CN111770095A - Detection method, device, equipment and storage medium - Google Patents

Publication number
CN111770095A
Authority
CN
China
Prior art keywords
risk
target
data
detection
risk detection
Legal status
Granted
Application number
CN202010605431.6A
Other languages
Chinese (zh)
Other versions
CN111770095B (en)
Inventor
熊蜀光
Current Assignee
Beijing Baidu Netcom Science and Technology Co Ltd
Original Assignee
Beijing Baidu Netcom Science and Technology Co Ltd
Application filed by Beijing Baidu Netcom Science and Technology Co Ltd
Priority to CN202010605431.6A
Publication of CN111770095A
Application granted
Publication of CN111770095B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/12 Discovery or management of network topologies
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The embodiment of the application discloses a detection method, a detection device, detection equipment and a storage medium, and relates to the fields of computers, cloud computing and big data. The specific implementation scheme is as follows: acquiring target data to be subjected to risk detection; acquiring a risk detection topological graph, and determining a target risk detection path for performing risk detection on the target data from the risk detection topological graph; wherein the target risk detection path is determined based on risk detection nodes in the risk detection topology, the risk detection nodes indicating a risk type; and performing risk detection on the target data along the target risk detection path based on the risk type corresponding to the target risk detection path to obtain a risk detection result.

Description

Detection method, device, equipment and storage medium
Technical Field
The application relates to the technical field of computers, in particular to the technical field of cloud computing and big data.
Background
As internet services grow more complex and more varied, the fraud techniques used by black- and gray-market groups keep multiplying, and the tools and platforms they use to commit fraud keep expanding. Existing security detection methods are limited and are very weak at detecting fraud techniques that are new or have been upgraded to evade countermeasures.
Disclosure of Invention
The application provides a detection method, a detection device, detection equipment and a storage medium.
In a first aspect, an embodiment of the present application provides a detection method, including:
acquiring target data to be subjected to risk detection;
acquiring a risk detection topological graph, and determining a target risk detection path for performing risk detection on target data from the risk detection topological graph; the target risk detection path is determined based on risk detection nodes in the risk detection topological graph, and the risk detection nodes indicate risk types;
and performing risk detection on the target data along the target risk detection path based on the risk type corresponding to the target risk detection path to obtain a risk detection result.
In a second aspect, an embodiment of the present application provides a detection apparatus, including:
the target data acquisition module is used for acquiring target data to be subjected to risk detection;
the topological graph acquisition module is used for acquiring a risk detection topological graph and determining a target risk detection path for performing risk detection on target data from the risk detection topological graph; the target risk detection path is determined based on risk detection nodes in the risk detection topological graph, and the risk detection nodes indicate risk types;
and the risk detection result module is used for carrying out risk detection on the target data along the target risk detection path based on the risk type corresponding to the target risk detection path to obtain a risk detection result.
The technology according to the application solves the problem of how to bring the value of the various risk detection types fully into play.
It should be understood that the statements in this section do not necessarily identify key or critical features of the embodiments of the present application, nor do they limit the scope of the present application. Other features of the present application will become apparent from the following description.
Drawings
The drawings are included to provide a better understanding of the present solution and are not intended to limit the present application. Wherein:
FIG. 1 is a flow chart of a detection method according to an embodiment of the present application;
FIG. 2 is a first exemplary diagram of a detection method according to an embodiment of the present application;
FIG. 3 is an exemplary diagram of a risk detection graph module of a detection method according to an embodiment of the present application;
FIG. 4 is an exemplary diagram of a risk detection graph of a detection method according to an embodiment of the application;
FIG. 5 is a computational flow diagram of a risk detection graph module of a detection method according to an embodiment of the present application;
FIG. 6 is an exemplary diagram of a fact maintenance module of a detection method according to an embodiment of the present application;
FIG. 7 is a flow chart of the calculation of a fact maintenance module of the detection method according to an embodiment of the present application;
FIG. 8 is an apparatus diagram of a fact maintenance module of a detection method according to an embodiment of the present application.
Detailed Description
The following description of the exemplary embodiments of the present application, taken in conjunction with the accompanying drawings, includes various details of the embodiments of the application for the understanding of the same, which are to be considered exemplary only. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the present application. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
An embodiment of the present application provides a detection method, and referring to fig. 1, the detection method includes:
S101, acquiring target data to be subjected to risk detection;
S102, acquiring a risk detection topological graph, and determining a target risk detection path for performing risk detection on target data from the risk detection topological graph; the target risk detection path is determined based on risk detection nodes in the risk detection topological graph, and the risk detection nodes indicate risk types;
S103, performing risk detection on the target data along the target risk detection path based on the risk type corresponding to the target risk detection path to obtain a risk detection result.
The target data may be service data, and the service data may include: user data (which refers to basic information of a user), behavior data (which refers to data recording what the user has done, mainly including what behaviors the user has done, time when the behaviors occur, and the like), commodity data (which includes commodity names, commodity categories, commodity comments, inventory, and the like), and activity data (activity information of a platform).
The embodiment of the application provides a detection method based on graph-style computation: the various risk types are integrated in the form of a topological graph, each node of the topological graph indicates one risk type, and multiple target risk detection paths are organized through the nodes and the connections between them. The multiple risk detection nodes along a target risk detection path apply multiple risk detections to the target data.
The advantage is that the value of the various risk detection types can be fully exploited, and the detection mode can be adjusted by adjusting the topological relations of the graph, which provides flexibility.
The advantages of this technical idea include: (1) The length of a path represents the depth of analysis: the longer the path, the more risk detection nodes it passes through and the higher the reliability of the detection result. The result can be used to locate risk accurately, trace black-market groups, and act against them precisely.
(2) The out-degree of a risk detection node represents the richness of analytical cross-validation: the same batch of data receives multiple labels, which enables cross-validation. For example, for the same batch of data, the results analyzed by risk detection node A, risk detection node B, and risk detection node C are obtained and compared, and the detection effects of the different risk detection nodes are verified according to the comparison results. Generally, the more the risk data of different nodes intersect, the more accurate the risk detection is.
In one embodiment, referring to fig. 2, the method further comprises:
(1) determining risk types and incidence relations among the risk types;
(2) and taking the risk types as risk detection nodes, and constructing edges based on the incidence relation among the risk types to obtain a risk detection topological graph.
The above embodiments provide a method for establishing a risk detection topological graph. For example, suppose risk type A, risk type B, risk type C, and risk type D are preset, risk type A is associated with risk types B and C, and risk type B is associated with risk types C and D. Then risk types A, B, C, and D are used as risk detection nodes, and edges are constructed between risk types A and B, A and C, B and C, and B and D, respectively, to obtain the risk detection topological graph.
Optionally, the risk types in the topological graph and the association relationships between them can be established flexibly by a user.
In one embodiment, the risk detection topological graph is a directed topological graph, and edges between the risk detection nodes are directed edges to indicate the flow direction of the risk detection.
For example, risk detection node A → risk detection node B indicates that the data detected by risk detection node A is then detected by risk detection node B. Directed edges indicate the flow direction of risk detection, which makes it possible to specify the risk detection flow and gives the user more options when designing a detection scheme.
In one embodiment, the step S103, based on the risk type corresponding to the target risk detection path, performs risk detection on the target data along the target risk detection path, and includes:
(1) selecting a target risk attribute corresponding to the risk type in the target risk detection path from preset risk attributes, wherein the preset risk attributes are determined based on the attribute characteristics of the risk object after the risk object is identified from known risk data;
(2) acquiring a target risk object corresponding to the target risk attribute;
(3) and detecting whether the target data has risk data matched with the target risk object or not until all the risk types corresponding to the target risk detection path are detected.
The risk object and the attribute features may each be determined from a combination of one or more dimensions. For example, a piece of data of a risk object (ip, cuid) on attribute features (past, requests) may be (202.118.231.56,12345678) - (88888,300), where the risk object includes the two dimensions ip and cuid, the attribute features include the two dimensions past and requests, 88888 is the attribute value of past, and 300 is the attribute value of requests.
Taking the risk object (ip, cuid) and the corresponding attribute features (past, requests) as an example, the known risk data may be acquired as follows: based on intelligence data collected from a plurality of intelligence sources, after a risk object (202.118.231.56,12345678) is identified from the intelligence data, the attribute features (88888,300) of the risk object are determined, and the known risk data (202.118.231.56,12345678) - (88888,300) is obtained from the risk object and its attribute features. In this case, the preset risk attributes may include (past, requests).
One specific example of step S103 is as follows: the target risk attribute of the risk type is (past, requests), and target risk objects corresponding to the target risk attribute (past, requests), such as (ip1, cuid1), (ip2, cuid2), (ip3, cuid3), may be selected from the known risk data.
Comparing against the known risk data related to (ip1, cuid1), (ip2, cuid2), (ip3, cuid3), if the risk object (ip1, cuid1) also exists in the target data, the data related to the risk object (ip1, cuid1) in the target data can be determined to be risk data, and the risk type is present.
In one embodiment, the method further comprises:
and taking the risk data matched with the target risk object in the target data as known risk data so as to optimize the preset risk attribute and the risk object.
For example, in the above example, the risk data (ip1, cuid1) - (past1, requests1) is selected, and the preset risk attributes (past, requests) and the risk object (ip, cuid) can be optimized by using it as known data.
In one embodiment, the method further comprises:
(1) acquiring the weight of the target risk type;
(2) determining a risk value of risk data corresponding to the target risk type; the risk value is obtained based on the matching degree of the target risk object corresponding to the target risk type and the risk data;
(3) and obtaining the risk degree of the target data based on the weight of the target risk type and the risk value of the corresponding risk data.
For example, if risk detection type A has weight a and the risk value of the risk data obtained for it is a1, and risk detection type B has weight b and the risk value of the risk data obtained for it is b1, then the resulting risk degree is (a1 × a + b1 × b).
In one embodiment, obtaining a risk detection result includes:
detecting that risk data matched with the target risk object exists in the target data;
taking risk data matched with the target risk object as a risk detection result; and/or
and taking the risk type corresponding to the target risk object as a target risk type, and taking the target risk type as a risk detection result.
The risk type corresponding to a risk that exists in the target data is the target risk type. For example, if the risks corresponding to the risk types of node A, node B, and node C on a path all exist, the target risk types of the target data are taken to be the risk types corresponding to node A, node B, and node C; alternatively, after risk detection by node A, node B, and node C, the risk data in the target data that has the risk types corresponding to node A, node B, and node C is obtained.
Optionally, at each risk detection node along the path, the risk data that has the risk corresponding to that node is determined from the target data, and the risk label of that node is attached to the risk data.
Correspondingly, the risk detection result of each path includes risk data which is in accordance with all risk types on the path in the target data, and the risk data carries risk labels corresponding to all risk types on the path. The risk label can be used for further processing or analysis of the risk data, such as statistics of distribution of various risk labels of the target data.
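The path-based detection described above (graph construction, matching against known risk objects, per-node labels, and the weighted risk degree) can be sketched as follows. This is an added illustration, not code from the patent: the match-degree formula, the weights, and all sample records are assumptions constructed for the example.

```python
from collections import defaultdict

# Directed topology from the text's example: A->B, A->C, B->C, B->D.
EDGES = [("A", "B"), ("A", "C"), ("B", "C"), ("B", "D")]

# Constructed known risk data per risk type (illustrative values only):
# risk object (ip, cuid) -> attribute features (past, requests).
KNOWN_RISK = {
    "A": {("192.0.2.10", "c1"): (88888, 300), ("192.0.2.11", "c2"): (77777, 120)},
    "B": {("192.0.2.10", "c1"): (88888, 300)},
    "C": {("192.0.2.11", "c2"): (77777, 120)},
    "D": {("192.0.2.10", "c1"): (88888, 300)},
}
WEIGHTS = {"A": 0.4, "B": 0.3, "C": 0.2, "D": 0.1}  # assumed per-type weights

# Constructed target data (business log records to be checked).
TARGET = [
    {"ip": "192.0.2.10", "cuid": "c1", "past": 88888, "requests": 300},
    {"ip": "192.0.2.11", "cuid": "c2", "past": 77777, "requests": 5},
    {"ip": "198.51.100.7", "cuid": "c9", "past": 1, "requests": 2},
]


def build_graph(edges):
    """Risk types become nodes; associations become directed edges."""
    graph = defaultdict(list)
    for src, dst in edges:
        graph[src].append(dst)
    return graph


def enumerate_paths(graph, start):
    """All directed paths that begin at start (each prefix is a path)."""
    paths, stack = [], [[start]]
    while stack:
        path = stack.pop()
        paths.append(path)
        for nxt in graph.get(path[-1], []):
            if nxt not in path:  # guard: the graph is expected to be acyclic
                stack.append(path + [nxt])
    return sorted(paths)


def match_value(record, known):
    """Assumed match degree: 0 if the risk object is unknown, otherwise
    (1 + number of agreeing attribute features) / (1 + number of features)."""
    obj = (record["ip"], record["cuid"])
    if obj not in known:
        return 0.0
    observed = (record["past"], record["requests"])
    agree = sum(1 for k, o in zip(known[obj], observed) if k == o)
    return (1 + agree) / (1 + len(known[obj]))


def detect_along_path(records, path):
    """Run every node on the path in order; only flagged records flow on,
    so the result carries the labels of all risk types on the path."""
    current = [dict(r, labels=[], values={}) for r in records]
    for risk_type in path:
        flagged = []
        for rec in current:
            value = match_value(rec, KNOWN_RISK[risk_type])
            if value > 0:
                rec["labels"].append(risk_type)
                rec["values"][risk_type] = value
                flagged.append(rec)
        current = flagged
    return current


def risk_degree(rec):
    """Weighted sum of per-type risk values (a1 x a + b1 x b + ...)."""
    return round(sum(WEIGHTS[t] * v for t, v in rec["values"].items()), 6)


if __name__ == "__main__":
    graph = build_graph(EDGES)
    for path in enumerate_paths(graph, "A"):
        hits = detect_along_path(TARGET, path)
        print("->".join(path), [(h["cuid"], h["labels"], risk_degree(h)) for h in hits])
```

Longer paths return fewer records with more labels, which is the depth-versus-coverage trade-off the text attributes to path length.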
The following is a specific example of an embodiment of the present application.
Based on the technical scheme provided by the application, a computation flow can be constructed. Its input is business data, and its output is business data with risk labels together with statistical information on the various risk labels, including the attributes of each risk label and the proportion of the business data that carries each risk label. As shown in fig. 2, the computation flow comprises two main modules: a Risk Detection Graph module (RDG) and a fact maintenance module (GTM).
The RDG is mainly used for analyzing and computing over business data (mainly log data); its input is the log data, and it also needs the fact data provided by the GTM (data to be saved) as support.
The GTM is a computing module built on top of the Threat Intelligence Data Warehouse. On the one hand, the GTM builds fact data (Ground Truth Data) from the data in the threat intelligence data warehouse; as shown in the figure, the fact data required for computation (including tag/statistics/allocation data) is provided through the GTM for use by the RDG. On the other hand, the GTM cleans and updates the threat intelligence data warehouse data and the fact data according to the result data obtained from each analysis by the RDG, creating/updating/removing data and tags as shown in the figure, so as to continuously improve the accuracy of risk detection. The threat intelligence data warehouse may store data in the form of Hive tables.
The implementation steps of the RDG and GTM modules in the present application will be described in detail below.
(I) Implementation of RDG
Referring to fig. 3, the risk detection graph module is a computation module composed of a data loading and preprocessing module, a controller module, a plurality of risk detector modules, a risk detector collection module, and a result visualization platform. Each risk detector module is an independent computation module. Given input business data, the business data is loaded and cleaned and written to a Hive table; the data in the Hive table is input to the controller module, which feeds it to the risk detector modules; the data computed by the risk detector modules is partly stored as local data and written to configured Hive tables. The risk detector collection module then collects the risk detection results and writes the results and statistical data to configured Hive tables, and the final results are displayed through the visualization platform. Following the data flow, the risk detector modules are organized as a directed acyclic graph to achieve collaborative computing, and all of them are managed by the controller module. Hive is a data warehouse tool; it is used here only as an example and can be replaced by other data warehouse tools.
In practical use, the risk detector modules are organized into a directed acyclic graph, each vertex in the graph is a risk detector, and each directed edge is a data flow direction, i.e. indicating the output result of one risk detector and the input data of another risk detector. One RDG topology is shown in fig. 4, for example.
The risk detectors (RDs) include an activity risk RD, a channel risk RD, an internet protocol (ip) risk RD, a pass identity card (past) risk RD, a cuid-xid association-missing risk RD, a cuid-wifi device aggregation risk RD, an xid-security factor risk RD, a time distribution risk RD, and the like.
Referring to fig. 4, the input data first passes through 4 risk detectors, namely the activity risk-control RD, the channel risk-control RD, the ip comprehensive RD, and the past comprehensive RD, each of which produces its own output data. The output data is then pushed to the cuid-xid association-missing RD, the cuid-wifi device aggregation RD, and the xid-security factor RD for computation. Note that different upstream RDs push different data: for example, the activity risk-control RD pushes one part of the data to the cuid-xid association-missing RD, and the channel risk-control RD pushes another part to it. These 3 RDs then push their respective results to the time distribution RD. Finally, the result collection module summarizes the results corresponding to all 31 calculation paths and computes the relevant distributions and statistical values.
The activity risk RD judges whether the input data has activity risk; the activity can be one held by the platform, such as an e-commerce promotion.
The channel risk-control RD judges whether the input data has channel-side risk.
The ip comprehensive RD judges whether the input data has ip-side risk.
The past comprehensive RD judges whether the input data has past-side risk.
The cuid-xid risk-control RD judges whether cuid-xid risk exists by analyzing whether a cuid in the input data lacks the corresponding xid.
The xid-security factor RD judges whether xid-security factor risk exists by analyzing the security features of the device fingerprint information.
The time distribution RD judges whether time distribution risk exists according to the time distribution of the input data.
Referring to fig. 5, fig. 5 shows the calculation flow of RDG:
(1) RDG overall calculation flow: first, the data loader is started to load and preprocess the data. Then the RDG controller is started, and it starts a plurality of risk detectors for computation according to the RDG topological graph. After all risk detectors have completed their computation, the result collector is started to summarize the results and output statistical tables.
(2) RDG controller calculation flow: read the configuration file, which contains the input/output data addresses, the RDG graph topology, and information on the existing risk detectors. Then judge whether the computation of the directed edges corresponding to all paths in the graph is finished. If so, end the flow. Otherwise, find a directed edge whose computation is not finished and whose input data exists, send a computation instruction to the corresponding risk detector, receive the completion message returned by the risk detector, mark the corresponding directed edge as completed, and return to the step of judging whether the computation of the directed edges corresponding to all paths in the graph is finished.
(3) Risk detector calculation flow: first read the configuration file and start a local listening process to receive instructions sent by the RDG controller; then, on receiving an instruction, read the input data from the input location given in the instruction, execute the preset risk detection algorithm, and store the result at the output location specified in the instruction.
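The controller loop in (2) can be sketched as an edge scheduler. This is an added illustration, not the patent's code: the topology, detector predicates, and log records are constructed, and the rule that an edge's input "exists" once every edge into its source node is complete is an assumption. The sketch also covers the failure mode where a misconfigured topology contains a cycle, in which case the loop would otherwise never finish.

```python
LOADER = "input"  # virtual node standing for the data loader's output

# Constructed log records (illustrative values only).
RECORDS = [
    {"id": 1, "ip": "192.0.2.10", "channel": "chA", "xid": None, "hour": 3},
    {"id": 2, "ip": "192.0.2.10", "channel": "chA", "xid": "x2", "hour": 3},
    {"id": 3, "ip": "198.51.100.7", "channel": "chB", "xid": None, "hour": 14},
    {"id": 4, "ip": "198.51.100.8", "channel": "chB", "xid": None, "hour": 2},
]

# Assumed stand-ins for four risk detectors; each returns True for risky data.
DETECTORS = {
    "ip": lambda r: r["ip"] in {"192.0.2.10"},       # known risky ip
    "channel": lambda r: r["channel"] == "chB",      # known risky channel
    "cuid_xid": lambda r: r["xid"] is None,          # cuid lacks its xid
    "time": lambda r: 1 <= r["hour"] <= 4,           # off-hours activity
}

# Assumed topology: two first-layer detectors feed one second-layer
# detector, which feeds the time distribution detector.
TOPOLOGY = [
    (LOADER, "ip"), (LOADER, "channel"),
    ("ip", "cuid_xid"), ("channel", "cuid_xid"),
    ("cuid_xid", "time"),
]


def run_controller(edges, detectors, records):
    """Dispatch one detector call per directed edge, in data-flow order.

    An edge (u, v) is runnable once every edge into u is complete, i.e.
    u's output is final. Returns (per-node outputs, edge dispatch order).
    """
    incoming = {}
    for u, v in edges:
        incoming.setdefault(v, []).append((u, v))
    outputs = {LOADER: list(records)}
    done, order = set(), []
    while len(done) < len(edges):
        ready = [e for e in edges if e not in done
                 and all(p in done for p in incoming.get(e[0], []))]
        if not ready:
            # Work remains but nothing can run: the topology has a cycle.
            stuck = sorted(set(edges) - done)
            raise ValueError(f"cycle in topology; stuck edges: {stuck}")
        for u, v in ready:
            # The downstream detector only sees what this upstream pushed.
            flagged = [r for r in outputs.get(u, []) if detectors[v](r)]
            bucket = outputs.setdefault(v, [])
            bucket.extend(r for r in flagged if r not in bucket)
            done.add((u, v))       # mark the edge as completed
            order.append((u, v))
    return outputs, order


def flagged_ids(outputs, node):
    """Record ids that reached and were flagged by the given detector."""
    return [r["id"] for r in outputs.get(node, [])]


if __name__ == "__main__":
    outs, order = run_controller(TOPOLOGY, DETECTORS, RECORDS)
    print("dispatch order:", order)
    for node in ("ip", "channel", "cuid_xid", "time"):
        print(node, flagged_ids(outs, node))
```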
(II) GTM implementation
Referring to fig. 6, the fact maintenance module (GTM) is also a computation module, composed of a fact controller and a plurality of fact constructors. The data output by each fact constructor includes entity-attribute configuration tables and entity-attribute assignments and statistics, where entities are risk objects and attributes may also be referred to as attribute features. The controller module is responsible for creating, managing, and destroying fact constructors, and each fact constructor is responsible for correlating and computing over various intelligence data sources and producing the designated risk object-attribute feature data. Risk object-attribute feature data is the value, on specific attribute dimensions, of a risk object composed of specific data dimensions; for example, a piece of data of an (ip, cuid) entity on the (past, requests) attributes may be (202.118.231.56,12345678) - (88888,300). The purpose of the GTM is to provide trusted intelligence data to each risk detector in the RDG for associating specific risk objects.
The fact maintenance module can acquire intelligence data from a plurality of intelligence sources, such as the Hive tables of each service's data that has been computed by the RD modules, cooperatively purchased ip data, mobile phone Hive tables, security SDK Hive tables, risk-control data Hive tables, and the like.
Further, the fact maintenance module can be configured: the input and output data addresses and the number of constructors are set.
Referring to fig. 7, fig. 7 shows the calculation flow of GTM as follows:
(1) GTM controller calculation flow: first read the configuration file and obtain the input/output data locations and the existing GTM constructors; then send the computation instruction and computation parameters to each constructor.
(2) GTM constructor calculation flow: first read the configuration file and start a local listening process to receive instructions sent by the GTM controller; then, on receiving an instruction, read the input data from the input location given in the instruction, execute the preset intelligence data construction algorithm, and store the result at the output location specified in the instruction.
Referring to fig. 8, an embodiment of the present application further provides a detection apparatus 800, including:
a target data acquiring module 801, configured to acquire target data to be subjected to risk detection;
a topological graph obtaining module 802, configured to obtain a risk detection topological graph, and determine a target risk detection path for performing risk detection on target data from the risk detection topological graph; the target risk detection path is determined based on risk detection nodes in the risk detection topological graph, and the risk detection nodes indicate risk types;
and a risk detection result module 803, configured to perform risk detection on the target data along the target risk detection path based on the risk type corresponding to the target risk detection path, to obtain a risk detection result.
In one embodiment, the apparatus further comprises:
the risk type determining module is used for determining the risk types and the incidence relation among the risk types; and the topological graph building module is used for taking the risk types as risk detection nodes, building edges based on the incidence relation among the risk types, and obtaining the risk detection topological graph.
In one embodiment, the risk detection topological graph is a directed topological graph, and edges between the risk detection nodes are directed edges to indicate the flow direction of the risk detection.
In one embodiment, the risk detection results module includes:
the target risk attribute determining submodule is used for selecting a target risk attribute corresponding to the risk type in the target risk detection path from preset risk attributes, wherein the preset risk attributes are determined based on the attribute characteristics of the risk object after the risk object is identified from known risk data;
the target risk object acquisition submodule is used for acquiring a target risk object corresponding to the target risk attribute;
and the risk data detection submodule is used for detecting whether the target data has risk data matched with the target risk object or not until all the corresponding risk types in the target risk detection path are detected.
In one embodiment, the risk detection results module includes:
the first risk detection result submodule is used for detecting that risk data matched with the target risk object exists in the target data, and taking the risk data matched with the target risk object as a risk detection result; and/or
and the second risk detection result submodule is used for taking the risk type corresponding to the target risk object as a target risk type and taking the target risk type as a risk detection result.
In one embodiment, the apparatus further comprises:
and the known risk data determining module is used for taking the risk data matched with the target risk object in the target data as known risk data so as to optimize the preset risk attribute and the risk object.
In one embodiment, the apparatus further comprises:
the weight determining module is used for obtaining the weight of the target risk type;
the risk value determining module is used for determining the risk value of the risk data corresponding to the target risk type in the target data; wherein the risk value is obtained based on the matching degree of the target risk object and the risk data;
and the risk degree determining module is used for obtaining the risk degree of the target data based on the weight of the target risk type and the risk value of the risk data.
According to an embodiment of the present application, an electronic device and a readable storage medium are also provided.
The electronic device for the detection method according to embodiments of the present application is intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other suitable computers. The electronic device may also represent various forms of mobile devices, such as personal digital processing devices, cellular phones, smart phones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be examples only, and are not meant to limit implementations of the present application that are described and/or claimed herein.
The electronic device includes: one or more processors, memory, and interfaces for connecting the components, including high-speed interfaces and low-speed interfaces. The various components are interconnected using different buses and may be mounted on a common motherboard or in other manners as desired. The processor may process instructions for execution within the electronic device, including instructions stored in or on the memory to display graphical information of a GUI on an external input/output apparatus (such as a display device coupled to the interface). In other embodiments, multiple processors and/or multiple buses may be used, along with multiple memories, as desired. Also, multiple electronic devices may be connected, with each device providing portions of the necessary operations (e.g., as a server array, a group of blade servers, or a multi-processor system).
The memory is a non-transitory computer readable storage medium as provided herein. The memory stores instructions executable by the at least one processor to cause the at least one processor to perform the detection method provided herein. The non-transitory computer readable storage medium of the present application stores computer instructions for causing a computer to perform the detection method provided herein.
The memory, as a non-transitory computer readable storage medium, may be used to store non-transitory software programs, non-transitory computer executable programs, and modules, such as program instructions/modules corresponding to the detection method in the embodiments of the present application (e.g., target data acquisition module 801, topology acquisition module 802, and risk detection result module 803 shown in FIG. 8). The processor executes various functional applications of the server and data processing by executing non-transitory software programs, instructions, and modules stored in the memory, that is, implements the detection method in the above-described method embodiments.
The memory may include a storage program area and a storage data area, wherein the storage program area may store an operating system and an application program required for at least one function; the storage data area may store data created through use of the electronic device for detection, and the like. Further, the memory may include high speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, the memory optionally includes memory remotely located from the processor, and such remote memory may be connected to the electronic device for detection via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The electronic device for the detection method may further comprise: an input device and an output device. The processor, memory, input device, and output device may be connected by a bus or other means.
The input device may receive input numeric or character information and generate key signal inputs related to user settings and function control of the electronic device for detection; examples of the input device include a touch screen, keypad, mouse, track pad, touch pad, pointer stick, one or more mouse buttons, track ball, joystick, or other input device. The output devices may include a display device, auxiliary lighting devices (e.g., LEDs), and haptic feedback devices (e.g., vibrating motors), among others. The display device may include, but is not limited to, a Liquid Crystal Display (LCD), a Light Emitting Diode (LED) display, and a plasma display. In some implementations, the display device can be a touch screen.
Various implementations of the systems and techniques described here can be realized in digital electronic circuitry, integrated circuitry, ASICs (application-specific integrated circuits), computer hardware, firmware, software, and/or combinations thereof. These various implementations may include implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, receiving data and instructions from, and transmitting data and instructions to, a storage system, at least one input device, and at least one output device.
These computer programs (also known as programs, software applications, or code) include machine instructions for a programmable processor, and may be implemented using high-level procedural and/or object-oriented programming languages, and/or assembly/machine languages. As used herein, the terms "machine-readable medium" and "computer-readable medium" refer to any computer program product, apparatus, and/or device (e.g., magnetic discs, optical disks, memory, Programmable Logic Devices (PLDs)) used to provide machine instructions and/or data to a programmable processor, including a machine-readable medium that receives machine instructions as a machine-readable signal. The term "machine-readable signal" refers to any signal used to provide machine instructions and/or data to a programmable processor.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) by which a user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic, speech, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: Local Area Networks (LANs), Wide Area Networks (WANs), and the Internet.
The computer system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or a cloud host, which is a host product in a cloud computing service system and addresses the high management difficulty and weak service scalability of traditional physical hosts and Virtual Private Server (VPS) services.
It should be understood that various forms of the flows shown above may be used, with steps reordered, added, or deleted. For example, the steps described in the present application may be executed in parallel, sequentially, or in different orders, as long as the desired results of the technical solutions disclosed in the present application can be achieved, which is not limited herein.
The above-described embodiments should not be construed as limiting the scope of the present application. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may be made in accordance with design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (16)

1. A detection method, comprising:
acquiring target data to be subjected to risk detection;
acquiring a risk detection topological graph, and determining a target risk detection path for performing risk detection on the target data from the risk detection topological graph; wherein the target risk detection path is determined based on risk detection nodes in the risk detection topology, the risk detection nodes indicating a risk type;
and performing risk detection on the target data along the target risk detection path based on the risk type corresponding to the target risk detection path to obtain a risk detection result.
2. The method of claim 1, further comprising:
determining risk types and association relations among the risk types;
and taking the risk types as the risk detection nodes, and constructing edges based on the association relations among the risk types to obtain the risk detection topological graph.
3. The method of claim 1, wherein,
the risk detection topological graph is a directed topological graph, and edges among the risk detection nodes are directed edges to indicate the flow direction of risk detection.
4. The method of claim 1, wherein,
the performing risk detection on the target data along the target risk detection path based on the risk type corresponding to the target risk detection path includes:
selecting a target risk attribute corresponding to the risk type in the target risk detection path from preset risk attributes, wherein the preset risk attributes are determined based on the attribute characteristics of the risk object after the risk object is identified from known risk data;
acquiring a target risk object corresponding to the target risk attribute;
and detecting whether the target data has risk data matched with the target risk object or not until all the risk types corresponding to the target risk detection path are detected.
5. The method of claim 4, wherein the obtaining a risk detection result comprises:
detecting that risk data matched with the target risk object exists in the target data;
taking the risk data matched with the target risk object as the risk detection result; and/or
and taking the risk type corresponding to the target risk object as a target risk type, and taking the target risk type as the risk detection result.
6. The method of claim 4, further comprising:
and taking the risk data matched with the target risk object in the target data as the known risk data so as to optimize the preset risk attribute and the risk object.
7. The method of claim 5, further comprising:
acquiring the weight of the target risk type;
determining a risk value of risk data corresponding to the target risk type in the target data; wherein the risk value is derived based on a degree of matching of the target risk object with the risk data;
and obtaining the risk degree of the target data based on the weight of the target risk type and the risk value of the risk data.
8. A detection apparatus, comprising:
the target data acquisition module is used for acquiring target data to be subjected to risk detection;
the topological graph acquisition module is used for acquiring a risk detection topological graph and determining a target risk detection path for performing risk detection on the target data from the risk detection topological graph; wherein the target risk detection path is determined based on risk detection nodes in the risk detection topology, the risk detection nodes indicating a risk type;
and the risk detection result module is used for carrying out risk detection on the target data along the target risk detection path based on the risk type corresponding to the target risk detection path to obtain a risk detection result.
9. The apparatus of claim 8, further comprising:
the risk type determining module is used for determining the risk types and the association relations among the risk types;
and the topological graph construction module is used for taking the risk types as the risk detection nodes, constructing edges based on the association relations among the risk types and obtaining the risk detection topological graph.
10. The apparatus of claim 8, wherein,
the risk detection topological graph is a directed topological graph, and edges among the risk detection nodes are directed edges to indicate the flow direction of risk detection.
11. The apparatus of claim 8, wherein,
the risk detection result module includes:
the target risk attribute determining submodule is used for selecting a target risk attribute corresponding to a risk type in the target risk detection path from preset risk attributes, wherein the preset risk attributes are determined based on attribute characteristics of risk objects after the risk objects are identified from known risk data;
a target risk object obtaining sub-module, configured to obtain a target risk object corresponding to the target risk attribute;
and the risk data detection submodule is used for detecting whether the target data has risk data matched with the target risk object or not until all the corresponding risk types in the target risk detection path are detected.
12. The apparatus of claim 11, wherein the risk detection result module comprises:
a first risk detection result submodule, configured to detect that risk data matched with the target risk object exists in the target data; taking the risk data matched with the target risk object as the risk detection result; and/or
and the second risk detection result submodule is used for taking the risk type corresponding to the target risk object as a target risk type and taking the target risk type as the risk detection result.
13. The apparatus of claim 11, further comprising:
and the known risk data determining module is used for taking the risk data matched with the target risk object in the target data as the known risk data so as to optimize the preset risk attribute and the risk object.
14. The apparatus of claim 12, further comprising:
the weight determining module is used for acquiring the weight of the target risk type;
a risk value determining module, configured to determine a risk value of risk data corresponding to the target risk type in the target data; wherein the risk value is derived based on a degree of matching of the target risk object with the risk data;
and the risk degree determining module is used for obtaining the risk degree of the target data based on the weight of the target risk type and the risk value of the risk data.
15. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1-7.
16. A non-transitory computer readable storage medium having stored thereon computer instructions for causing the computer to perform the method of any one of claims 1-7.
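The flow of claims 1 to 7 (directed graph of risk types, detection path, matching of risk objects against target data, weighted risk degree), as an added example that is not code from the patent. The risk types, attributes, weights and sample records are constructed, and the breadth-first path choice, token-overlap matching degree and weighted-sum risk degree are assumptions, since the claims do not fix those details.

```python
import re
from collections import deque

# Directed risk detection topology: node = risk type, edge = direction in which
# detection flows. Risk types are constructed for this example.
TOPOLOGY = {
    "phishing_lure": ["credential_harvest", "malware_link"],
    "credential_harvest": ["account_takeover"],
    "malware_link": [],
    "account_takeover": [],
    "spam": [],  # isolated node, not reachable from phishing_lure
}

# Preset risk attributes (assumed): name -> (risk type, record field, risk object).
# The risk object is a set of indicator tokens taken to come from known risk data.
PRESET_ATTRIBUTES = {
    "urgency_wording": ("phishing_lure", "subject", {"urgent", "verify", "account"}),
    "credential_prompt": ("credential_harvest", "body", {"enter", "password", "login"}),
    "executable_link": ("malware_link", "url", {"download", "exe"}),
    "new_device_notice": ("account_takeover", "body", {"new", "device", "signin"}),
    "bulk_wording": ("spam", "subject", {"free", "offer"}),
}
WEIGHTS = {"phishing_lure": 2, "credential_harvest": 5, "malware_link": 4,
           "account_takeover": 5, "spam": 1}

# Constructed target data to be checked.
TARGET_DATA = [
    {"id": 1, "subject": "URGENT: verify your account",
     "body": "Please enter your password on the login page",
     "url": "http://example.test/login"},
    {"id": 2, "subject": "Free offer: lunch on Friday",
     "body": "Menu attached", "url": "http://example.test/menu"},
    {"id": 3, "subject": "Invoice", "body": "See the link",
     "url": "http://example.test/files/invoice.exe"},
]

def detection_path(topology, entry):
    """Risk types reachable from `entry`, in breadth-first order along directed edges."""
    seen, order, queue = {entry}, [], deque([entry])
    while queue:
        node = queue.popleft()
        order.append(node)
        for nxt in topology.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return order

def match_degree(risk_object, text):
    """Fraction of the risk object's tokens that occur in the text (0.0 to 1.0)."""
    tokens = set(re.findall(r"[a-z0-9]+", text.lower()))
    return len(risk_object & tokens) / len(risk_object)

def detect(target_data, entry, threshold=0.5, known_risk_data=None):
    """Walk the path; for each risk type, match its risk objects against the data."""
    findings = []
    for risk_type in detection_path(TOPOLOGY, entry):
        for name, (attr_type, field, risk_object) in PRESET_ATTRIBUTES.items():
            if attr_type != risk_type:
                continue  # attribute belongs to a risk type that is not being checked now
            for record in target_data:
                value = match_degree(risk_object, record.get(field, ""))
                if value >= threshold:
                    findings.append({"id": record["id"], "risk_type": risk_type,
                                     "attribute": name, "risk_value": value})
                    if known_risk_data is not None:
                        known_risk_data.append(record)  # feedback step of claim 6
    # Risk degree (assumed form): sum of weight * risk value over all findings.
    risk_degree = sum(WEIGHTS[f["risk_type"]] * f["risk_value"] for f in findings)
    return findings, risk_degree

if __name__ == "__main__":
    results, degree = detect(TARGET_DATA, "phishing_lure")
    for finding in results:
        print(finding)
    print("risk degree:", degree)
```

Record 2 contains spam wording but produces no finding when detection starts at `phishing_lure`, because the `spam` node is not on that path; starting at `spam` reports it.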
CN202010605431.6A 2020-06-29 2020-06-29 Detection method, device, equipment and storage medium Active CN111770095B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010605431.6A CN111770095B (en) 2020-06-29 2020-06-29 Detection method, device, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010605431.6A CN111770095B (en) 2020-06-29 2020-06-29 Detection method, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN111770095A 2020-10-13
CN111770095B 2023-04-18

Family

ID=72724276

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010605431.6A Active CN111770095B (en) 2020-06-29 2020-06-29 Detection method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN111770095B (en)



Also Published As

Publication number Publication date
CN111770095B (en) 2023-04-18


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant