CN111709015A - Host security identification method and device and related components - Google Patents


Info

Publication number: CN111709015A
Application number: CN202010567644.4A
Authority: CN (China)
Prior art keywords: host, data, behavior data, identification method, operation behavior
Legal status: Withdrawn (status as listed by Google Patents; not a legal conclusion)
Other languages: Chinese (zh)
Inventors: 路廷文, 刘刚
Current assignee: Inspur Electronic Information Industry Co Ltd (as listed; not verified by legal analysis)
Original assignee: Inspur Electronic Information Industry Co Ltd
Application filed by: Inspur Electronic Information Industry Co Ltd
Priority date: 2020-06-19
Filing date: 2020-06-19
Publication date: 2020-09-25

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

Abstract

The application discloses a host security identification method comprising the following steps: determining a malicious operation target value corresponding to each operation behavior; acquiring the operation behavior data of a host and dividing all the operation behavior data into a plurality of data groups; training each data group multiple times and judging, according to the corresponding malicious operation target value, whether a converged data group exists; and if so, executing a host security operation. The method makes the security evaluation of the host more comprehensive and identifies host security efficiently; when the host is judged to be under malicious operation, the host security operation is executed, the vulnerable files are protected, and the safety and reliability of the method and system are improved. The application also discloses a host security identification device, an electronic device and a computer-readable storage medium, which have the same beneficial effects.

Description

Host security identification method and device and related components
Technical Field
The present disclosure relates to the field of host security identification, and in particular, to a method, an apparatus, and a related device for host security identification.
Background
With the development of cloud computing, the interaction of a cloud host with the outside world through its network interface has become denser and more critical. To improve security, the access operations and network access data present in the system need to be evaluated. Products currently on the market identify static files and data only; they cannot identify dynamic access or dangerous actions during operation, so the evaluation of attack behavior in the prior art is not comprehensive enough and the security of the cloud host cannot be guaranteed.
Therefore, how to solve the above technical problem is a question that needs to be answered by those skilled in the art.
Disclosure of Invention
The application aims to provide a host security identification method, a host security identification device, an electronic device and a computer-readable storage medium that make host security evaluation more comprehensive, identify host security efficiently, execute a host security operation when the host is judged likely to be under malicious operation, protect the vulnerable files, and so improve safety and reliability.
In order to solve the above technical problem, the present application provides a host security identification method, including:
determining a malicious operation target value corresponding to each operation behavior;
acquiring the operation behavior data of a host and dividing all the operation behavior data into a plurality of data groups;
training each of the plurality of data groups multiple times and judging, according to the corresponding malicious operation target value, whether a converged data group exists;
if so, executing a host security operation.
Preferably, after the operation behavior data of the host is acquired, the host security identification method further includes:
dividing the operation behavior data into host internal behavior data and host external behavior data;
correspondingly, dividing all the operation behavior data into a plurality of data groups specifically includes:
dividing the host internal behavior data into a plurality of data groups; and
dividing the host external behavior data into a plurality of data groups.
Preferably, dividing all the operation behavior data into a plurality of data groups specifically includes:
dividing all the operation behavior data into two data groups according to an odd/even division rule.
Preferably, after judging whether a converged data group exists according to the corresponding malicious operation target value, the host security identification method further includes:
if not, merging all the data groups into one data group, training that data group multiple times, and judging according to the corresponding malicious operation target value whether it has converged;
and if so, executing the host security operation.
Preferably, executing the host security operation specifically includes:
executing a filtering and interception operation on the corresponding operation behavior at the bottom layer of the kernel.
Preferably, executing the host security operation further includes:
generating corresponding security operation prompt information and sending it to a terminal.
Preferably, after the operation behavior data of the host is acquired and before all the operation behavior data is divided into a plurality of data groups, the host security identification method further includes:
judging whether all the acquired operation behavior data lie within their respective preset ranges;
if not, executing an error reporting operation.
In order to solve the above technical problem, the present application further provides a host security identification device, including:
a determining module for determining a malicious operation target value corresponding to each operation behavior;
a dividing module for acquiring the operation behavior data of a host and dividing all the operation behavior data into a plurality of data groups;
a training module for training each of the plurality of data groups multiple times, judging according to the corresponding malicious operation target value whether a converged data group exists, and if so triggering the protection module;
and a protection module for executing the host security operation.
In order to solve the above technical problem, the present application further provides an electronic device, including:
a memory for storing a computer program;
a processor for implementing the steps of the host security identification method as described in any one of the above when executing the computer program.
To solve the above technical problem, the present application further provides a computer-readable storage medium, having a computer program stored thereon, where the computer program is executed by a processor to implement the steps of the host security identification method according to any one of the above items.
The application provides a host security identification method that monitors the operation behavior data of a host, so that dynamic access and dangerous actions during operation are identified and host security evaluation becomes more comprehensive. During identification the acquired operation behavior data is trained in groups, and whether each data group has converged is judged against a preset malicious operation target value for the corresponding operation behavior, which raises the convergence speed and therefore the efficiency of host security identification. If a converged data group exists, the host is very likely being operated on maliciously at that moment; the host security operation is then executed, the files are protected, and the safety and reliability of the system are improved. The application also provides a host security identification device, an electronic device and a computer-readable storage medium, which have the same beneficial effects as the host security identification method.
Drawings
In order to illustrate the embodiments of the present application more clearly, the drawings needed for the embodiments are briefly described below. Obviously, the drawings described below show only some embodiments of the present application, and other drawings can be obtained from them by those skilled in the art without inventive effort.
Fig. 1 is a flowchart illustrating steps of a method for secure identification of a host according to the present application;
fig. 2 is a schematic structural diagram of a host security identification apparatus provided in the present application.
Detailed Description
The core of the application is to provide a host security identification method, a host security identification device, an electronic device and a computer-readable storage medium that make host security evaluation more comprehensive and identify host security efficiently; the host security operation is executed when the host is judged to be highly likely under malicious operation, so that the vulnerable files are protected and safety and reliability are improved.
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Referring to fig. 1, fig. 1 is a flowchart illustrating steps of a host security identification method provided in the present application, where the host security identification method includes:
S101: determining a malicious operation target value corresponding to each operation behavior;
Specifically, the operation behaviors may include, but are not limited to, adding, deleting, modifying, executing and terminating text files, databases, software and the like on the host. Different operation behaviors have different malicious operation target values, and the closer the value computed for an operation observed in daily use comes to its malicious operation target value, the higher the risk.
S102: acquiring the operation behavior data of the host and dividing all the operation behavior data into a plurality of data groups;
S103: training each of the plurality of data groups multiple times and judging, according to the corresponding malicious operation target value, whether a converged data group exists; if so, executing S104;
S104: executing the host security operation.
Specifically, while the host is running its operation behavior data is acquired, so that dynamic access and dangerous actions during operation can be identified and the host security assessment becomes more comprehensive. As a preferred embodiment, to ease the subsequent processing of the operation behavior data, it is first checked whether each acquired value lies within its corresponding preset range; if so, the subsequent operations are performed, and if not, an error is reported, so that interfering data does not slow down convergence. Because operations on the host's internal data and operations on external (network) data have different data ranges and different malicious operation target values, and in order to improve the accuracy of host security identification, all the acquired operation behavior data is first divided into host internal behavior data and host external behavior data according to a preset rule, and each part is then divided into data groups separately. The description below takes the host internal behavior data as the example; the host external behavior data is handled in the same way.
The host internal behavior data is substituted, according to a preset rule, into an improved BP (back-propagation) algorithm to calculate a target value. Specifically, the input nodes carrying the host internal behavior data are grouped into odd-numbered and even-numbered nodes and calculated in parallel. Suppose the first data group is [x1 x3 x5 … x(2n-1) … xm]; as long as fast convergence is achieved during calculation, learning continues with this group alone, i.e. the input vector of the formula is reduced to [x1 x3 x5 … x(2n-1) … xm]. If the convergence effect is poor when only the odd-numbered nodes are used, the even-numbered nodes are woken up and all nodes take part in learning. Training is terminated once, after a set number of iterations, the target is converging at high speed. Furthermore, if after repeated training the result is found to move away from expectation, that is, it diverges instead of converging, training is terminated in this case too; and if the convergence effect is still not obvious after many rounds of learning, the algorithm stops automatically, that is, a boundary value is set (written in the original as f (x) kill (xi) x) at which the algorithm is terminated.
Specifically, if a data group still converges after being substituted into the improved algorithm and trained multiple times (for example 100 times), the probability that an attack is imminent is high and measures must be taken: the vulnerable files are temporarily protected from modification and no operation is allowed on the main process suspected of being attacked. Concretely, the host security operation can consist of targeted filtering and interception at the bottom layer of the kernel together with informing the user so that the situation can be handled in time.
It can be seen that in this embodiment the operation behavior data of the host is monitored, so that dynamic access and dangerous actions during operation are identified and host security evaluation becomes more comprehensive. During identification the acquired operation behavior data is trained in groups, and whether each data group has converged is judged against the preset malicious operation target value of the corresponding operation behavior, which raises the convergence speed and therefore the efficiency of host security identification.
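The procedure of steps S101 to S104 together with the preferred embodiments above (the preset-range check, the odd/even grouping of the input nodes, early termination when training diverges or the convergence effect is not obvious, retraining with all nodes when no group converged, and the kernel-layer interception with a prompt), as an added example written for this page; it is not Inspur's code. Because the patent gives no formula for its improved BP algorithm, the trainer is the simplest back-propagation case, a single linear unit fitted by gradient descent towards the behavior's malicious operation target value under a fixed epoch budget, so that only behavior data whose profile drives the output to the target quickly counts as converged. The behavior names, target values, preset ranges, four-element data vectors, learning rate, epoch budget, tolerance and stall threshold are assumptions, and the sample host data is constructed.

```python
"""Grouped-training host security check following steps S101 to S104.

Example code for this page, not Inspur's implementation. The trainer is the
simplest back-propagation case (one linear unit o = w.x + b, gradient descent
towards the malicious operation target value); all constants are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

# S101: malicious operation target value per operation behavior (assumed).
TARGET_VALUES = {"file_modify": 0.9, "file_delete": 0.95, "process_exec": 0.8}
# Preset range every element of a behavior's data must lie in (assumed).
PRESET_RANGES = {"file_modify": (0.0, 5.0), "file_delete": (0.0, 5.0),
                 "process_exec": (0.0, 5.0)}

# Behavior data of one host: {(scope, behavior): (x1, x2, ..., xm)}. scope is
# "internal" (files, processes) or "external" (network); the xi are assumed to
# be normalised measurements such as operation rate and privilege level.
HostData = Dict[Tuple[str, str], Tuple[float, ...]]


@dataclass(frozen=True)
class TrainResult:
    status: str      # "converged", "diverged" or "stalled"
    epochs: int
    output: float


def parity_split(x: Sequence[float]) -> Tuple[tuple, tuple]:
    """Two data groups: odd-numbered nodes (x1, x3, ...) and even-numbered (x2, x4, ...)."""
    return tuple(x[0::2]), tuple(x[1::2])


def train_group(x: Sequence[float], target: float, lr: float = 0.05,
                max_epochs: int = 100, tol: float = 0.01, patience: int = 10,
                stall_ratio: float = 0.25) -> TrainResult:
    """Fit the linear unit from zero weights towards `target`, one gradient step per epoch.

    With e = o - target each step gives e' = e * (1 - 2*lr*(1 + |x|^2)), so data
    near the malicious profile converges fast, weak data crawls and oversized data
    overshoots. Stops on |e| < tol (converged), on |e| no longer shrinking
    (diverged), or when |e| is still above stall_ratio*|e0| after `patience`
    epochs (stalled: the convergence effect is not obvious).
    """
    w = [0.0] * len(x)
    b, out = 0.0, 0.0
    err0 = prev_err = -target        # the untrained unit outputs 0
    for epoch in range(1, max_epochs + 1):
        grad = 2.0 * prev_err        # d(e^2)/d(out)
        w = [wi - lr * grad * xi for wi, xi in zip(w, x)]
        b -= lr * grad
        out = sum(wi * xi for wi, xi in zip(w, x)) + b
        err = out - target
        if abs(err) < tol:
            return TrainResult("converged", epoch, out)
        if abs(err) >= abs(prev_err):
            return TrainResult("diverged", epoch, out)
        if epoch >= patience and abs(err) > stall_ratio * abs(err0):
            return TrainResult("stalled", epoch, out)
        prev_err = err
    return TrainResult("stalled", max_epochs, out)


def security_operation(scope: str, behavior: str) -> dict:
    """S104 as data: a kernel-layer filter rule for the behavior plus the prompt
    to send to the administrator's terminal."""
    return {
        "intercept": {"layer": "kernel", "scope": scope, "behavior": behavior},
        "prompt": f"[host security] {scope} {behavior} converged on its malicious "
                  f"target value; operation intercepted, please review",
    }


def identify(data: HostData) -> dict:
    """S102 to S104 for one host: range check, odd/even grouping, grouped training,
    retraining with all nodes when no group converged, then the security operation."""
    errors: List[Tuple[str, str]] = []
    flagged: List[Tuple[str, str]] = []
    for (scope, behavior), x in data.items():
        lo, hi = PRESET_RANGES[behavior]
        if not all(lo <= xi <= hi for xi in x):
            errors.append((scope, behavior))        # error reporting, no training
            continue
        target = TARGET_VALUES[behavior]
        results = [train_group(g, target) for g in parity_split(x) if g]
        if not any(r.status == "converged" for r in results):
            results = [train_group(x, target)]       # wake all nodes: one merged group
        if any(r.status == "converged" for r in results):
            flagged.append((scope, behavior))
    return {"errors": errors, "flagged": flagged,
            "actions": [security_operation(s, b) for s, b in flagged]}


# Constructed sample for one host (not real telemetry).
SAMPLE: HostData = {
    ("internal", "file_modify"): (0.1, 0.1, 0.1, 0.1),   # quiet: both groups stall
    ("internal", "file_delete"): (1.5, 1.0, 1.2, 0.8),   # near the malicious profile
    ("internal", "process_exec"): (0.3, 0.4, 0.4, 0.3),  # weak halves, converges merged
    ("external", "process_exec"): (4.0, 2.0, 2.0, 1.0),  # odd nodes diverge, even converge
    ("external", "file_modify"): (0.2, 7.5, 0.1, 0.0),   # 7.5 is outside the preset range
}

if __name__ == "__main__":
    for action in identify(SAMPLE)["actions"]:
        print(action["prompt"])
```

Under these constants the outcome is exactly predictable from |x|^2: each epoch multiplies the error by 1 - 2*lr*(1 + |x|^2), so a group with |x|^2 below about 0.3 is reported as stalled after ten epochs, one with |x|^2 between about 0.3 and 19 converges (the larger |x|^2, the fewer epochs), and one with |x|^2 above 19 overshoots and is reported as diverged at once. The constants are illustrative; in a deployment the target values and preset ranges would come from the host's behavior baseline, and the intercept record would be handed to whatever kernel-level filter the host actually provides.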
Referring to fig. 2, fig. 2 is a schematic structural diagram of the host security identification apparatus provided in the present application, which includes:
a determining module 1, configured to determine a malicious operation target value corresponding to each operation behavior;
a dividing module 2, configured to acquire the operation behavior data of a host and divide all the operation behavior data into a plurality of data groups;
a training module 3, configured to train each of the plurality of data groups multiple times, judge according to the corresponding malicious operation target value whether a converged data group exists, and if so trigger the protection module 4;
and a protection module 4, configured to execute the host security operation.
Preferably, the dividing module 2 is further configured to divide the operation behavior data into host internal behavior data and host external behavior data;
correspondingly, dividing all the operation behavior data into a plurality of data groups specifically includes:
dividing the host internal behavior data into a plurality of data groups; and
dividing the host external behavior data into a plurality of data groups.
Preferably, dividing all the operation behavior data into a plurality of data groups specifically includes:
dividing all the operation behavior data into two data groups according to the odd/even division rule.
Preferably, the training module 3 is further configured to merge all the data groups into one data group, train that data group multiple times, judge according to the corresponding malicious operation target value whether it has converged, and trigger the protection module 4 if it has.
Preferably, the protection module 4 is specifically configured to:
execute a filtering and interception operation on the corresponding operation behavior at the bottom layer of the kernel.
Preferably, the protection module 4 is further configured to:
generate corresponding security operation prompt information and send it to a terminal.
Preferably, the dividing module 2 is further configured to:
judge whether all the acquired operation behavior data lie within their respective preset ranges and, if not, execute an error reporting operation.
In another aspect, the present application further provides an electronic device, including:
a memory for storing a computer program;
a processor for implementing the steps of the host security identification method as described in any one of the above embodiments when executing the computer program.
For an introduction of an electronic device provided in the present application, please refer to the above embodiments, which are not described herein again.
The electronic equipment provided by the application has the same beneficial effects as the host safety identification method.
In another aspect, the present application further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of the host security identification method as described in any one of the above embodiments.
For the introduction of a computer-readable storage medium provided in the present application, please refer to the above embodiments, which are not described herein again.
The computer-readable storage medium provided by the application has the same beneficial effects as the host security identification method.
It is further noted that, in the present specification, relational terms such as first and second are used solely to distinguish one entity or action from another, without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises", "comprising" or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other identical elements in the process, method, article or apparatus that comprises the element.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A host security identification method, characterized by comprising the following steps:
determining a malicious operation target value corresponding to each operation behavior;
acquiring the operation behavior data of a host and dividing all the operation behavior data into a plurality of data groups;
training each of the plurality of data groups multiple times and judging, according to the corresponding malicious operation target value, whether a converged data group exists;
if so, executing a host security operation.
2. The host security identification method of claim 1, wherein, after the operation behavior data of the host is acquired, the host security identification method further comprises:
dividing the operation behavior data into host internal behavior data and host external behavior data;
correspondingly, dividing all the operation behavior data into a plurality of data groups specifically comprises:
dividing the host internal behavior data into a plurality of data groups; and
dividing the host external behavior data into a plurality of data groups.
3. The host security identification method of claim 1, wherein dividing all the operation behavior data into a plurality of data groups specifically comprises:
dividing all the operation behavior data into two data groups according to an odd/even division rule.
4. The host security identification method of claim 1, wherein, after judging whether a converged data group exists according to the corresponding malicious operation target value, the host security identification method further comprises:
if not, merging all the data groups into one data group, training that data group multiple times, and judging according to the corresponding malicious operation target value whether it has converged;
and if so, executing the host security operation.
5. The host security identification method of claim 1, wherein executing the host security operation specifically comprises:
executing a filtering and interception operation on the corresponding operation behavior at the bottom layer of the kernel.
6. The host security identification method of claim 5, wherein executing the host security operation further comprises:
generating corresponding security operation prompt information and sending it to a terminal.
7. The host security identification method of any one of claims 1 to 6, wherein, after the operation behavior data of the host is acquired and before all the operation behavior data is divided into a plurality of data groups, the host security identification method further comprises:
judging whether all the acquired operation behavior data lie within their respective preset ranges;
if not, executing an error reporting operation.
8. A host security identification device, comprising:
a determining module for determining a malicious operation target value corresponding to each operation behavior;
a dividing module for acquiring the operation behavior data of a host and dividing all the operation behavior data into a plurality of data groups;
a training module for training each of the plurality of data groups multiple times, judging according to the corresponding malicious operation target value whether a converged data group exists, and if so triggering the protection module;
and a protection module for executing the host security operation.
9. An electronic device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the host security identification method of any one of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, and the computer program, when executed by a processor, carries out the steps of the host security identification method of any one of claims 1 to 7.
Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202010567644.4A (CN111709015A) | 2020-06-19 | 2020-06-19 | Host security identification method and device and related components

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN202010567644.4A (CN111709015A) | 2020-06-19 | 2020-06-19 | Host security identification method and device and related components

Publications (1)

Publication Number | Publication Date
CN111709015A | 2020-09-25

Family

ID=72541720

Family Applications (1)

Application Number | Title | Priority Date | Filing Date | Status
CN202010567644.4A (CN111709015A) | Host security identification method and device and related components | 2020-06-19 | 2020-06-19 | Withdrawn

Country Status (1)

Country | Link
CN | CN111709015A

Citations (4)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US20140359761A1 * | 2013-06-04 | 2014-12-04 | Verint Systems, Ltd. | System and method for malware detection learning
CN106549980A * | 2016-12-30 | 2017-03-29 | 北京神州绿盟信息安全科技股份有限公司 | Malicious C&C server determination method and device
CN109547496A * | 2019-01-16 | 2019-03-29 | 西安工业大学 | Host malicious behavior detection method based on deep learning
CN110287701A * | 2019-06-28 | 2019-09-27 | 深信服科技股份有限公司 | Malicious file detection method, device, system and related components


Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
WW01 | Invention patent application withdrawn after publication

Application publication date: 2020-09-25