CN111064710A - Computer network security abnormal operation intercepting method and device and electronic equipment - Google Patents

Info

Publication number: CN111064710A
Authority: CN (China)
Prior art keywords: computer, abnormal, intercepted, operations, computer operation
Prior art date
Legal status: Pending
Application number: CN201911179999.XA
Other languages: Chinese (zh)
Inventors: 张齐全, 李明欢
Current assignee: Individual
Original assignee: Individual
Priority date
Filing date
Publication date
Application filed by Individual
Priority to CN201911179999.XA
Publication of CN111064710A

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                        • H04L63/1441 Countermeasures against malicious traffic
                    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F18/00 Pattern recognition
                    • G06F18/20 Analysing
                        • G06F18/24 Classification techniques
            • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
                • G06N3/00 Computing arrangements based on biological models
                    • G06N3/02 Neural networks
                        • G06N3/04 Architecture, e.g. interconnection topology
                            • G06N3/045 Combinations of networks

Abstract

The method acquires the operation address of each computer operation of a device to be detected and determines an abnormal score value for each computer operation. When the abnormal score value of a computer operation C is greater than or equal to a classification threshold, the feature vector of the operation address of computer operation C is acquired, the abnormal category of computer operation C is determined from that feature vector and the verification feature vector in a database, and computer operation C is intercepted according to the abnormal category. Whether the device to be detected has been invaded can therefore be determined from the operation address of each of its computer operations: even when several computer operations of the device are continuous and uninterrupted, each computer operation is analyzed individually, so that whether each one is an abnormal operation can be accurately determined and the abnormal operation effectively intercepted.

Description

Computer network security abnormal operation intercepting method and device and electronic equipment
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method and an apparatus for intercepting abnormal operations of computer network security, and an electronic device.
Background
With the continuous development of science and technology, computer networks are applied in many fields, and accordingly the security of computer networks receives more and more attention. When a user operates through a terminal device in a computer network environment, the terminal may be invaded by hackers or viruses; the invaded terminal then performs a series of abnormal operations through which the user's information is stolen, yet in the prior art such abnormal operations are difficult to intercept effectively.
Disclosure of Invention
The specification provides a method and a device for intercepting abnormal operation of computer network security and electronic equipment, and aims to solve or partially solve the technical problem that the abnormal operation is difficult to effectively intercept in the prior art.
In order to solve the above technical problem, an embodiment of the present specification discloses a method for intercepting a security abnormal operation of a computer network, where the method includes:
acquiring one or more computer operations of a device to be detected, wherein the computer operations comprise operation addresses;
determining an anomaly score value for each of the one or more computer operations, where the abnormal score value of a computer operation represents the degree to which the operation address corresponding to that computer operation is indicated to be an abnormal address;
when the abnormal score value of a computer operation C is greater than or equal to the classification threshold value, determining the feature vector of the operation address corresponding to computer operation C from the longitude and latitude information of that operation address, and determining the abnormal category of computer operation C from this feature vector and the verification feature vector in the database; where computer operation C is any one of the one or more computer operations, and the verification feature vector characterizes the common features of one class of abnormal computer operations;
and intercepting the computer operation C according to the abnormal category.
In an optional manner, intercepting the computer operation C according to the abnormal category includes:
sending a first abnormal verification association request to the device to be detected according to the abnormal category;
acquiring the abnormal code verification information sent by the device to be detected on the abnormal historical detection resource corresponding to at least one first abnormal verification association request, wherein the abnormal code verification information of different abnormal historical detection resources is pre-coded with different abnormal code vectors, and the abnormal pre-coding vectors are obtained by the device to be detected from its measurement of the first abnormal verification association request;
sending a second abnormal verification association request to the device to be detected according to the abnormal code verification information, wherein the second abnormal verification association request indicates the resource association detection information of at least one piece of abnormal code verification information;
receiving the feedback information corresponding to the resource association detection information of the at least one piece of abnormal code verification information, sent by the device to be detected according to the second abnormal verification association request;
and determining from the feedback information whether the device to be detected passes verification, and if not, intercepting the computer operation C.
In an alternative form, determining an anomaly score value for each of the one or more computer operations includes:
obtaining the signal amplitude of each computer operation, each signal amplitude comprising an amplitude burst, N being a positive integer greater than 1;
decomposing the signal amplitude by average-intensity subtraction into a first signal amplitude to be denoised and a second signal amplitude to be denoised;
inputting the second signal amplitude to be denoised into a denoising autoencoder to obtain the denoised residual signal amplitude;
superposing the first signal amplitude to be denoised and the residual signal amplitude to obtain the denoised signal amplitude;
and determining the abnormal score value of each computer operation from the denoised signal amplitude.
In an optional manner, the method further comprises:
acquiring convolution kernel parameters of K reference convolution kernels of the neural network, wherein K is a positive integer;
acquiring L groups of mask tensors of the neural network, wherein L is a positive integer, each of the L groups of mask tensors consists of a plurality of mask tensors, the elements of the L groups of mask tensors occupy fewer bits in storage than the elements of the convolution kernel parameters of the K reference convolution kernels, and each of the K reference convolution kernels corresponds to one of the L groups of mask tensors;
performing a Hadamard product of each of the K reference convolution kernels with the group of mask tensors that corresponds to it among the L groups of mask tensors, to obtain a plurality of sub-convolution kernels;
performing convolution processing on the intercepted computer operation with each of the plurality of sub-convolution kernels to obtain a plurality of convolution feature maps;
and classifying the intercepted computer operation according to the plurality of convolution feature maps to obtain a classification result for the intercepted computer operation.
In an alternative form, the method includes:
detecting a control operation for the intercepted computer operation;
judging whether the control operation meets a preset condition;
and, when the control operation meets the preset condition, displaying the intercepted computer operation on a display unit of the network server.
In an alternative form, X intercepted computer operations are displayed on the display unit, X being a positive integer, and displaying the intercepted computer operation when the control operation meets the preset condition includes the following:
when the control operation meets a first preset condition, displaying on the display unit Y intercepted computer operations other than the X intercepted computer operations, wherein Y is a positive integer;
when the control operation meets a second preset condition, controlling the X intercepted computer operations to move from a first direction to a second direction, so that at least one of the X intercepted computer operations is replaced by an intercepted computer operation other than the X intercepted computer operations.
In an optional manner, the method further comprises:
judging whether the relation between a target device and the device to be detected is a preset relation;
intercepting all computer operations of the target device when the relation between the target device and the device to be detected is the preset relation;
and, when the relation between the target device and the device to be detected is not the preset relation, acquiring one or more computer operations of the target device and performing the abnormal score value determination on them, until it is determined whether to intercept the one or more computer operations of the target device.
The embodiment of the specification discloses a computer network security abnormal operation intercepting device, which comprises:
the computer operation acquisition module is used for acquiring one or more computer operations of the device to be detected, and the computer operations comprise operation addresses;
an anomaly score value determination module to determine an anomaly score value for each of the one or more computer operations; the abnormal score value of the computer operation is used for representing the significance degree of an operation address corresponding to the computer operation as an abnormal address;
the abnormal category determining module is used for determining the characteristic vector of the operation address corresponding to the computer operation C according to the longitude and latitude information of the operation address corresponding to the computer operation C when the abnormal score value of the computer operation C is larger than or equal to the classification threshold value, and determining the abnormal category of the computer operation C according to the characteristic vector of the operation address corresponding to the computer operation C and the verification characteristic vector in the database; wherein the computer operation C is any one of the one or more computer operations and the verification feature vector is used to characterize common features of the same class of abnormal computer operations;
and the interception module is used for intercepting the computer operation C according to the abnormal category.
The present specification discloses a computer readable storage medium, on which a computer program is stored, which when executed by a processor implements the steps of the above method.
The embodiment of the specification discloses an electronic device, which comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor executes the program to realize the steps of the method.
Through one or more of the technical solutions of this specification, this specification has the following beneficial effects or advantages:
The information processing method, the electronic terminal and the electronic device disclosed in the embodiments of this specification acquire the operation address of each computer operation of a device to be tested, then determine the abnormal score value of each computer operation, acquire the feature vector of the operation address of computer operation C when the abnormal score value of computer operation C is greater than or equal to a classification threshold, determine the abnormal category of computer operation C from that feature vector and the verification feature vector in a database, and intercept computer operation C according to the abnormal category. Whether the device to be tested has been invaded can therefore be determined from the operation address of each of its computer operations, and because each computer operation is analyzed individually, whether each one is an abnormal operation can be accurately determined even when several computer operations of the device to be tested are continuous and uninterrupted, so that the abnormal operation is effectively intercepted.
The above is only an outline of the technical solution of this specification; the embodiments of this specification are described below so that its technical means can be more clearly understood and so that its objects, features and advantages become more apparent.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the specification. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
FIG. 1 is a flow diagram illustrating a method for intercepting security abnormal operations of a computer network according to one embodiment of the present disclosure.
FIG. 2 is a functional block diagram of a computer network security abnormal operation intercepting apparatus according to an embodiment of the present disclosure.
FIG. 3 is a schematic diagram of an electronic device according to one embodiment of the present description.
Icon:
20-computer network security abnormal operation intercepting device; 21-a computer operation acquisition module; 22-anomaly score value determination module; 23-an anomaly category determination module; 24-an interception module; 25-a classification module; 26-a display module; 27-a relationship determination module;
30-an electronic device; 300-a bus; 301-a receiver; 302-a processor; 303-a transmitter; 304-a memory; 305-bus interface.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
Through research and analysis, the inventor found that most common methods for intercepting abnormal operations analyze and diagnose a user's series of continuous computer operations as a whole, rather than analyzing and diagnosing each computer operation individually. If an abnormal operation occurs within the user's series of continuous computer operations, such a method has difficulty diagnosing it: when a user performs a series of continuous computer operations, even if one of them is an abnormal operation performed by someone other than the user, the time interval between the abnormal operation and the normal computer operations is short and hard for the user to perceive. The common methods therefore have difficulty accurately identifying the abnormal operation within a user's series of continuous computer operations, and consequently have difficulty intercepting it effectively.
The shortcomings of the above prior art solutions are the result of the inventor's practical and careful study; the discovery of the above problems and the solutions proposed for them by the following embodiments should therefore be regarded as the inventor's contribution to the present invention.
In view of this, embodiments of the present disclosure provide a method and an apparatus for intercepting abnormal operations of computer network security, and an electronic device, so as to solve or partially solve the technical problem that it is difficult to effectively intercept the abnormal operations.
In order to solve the technical problems, an embodiment of the present disclosure provides a method, an apparatus, and an electronic device for intercepting a security abnormal operation of a computer network, which have the following general ideas:
acquiring one or more computer operations of a device to be detected, wherein the computer operations comprise operation addresses; determining an anomaly score value for each of the one or more computer operations, where the abnormal score value of a computer operation represents the degree to which the operation address corresponding to that computer operation is indicated to be an abnormal address; when the abnormal score value of a computer operation C is greater than or equal to the classification threshold value, determining the feature vector of the operation address corresponding to computer operation C from the longitude and latitude information of that operation address, and determining the abnormal category of computer operation C from this feature vector and the verification feature vector in the database, where computer operation C is any one of the one or more computer operations and the verification feature vector characterizes the common features of one class of abnormal computer operations; and intercepting computer operation C according to the abnormal category. Whether the device to be detected has been invaded can therefore be determined from the operation address of each of its computer operations; even when the computer operations of the device to be detected are continuous and uninterrupted, each computer operation can be analyzed, so that whether each one is abnormal can be accurately determined and the abnormal operation effectively intercepted.
In order to better understand the technical solutions of the present invention, the following detailed descriptions of the technical solutions of the present invention are provided with the accompanying drawings and the specific embodiments, and it should be understood that the specific features in the embodiments and the examples of the present invention are the detailed descriptions of the technical solutions of the present invention, and are not limitations of the technical solutions of the present invention, and the technical features in the embodiments and the examples of the present invention may be combined with each other without conflict.
As an alternative embodiment, referring to FIG. 1, which is a flowchart of a method for intercepting a security abnormal operation of a computer network according to an embodiment of the present disclosure, the method may include the following steps:
S21, acquiring one or more computer operations of the device to be detected, the computer operations comprising operation addresses.
S22, determining an anomaly score value for each of the one or more computer operations.
S23, when the abnormal score value of a computer operation C is greater than or equal to the classification threshold value, determining the feature vector of the operation address corresponding to computer operation C from the longitude and latitude information of that operation address, and determining the abnormal category of computer operation C from this feature vector and the verification feature vector in the database.
S24, intercepting computer operation C according to the abnormal category.
By this method, whether the device to be detected has been invaded can be determined from the operation address of each of its computer operations, and even when the computer operations of the device to be detected are continuous and uninterrupted, whether each computer operation is abnormal can be accurately determined by analyzing each computer operation individually, so that the abnormal operation can be effectively intercepted.
In this embodiment, the method is applied to an electronic device, for example, the electronic device may be a terminal with a communication function, such as a mobile phone, a computer, a tablet computer, and the like, which is not limited herein.
In S22, the abnormal score value of the computer operation is used to represent the degree of significance of the operation address corresponding to the computer operation as the abnormal address.
At S23, the computer operation C is any one of one or more computer operations, and the verification feature vector is used to characterize common features of the same class of abnormal computer operations.
In a specific implementation, in order to improve the transmission performance of the request information corresponding to an abnormal operation, and thereby ensure that the abnormal operation is judged and intercepted quickly, intercepting computer operation C according to the abnormal category in S24 specifically includes the following:
S241, sending a first abnormal verification association request to the device to be detected according to the abnormal category.
S242, acquiring the abnormal code verification information sent by the device to be detected on the abnormal history detection resource corresponding to the at least one first abnormal verification association request. The abnormal code verification information of different abnormal history detection resources is pre-coded with different abnormal code vectors, and the abnormal pre-coding vectors are obtained by the device to be detected from its measurement of the first abnormal verification association request.
S243, sending a second abnormal verification association request to the device to be detected according to the abnormal code verification information, wherein the second abnormal verification association request indicates the resource association detection information of at least one piece of abnormal code verification information.
S244, receiving the feedback information corresponding to the resource association detection information of the at least one piece of abnormal code verification information, sent by the device to be detected according to the second abnormal verification association request.
S245, determining from the feedback information whether the device to be detected passes verification.
S246, if the device to be detected does not pass verification, intercepting computer operation C.
Through S241-S246, fast communication with the device to be detected is achieved on the basis of the first abnormal verification association request, the second abnormal verification association request, the abnormal code verification information and the feedback information corresponding to the resource association detection information of the abnormal code verification information; the information transmission performance with the device to be detected is improved, and fast judgment and effective interception of the abnormal operation are thereby ensured.
In practical implementation, the signal corresponding to each computer operation contains noise. To determine the abnormal score value more accurately, the noise must be removed while preserving the detail information of the signal amplitude corresponding to each computer operation. For this purpose, determining the abnormal score value of each of the one or more computer operations in S22 specifically includes the following:
S221, obtaining the signal amplitude of each computer operation, wherein each signal amplitude comprises an amplitude wave group, and N is a positive integer greater than 1.
S222, decomposing the signal amplitude by average-intensity subtraction into a first signal amplitude to be denoised and a second signal amplitude to be denoised.
S223, inputting the second signal amplitude to be denoised into a denoising autoencoder to obtain the denoised residual signal amplitude.
S224, superposing the first signal amplitude to be denoised and the residual signal amplitude to obtain the denoised signal amplitude.
S225, determining the abnormal score value of each computer operation from the denoised signal amplitude.
Through S221-S225, the noise in the signal amplitude of each computer operation is removed while the detail information of the signal amplitude is preserved, so that the abnormal score value can be accurately determined from the denoised signal amplitude.
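As an added example (not the patent's own code) that walks a batch of constructed operations through S21-S24, with S22 refined as in S221-S225: each operation's amplitude burst is split by average-intensity subtraction, the residual is denoised, the two parts are superposed, a score is derived, and operations at or above the classification threshold get a feature vector from the latitude/longitude of their operation address and are matched against verification feature vectors before interception. The denoising autoencoder is replaced by a median filter, and the score formula, the unit-sphere feature vector, the threshold values, the verification database and the sample operations are all assumptions.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CLASSIFICATION_THRESHOLD = 0.6  # assumed value of the patent's classification threshold
MATCH_DISTANCE = 0.35           # assumed max distance to a verification feature vector
Vec3 = Tuple[float, float, float]


@dataclass
class Operation:
    op_id: str
    address: str            # operation address (constructed, documentation range)
    lat: float              # latitude of the operation address
    lon: float              # longitude of the operation address
    amplitude: List[float]  # amplitude burst of this operation (constructed)


def decompose(amplitude: List[float]) -> Tuple[List[float], List[float]]:
    """S222: average-intensity subtraction. The first part carries the mean
    intensity, the second part is the residual that will be denoised."""
    mean = sum(amplitude) / len(amplitude)
    return [mean] * len(amplitude), [a - mean for a in amplitude]


def denoise_residual(second: List[float], window: int = 3) -> List[float]:
    """S223 stand-in: a median filter replaces the denoising autoencoder.
    Edge samples are replicated so every window has the same length."""
    half = window // 2
    padded = [second[0]] * half + second + [second[-1]] * half
    return [sorted(padded[i:i + window])[half] for i in range(len(second))]


def denoised_amplitude(amplitude: List[float]) -> List[float]:
    """S224: superpose the first part and the denoised residual."""
    first, second = decompose(amplitude)
    return [f + r for f, r in zip(first, denoise_residual(second))]


def anomaly_score(amplitude: List[float]) -> float:
    """S225 (assumed formula): largest deviation of the denoised burst from its
    own mean, relative to that mean, clipped to [0, 1]."""
    d = denoised_amplitude(amplitude)
    mean = sum(d) / len(d)
    peak = max(abs(x - mean) for x in d)
    return min(1.0, peak / max(abs(mean), 1e-9))


def address_feature_vector(lat: float, lon: float) -> Vec3:
    """S23: feature vector of an operation address from its latitude/longitude.
    Unit-sphere embedding (assumed): nearby places stay close and the
    longitude wrap at 180/-180 does not create a false jump."""
    la, lo = math.radians(lat), math.radians(lon)
    return (math.cos(la) * math.cos(lo), math.cos(la) * math.sin(lo), math.sin(la))


def abnormal_category(vec: Vec3, database: Dict[str, Vec3]) -> str:
    """S23: category of the nearest verification feature vector, or
    'unclassified' when none lies within MATCH_DISTANCE."""
    best, best_d = "unclassified", MATCH_DISTANCE
    for category, ref in database.items():
        d = math.dist(vec, ref)
        if d < best_d:
            best, best_d = category, d
    return best


def decide(op: Operation, database: Dict[str, Vec3]) -> Tuple[str, Optional[str], float]:
    """S22-S24 for one operation: returns (action, category, score). Operations
    below the threshold pass; the rest are intercepted with their category."""
    score = anomaly_score(op.amplitude)
    if score < CLASSIFICATION_THRESHOLD:
        return ("allow", None, score)
    category = abnormal_category(address_feature_vector(op.lat, op.lon), database)
    return ("intercept", category, score)


# Constructed verification database: one vector per abnormal category.
VERIFICATION_DB: Dict[str, Vec3] = {
    "class_A": address_feature_vector(51.5, -0.1),
    "class_B": address_feature_vector(35.7, 139.7),
}

# Constructed operations (S21): steady, steady with a one-sample glitch,
# a sustained burst near class_A, and the same burst far from every class.
SAMPLE_OPS = [
    Operation("op-1", "203.0.113.10", 51.6, 0.0, [1.0, 1.2, 0.9, 1.1, 1.0]),
    Operation("op-2", "203.0.113.11", 51.6, 0.0, [1.0, 1.0, 3.0, 1.0, 1.0]),
    Operation("op-3", "198.51.100.7", 51.6, 0.0, [1.0, 6.0, 6.5, 7.0, 1.0]),
    Operation("op-4", "192.0.2.44", -33.9, 151.2, [1.0, 6.0, 6.5, 7.0, 1.0]),
]

if __name__ == "__main__":
    for op in SAMPLE_OPS:
        action, category, score = decide(op, VERIFICATION_DB)
        print(f"{op.op_id}: {action:9s} category={category} score={score:.3f}")
```

op-2 shows what S221-S225 buys: its raw burst peaks at 1.6 against a mean of 1.4 and would cross the threshold, but after decomposition and residual denoising its score is 0 and it is allowed.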
In specific implementation there are many types of abnormal operation, and the different abnormal operations need to be classified so that they can be mined and risk control management can be performed according to them. Because the number of types is large, a common classification method, taking a neural network as an example, contains many parameters corresponding to the different abnormal operations; such a method is difficult to deploy, which in turn makes it difficult to mine the abnormal operations and to perform risk control management according to them. Therefore, the computer network security abnormal operation method provided by this embodiment further includes the following:
S251, acquiring the convolution kernel parameters of K reference convolution kernels of the neural network, where K is a positive integer.
S252, acquiring L groups of mask tensors of the neural network, where L is a positive integer, each of the L groups of mask tensors consists of a plurality of mask tensors, the number of bits occupied in storage by an element of the L groups of mask tensors is smaller than the number of bits occupied in storage by an element of the convolution kernel parameters of the K reference convolution kernels, and each of the K reference convolution kernels corresponds to one of the L groups of mask tensors.
S253, performing a Hadamard (element-wise) product of each of the K reference convolution kernels with the group of mask tensors that corresponds to it among the L groups, to obtain a plurality of sub-convolution kernels.
S254, performing convolution processing of the intercepted computer operation with each of the plurality of sub-convolution kernels to obtain a plurality of convolution feature maps.
S255, classifying the intercepted computer operation according to the plurality of convolution feature maps to obtain a classification result for the intercepted computer operation.
It can be understood that through S251-S255 the storage overhead of the neural network is effectively reduced (only the K reference kernels and the low-bit mask tensors are stored, and the sub-convolution kernels are derived from them), so that the abnormal operation classification method can be deployed smoothly, the abnormal operations can be mined, and risk control management can be performed according to the classified abnormal operations.
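The following is an added worked example of S251-S255 (the same steps are restated for the classification module 25 and in claim 4); it is not code from the patent. It derives sub-convolution kernels as the Hadamard product of K reference kernels with L groups of 1-bit mask tensors, convolves a constructed 5x5 grid standing in for the intercepted computer operation, pools the resulting feature maps and classifies them with a linear head. The kernel values, masks, grid, class weights and the 32-bit/1-bit storage sizes are all assumptions constructed for the example; the storage accounting shows why storing reference kernels plus masks is cheaper than storing every sub-kernel explicitly.

```python
"""Masked sub-convolution kernels (S251-S255): added example, not the patent's code.
All kernels, masks, the input grid and the class weights are constructed here."""
from typing import List, Tuple

Matrix = List[List[float]]

# Constructed: K = 2 reference 3x3 convolution kernels stored at full precision.
REF_KERNELS: List[Matrix] = [
    [[1, 0, -1], [1, 0, -1], [1, 0, -1]],   # vertical-edge style kernel
    [[1, 1, 1], [0, 0, 0], [-1, -1, -1]],   # horizontal-edge style kernel
]
# Constructed: L = 2 groups of binary (1-bit) mask tensors, one group per reference kernel.
MASK_GROUPS: List[List[Matrix]] = [
    [[[1, 1, 1], [1, 1, 1], [1, 1, 1]], [[1, 0, 0], [1, 0, 0], [1, 0, 0]]],
    [[[1, 1, 1], [1, 1, 1], [1, 1, 1]], [[0, 0, 0], [0, 0, 0], [1, 1, 1]]],
]
# Constructed: a 5x5 grid standing in for the intercepted computer operation.
OP_GRID: Matrix = [[1, 1, 0, 0, 0] for _ in range(5)]
# Constructed: linear class heads over the pooled feature maps (2 categories).
CLASS_WEIGHTS = [[1, 1, 0, 0], [0, 0, 1, 1]]


def hadamard(a: Matrix, b: Matrix) -> Matrix:
    """Element-wise product of two equally shaped matrices."""
    return [[x * y for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]


def conv2d_valid(image: Matrix, kernel: Matrix) -> Matrix:
    """Plain 'valid' 2-D cross-correlation (no padding, stride 1)."""
    kh, kw = len(kernel), len(kernel[0])
    h, w = len(image), len(image[0])
    out = []
    for i in range(h - kh + 1):
        row = []
        for j in range(w - kw + 1):
            s = 0.0
            for di in range(kh):
                for dj in range(kw):
                    s += image[i + di][j + dj] * kernel[di][dj]
            row.append(s)
        out.append(row)
    return out


def derive_sub_kernels(ref_kernels: List[Matrix], mask_groups: List[List[Matrix]]) -> List[Matrix]:
    """S253: each reference kernel times each mask of its group gives one sub-kernel."""
    subs = []
    for ref, group in zip(ref_kernels, mask_groups):
        for mask in group:
            subs.append(hadamard(ref, mask))
    return subs


def storage_bits(ref_kernels, mask_groups, weight_bits: int = 32, mask_bits: int = 1) -> Tuple[int, int]:
    """Bits needed for (reference kernels + masks) versus storing every sub-kernel at full precision."""
    kernel_elems = len(ref_kernels[0]) * len(ref_kernels[0][0])
    n_weights = kernel_elems * len(ref_kernels)
    n_mask_elems = sum(len(m) * len(m[0]) for g in mask_groups for m in g)
    n_sub = sum(len(g) for g in mask_groups)
    compact = n_weights * weight_bits + n_mask_elems * mask_bits
    explicit = n_sub * kernel_elems * weight_bits
    return compact, explicit


def feature_maps(op_grid: Matrix, ref_kernels, mask_groups) -> List[Matrix]:
    """S254: one convolution feature map per derived sub-kernel."""
    return [conv2d_valid(op_grid, k) for k in derive_sub_kernels(ref_kernels, mask_groups)]


def classify(maps: List[Matrix], class_weights) -> int:
    """S255: global-sum pooling of each map, then argmax over linear class heads."""
    pooled = [sum(sum(r) for r in m) for m in maps]
    scores = [sum(w * p for w, p in zip(ws, pooled)) for ws in class_weights]
    return max(range(len(scores)), key=scores.__getitem__)


if __name__ == "__main__":
    maps = feature_maps(OP_GRID, REF_KERNELS, MASK_GROUPS)
    print("sub-kernels:", len(maps), "storage bits (compact, explicit):",
          storage_bits(REF_KERNELS, MASK_GROUPS), "class:", classify(maps, CLASS_WEIGHTS))
```

With the constructed values, two 32-bit reference kernels plus four 1-bit masks take 612 bits, while the four derived sub-kernels would take 1152 bits if stored explicitly; the saving grows with the number of masks per reference kernel.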
In this embodiment, the electronic device is provided with a display unit for displaying the intercepted computer operations (abnormal operations). In practice, however, the number of intercepted computer operations may be large, and a display unit of limited size cannot continuously display all of them. To improve the flexibility of display and avoid the display unit showing the operations incompletely or too densely, the computer network security abnormal operation method further includes the following steps:
S261, detecting a control operation for the intercepted computer operations.
S262, judging whether the control operation meets a preset condition.
S263, when the control operation meets the preset condition, displaying the intercepted computer operations on the display unit of the network server.
In this way the flexibility of display is improved, and incomplete or over-dense display on the display unit is avoided. Further, suppose X intercepted computer operations are displayed on the display unit, where X is a positive integer; then in S263, displaying the intercepted computer operations when the control operation meets the preset condition specifically includes the following two cases (in specific implementation the cases are not limited to these two):
First, when the control operation meets a first preset condition, displaying on the display unit Y intercepted computer operations other than the X intercepted computer operations, where Y is a positive integer.
Second, when the control operation meets a second preset condition, controlling the X intercepted computer operations to move from a first direction towards a second direction, so that at least one of the X intercepted computer operations is replaced by an intercepted computer operation other than the X.
It can be understood that through S263 all intercepted computer operations can be displayed, and the X intercepted computer operations already displayed can be switched, so that the flexibility of display is improved.
In specific implementation, if the device to be detected has been invaded by a malicious program or a hacker, a target device that communicates frequently with the device to be detected may have been invaded as well. Therefore, to improve the efficiency of intercepting abnormal operations, all computer operations of a target device that has a preset relationship with the device to be detected may be intercepted.
In this embodiment, the preset relationship represents that the accumulated communication time between the device to be detected and the target device within a preset time period (for example within a week or half a month; this is not limited here) exceeds a set duration. Specifically, if the relationship between the device to be detected and the target device is the preset relationship, then their accumulated communication time within the preset time period exceeds the set duration.
In specific implementation, intercepting all computer operations of a target device that has the preset relationship with the device to be detected specifically includes the following steps:
S271, judging whether the relationship between the target device and the device to be detected is the preset relationship.
S272, when the relationship between the target device and the device to be detected is the preset relationship, intercepting all computer operations of the target device.
S273, when the relationship between the target device and the device to be detected is not the preset relationship, acquiring one or more computer operations of the target device and executing, for those operations, the steps from determining their abnormal score values through determining whether to intercept them according to those abnormal score values.
It can be understood that through S271-S273, when the relationship between the target device and the device to be detected is the preset relationship, all computer operations of the target device are intercepted without analysing and judging each one individually, which improves the efficiency of intercepting abnormal operations.
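The following is an added example of the S271-S273 decision (also restated for the relationship determination module 27 and in claim 7); it is not code from the patent. It sums the communication time between the device to be detected and a target device over a look-back window, applies the preset-relationship rule, and either intercepts every operation of the target wholesale or falls back to per-operation scoring. The log format, the 7-day window, the 2-hour threshold, the per-operation scores and the score threshold are all assumptions constructed for the example.

```python
"""Preset-relationship interception rule (S271-S273): added example, not the patent's code.
The communication log, window, thresholds and operation scores are constructed assumptions."""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed reference time for the example (the patent's filing date, used only as an anchor).
NOW = datetime(2019, 11, 27, 12, 0, 0)

# Constructed communication log: (peer_a, peer_b, session start, duration in seconds).
COMM_LOG: List[Tuple[str, str, datetime, int]] = [
    ("host-A", "host-B", NOW - timedelta(days=1), 3600),
    ("host-B", "host-A", NOW - timedelta(days=3), 5400),
    ("host-A", "host-B", NOW - timedelta(days=10), 7200),   # outside a 7-day window
    ("host-A", "host-C", NOW - timedelta(days=2), 600),
]

# Constructed operations of a target device; "score" stands in for the abnormal score value
# that the anomaly score value determination step would produce.
TARGET_OPS: List[Dict] = [
    {"id": "op-1", "score": 0.9},
    {"id": "op-2", "score": 0.2},
]


def accumulated_seconds(log, detected: str, target: str, window_end: datetime,
                        window: timedelta = timedelta(days=7)) -> int:
    """Total communication time between the two devices whose sessions start inside the window."""
    window_start = window_end - window
    total = 0
    for a, b, start, duration in log:
        if {a, b} == {detected, target} and window_start <= start <= window_end:
            total += duration
    return total


def has_preset_relationship(log, detected: str, target: str, window_end: datetime,
                            threshold_seconds: int, window: timedelta = timedelta(days=7)) -> bool:
    """S271: the preset relationship holds when accumulated communication time exceeds the set duration."""
    return accumulated_seconds(log, detected, target, window_end, window) > threshold_seconds


def decide(log, detected: str, target: str, ops: List[Dict], window_end: datetime,
           threshold_seconds: int, score_threshold: float) -> List[Tuple[str, bool, str]]:
    """S272/S273: intercept all operations of a related target, otherwise score each one."""
    if has_preset_relationship(log, detected, target, window_end, threshold_seconds):
        return [(op["id"], True, "preset_relationship") for op in ops]
    return [(op["id"], op["score"] >= score_threshold, "scored") for op in ops]


if __name__ == "__main__":
    for target in ("host-B", "host-C"):
        print(target, decide(COMM_LOG, "host-A", target, TARGET_OPS, NOW, 7200, 0.8))
```

Sessions are attributed to the window by their start time; a deployment that records long-lived connections would need to clip each session to the window instead, otherwise a single old session can dominate the total.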
Based on the same inventive concept as the foregoing embodiment, as shown in fig. 2, an embodiment of the present specification further provides a computer network security abnormal operation apparatus 20, including:
a computer operation acquisition module 21, configured to acquire one or more computer operations of the device to be detected, where each computer operation includes an operation address;
an anomaly score value determination module 22, configured to determine an anomaly score value for each of the one or more computer operations, where the anomaly score value of a computer operation represents the degree to which the operation address corresponding to that computer operation is an abnormal address;
an abnormal category determination module 23, configured to determine, when the anomaly score value of a computer operation C is greater than or equal to the classification threshold, a feature vector of the operation address corresponding to the computer operation C according to the latitude and longitude information of that operation address, and to determine the abnormal category of the computer operation C according to that feature vector and the verification feature vectors in the database, where the computer operation C is any one of the one or more computer operations and a verification feature vector characterises the common features of one class of abnormal computer operations;
and an interception module 24, configured to intercept the computer operation C according to the abnormal category.
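The following is an added example of the module 23/24 decision chain (the same steps are claimed in claims 1 and 8); it is not code from the patent. It takes operations that already carry an anomaly score, applies the classification threshold, encodes the operation address's latitude and longitude as a feature vector, matches it against a constructed database of per-category verification feature vectors by cosine similarity, and intercepts on a match. The unit-sphere encoding, the similarity floor, the thresholds, the database entries and the sample operations are all assumptions constructed for the example; an operation whose score passes the threshold but matches no verification vector is reported as unclassified rather than silently dropped.

```python
"""Address feature vector, verification-vector matching and interception (modules 23/24):
added example, not the patent's code.  Encoding, thresholds and data are constructed assumptions."""
import math
from typing import Dict, List, Optional, Tuple

Vec = Tuple[float, float, float]


def address_feature_vector(lat_deg: float, lon_deg: float) -> Vec:
    """Assumed encoding: the operation address's latitude/longitude as a unit vector on the sphere,
    so that cosine similarity between two addresses tracks their angular separation."""
    lat, lon = math.radians(lat_deg), math.radians(lon_deg)
    return (math.cos(lat) * math.cos(lon), math.cos(lat) * math.sin(lon), math.sin(lat))


def cosine_similarity(u: Vec, v: Vec) -> float:
    dot = sum(a * b for a, b in zip(u, v))
    nu = math.sqrt(sum(a * a for a in u))
    nv = math.sqrt(sum(b * b for b in v))
    return dot / (nu * nv)


# Constructed "database": one verification feature vector per abnormal category,
# here the encoded centre of the addresses previously seen for that category.
VERIFICATION_DB: Dict[str, Vec] = {
    "category_north": address_feature_vector(60.0, 10.0),
    "category_equatorial": address_feature_vector(0.0, 100.0),
}

# Constructed operations: anomaly score (from module 22) plus the address's coordinates.
OPS: List[Dict] = [
    {"id": "op-1", "anomaly_score": 0.95, "lat": 59.0, "lon": 12.0},
    {"id": "op-2", "anomaly_score": 0.90, "lat": 2.0, "lon": 98.0},
    {"id": "op-3", "anomaly_score": 0.30, "lat": 59.0, "lon": 12.0},    # below threshold
    {"id": "op-4", "anomaly_score": 0.99, "lat": -40.0, "lon": -60.0},  # matches no category
]


def nearest_category(feature: Vec, db: Dict[str, Vec], min_similarity: float = 0.9) -> Optional[str]:
    """Module 23: the category whose verification vector is most similar, if similar enough (assumed floor)."""
    best, best_sim = None, -1.0
    for name, vec in db.items():
        sim = cosine_similarity(feature, vec)
        if sim > best_sim:
            best, best_sim = name, sim
    return best if best_sim >= min_similarity else None


def process_operations(ops: List[Dict], db: Dict[str, Vec],
                       classification_threshold: float) -> List[Tuple[str, Optional[str], bool]]:
    """Returns (operation id, abnormal category or None, intercepted?) for each operation."""
    results = []
    for op in ops:
        if op["anomaly_score"] < classification_threshold:
            results.append((op["id"], None, False))      # not abnormal enough to classify
            continue
        feature = address_feature_vector(op["lat"], op["lon"])
        category = nearest_category(feature, db)
        # Module 24: intercept according to the category; unclassified high scores are left for review.
        results.append((op["id"], category, category is not None))
    return results


if __name__ == "__main__":
    for row in process_operations(OPS, VERIFICATION_DB, 0.7):
        print(row)
```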
In an alternative form, the interception module 24 is configured to:
send a first abnormal verification association request to the device to be detected according to the abnormal category;
acquire the abnormal code verification information sent by the device to be detected on the abnormal historical detection resource corresponding to at least one first abnormal verification association request, where the abnormal code verification information of different abnormal historical detection resources is pre-coded with different abnormal code vectors, and the abnormal pre-coding vectors are obtained by the device to be detected from its measurement of the first abnormal verification association request;
send a second abnormal verification association request to the device to be detected according to the abnormal code verification information, where the second abnormal verification association request indicates the resource association detection information of at least one piece of abnormal code verification information;
receive the feedback information, corresponding to the resource association detection information of the at least one piece of abnormal code verification information, that the device to be detected sends according to the second abnormal verification association request;
and determine, according to the feedback information, whether the device to be detected passes the verification, and if not, intercept the computer operation C.
In an alternative form, the anomaly score value determination module 22 is configured to:
obtain a signal amplitude of each computer operation, each signal amplitude comprising an amplitude burst, N being a positive integer greater than 1;
decompose the signal amplitude, by average intensity subtraction, into a first signal amplitude to be denoised and a second signal amplitude to be denoised;
input the second signal amplitude to be denoised into a denoising autoencoder to obtain a denoised residual signal amplitude;
superpose the first signal amplitude to be denoised and the residual signal amplitude to obtain a denoised signal amplitude;
and determine the anomaly score value of each computer operation according to the denoised signal amplitude.
In an alternative form, the computer network security abnormal operation apparatus 20 further comprises a classification module 25, configured to:
acquire the convolution kernel parameters of K reference convolution kernels of the neural network, where K is a positive integer;
acquire L groups of mask tensors of the neural network, where L is a positive integer, each of the L groups of mask tensors consists of a plurality of mask tensors, the number of bits occupied in storage by an element of the L groups of mask tensors is smaller than the number of bits occupied in storage by an element of the convolution kernel parameters of the K reference convolution kernels, and each of the K reference convolution kernels corresponds to one of the L groups of mask tensors;
perform a Hadamard product of each of the K reference convolution kernels with the group of mask tensors corresponding to it among the L groups, to obtain a plurality of sub-convolution kernels;
perform convolution processing of the intercepted computer operation with each of the plurality of sub-convolution kernels to obtain a plurality of convolution feature maps;
and classify the intercepted computer operation according to the plurality of convolution feature maps to obtain a classification result for the intercepted computer operation.
In an alternative form, the computer network security abnormal operation apparatus 20 further comprises a display module 26, configured to:
detect a control operation for the intercepted computer operations;
judge whether the control operation meets a preset condition;
and, when the control operation meets the preset condition, display the intercepted computer operations on the display unit of the network server.
In an alternative form, with X intercepted computer operations displayed on the display unit, the display module 26 is configured to:
when the control operation meets a first preset condition, display on the display unit Y intercepted computer operations other than the X intercepted computer operations, where Y is a positive integer;
and, when the control operation meets a second preset condition, control the X intercepted computer operations to move from a first direction towards a second direction, so that at least one of the X intercepted computer operations is replaced by an intercepted computer operation other than the X.
In an alternative form, the computer network security abnormal operation apparatus 20 further comprises a relationship determination module 27, configured to:
judge whether the relationship between the target device and the device to be detected is the preset relationship;
intercept all computer operations of the target device when the relationship between the target device and the device to be detected is the preset relationship;
and, when the relationship between the target device and the device to be detected is not the preset relationship, acquire one or more computer operations of the target device and execute, for those operations, the steps from determining their anomaly score values through determining whether to intercept them.
Based on the same inventive concept as in the previous embodiments, the present specification further provides a computer readable storage medium on which a computer program is stored; when the program is executed by a processor it implements the steps of any of the methods described above.
Based on the same inventive concept as in the previous embodiments, an embodiment of the present specification further provides an electronic device 30, as shown in fig. 3, including a memory 304, a processor 302, and a computer program stored on the memory 304 and executable on the processor 302; the processor 302 implements the steps of any one of the methods described above when executing the program.
In fig. 3, a bus architecture is represented by bus 300. Bus 300 may include any number of interconnected buses and bridges, and links together various circuits including one or more processors, represented by processor 302, and memory, represented by memory 304. The bus 300 may also link together various other circuits such as peripherals, voltage regulators and power management circuits, which are well known in the art and are therefore not described further here. A bus interface 305 provides an interface between the bus 300 and the receiver 301 and transmitter 303. The receiver 301 and the transmitter 303 may be one and the same element, i.e. a transceiver, providing a unit for communicating with various other terminal devices over a transmission medium. The processor 302 is responsible for managing the bus 300 and for general processing, and the memory 304 may be used for storing data used by the processor 302 in performing operations.
Through one or more of the embodiments of the present description, the following advantages or beneficial effects are obtained:
Whether the device to be detected has been invaded can be determined from the operation address of each computer operation of the device to be detected. Even if the many computer operations of the device to be detected are continuous and uninterrupted, analysing each computer operation accurately determines whether it is an abnormal operation, and the abnormal operation is then intercepted effectively.
Based on the first abnormal verification association request, the second abnormal verification association request, the abnormal code verification information and the feedback information corresponding to the resource association detection information of the abnormal code verification information, the method and apparatus communicate quickly with the device to be detected and improve the information transmission performance with it, which in turn ensures quick judgement and effective interception of abnormal operations.
The method eliminates noise from the signal amplitude of each computer operation while preserving the detail information of the signal amplitude, so that the anomaly score value can be determined accurately from the denoised signal amplitude.
The method effectively reduces the storage overhead of the neural network, so that the abnormal operation classification method can be deployed smoothly, the abnormal operations can be mined, and risk control management can be performed according to the classified abnormal operations.
The flexibility of display is improved, and incomplete or over-dense display on the display unit is avoided.
When the relationship between the target device and the device to be detected is the preset relationship, all computer operations of the target device are intercepted without analysing and judging each one individually, which improves the efficiency of intercepting abnormal operations.
The algorithms and displays presented herein are not inherently related to any particular computer, virtual machine, or other apparatus. Various general purpose systems may also be used with the teachings herein. The required structure for constructing such a system will be apparent from the description above. Moreover, this description is not directed to any particular programming language. It will be appreciated that a variety of programming languages may be used to implement the teachings of the present specification, and that specific languages are described above to disclose the best modes of the specification.
In the description provided herein, numerous specific details are set forth. However, it is understood that embodiments of the present description may be practised without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the specification, various features of the specification are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, this manner of disclosure should not be interpreted as reflecting an intention that the claimed specification requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this specification.
Those skilled in the art will appreciate that the modules in the apparatus of an embodiment may be adaptively changed and disposed in one or more apparatuses different from that embodiment. The modules, units or components of the embodiments may be combined into one module, unit or component, and may furthermore be divided into a plurality of sub-modules, sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments herein include some features included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the description and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of this description may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that a microprocessor or Digital Signal Processor (DSP) may be used in practice to implement some or all of the functionality of some or all of the components of a gateway, proxy server or system in accordance with embodiments of the present description. The present description may also be embodied as an apparatus or device program (e.g. a computer program or computer program product) for performing a portion or all of the methods described herein. Such programs implementing the description may be stored on a computer-readable medium or may take the form of one or more signals. Such a signal may be downloaded from an internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the specification, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The description may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. does not indicate any ordering; these words may be interpreted as names.

Claims (10)

1. A computer network security abnormal operation interception method, characterised by comprising the following steps:
acquiring one or more computer operations of a device to be detected, where the computer operations comprise operation addresses;
determining an anomaly score value for each of the one or more computer operations, where the anomaly score value of a computer operation represents the degree to which the operation address corresponding to the computer operation is an abnormal address;
when the anomaly score value of a computer operation C is greater than or equal to the classification threshold, determining the feature vector of the operation address corresponding to the computer operation C according to the longitude and latitude information of that operation address, and determining the abnormal category of the computer operation C according to that feature vector and the verification feature vector in the database, where the computer operation C is any one of the one or more computer operations and the verification feature vector characterises the common features of one class of abnormal computer operations;
and intercepting the computer operation C according to the abnormal category.
2. The method of claim 1, wherein intercepting the computer operation C according to the abnormal category comprises:
sending a first abnormal verification association request to the device to be detected according to the abnormal category;
acquiring the abnormal code verification information sent by the device to be detected on the abnormal historical detection resource corresponding to at least one first abnormal verification association request, where the abnormal code verification information of different abnormal historical detection resources is pre-coded with different abnormal code vectors, and the abnormal pre-coding vectors are obtained by the device to be detected from its measurement of the first abnormal verification association request;
sending a second abnormal verification association request to the device to be detected according to the abnormal code verification information, where the second abnormal verification association request indicates the resource association detection information of at least one piece of abnormal code verification information;
receiving the feedback information, corresponding to the resource association detection information of the at least one piece of abnormal code verification information, that the device to be detected sends according to the second abnormal verification association request;
and determining, according to the feedback information, whether the device to be detected passes the verification, and if not, intercepting the computer operation C.
3. The method of claim 1, wherein determining an anomaly score value for each of the one or more computer operations comprises:
obtaining a signal amplitude of each computer operation, each signal amplitude comprising an amplitude burst, N being a positive integer greater than 1;
decomposing the signal amplitude, by average intensity subtraction, into a first signal amplitude to be denoised and a second signal amplitude to be denoised;
inputting the second signal amplitude to be denoised into a denoising autoencoder to obtain a denoised residual signal amplitude;
superposing the first signal amplitude to be denoised and the residual signal amplitude to obtain a denoised signal amplitude;
and determining the anomaly score value of each computer operation according to the denoised signal amplitude.
4. The method according to any one of claims 1-3, further comprising:
acquiring the convolution kernel parameters of K reference convolution kernels of the neural network, where K is a positive integer;
acquiring L groups of mask tensors of the neural network, where L is a positive integer, each of the L groups of mask tensors consists of a plurality of mask tensors, the number of bits occupied in storage by an element of the L groups of mask tensors is smaller than the number of bits occupied in storage by an element of the convolution kernel parameters of the K reference convolution kernels, and each of the K reference convolution kernels corresponds to one of the L groups of mask tensors;
performing a Hadamard product of each of the K reference convolution kernels with the group of mask tensors corresponding to it among the L groups, to obtain a plurality of sub-convolution kernels;
performing convolution processing of the intercepted computer operation with each of the plurality of sub-convolution kernels to obtain a plurality of convolution feature maps;
and classifying the intercepted computer operation according to the plurality of convolution feature maps to obtain a classification result for the intercepted computer operation.
5. The method of claim 4, wherein the method comprises:
detecting a control operation for the intercepted computer operations;
judging whether the control operation meets a preset condition;
and, when the control operation meets the preset condition, displaying the intercepted computer operations on the display unit of the network server.
6. The method of claim 5, wherein X intercepted computer operations are displayed on the display unit, X being a positive integer, and displaying the intercepted computer operations when the control operation meets the preset condition comprises:
when the control operation meets a first preset condition, displaying on the display unit Y intercepted computer operations other than the X intercepted computer operations, where Y is a positive integer;
and, when the control operation meets a second preset condition, controlling the X intercepted computer operations to move from a first direction towards a second direction, so that at least one of the X intercepted computer operations is replaced by an intercepted computer operation other than the X.
7. The method of claim 1, further comprising:
judging whether the relationship between the target device and the device to be detected is the preset relationship;
intercepting all computer operations of the target device when the relationship between the target device and the device to be detected is the preset relationship;
and, when the relationship between the target device and the device to be detected is not the preset relationship, acquiring one or more computer operations of the target device and executing, for those operations, the steps from determining their anomaly score values through determining whether to intercept them.
8. A computer network security abnormal operation interception apparatus, the apparatus comprising:
a computer operation acquisition module, configured to acquire one or more computer operations of a device to be detected, where the computer operations comprise operation addresses;
an anomaly score value determination module, configured to determine an anomaly score value for each of the one or more computer operations, where the anomaly score value of a computer operation represents the degree to which the operation address corresponding to the computer operation is an abnormal address;
an abnormal category determination module, configured to determine, when the anomaly score value of a computer operation C is greater than or equal to the classification threshold, the feature vector of the operation address corresponding to the computer operation C according to the longitude and latitude information of that operation address, and to determine the abnormal category of the computer operation C according to that feature vector and the verification feature vector in the database, where the computer operation C is any one of the one or more computer operations and the verification feature vector characterises the common features of one class of abnormal computer operations;
and an interception module, configured to intercept the computer operation C according to the abnormal category.
9. A computer-readable storage medium on which a computer program is stored which, when executed by a processor, carries out the steps of the method according to any one of claims 1 to 7.
10. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the steps of the method of any one of claims 1 to 7 when executing the program.
CN201911179999.XA 2019-11-27 2019-11-27 Computer network security abnormal operation intercepting method and device and electronic equipment Pending CN111064710A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911179999.XA CN111064710A (en) 2019-11-27 2019-11-27 Computer network security abnormal operation intercepting method and device and electronic equipment

Publications (1)

Publication Number Publication Date
CN111064710A true CN111064710A (en) 2020-04-24

Family

ID=70298685

Country Status (1)

Country Link
CN (1) CN111064710A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113556338A (en) * 2021-07-20 2021-10-26 龙海 Computer network security abnormal operation interception method

Similar Documents

Publication Publication Date Title
AU2017254815B2 (en) Anomaly detection to identify coordinated group attacks in computer networks
US20220210200A1 (en) Ai-driven defensive cybersecurity strategy analysis and recommendation system
US20210021644A1 (en) Advanced cybersecurity threat mitigation using software supply chain analysis
US20190075123A1 (en) Systems and methods for cyber intrusion detection and prevention
US20130263259A1 (en) Analyzing response traffic to detect a malicious source
US11050777B2 (en) Method and system for remediating cybersecurity vulnerabilities based on utilization
CN111178760A (en) Risk monitoring method and device, terminal equipment and computer readable storage medium
CN104579830B (en) service monitoring method and device
CN112017323A (en) Patrol alarm method and device, readable storage medium and terminal equipment
Murad et al. Software testing techniques in iot
CN111447167A (en) Safety protection method and device for vehicle-mounted system
CN109344042A (en) Recognition methods, device, equipment and the medium of abnormal operation behavior
Manickam et al. Labelled Dataset on Distributed Denial‐of‐Service (DDoS) Attacks Based on Internet Control Message Protocol Version 6 (ICMPv6)
CN111064710A (en) Computer network security abnormal operation intercepting method and device and electronic equipment
Dini et al. Evaluating the trust of android applications through an adaptive and distributed multi-criteria approach
CN113765850B (en) Internet of things abnormality detection method and device, computing equipment and computer storage medium
US10911469B1 (en) Dynamic fraudulent user blacklist to detect fraudulent user activity with near real-time capabilities
Ponnusamy et al. Investigation on iot intrusion detection in wireless environment
CN117391214A (en) Model training method and device and related equipment
CN115643044A (en) Data processing method, device, server and storage medium
US11698849B2 (en) Automated application testing of mutable interfaces
CN107590382A (en) A kind of malware detection analysis method and device based on virtual machine Dynamic Execution
Saber et al. Amelioration of attack classifications for evaluating and testing intrusion detection system
CN114025014A (en) Asset detection method and device, electronic equipment and storage medium
Betancourt et al. Linking intrusion detection system information and system model to redesign security architecture

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20200424