, so as to update the attack detection model carried by the security detection system in real time.
Optionally, the biometric features comprise any one or a combination of more of the following: face data of the user, voice data of the user, iris data of the user, fingerprint data of the user, and handwriting data of the user.
Optionally, the device further includes:
an attack detection module, configured to perform, based on the trained attack detection model, attack detection on a privacy-desensitized real-time data stream to be detected that is obtained from the connected business system, to obtain a corresponding detection result.
The application also provides an electronic device, which comprises a communication interface, a processor, a memory and a bus, wherein the communication interface, the processor and the memory are mutually connected through the bus;
the memory stores machine-readable instructions, and the processor executes the method by calling the machine-readable instructions.
The present application also provides a machine-readable storage medium having stored thereon machine-readable instructions which, when invoked and executed by a processor, implement the above-described method.
In the above embodiments, biometric features and behavior features related to the user are extracted from the privacy-desensitized real-time data stream of the connected business system; anti-counterfeiting detection is performed on the biometric features; a training sample is constructed based on the behavior features and labeled by using the anti-counterfeiting detection result as the sample label; and the attack detection model carried by the security detection system is then trained on the labeled training sample so that it is updated in real time. User attack detection is thereby performed based on the attack detection model, and the accuracy and real-time performance of attack detection are greatly improved.
Drawings
FIG. 1 is a flow chart of a method for user attack detection provided by an exemplary embodiment;
FIG. 2 is a schematic diagram of an attack detection process provided by an exemplary embodiment;
FIG. 3 is a hardware block diagram of an electronic device provided by an exemplary embodiment;
FIG. 4 is a block diagram of a user attack detection apparatus according to an exemplary embodiment.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
In order to make those skilled in the art better understand the technical solution in the embodiment of the present specification, the following briefly describes the related technology of user attack detection related to the embodiment of the present specification.
In general, existing technical solutions for user attack detection mainly comprise a blacklist/whitelist mechanism, a rule engine mechanism based on the manually summarized experience of security experts, and simple models for user attack detection:
the blacklist/whitelist mechanism mainly consists of intercepting blacklisted users and letting whitelisted users through while users send requests to the system, according to the result of business feedback or information feedback;
the rule engine mechanism relies on policies formulated by experts: when a user request meets the conditions of one or more rules, corresponding handling is carried out, for example, a verification code is issued for human-machine verification;
the simple model applies attack detection only to single-modality data, for example, automatically mining logs to discover risks, or discovering fake faces through liveness detection.
The existing user attack detection solutions described above are relatively simple to implement and deploy, but their detection accuracy and real-time performance are relatively poor, and the detection can be discovered and bypassed by an attacker.
Based on this, the present specification aims to provide a technical solution for performing user attack detection by training and updating an attack detection model in real time based on multi-modal user-related biometric features and behavior features.
In implementation, the security detection system carries an attack detection model; the security detection system extracts biometric features and behavior features related to a user from a privacy-desensitized real-time data stream of a connected business system, and performs anti-counterfeiting detection on the biometric features.
Further, the security detection system constructs a training sample based on the behavior features and labels the training sample by using the anti-counterfeiting detection result as the sample label; it then trains the attack detection model based on the labeled training sample, so as to update the attack detection model carried by the security detection system in real time.
Further, based on the trained attack detection model, attack detection is performed on a privacy-desensitized real-time data stream to be detected that is obtained from the connected business system, and a corresponding detection result is obtained.
In this technical solution, biometric features and behavior features related to the user are extracted from the privacy-desensitized real-time data stream of the connected business system; anti-counterfeiting detection is performed on the biometric features; a training sample is constructed based on the behavior features and labeled by using the anti-counterfeiting detection result as the sample label; and the attack detection model carried by the security detection system is then trained on the labeled training sample so that it is updated in real time. User attack detection is thereby performed based on the attack detection model, and the accuracy and real-time performance of attack detection are greatly improved.
The present specification is described below with reference to specific embodiments and specific application scenarios.
Referring to FIG. 1, FIG. 1 is a flowchart of a user attack detection method provided in an embodiment of the present specification. The method is applied to a security detection system that carries an attack detection model, and comprises the following steps:
Step 102: extract biometric features and behavior features related to the user from the privacy-desensitized real-time data stream of the connected business system.
Step 104: perform anti-counterfeiting detection on the biometric features to obtain a corresponding anti-counterfeiting detection result.
Step 106: construct a training sample based on the behavior features, and label the training sample by using the anti-counterfeiting detection result as the sample label.
Step 108: train the attack detection model based on the labeled training sample, so as to update the attack detection model carried by the security detection system in real time.
In this specification, the business system may include a machine or a machine cluster in any business form. For example, in practical applications, the business system may be the business system corresponding to an application such as Taobao, Tmall, Alipay, alisma, and the like.
In this specification, the security detection system may include a machine or a machine cluster that is connected to the business system and performs attack detection on the business system's privacy-desensitized online real-time data stream and offline historical data stream.
For example, in practical applications, the security detection system may include a machine or a machine cluster that is connected to the business system corresponding to an application such as Taobao, Tmall, Alipay, and arri, and performs attack detection on the privacy-desensitized online real-time data stream and offline historical data stream of that business system.
In this specification, the attack detection model refers to a machine learning model or a set of multiple machine learning models that are run on the security detection system and perform attack detection.
For example, in practical applications, the attack detection model may include a machine learning model based on a deep neural network, a convolutional neural network, a recurrent neural network, or a combination thereof.
For another example, in practical applications, the attack detection model may be a machine learning model with a wide-and-deep (Wide & Deep) architecture, that is, a hybrid machine learning model obtained by jointly training a wide machine learning model and a deep machine learning model.
For another example, in practical applications, the attack detection model may be a hybrid machine learning model obtained by performing integrated training on a plurality of decision tree models based on the XGBoost (eXtreme Gradient Boosting) algorithm architecture.
For ease of understanding, the concept of "joint training" is introduced here. In training machine learning models there are two easily confused concepts: "joint training" and "integrated training". Joint training means that the same training sample is input to each of a plurality of machine learning models for training; during the optimization of the plurality of models, all of their model parameters are updated simultaneously, and the outputs of the models are weighted and summed to serve as the output of the hybrid model.
Integrated training means that the plurality of machine learning models are each trained independently: the model parameters updated during training are not related across models, and the prediction results that the models respectively output for a prediction sample are combined only at prediction time.
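The difference between the two training modes, as an added example that is not taken from the patent: two small logistic models each see their own feature view. In joint training both are updated from one shared error on the weighted sum of their outputs; in integrated training each is fitted on its own and the results are only averaged at prediction time. The sample data, learning rate, and 0.5/0.5 mixing weights are constructed for illustration.

```python
import math


def _sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def _dot(w, x):
    return sum(wi * xi for wi, xi in zip(w, x))


# Constructed samples: (feature view for model A, feature view for model B, label).
SAMPLES = [
    ([1.0, 0.9], [1.0, 0.2], 1),
    ([1.0, 0.1], [1.0, 0.3], 0),
    ([1.0, 0.8], [1.0, 0.7], 1),
    ([1.0, 0.2], [1.0, 0.1], 0),
]


def train_joint(samples, epochs=50, lr=0.5, mix=(0.5, 0.5)):
    """Joint training: one loss on the weighted sum of both outputs, so each
    step updates both models' parameters from the same error term."""
    wa = [0.0] * len(samples[0][0])
    wb = [0.0] * len(samples[0][1])
    for _ in range(epochs):
        for xa, xb, y in samples:
            err = _sigmoid(mix[0] * _dot(wa, xa) + mix[1] * _dot(wb, xb)) - y
            wa = [w - lr * err * mix[0] * v for w, v in zip(wa, xa)]
            wb = [w - lr * err * mix[1] * v for w, v in zip(wb, xb)]
    return wa, wb


def _train_single(pairs, epochs, lr):
    w = [0.0] * len(pairs[0][0])
    for _ in range(epochs):
        for x, y in pairs:
            err = _sigmoid(_dot(w, x)) - y
            w = [wi - lr * err * v for wi, v in zip(w, x)]
    return w


def train_integrated(samples, epochs=50, lr=0.5):
    """Integrated training: each model is fitted on its own loss; neither
    model's parameters depend on the other model."""
    wa = _train_single([(xa, y) for xa, _, y in samples], epochs, lr)
    wb = _train_single([(xb, y) for _, xb, y in samples], epochs, lr)
    return wa, wb


def predict_joint(wa, wb, xa, xb, mix=(0.5, 0.5)):
    return _sigmoid(mix[0] * _dot(wa, xa) + mix[1] * _dot(wb, xb))


def predict_integrated(wa, wb, xa, xb):
    # Results are combined only at prediction time.
    return 0.5 * (_sigmoid(_dot(wa, xa)) + _sigmoid(_dot(wb, xb)))


def blank_view_a(samples):
    """Same samples with model A's input zeroed, to probe parameter coupling."""
    return [([0.0] * len(xa), xb, y) for xa, xb, y in samples]


if __name__ == "__main__":
    # Model B's weights change with A's input only under joint training.
    print("integrated B unchanged:",
          train_integrated(SAMPLES)[1] == train_integrated(blank_view_a(SAMPLES))[1])
    print("joint B unchanged:     ",
          train_joint(SAMPLES)[1] == train_joint(blank_view_a(SAMPLES))[1])
```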
In the present specification, the biometric features described above may include any form of biometric features associated with the user.
In one embodiment, the biometric feature includes any one or more of face data of the user, voice data of the user, iris data of the user, fingerprint data of the user, and handwriting data of the user.
For example, the biometric features may include any one or a combination of a plurality of data, such as a picture and a video of a face of the user, a recording of a user speaking and singing at the terminal, handwritten characters input by the user through the terminal, and iris information collected by the user through the terminal.
In this specification, the behavior feature may include any form of behavior feature related to the user.
For example, in practical applications, the behavior features may include: the device type, number, and terminal system type of the terminal devices the user logs in on; the account information and the sequence of business operations with which the user logs in and operates on a terminal device; the time, place, and IP address of the user's logins; whether the user is active; the devices and users associated with the user's account; and the like. The specific content and storage of the behavior features are not particularly limited in this specification.
In this specification, the security detection system extracts the biometric feature and the behavioral feature from a real-time data stream of the business system.
For example, in practical applications, the security detection system may extract the biometric features and the behavior features from the real-time data stream of the business system through a real-time computing engine that it carries. The real-time computing engine may be any one of Flink (an open-source real-time computing engine), Blink (a modified open-source real-time computing engine based on Flink, developed by Alibaba), Spark (a real-time computing engine with a general parallel framework similar to Hadoop MapReduce), and Storm (an open-source real-time computing engine from Twitter). For the specific architecture and real-time computing principles of these engines, refer to the technical documentation for Flink, Blink, Spark, and Storm, which is not repeated here.
In an embodiment, in addition to extracting the behavior features from the real-time data stream of the business system, the security detection system may also extract user-related behavior features from a historical data stream of the connected business system.
For example, in practical applications, in addition to extracting the behavior features from the real-time data stream of the business system, the security detection system may also extract user-related behavior features from the historical data stream of the business system through an offline computing engine that it carries. The offline computing engine may be Hive (an open-source offline computing engine based on the Hadoop architecture) or ODPS (Open Data Processing Service, an offline computing engine developed by Alibaba). For the specific architecture and offline computing principles of these engines, refer to the technical documentation for Hive and ODPS, which is not repeated here.
For ease of understanding, the concepts of offline computation and real-time computation are briefly described here. Offline computation refers to computation and analysis over accumulated data. It usually operates on massive static data that has accumulated over a long time (usually on the order of days, weeks, months, or years), requires a large amount of storage space, involves a large volume of computation, and takes a long time (for example, on the order of hours or more). For example, in practical applications, offline computation may be used in scenarios where accumulated data on the order of hundreds of GB, TB, or even PB is computed.
Compared with offline computation, real-time computation usually operates on a small amount of dynamic data. The dynamic changes of the data cannot be predicted, but the volume of computation is relatively small, and results are usually required within a short computation time (for example, on the order of milliseconds, seconds, or minutes). For example, in practical applications, real-time computation may be used in scenarios that require a short computation time, such as flash sales and large-scale product promotions.
In this specification, the security detection system may perform anti-counterfeiting detection on the biometric features to obtain a corresponding anti-counterfeiting detection result.
Taking a face picture as the biometric feature for illustration, the security detection system performs anti-counterfeiting detection on the extracted face picture of the user.
In one embodiment, while performing anti-counterfeiting detection on the biometric features, the security detection system inputs the biometric data into a plurality of biometric anti-counterfeiting detection models for joint detection.
Continuing the example, the security detection system inputs the extracted face pictures of the user into a plurality of face anti-counterfeiting detection models for joint detection; the plurality of face anti-counterfeiting detection models may include a face PS detection model, a face screen replay detection model, a face synthesis detection model, and a face image watermark detection model.
The types and number of the biometric anti-counterfeiting detection models are not particularly limited in this specification.
In this specification, the security detection system may further perform a weighted calculation on the anti-counterfeiting detection results of the plurality of biometric anti-counterfeiting detection models to obtain the anti-counterfeiting detection result of the biometric data.
In implementation, the security detection system weights the anti-counterfeiting detection results of the plurality of biometric anti-counterfeiting detection models by the detection confidence of each model; the detection confidences of the models can be obtained from historical statistics.
Continuing the example, the security detection system weights the anti-counterfeiting detection results respectively output by the face PS detection model, the face screen replay detection model, the face synthesis detection model, and the face image watermark detection model according to the detection confidence of each model, to obtain the anti-counterfeiting detection result corresponding to the face picture; a face picture can be determined to be a forged or a non-forged face picture depending on whether its anti-counterfeiting detection result is greater than or less than a preset threshold.
The data format of the anti-counterfeiting detection result of the biometric features is not particularly limited in this specification. For example, the anti-counterfeiting detection result may be 1, indicating that the biometric feature is forged, or 0, indicating that the biometric feature is not forged.
In this specification, the safety detection system constructs a training sample based on the behavior characteristics.
The biological characteristics are taken as face pictures for illustration, and the safety detection system constructs training samples based on user behavior characteristics corresponding to the face pictures.
In an embodiment shown, in the process of constructing the training sample based on the behavior feature, the security detection system may further construct the training sample based on the user-related behavior feature extracted from the real-time data stream of the business system and the user-related behavior feature extracted from the historical data stream of the business system.
Continuing the example from the above example, in the process of constructing the training sample based on the behavior feature, the security detection system may further construct the training sample based on the behavior feature related to the user extracted from the real-time data stream of the business system and the behavior feature related to the user extracted from the historical data stream of the business system; that is, the training samples include a picture of a face of a user, and real-time behavior features and historical behavior features of the user.
In this specification, after a training sample is constructed based on the behavior characteristics, the security detection system further performs sample labeling on the training sample using the anti-counterfeiting detection result as a sample label.
Continuing with the above example, the security detection system uses the obtained anti-counterfeiting detection results of the face pictures respectively corresponding to the million users (for example, the anti-counterfeiting detection results may include an anti-counterfeiting detection result indicating that the face picture is forged and an anti-counterfeiting detection result indicating that the face picture is not forged) as sample labels. Similarly, the security detection system takes the anti-counterfeiting detection results of the face pictures respectively corresponding to the million users as sample marks of the behavior characteristics of the users to construct training samples corresponding to the million users.
In this specification, after the training samples are sample-labeled, the security detection system trains the attack detection model based on the sample-labeled training samples to update the attack detection model in real time.
Continuing the example from the above example, after training samples of behavior features corresponding to the faces of millions of users are constructed, the security detection system may train the attack detection model through a mounted real-time computing engine (e.g., Flink, Blink, Spark, Storm, etc.) to update the attack detection model in real time.
It should be noted that, the security detection system can process mass data in real time through the real-time computing engine, and thus training and updating speeds of the attack detection model are greatly increased.
In one embodiment, in the process of training the attack detection model based on the training sample labeled with a sample to update the attack detection model in real time, the security detection system retrains the attack detection model based on the training sample labeled with a sample to update the attack detection model in real time.
Continuing the example, the security detection system retrains the attack detection model, to update it in real time, using the training samples corresponding to the million users (comprising the behavior characteristics corresponding to the faces of the million users and the anti-counterfeiting detection results indicating whether those faces are forged).
It should be noted that retraining the attack detection model refers to extracting user-related behavior features from the privacy-desensitized real-time data stream of the service system within a preset time period (for example, one day) and extracting user-related behavior features from the privacy-desensitized historical data stream of the service system, and using the user-related behavior features as training samples to retrain the attack detection model.
In another illustrated embodiment, in the process of training the attack detection model based on the sample-labeled training samples to update the attack detection model in real time, the security detection system performs incremental training on the attack detection model based on the sample-labeled training samples, so as to update the attack detection model carried by the security detection system in real time.
Continuing the example, the security detection system performs incremental training on the attack detection model using the training samples corresponding to the million users (comprising the behavior characteristics corresponding to the faces of the million users and the anti-counterfeiting detection results indicating whether those faces are forged), so as to update the attack detection model carried by the security detection system in real time.
It should be noted that incremental training of the attack detection model means that, starting from an attack detection model already trained on the user-related behavior features extracted from the privacy-desensitized historical data stream of the service system, the user-related behavior features and the corresponding sample labels (for example, the anti-counterfeiting detection result for the face of the user) are extracted from the privacy-desensitized real-time data stream of the service system within a preset time period (for example, one day) and used for incremental training. Compared with technical schemes based on a black-and-white list mechanism, an expert-experience rule engine mechanism or a simple model, retraining the attack detection model and repeatedly performing iterative incremental training on it can increase the updating speed of the attack detection model.
In this specification, after the attack detection model is updated in real time, the security detection system performs attack detection on the service system using the attack detection model updated in real time.
In an embodiment shown, the security detection system performs attack detection on the real-time data stream to be detected acquired from the service system based on the trained attack detection model, and obtains a corresponding detection result.
Continuing the example, the security detection system acquires the privacy-desensitized real-time data stream to be detected from the service system and extracts from it the biological features (such as face features) and behavior features (such as user operation behaviors) related to the user; it first performs anti-counterfeiting detection on the biological features (such as face features) related to the user to obtain the anti-counterfeiting detection result corresponding to the user; when that result indicates that the biological feature is 'non-counterfeit' or 'counterfeit', the behavior features of the user are further input into the attack detection model for detection, yielding a detection result of whether the real-time data stream contains attack traffic (such as forged faces, abnormal behavior and the like).
Compared with technical schemes based on a black-and-white list mechanism, an expert-experience rule engine mechanism or a simple model, multi-modal features are extracted here by real-time streaming analysis on a big data engine, so that an attacker's abnormal activity can be tracked automatically from multiple dimensions and the attacker can be prevented from bypassing detection; at the same time, compared with a single-modal detection mode, the detection accuracy and real-time performance are greatly improved.
For convenience of understanding, the main processes of the above-illustrated technical solutions are generally described, and refer to fig. 2 below.
Referring to fig. 2, fig. 2 is a schematic diagram of an attack detection process according to an embodiment of the present disclosure.
As shown in fig. 2, the security detection system takes the "user-related biometric and behavioral features extracted from the real-time data stream"; after anti-counterfeiting detection is performed on the biological features, an anti-counterfeiting detection result is obtained, which the security detection system uses as the sample label corresponding to the behavior features; the security detection system trains a behavior detection model on the user-related behavior features extracted from the historical data stream; the security detection system inputs the "behavior features" of the user and the "sample labels" corresponding to the behavior features into the behavior detection model, and retrains or incrementally trains the behavior model to obtain a "trained behavior model". The security detection system inputs the real-time data stream to be detected into the trained behavior model for prediction and obtains the corresponding attack detection result.
In the technical scheme, biological characteristics and behavior characteristics related to a user are extracted from a real-time data stream after privacy desensitization of a butted service system; and, performing anti-counterfeiting detection on the biological characteristics; constructing a training sample based on the behavior characteristics, and performing sample marking on the training sample by taking an anti-counterfeiting detection result as a sample label; furthermore, based on the training sample marked by the sample, the attack detection model carried by the safety detection system is trained so as to update the attack detection model carried by the safety detection system in real time, thereby realizing the user attack detection based on the attack detection model and greatly improving the accuracy and the real-time performance of the attack detection.
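The following Python sketch is an added illustration, not part of the patent text: it fuses four anti-counterfeiting scores by confidence, uses the fused verdict to label behavior vectors, and then trains, incrementally updates and retrains a small logistic model standing in for the attack detection model. The confidence weights, the 0.5 threshold, the weighted-average normalisation, the two behavior features and all event data are constructed assumptions.

```python
"""Added illustration of the scheme above; all names, weights and data are assumptions."""
import math

# Assumed detection confidences (the text says they come from historical statistics).
CONFIDENCE = {"ps": 0.9, "screen_replay": 0.8, "synthesis": 0.7, "watermark": 0.6}
THRESHOLD = 0.5  # assumed preset threshold: a fused score above it means "forged"


def fuse(scores, confidence=CONFIDENCE, threshold=THRESHOLD):
    """Confidence-weighted average of per-model forgery scores in [0, 1].

    Returns (fused_score, label), label 1 = forged, 0 = non-forged. Detectors
    that produced no score are skipped and the weights are renormalised.
    """
    used = [name for name in confidence if name in scores]
    if not used:
        raise ValueError("no anti-counterfeiting model produced a score")
    total = sum(confidence[name] for name in used)
    fused = sum(confidence[name] * scores[name] for name in used) / total
    return fused, int(fused > threshold)


def build_samples(events_):
    """Label each behavior vector with the fused anti-counterfeiting verdict."""
    return [(e["behavior"], fuse(e["detector_scores"])[1]) for e in events_]


class BehaviorModel:
    """Logistic regression trained by per-sample SGD (stand-in attack detection model)."""

    def __init__(self, n_features, lr=0.5):
        self.w = [0.0] * n_features
        self.b = 0.0
        self.lr = lr

    def score(self, x):
        """Probability that the behavior vector x belongs to an attack."""
        z = self.b + sum(wi * xi for wi, xi in zip(self.w, x))
        return 1.0 / (1.0 + math.exp(-max(-30.0, min(30.0, z))))

    def fit(self, samples, epochs=200):
        """Continue from the current weights, so a second call is incremental training."""
        for _ in range(epochs):
            for x, y in samples:
                err = self.score(x) - y
                self.w = [wi - self.lr * err * xi for wi, xi in zip(self.w, x)]
                self.b -= self.lr * err
        return self


# Constructed per-model scores for a forged and a genuine face picture.
FORGED = {"ps": 0.1, "screen_replay": 0.95, "synthesis": 0.9, "watermark": 0.3}
GENUINE = {"ps": 0.1, "screen_replay": 0.2, "synthesis": 0.1, "watermark": 0.05}


def events(behaviors, scores):
    """Build constructed events pairing behavior vectors with detector scores."""
    return [{"behavior": b, "detector_scores": scores} for b in behaviors]


# Hypothetical behavior vector: [verification attempts per minute (scaled to 0..1),
# share of recent sessions from a previously unseen device].
HISTORICAL = (events([[0.1, 0.1], [0.2, 0.1], [0.1, 0.2], [0.2, 0.2]], GENUINE)
              + events([[0.9, 0.1], [0.8, 0.2], [0.9, 0.2], [0.8, 0.1]], FORGED))
# Real-time window: forged pictures now arrive with a different behavior pattern.
REALTIME = (events([[0.1, 0.1], [0.2, 0.2]], GENUINE)
            + events([[0.1, 0.9], [0.2, 0.8], [0.1, 0.8], [0.2, 0.9]], FORGED))


def run():
    """Train on history, update incrementally, and compare with full retraining."""
    hist, live = build_samples(HISTORICAL), build_samples(REALTIME)
    new_pattern, old_pattern = [0.15, 0.85], [0.85, 0.15]
    model = BehaviorModel(2).fit(hist)             # trained on the historical stream
    before = model.score(new_pattern)
    model.fit(live)                                # incremental training on the window
    retrained = BehaviorModel(2).fit(hist + live)  # the retraining alternative
    return {
        "new_before": before,
        "new_after": model.score(new_pattern),
        "old_after": model.score(old_pattern),
        "benign_after": model.score([0.15, 0.15]),
        "retrained_new": retrained.score(new_pattern),
        "retrained_old": retrained.score(old_pattern),
    }


if __name__ == "__main__":
    for name, value in run().items():
        print(f"{name}: {value:.3f}")
```

The label quality of the behavior model is bounded by the fused anti-counterfeiting verdict, so a forged picture that the detectors miss is trained into the model as benign behavior.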
Corresponding to the embodiment of the method, the application also provides an embodiment of the user attack detection device.
Corresponding to the embodiment of the method, the specification also provides an embodiment of a user attack detection device. The embodiment of the user attack detection device in the specification can be applied to electronic equipment. The device embodiments may be implemented by software, or by hardware, or by a combination of hardware and software. Taking a software implementation as an example, as a logical device, the device is formed by the processor of the electronic device where it is located reading the corresponding computer program instructions from the nonvolatile memory into the memory and running them. In terms of hardware, fig. 3 shows the hardware structure of the electronic device where the user attack detection apparatus of this specification is located; in addition to the processor, the memory, the network interface and the nonvolatile memory shown in fig. 3, the electronic device where the apparatus is located may also include other hardware according to its actual function, which is not described again.
Fig. 4 is a block diagram of a user attack detection apparatus according to an exemplary embodiment of the present specification.
Referring to fig. 4, the user attack detection apparatus 40 may be applied to the electronic device shown in fig. 3, where the apparatus is applied to a security detection system, and the security detection system is equipped with an attack detection model; the device comprises:
the feature extraction module 401 is configured to extract biological features and behavior features related to the user from the real-time data stream after the privacy desensitization of the docked service system;
the anti-counterfeiting detection module 402 is used for performing anti-counterfeiting detection on the biological characteristics to obtain a corresponding anti-counterfeiting detection result;
a sample construction module 403, configured to construct a training sample based on the behavior characteristics, and perform sample labeling on the training sample by using the anti-counterfeiting detection result as a sample label;
and a training and updating module 404 for training the attack detection model based on the training sample marked by the sample, so as to update the attack detection model carried by the security detection system in real time.
In this embodiment, the feature extraction module 401 further:
extracting user-related behavioral characteristics from the historical data stream of the docked business system.
In this embodiment, the anti-counterfeit detection module 402 further:
inputting the biological characteristic data into a plurality of biological characteristic anti-counterfeiting detection models for joint detection;
and carrying out weighted calculation on the anti-counterfeiting detection results of the biological characteristic anti-counterfeiting detection models to obtain the anti-counterfeiting detection result of the biological characteristic data.
In this embodiment, the sample construction module 403 further:
and constructing a training sample based on the user-related behavior characteristics extracted from the real-time data stream after the privacy desensitization of the docked service system and the user-related behavior characteristics extracted from the historical data stream after the privacy desensitization of the docked service system.
In this embodiment, the training update module 404 further:
retraining the attack detection model based on the training sample marked by the sample so as to update the attack detection model carried by the safety detection system in real time; or,
and performing incremental training on the attack detection model based on the training sample marked by the sample so as to update the attack detection model carried by the safety detection system in real time.
In this embodiment, the biometric features include any one or a combination of more of the following: face data of the user, voice data of the user, iris data of the user, fingerprint data of the user and handwriting data of the user.
In this embodiment, the method further includes:
an attack detection module 405 (not shown in fig. 4) performs attack detection on the to-be-detected real-time data stream after privacy desensitization acquired from the docked service system based on the trained attack detection model to obtain a corresponding detection result.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, wherein the modules described as separate parts may or may not be physically separate, and the parts displayed as modules may or may not be physical modules, may be located in one place, or may be distributed on a plurality of network modules. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the application. One of ordinary skill in the art can understand and implement it without inventive effort.
The apparatuses, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by an article with certain functions. A typical implementation device is a computer, which may take the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email messaging device, game console, tablet computer, wearable device, or a combination of any of these devices.
Corresponding to the method embodiment, the present specification also provides an embodiment of an electronic device. The electronic equipment can be applied to a security detection system, and the security detection system is loaded with an attack detection model; the electronic device includes: a processor and a memory for storing machine executable instructions; wherein the processor and the memory are typically interconnected by an internal bus. In other possible implementations, the device may also include an external interface to enable communication with other devices or components.
In this embodiment, the processor is caused to:
extracting biological characteristics and behavior characteristics related to a user from a real-time data stream after privacy desensitization of a butted service system;
performing anti-counterfeiting detection on the biological characteristics to obtain corresponding anti-counterfeiting detection results;
constructing a training sample based on the behavior characteristics, and performing sample marking on the training sample by taking the anti-counterfeiting detection result as a sample label;
and training the attack detection model based on the training sample marked by the sample so as to update the attack detection model carried by the safety detection system in real time.
In this embodiment, the processor is caused to:
extracting user-related behavioral characteristics from the historical data stream of the docked business system.
In this embodiment, the processor is caused to:
inputting the biological characteristic data into a plurality of biological characteristic anti-counterfeiting detection models for joint detection;
and carrying out weighted calculation on the anti-counterfeiting detection results of the biological characteristic anti-counterfeiting detection models to obtain the anti-counterfeiting detection result of the biological characteristic data.
In this embodiment, the processor is caused to:
and constructing a training sample based on the user-related behavior characteristics extracted from the real-time data stream after the privacy desensitization of the docked service system and the user-related behavior characteristics extracted from the historical data stream after the privacy desensitization of the docked service system.
In this embodiment, the processor is caused to:
retraining the attack detection model based on the training sample marked by the sample so as to update the attack detection model carried by the safety detection system in real time; or,
and performing incremental training on the attack detection model based on the training sample marked by the sample so as to update the attack detection model carried by the safety detection system in real time.
In this embodiment, the biometric features include any one or a combination of more of the following: face data of the user, voice data of the user, iris data of the user, fingerprint data of the user and handwriting data of the user.
In this embodiment, the processor is caused to:
and based on the trained attack detection model, carrying out attack detection on the to-be-detected real-time data stream which is acquired from the butted service system after privacy desensitization to obtain a corresponding detection result.
Other embodiments of the present disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This specification is intended to cover any variations, uses, or adaptations of the specification following, in general, the principles of the specification and including such departures from the present disclosure as come within known or customary practice within the art to which the specification pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the specification being indicated by the following claims.
It will be understood that the present description is not limited to the precise arrangements described above and shown in the drawings, and that various modifications and changes may be made without departing from the scope thereof. The scope of the present description is limited only by the appended claims.
The above description is only a preferred embodiment of the present disclosure, and should not be taken as limiting the present disclosure, and any modifications, equivalents, improvements, etc. made within the spirit and principle of the present disclosure should be included in the scope of the present disclosure.

Claims (15)

1. A user attack detection method is applied to a security detection system, and the security detection system is loaded with an attack detection model; the method comprises the following steps:
extracting biological characteristics and behavior characteristics related to a user from a real-time data stream after privacy desensitization of a butted service system;
performing anti-counterfeiting detection on the biological characteristics to obtain corresponding anti-counterfeiting detection results;
constructing a training sample based on the behavior characteristics, and performing sample marking on the training sample by taking the anti-counterfeiting detection result as a sample label;
and training the attack detection model based on the training sample marked by the sample so as to update the attack detection model carried by the safety detection system in real time.
2. The method of claim 1, further comprising:
extracting user-related behavioral characteristics from the historical data stream of the docked business system.
3. The method of claim 2, wherein the performing anti-counterfeiting detection on the biometric data comprises:
inputting the biological characteristic data into a plurality of biological characteristic anti-counterfeiting detection models for joint detection;
and carrying out weighted calculation on the anti-counterfeiting detection results of the biological characteristic anti-counterfeiting detection models to obtain the anti-counterfeiting detection result of the biological characteristic data.
4. The method of claim 3, the constructing training samples based on the behavioral features, comprising:
and constructing a training sample based on the user-related behavior characteristics extracted from the real-time data stream after the privacy desensitization of the docked service system and the user-related behavior characteristics extracted from the historical data stream after the privacy desensitization of the docked service system.
5. The method according to claim 1, wherein the training the attack detection model based on the training sample labeled by the sample to update the attack detection model carried by the security detection system in real time comprises:
retraining the attack detection model based on the training sample marked by the sample so as to update the attack detection model carried by the safety detection system in real time; or,
and performing incremental training on the attack detection model based on the training sample marked by the sample so as to update the attack detection model carried by the safety detection system in real time.
6. The method of claim 1, the biometric features comprising a combination of any one or more of the following: face data of the user, voice data of the user, iris data of the user, fingerprint data of the user and handwriting data of the user.
7. The method of claim 1, further comprising:
and based on the trained attack detection model, carrying out attack detection on the to-be-detected real-time data stream which is acquired from the butted service system after privacy desensitization to obtain a corresponding detection result.
8. A user attack detection device is applied to a security detection system, and an attack detection model is carried by the security detection system; the device comprises:
the characteristic extraction module is used for extracting biological characteristics and behavior characteristics related to a user from the real-time data stream after the privacy desensitization of the butted service system;
the anti-counterfeiting detection module is used for carrying out anti-counterfeiting detection on the biological characteristics to obtain a corresponding anti-counterfeiting detection result;
the sample construction module is used for constructing a training sample based on the behavior characteristics and marking the training sample by taking the anti-counterfeiting detection result as a sample label;
and the training updating module is used for training the attack detection model based on the training sample marked by the sample so as to update the attack detection model carried by the safety detection system in real time.
9. The apparatus of claim 8, the feature extraction module further to:
extracting user-related behavioral characteristics from the historical data stream of the docked business system.
10. The apparatus of claim 9, the anti-counterfeiting detection module further to:
inputting the biological characteristic data into a plurality of biological characteristic anti-counterfeiting detection models for joint detection;
and carrying out weighted calculation on the anti-counterfeiting detection results of the biological characteristic anti-counterfeiting detection models to obtain the anti-counterfeiting detection result of the biological characteristic data.
11. The apparatus of claim 10, the sample construction module further to:
and constructing a training sample based on the user-related behavior characteristics extracted from the real-time data stream after the privacy desensitization of the docked service system and the user-related behavior characteristics extracted from the historical data stream after the privacy desensitization of the docked service system.
12. The apparatus of claim 8, the training update module further to:
retraining the attack detection model based on the training sample marked by the sample so as to update the attack detection model carried by the safety detection system in real time; or,
and performing incremental training on the attack detection model based on the training sample marked by the sample so as to update the attack detection model carried by the safety detection system in real time.
13. The apparatus of claim 8, the biometric features comprising a combination of any one or more of the following: face data of the user, voice data of the user, iris data of the user, fingerprint data of the user and handwriting data of the user.
14. The apparatus of claim 8, further comprising:
and the attack detection module is used for carrying out attack detection on the to-be-detected real-time data stream which is acquired from the butted service system after privacy desensitization based on the trained attack detection model to obtain a corresponding detection result.
15. An electronic device comprises a communication interface, a processor, a memory and a bus, wherein the communication interface, the processor and the memory are connected with each other through the bus;
the memory has stored therein machine-readable instructions, the processor executing the method of any of claims 1 to 7 by calling the machine-readable instructions.
CN201911286350.8A 2019-12-13 2019-12-13 User attack detection method and device and electronic equipment Pending CN111062019A (en)

Publications (1)

Publication Number Publication Date
CN111062019A true CN111062019A (en) 2020-04-24

Family

ID=70301629

Country Status (1)

Country Link
CN (1) CN111062019A (en)

CN114282258A (en) Screen capture data desensitization method and device, computer equipment and storage medium
CN113362852A (en) User attribute identification method and device
CN114581702A (en) Image classification method and device, computer equipment and computer readable storage medium
CN114186039A (en) Visual question answering method and device and electronic equipment
CN112749686A (en) Image detection method, image detection device, computer equipment and storage medium
CN114676705A (en) Dialogue relation processing method, computer and readable storage medium
KR102533512B1 (en) Personal information object detection method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200424
