CN111818050B - Target access behavior detection method, system, device, equipment and storage medium - Google Patents

Info

Publication number: CN111818050B
Application number: CN202010652958.4A
Authority: CN (China)
Legal status: Active
Other versions: CN111818050A (en)
Inventors: 陈嘉豪, 郭豪, 宜娜, 张融, 洪春华
Assignee (current and original): Tencent Technology Shenzhen Co Ltd
Prior art keywords: data, time, access, target, characteristic data

Classifications

    • H04L63/1416 Event detection, e.g. attack signature detection (under H04L63/1408, detecting malicious traffic by monitoring network traffic)
    • H04L63/1425 Traffic logging, e.g. anomaly detection (under H04L63/1408)
Abstract

The application provides a target access behavior detection method, device, equipment and storage medium, and belongs to the technical field of network security. The method comprises the following steps: performing period detection on time sequence characteristic data to obtain an access period corresponding to the time sequence characteristic data; segmenting the time sequence characteristic data according to the access period to obtain at least two data segments; performing similarity detection on the at least two data segments; and, in response to the detection result of the similarity detection indicating that the time sequence characteristic data is periodic similar data, determining that the behavior corresponding to the time sequence characteristic data belongs to the target access behavior. In this technical scheme the access period is obtained by period detection, which avoids the problem that a manually set period is easy to bypass, and the reasonableness of the period is checked by similarity detection on the data segments after the time sequence characteristic data is segmented, so that time sequence characteristic data whose corresponding behavior belongs to the target access behavior can be accurately identified.

Description

Target access behavior detection method, system, device, equipment and storage medium
Technical Field
The present disclosure relates to the field of network security technologies, and in particular, to a method, a system, an apparatus, a device, and a storage medium for detecting target access behavior.
Background
In the field of network security technology, a suspicious extranet IP periodic connection (Recurring Rare IP Access) refers to the behavior in which, over a certain historical time span, a certain host within a specific local area network (such as an intranet) periodically accesses an external rare IP (Internet Protocol) address, while other hosts within the local area network rarely or never access that rare IP. The suspicious extranet IP periodic connection behavior belongs to the command-and-control (Command & Control) class of attack means, and timely detection of it can effectively protect the security of the specific local area network.
At present, because a suspicious extranet IP periodic connection has a certain periodicity, the access data can be sampled and segmented according to a manually set period, the mean and variance of each segment are then calculated, and whether the data contains a periodic component is judged based on a statistical rule, so as to detect whether a suspicious extranet IP periodic connection is present.
In this scheme the manually set period is easily bypassed, so that the suspicious extranet IP periodic connection behavior may go undetected.
Disclosure of Invention
The embodiments of the application provide a target access behavior detection method, system, device, equipment and storage medium. The access period is obtained by performing period detection on the time sequence characteristic data, which avoids the problem that a manually set period is easy to bypass, and the reasonableness of the period is checked by performing similarity detection on the data segments after the time sequence characteristic data is segmented, so that time sequence characteristic data whose corresponding behavior belongs to the target access behavior can be accurately identified. The technical solution is as follows:
in one aspect, a method for detecting target access behavior is provided, including:
performing period detection on time sequence feature data to obtain an access period corresponding to the time sequence feature data, wherein the time sequence feature data is used for representing the features of network access data in target duration;
segmenting the time sequence characteristic data according to the access period to obtain at least two data segments;
performing similarity detection on the at least two data fragments;
and in response to the detection result of the similarity detection indicating that the time sequence characteristic data is periodic similar data, determining that the behavior corresponding to the time sequence characteristic data belongs to a target access behavior.
In another aspect, there is provided a target access behavior detection apparatus, the apparatus including:
the period detection module is used for carrying out period detection on the time sequence characteristic data to obtain an access period corresponding to the time sequence characteristic data, wherein the time sequence characteristic data is used for representing the characteristics of network access data in the target duration;
the data dividing module is used for segmenting the time sequence characteristic data according to the access period to obtain at least two data fragments;
the similarity detection module is used for detecting the similarity of the at least two data fragments;
and the determining module is used for determining, in response to the detection result of the similarity detection indicating that the time sequence characteristic data is periodic similar data, that the behavior corresponding to the time sequence characteristic data belongs to the target access behavior.
In an alternative implementation, the period detection module is configured to convert the time-series characteristic data into frequency domain data; and determining the access frequency with the highest amplitude as an access period according to the amplitude-frequency relation of the frequency domain data.
In an alternative implementation, the similarity detection module includes:
The similarity acquisition sub-module is used for respectively acquiring the similarity between two data fragments adjacent in time;
the target data segment acquisition sub-module is used for acquiring a data segment with similarity not greater than a similarity threshold value as a target data segment;
and the detection result acquisition sub-module is used for determining, as the detection result, that the time sequence characteristic data is periodic similar data in response to the proportion of the target data segments among the at least two data segments being greater than a target proportion.
In an alternative implementation, the similarity obtaining sub-module includes:
a dynamic time warping distance obtaining unit, configured to obtain, for two adjacent data segments at any time, a dynamic time warping distance between the two data segments, where the dynamic time warping distance is used to represent a shortest cumulative euclidean distance between the two data segments;
and the similarity determining unit is used for determining the similarity between the two data fragments according to the dynamic time warping distance.
In an optional implementation manner, the similarity determining unit is configured to obtain a sequence length of the time sequence feature data; and normalizing the dynamic time warping distance according to the sequence length to obtain the similarity between the two data fragments.
In an optional implementation manner, the determining module is configured to obtain, in response to the detection result indicating that the time series feature data is periodic similar data, a target access address included in the time series feature data, where the target access address is the address to which the access is directed; to acquire a first number of target initiating addresses included in comparison data, where the comparison data is time sequence characteristic data of non-target access behaviors and the target initiating addresses are addresses that initiate access to the target access address; and to determine that the behavior corresponding to the time sequence characteristic data belongs to a target access behavior in response to the first number not being larger than a preset second number.
In an alternative implementation, the apparatus further includes:
the log data acquisition module is used for acquiring flow log data in the target duration;
the data preprocessing module is used for preprocessing the flow log data to obtain the network access data to be detected;
and the feature extraction module is used for carrying out feature extraction on the network access data to obtain at least one piece of time sequence feature data.
In an alternative implementation, the apparatus further includes:
The data conversion module is used for converting the time sequence characteristic data into visual data;
and the display module is used for displaying the visual data on a visual display interface.
In another aspect, a computer device is provided, the computer device including a processor and a memory for storing at least one piece of program code that is loaded and executed by the processor to implement the operations performed in the target access behavior detection method in an embodiment of the present application.
In another aspect, a storage medium is provided, where at least one piece of program code is stored, where the at least one piece of program code is used to perform the target access behavior detection method in an embodiment of the present application.
In another aspect, a computer program product or computer program is provided, the computer program product or computer program comprising computer program code, the computer program code being stored in a computer readable storage medium. The computer program code is read from a computer readable storage medium by a processor of a computer device, and executed by the processor, causes the computer device to perform the method of target access behavior detection provided in the above aspect or various alternative implementations of the above aspect.
The technical solution provided by the embodiments of this application has the following beneficial effects:
in the embodiment of the application, the access period is acquired by carrying out period detection on the time sequence characteristic data, so that the problem that the manually set period is easy to bypass is avoided, and the rationality of the period can be checked by carrying out similarity detection on the data fragments after the time sequence characteristic data are segmented, so that the time sequence characteristic data of the corresponding behavior belonging to the target access behavior can be accurately determined.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of an implementation environment of a target access behavior detection method according to an embodiment of the present application;
FIG. 2 is a flow chart of a target access behavior detection method provided in accordance with an embodiment of the present application;
FIG. 3 is a flow chart of a target access behavior detection method provided according to an embodiment of the present application;
FIG. 4 is a schematic diagram of converting time domain data into frequency domain data according to an embodiment of the present application;
FIG. 5 is a schematic diagram of a DTW (dynamic time warping) distance provided by an embodiment of the present application;
FIG. 6 is a flow chart of another target access behavior detection method provided in accordance with an embodiment of the present application;
FIG. 7 is a schematic diagram of a target access behavior detection system provided in accordance with an embodiment of the present application;
FIG. 8 is a schematic diagram of a visual presentation interface provided in accordance with an embodiment of the present application;
FIG. 9 is a schematic diagram of a detection scenario configuration interface provided according to an embodiment of the present application;
FIG. 10 is a block diagram of a target access behavior detection apparatus provided in accordance with an embodiment of the present application;
FIG. 11 is a block diagram of a terminal according to an embodiment of the present application;
FIG. 12 is a schematic structural diagram of a server according to an embodiment of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present application more apparent, the embodiments of the present application will be described in further detail below with reference to the accompanying drawings.
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples are not representative of all implementations consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with some aspects of the present application as detailed in the accompanying claims.
In order to facilitate understanding of the technical process of the embodiments of the present application, some terms related to the embodiments of the present application are explained below:
Cloud security (Cloud Security) is a generic term for security software, hardware, users, institutions and secure cloud platforms based on the cloud computing business model. Cloud security fuses emerging technologies and concepts such as parallel processing, grid computing and unknown-virus behavior judgment: it acquires the latest information on Trojan horses and malicious programs on the Internet through anomaly monitoring of software behavior on a large number of network clients, sends that information to a server for automatic analysis and processing, and distributes the solutions for the viruses and Trojan horses to each client.
The main research directions of cloud security include: 1. cloud computing security, namely how to guarantee the security of the cloud and of the various applications on it, including cloud computer system security, secure storage and isolation of user data, user access authentication, information transmission security, network attack protection, compliance auditing and the like; 2. cloudification of the security infrastructure, which mainly studies how to build and integrate security infrastructure resources using cloud computing and how to optimize the security protection mechanism, where cloud computing technology is used to construct a super-large-scale security event and information acquisition and processing platform, realize the acquisition and correlation analysis of mass information, and improve the control and risk control capabilities for network-wide security events; 3. cloud security services, which mainly study the various security services provided to users based on cloud computing platforms, such as anti-virus services and the like.
A suspicious extranet IP periodic connection (Recurring Rare IP Access) refers to the behavior in which, within a particular local area network (e.g., an intranet), a certain host periodically accesses an external rare IP (Internet Protocol) address over a certain historical period of time, while other hosts within the local area network have little or no access to that rare IP.
The Transmission Control Protocol (TCP) is a connection-oriented, reliable, byte-stream-based transport layer communication protocol defined by IETF RFC 793. TCP is intended to fit into a layered protocol hierarchy that supports multiple network applications. TCP provides reliable communication services between pairs of processes in host computers attached to different but interconnected computer communication networks. TCP assumes that it can obtain a simple, possibly unreliable datagram service from lower-level protocols. In principle, TCP should be able to operate over a variety of communication systems ranging from hardwired to packet-switched or circuit-switched networks.
Hereinafter, the environment in which the present application is implemented will be described.
In the embodiments of the application, the electronic device can be provided as a terminal or as a server. Optionally, when the electronic device is provided as a terminal, the terminal implements the operations performed by the target access behavior detection method; optionally, when it is provided as a server, the server implements the operations performed by the target access behavior detection method: the server receives network access data sent by the terminal, and performs feature extraction and detection on the received network access data to obtain a detection result; optionally, the operations performed by the target access behavior detection method are implemented through interaction between the server and the terminal.
Fig. 1 is a schematic diagram of an implementation environment of a target access behavior detection method according to an embodiment of the present application. Taking an example in which the electronic device is provided as a server, referring to fig. 1, the implementation environment includes a terminal 110 and a server 120.
The terminal 110 and the server 120 may be directly or indirectly connected through wired or wireless communication, which is not limited herein. The terminal 110 may be, but is not limited to, a smart phone, a tablet computer, a notebook computer, a desktop computer, a smart speaker, a smart watch, etc. The terminal 110 may access extranet IPs based on an intranet IP (Internet Protocol) address allocated inside a local area network (e.g., an intranet) in order to browse extranet content.
The server 120 may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server providing cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDNs, basic cloud computing services such as big data and artificial intelligence platforms, and the like. The server 120 is used for providing services such as detection, storage, etc. of time-series characteristic data. Alternatively, the server 120 may undertake primary detection work and the terminal 110 may undertake secondary detection work; alternatively, the server 120 performs a secondary detection operation and the terminal 110 performs a primary detection operation; alternatively, the server 120 or the terminal 110 may separately undertake the detection work, respectively; alternatively, a distributed detection architecture is used for collaborative detection between the server 120 and the terminal 110.
Alternatively, the server 120 may be composed of an access server, a backend server, and a database server. The access server is used to provide access services for the terminal 110. The background server is used for providing detection service. The background server may be one or more. When the background servers are multiple, there are at least two background servers for providing different services, and/or there are at least two background servers for providing the same service, such as providing the same service in a load balancing manner, which is not limited in the embodiments of the present application.
Terminal 110 may refer broadly to one of a plurality of terminals, with the present embodiment being illustrated only by terminal 110. The intranet IP corresponding to different terminals is different. Those skilled in the art will recognize that the number of terminals may be greater or lesser. For example, the number of the terminals may be one, or the number of the terminals may be tens or hundreds, or more. The number of terminals and the device type are not limited in the embodiment of the present application.
Fig. 2 is a flowchart of a target access behavior detection method according to an embodiment of the present application. As shown in fig. 2, the target access behavior detection method includes the steps of:
201. The computer equipment carries out period detection on the time sequence characteristic data to obtain an access period corresponding to the time sequence characteristic data, wherein the time sequence characteristic data is used for representing the characteristics of network access data in the target duration.
In the embodiment of the application, when detecting whether the behavior of the intranet IP to the extranet IP belongs to the target access behavior, such as the suspicious extranet IP periodic connection behavior, the server can acquire network access data in a target duration aiming at the intranet IP and the extranet IP, and then perform feature extraction on the network access data to obtain time sequence feature data. Optionally, the time series characteristic data includes a first address for initiating access, a second address for directing access, a time stamp for initiating access, and a data transmission value during access, and the server uses the intranet IP as the first address for initiating access and uses the extranet IP as the second address for directing access. The computer device can perform period detection on the acquired time series characteristic data to determine an access period corresponding to the time series characteristic data. Because the access period is automatically acquired based on an algorithm, the problem that the manually set period is easy to bypass is avoided.
202. The computer equipment segments the time sequence characteristic data according to the access period to obtain at least two data fragments.
In the embodiment of the application, the computer device can segment the time series characteristic data based on the acquired access period. For example, the access period is T, and the target duration corresponding to the time-series characteristic data is N, the computer device can divide the access data into N/T data segments. Wherein N and T are positive integers. If N/T is less than 2, the time series characteristic data is a cycle-free sequence, and no subsequent steps are needed. If N/T is greater than or equal to 2, the time-series characteristic data is represented as a periodic sequence, and step 203 is performed.
203. The computer device performs similarity detection on at least two data segments.
In the embodiment of the application, after obtaining at least two data segments, the computer device can compare the similarity of two data segments adjacent in time. Alternatively, when there are M pieces of data, the computer device can obtain M-1 similarities and store the M-1 similarities in a list. Wherein M is a positive integer. The computer device can determine whether the data segments are similar by the magnitude relation between the similarities stored in the list and a preset similarity threshold. The computer device can determine the detection result of the similarity detection according to the ratio of the similar data segments in each data segment. The detection result can indicate that the time-series characteristic data is a periodic similar sequence or a periodic sequence.
204. And in response to the detection result of the similarity detection indicating that the time series characteristic data is periodic similar data, the computer equipment determines that the behavior corresponding to the time series characteristic data belongs to the target access behavior.
In the embodiment of the present application, after obtaining the detection result of the similarity detection, when determining that the time-series feature data is periodic similar data based on the detection result, the computer device may determine that the behavior corresponding to the time-series feature data belongs to the target access behavior. Optionally, when the computer device determines that the time series feature data is periodic similar data based on the detection result, the computer device can also filter the time series feature data based on the address pointed by the access included in the time series feature data, so as to reduce occurrence of false detection and improve accuracy of detection.
In the embodiment of the application, the access period is acquired by carrying out period detection on the time sequence characteristic data, so that the problem that the manually set period is easy to bypass is avoided, and the rationality of the period can be checked by carrying out similarity detection on the data fragments after the time sequence characteristic data are segmented, so that the time sequence characteristic data of the corresponding behavior belonging to the target access behavior can be accurately determined.
In the embodiment of the present application, the technical solution provided in the embodiment of the present application is implemented by a computer device, where the computer device can be configured as a server, and also can be configured as a terminal. Of course, the technical solution provided in the embodiment of the present application may also be implemented through interaction between the server and the terminal, which is not limited in this embodiment of the present application.
Fig. 3 is a flowchart of a target access behavior detection method according to an embodiment of the present application, and as shown in fig. 3, an example in which a computer device is configured as a server is described in the embodiment of the present application. The target access behavior detection method comprises the following steps:
301. the server performs feature extraction on the network access data to be detected to obtain at least one piece of time sequence feature data.
In this embodiment of the present application, when a user exchanges data with an external network through a specific local area network (e.g., an intranet), the server may record the IP addresses of both parties to the data exchange, the initiation time, the end time, the data transmission amount and so on, and store them in the form of a traffic log. When target access behavior is to be detected, the server acquires the traffic log recorded within a certain time period to obtain the traffic log corresponding to the target duration, preprocesses the traffic log, and filters out the records from intranet IPs to extranet IPs as the network access data to be detected, i.e. the network access data within the target duration. When performing feature extraction on the network access data, the server takes the intranet IP from which access is initiated as the source IP and the extranet IP to which access is directed as the destination IP, and the extracted feature value is the size of the data transmission amount. The server uses the source IP, the destination IP, the timestamp at which the network access was initiated, and the amount of data transferred as the time series characteristic data.
For example, the network access data to be detected acquired by the server is three hours of network access data comprising a plurality of source IPs and corresponding destination IPs. For each source IP and corresponding destination IP, the server extracts the timestamps at which the source IP initiated access and then, with Z minutes as the granularity, accumulates the data amount transmitted (the bytes_server field of the TCP records) within each Z minutes, where Z is in the range 1-60 and Z ∈ Z+. The server uses src_ip to represent the source IP, dest_ip to represent the destination IP, timestamp to represent the timestamp in minutes, and data_vol to represent the data transmission amount in kilobytes; a piece of time series characteristic data then takes the form {src_ip: 130.14…, dest_ip: 98.75…, timestamp: 30, data_vol: 1000}.
The server can perform noise-reduction smoothing on each obtained piece of time series characteristic data through a smoothing filter, so as to reduce the noise of the time series characteristic data and make its variation smoother. If the time series characteristic data is sparse, the noise-reduction smoothing is not performed. The criterion for sparse time series characteristic data is as follows: when the 0-norm ratio of the feature values included in the time series characteristic data is greater than 98%, the time series characteristic data is determined to be sparse. The 0-norm denotes the number of non-zero elements in a vector.
302. For any time series characteristic data, the server performs period detection on it to obtain the access period corresponding to that time series characteristic data.
In the embodiment of the application, the server can detect the periodicity of the time series characteristic data through a periodicity detection algorithm and acquire the access period of the time series characteristic data. Alternatively, the periodicity detection algorithm is an FFT (Fast Fourier Transform). Alternatively, the server converts the time-series characteristic data from time-domain data to frequency-domain data by FFT, and then determines the access period according to the amplitude-frequency relationship of the frequency-domain data. Since the periodicity of a time sequence whose period does not change can be detected accurately and efficiently by FFT, the efficiency and accuracy of period detection are improved.
For example, referring to fig. 4, fig. 4 is a schematic diagram of converting time domain data into frequency domain data according to an embodiment of the present application. The time series characteristic data is corresponding to the graph before conversion, the period of the time series characteristic data is 1440 minutes, the data after FFT conversion is an amplitude-frequency graph, and correspondingly, the abscissa corresponding to the point with the highest amplitude is 1440, namely the frequency is 1440.
The FFT will report a period even for time-varying signals and for non-periodic time-series characteristic data, so the obtained access period needs to be further verified. See step 303.
303. The server segments the time sequence characteristic data according to the access period to obtain at least two data fragments.
In the embodiment of the present application, after obtaining the access period, the server may divide the time-series feature data corresponding to the target duration into a plurality of data segments based on the access period, to obtain at least two data segments. If the number of the data segments obtained by the server is less than two after the segmentation, the time sequence characteristic data is represented as a non-periodic sequence, and the subsequent detection step is not needed.
For example, if the access period is T and the target duration corresponding to the time-series characteristic data is N, the computer device can divide the access data into N/T data segments. Wherein N and T are positive integers. If N/T is less than 2, the time series characteristic data is a cycle-free sequence, and no subsequent steps are needed. If N/T is greater than or equal to 2, the time sequence characteristic data is a periodic sequence, and the subsequent steps are continued to be executed.
304. The server performs similarity detection on at least two data fragments.
In the embodiment of the present application, the server can determine whether the entire time-series characteristic data is periodic similar data according to whether the data segments are similar to each other.
In an alternative implementation, the server obtains the similarity between each pair of temporally adjacent data segments. A data segment whose similarity is not greater than the similarity threshold is taken as a target data segment. In response to the proportion of target data segments among the at least two data segments being greater than the target proportion, the server determines that the time series characteristic data is periodic similar data as the detection result; in response to that proportion being not greater than the target proportion, the server determines that the time series characteristic data is periodic data as the detection result. The target proportion may be 50%, 60%, 70%, or the like, which is not limited in the embodiment of the present application. In other words, the whole time sequence characteristic data is determined to be a periodic similar sequence when the proportion of data fragments with similarity not greater than the similarity threshold exceeds the target proportion, and to be merely a periodic sequence otherwise. This filters out time sequence characteristic data that is periodic but not similar, improving the accuracy of the detection result.
In an alternative implementation, the server can determine the similarity between the data segments through a DTW (Dynamic Time Warping) algorithm. Correspondingly, the step of obtaining the similarity between two temporally adjacent data segments comprises the following: for any two temporally adjacent data segments, the server obtains the dynamic time warping distance between them, where the dynamic time warping distance represents the shortest cumulative euclidean distance between the two data segments. The server then determines the similarity between the two data segments based on the dynamic time warping distance. By calculating the DTW distance between two data segments, the degree of similarity between them can be reflected more accurately.
For example, referring to fig. 5, fig. 5 is a schematic diagram of a DTW distance according to an embodiment of the disclosure. As shown in fig. 5, there are two time-series characteristic data x(t1) and y(t2) whose time lengths are n and m respectively, so an n×m matrix D(i, j) can be formed, where each entry D(i, j) = |x(i) - y(j)| is the euclidean distance between x(i) and y(j). DTW obtains the shortest path from D(0, 0) to D(n, m), and the length of this shortest path is the similarity value of the two time series characteristic data x(t1) and y(t2).
Note that DTW is of limited reference value for similarity detection of sparse time series feature data. Thus, to ensure the validity of the detection, sparse time series characteristic data is handled by a separate statistical comparison, and DTW similarity calculation is performed only on non-sparse time series characteristic data. The judgment standard for sparse time characteristic data is as follows: when the 0-norm ratio of the feature values included in the time-series feature data is greater than 98%, the time-series feature data is determined to be sparse. The 0 norm represents the number of non-zero elements in the vector.
In an alternative implementation, since the calculation result of the DTW is affected by a plurality of factors, and the setting of the similarity threshold depends on the DTW result, the server normalizes all the time-series feature data before calculating the DTW. The ratio of the DTW distance to the length of the time series feature data is then taken as the similarity value. Correspondingly, the server determines the similarity between the two data segments according to the dynamic time warping distance as follows: the server acquires the sequence length of the time sequence characteristic data and normalizes the dynamic time warping distance by that sequence length to obtain the similarity between the two data fragments. Since DTW is the shortest cumulative euclidean distance of two sequences, the longer the sequences, the larger the accumulated value; dividing the DTW value by the length of the time-series characteristic data puts time-series characteristic data of different lengths on a uniform scale.
For example, the similarity value is expressed as DTW(x, y) / length(x), where length(x) represents the sequence length of the time-series characteristic data. When the similarity of two data segments is not greater than the similarity threshold, i.e. the similarity threshold exceeds the similarity value, the two data segments are similar; otherwise they are dissimilar. When the whole time series characteristic data consists of N data segments, the server obtains N-1 similarities, which are stored in the dist list. When more than 50% of the similarities in the list indicate that the data fragments are similar, the time series characteristic data is determined to be a periodic similar sequence; otherwise it is determined to be a periodic sequence.
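Steps 302 to 304 above (period detection, segmentation by the access period, and length-normalised DTW similarity with a majority vote) can be followed end to end on a small constructed series. The block below is an added example and is not code from the patent or from the assignee: it uses a naive DFT in place of a library FFT, absolute difference as the per-point euclidean distance, and assumed values for the bucket size (5 minutes), the similarity threshold (10 KB per bucket) and the target proportion (50%); the three sample series and all helper names are constructed for the illustration.

```python
"""Period + similarity check for one (src_ip, dest_ip) data_vol series.

Added example, not the patent's own code: pure-Python stand-ins for the FFT
period detection (step 302), segmentation (step 303) and DTW similarity
detection with length normalisation (step 304). Sample data, bucket size,
threshold and helper names are this example's assumptions.
"""
import cmath
import math
from typing import List, Tuple


def dominant_period(series: List[float]) -> int:
    """Period (in samples) of the strongest non-DC frequency bin.

    A naive O(n^2) DFT keeps the example dependency-free; a deployment would
    call an FFT library. The mean is removed first so the zero-frequency bin
    cannot mask the access rhythm.
    """
    n = len(series)
    mean = sum(series) / n
    centred = [v - mean for v in series]
    best_k, best_amp = 1, -1.0
    for k in range(1, n // 2 + 1):
        coeff = sum(centred[t] * cmath.exp(-2j * math.pi * k * t / n)
                    for t in range(n))
        if abs(coeff) > best_amp:
            best_k, best_amp = k, abs(coeff)
    return round(n / best_k)  # period T = N / k of the highest-amplitude bin


def segment(series: List[float], period: int) -> List[List[float]]:
    """Cut the series into floor(N / T) whole segments of length T (step 303)."""
    return [series[i * period:(i + 1) * period]
            for i in range(len(series) // period)]


def dtw_distance(x: List[float], y: List[float]) -> float:
    """Shortest cumulative |x(i) - y(j)| path through the n x m cost matrix."""
    n, m = len(x), len(y)
    inf = float("inf")
    d = [[inf] * (m + 1) for _ in range(n + 1)]
    d[0][0] = 0.0
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            cost = abs(x[i - 1] - y[j - 1])
            d[i][j] = cost + min(d[i - 1][j], d[i][j - 1], d[i - 1][j - 1])
    return d[n][m]


def similarity(x: List[float], y: List[float]) -> float:
    """Length-normalised DTW distance, DTW(x, y) / length(x); lower is more similar."""
    return dtw_distance(x, y) / len(x)


def classify(series: List[float], sim_threshold: float,
             target_ratio: float = 0.5) -> Tuple[str, int, List[float]]:
    """Return (verdict, period, adjacent-segment similarities).

    'non-periodic': fewer than two whole segments (N / T < 2).
    'periodic-similar': more than target_ratio of adjacent pairs are within
    sim_threshold; this is the case flagged as target access behaviour.
    'periodic': a rhythm exists but transfer sizes differ; it is discarded.
    """
    period = dominant_period(series)
    segments = segment(series, period)
    if len(segments) < 2:
        return "non-periodic", period, []
    sims = [similarity(a, b) for a, b in zip(segments, segments[1:])]
    similar = sum(1 for s in sims if s <= sim_threshold)
    verdict = "periodic-similar" if similar / len(sims) > target_ratio else "periodic"
    return verdict, period, sims


def build_series(envelope: List[float], period: int = 12) -> List[float]:
    """Constructed data_vol series (KB per 5-minute bucket): each cycle is a
    two-bucket transfer (v, 0.6 * v) followed by silence until the next cycle."""
    out: List[float] = []
    for v in envelope:
        out += [float(v), 0.6 * v] + [0.0] * (period - 2)
    return out


# Constructed samples: 96 five-minute buckets (8 hours) with an hourly cycle.
BEACON = build_series([1000, 1020, 1040, 1000, 1020, 1040, 1000, 1020])  # steady size
VARIABLE = build_series([100, 5000, 3000, 50, 8000, 200, 4000, 30])      # same rhythm, sizes differ
RAMP = [float(t) for t in range(96)]                                       # no repeating cycle

if __name__ == "__main__":
    for name, s in (("BEACON", BEACON), ("VARIABLE", VARIABLE), ("RAMP", RAMP)):
        verdict, period, sims = classify(s, sim_threshold=10.0)
        print(f"{name}: period={period} buckets, verdict={verdict}, "
              f"sims={[round(v, 2) for v in sims]}")
```

The VARIABLE series is the case the similarity step exists for: the FFT finds the same 12-bucket period as for BEACON, but the normalised DTW distances between adjacent segments are in the hundreds of KB, so none fall under the threshold and the series is classed as merely periodic rather than as target access behaviour.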
305. In response to the detection result of the similarity detection indicating that the time series characteristic data is periodic similar data, the server determines that the behavior corresponding to the time series characteristic data belongs to the target access behavior.
In this embodiment of the present application, if the detection result indicates that the time-series feature data is periodic similar data, this means that the source IP included in the time-series feature data periodically accesses the same destination IP with a similar amount of data transmitted each time; on this basis the server determines that the behavior corresponding to the time-series feature data, that is, the source IP periodically accessing the same destination IP, belongs to the target access behavior. The target access behavior refers to suspicious periodic connection behavior to an external network IP.
In an alternative implementation, the server further screens the time series characteristic data against comparison data. Correspondingly, the step in which the server, in response to the detection result indicating that the time sequence feature data is periodic similar data, determines that the corresponding behavior belongs to the target access behavior is as follows: in response to the detection result indicating that the time-series characteristic data is periodic similar data, the server acquires the target access address included in the time-series characteristic data, the target access address being the address to which the access is directed. The server then obtains a first number, namely the number of target initiating addresses in the comparison data that access the target access address, the comparison data being time-series characteristic data of non-target access behaviors. In response to the first number not being greater than a preset second number, the server determines that the behavior corresponding to the time-series characteristic data belongs to the target access behavior. Further screening the time sequence characteristic data against the comparison data excludes time sequence characteristic data corresponding to normal access behavior and so improves the accuracy of the detection result.
For example, the server treats the time series characteristic data detected as periodic similar data as suspicious data. For any destination IP included in the suspicious data, that is, any external network IP address to which access is directed, the server counts, over a fixed time window such as 24 hours, the number of distinct source IPs that access that destination IP in the normal traffic (the time series characteristic data determined to be non-target access behavior); this deduplicated count is the first number normal_count. If the first number is greater than the preset second number moral_th, the destination IP is judged to be accessed by many source IPs and the access to it is not regarded as target access behavior; otherwise, the access to the destination IP belongs to the target access behavior.
306. In response to the detection result of the similarity detection indicating that the time series characteristic data is periodic data, the server determines that the behavior corresponding to the time series characteristic data does not belong to the target access behavior.
It should be noted that, the above steps 301 to 306 are optional implementations of the target access behavior detection method provided in the present application, and accordingly, there are other optional implementations of the target access behavior detection method, for example, see fig. 6, and fig. 6 is a flowchart of another target access behavior detection method provided in an embodiment of the present application. As shown in fig. 6, the method comprises the following steps: 601. preprocessing TCP traffic; 602. TCP data feature extraction; 603. constructing time sequence characteristic data; 604. FFT periodic detection; 605. DTW similarity detection; 606. filtering the result by a screening strategy; 607. the time series characteristic data remaining after filtering are ordered. This is not limiting in this embodiment of the present application.
It should be noted that, the above target access behavior detection method can be applied to a target access behavior detection system, as shown in fig. 7, where the system includes a data access processing layer, a feature extraction layer, an algorithm layer, a policy layer, and a normalized output layer. Correspondingly, the workflow of the target access behavior detection system is as follows: 701. preprocessing TCP traffic; 702. extracting features; 703. constructing time sequence characteristic data, and detecting period and similarity; 704. determining whether the behavior corresponding to the time sequence characteristic data belongs to a target access behavior; 705. converting the time sequence characteristic data into visual data; 706. and (5) page display.
The data access preprocessing layer is used for acquiring flow log data, and dispatching preprocessing tasks to preprocess the flow log data to obtain network access data to be detected. Accordingly, the step of obtaining the network access data to be detected by the data access preprocessing layer is referred to above step 301, and will not be described herein.
It should be noted that, when the data access preprocessing layer preprocesses the flow log data, a key field may be set, and further filtering is performed on the flow log to obtain network access data meeting the requirement of the detection task.
The feature extraction layer is used for scheduling a feature extraction task to perform feature extraction on the network access data and obtain at least one piece of time sequence feature data. When the preprocessing of the flow logs is completed, the feature extraction layer schedules a feature extraction task and sends the processed network access data to a feature extraction module, which extracts the time sequence feature data. The feature extraction layer can also be used to fill in missing values in the time series feature data and to sort it. Accordingly, the feature extraction step performed by the feature extraction layer is described in step 301 above and is not repeated here.
The algorithm layer is used for scheduling the algorithm task to detect at least one piece of time sequence characteristic data respectively and obtaining at least one detection result, and the detection result is used for indicating whether the corresponding time sequence characteristic data is periodic similar data or not. The detection process comprises two steps of period detection and similarity detection, namely an algorithm layer is used for carrying out period detection on any time sequence characteristic data to obtain an access period; segmenting the time sequence characteristic data according to the access period to obtain at least two data segments; and performing similarity detection on the at least two data fragments to obtain a detection result. Accordingly, the step of detecting by the algorithm layer can refer to the above steps 302 to 304, which are not described herein.
And the policy layer is used for scheduling policy tasks, and filtering at least one piece of time sequence feature data according to at least one detection result to obtain time sequence feature data of the corresponding behavior belonging to the target access behavior. Accordingly, the step of filtering the at least one piece of time-series feature data by the policy layer may refer to the step 305, which is not described herein.
It should be noted that, the policy layer may also set filtering modes such as a white list and a dynamic policy to filter at least one piece of time series feature data, which is not limited in this embodiment of the present application.
The normalization output layer is used for scheduling normalization tasks and converting the time sequence characteristic data whose corresponding behavior belongs to the target access behavior into visual data, which is used for visual display. It is also responsible for data pulling, normalization, and writing data to databases, which may be MySQL, Kafka (an open-source stream processing platform developed by the Apache Software Foundation), ES (Elasticsearch, a Lucene-based search server), or the like.
For example, referring to fig. 8, fig. 8 is a schematic diagram of a visual presentation interface provided according to an embodiment of the present application. As shown in fig. 8, the interface includes tabs corresponding to the top 10 external network IPs. By clicking any tab displayed on the left side of the interface, the user displays a graph of the dates on which that external network IP was accessed in the upper right of the interface and tabs for at least one internal network IP accessing that external network IP in the lower right; by clicking the tab of any internal network IP, the user can view the statistics of that internal network IP's access to the external network IP.
It should be noted that, when the user uses the target access behavior detection system to detect target access behavior, the user may configure the detection content through a detection scene configuration interface, which includes feature data configuration options, algorithm configuration options and policy configuration options. The feature data configuration options are used to configure the content included in the time sequence feature data, namely which features are extracted; the algorithm configuration options are used to configure the algorithms used in the detection process, such as the FFT algorithm and the DTW algorithm; the policy configuration options are used to configure the screening policies applied to the detection results, such as comparison-data screening and white list screening. The user can set up the flow of the target access behavior detection method by dragging.
For example, referring to fig. 9, fig. 9 is a schematic diagram of a detection scenario configuration interface provided according to an embodiment of the present application. As shown in fig. 9, the left side of the detection scenario configuration interface includes three configuration options including feature data, an algorithm and a policy, and the right side of the detection scenario configuration interface is a configured detection flow, where the flow includes: the form of the characteristic data is a form A2, the algorithm is an algorithm B3, and the strategy is a strategy C1.
In the embodiment of the application, the access period is acquired by carrying out period detection on the time sequence characteristic data, so that the problem that the manually set period is easy to bypass is avoided, and the rationality of the period can be checked by carrying out similarity detection on the data fragments after the time sequence characteristic data are segmented, so that the time sequence characteristic data of the corresponding behavior belonging to the target access behavior can be accurately determined.
Fig. 10 is a block diagram of a target access behavior detection apparatus provided according to an embodiment of the present application. The apparatus is configured to perform the steps when the target access behavior detection method is performed, and referring to fig. 10, the apparatus includes: a period detection module 1001, a data division module 1002, a similarity detection module 1003, and a determination module 1004.
The period detection module 1001 is configured to perform period detection on time-series feature data, so as to obtain an access period corresponding to the time-series feature data, where the time-series feature data is used to represent a feature of network access data in a target duration;
the data dividing module 1002 is configured to segment the time sequence feature data according to the access period to obtain at least two data segments;
the similarity detection module 1003 is configured to perform similarity detection on the at least two data segments;
the determining module 1004 is configured to determine, in response to the detection result of the similarity detection indicating that the time-series feature data is periodic similar data, that the behavior corresponding to the time-series feature data belongs to a target access behavior.
In one possible implementation, the period detection module 1001 is configured to convert the time-series characteristic data into frequency domain data; and determining the access frequency with the highest amplitude as an access period according to the amplitude-frequency relation of the frequency domain data.
In one possible implementation, the similarity detection module 1003 includes:
the similarity acquisition sub-module is used for respectively acquiring the similarity between two data fragments adjacent in time;
the target data segment acquisition sub-module is used for acquiring a data segment with similarity not greater than a similarity threshold value as a target data segment;
and the detection result acquisition sub-module is used for determining that the time sequence characteristic data is periodic similar data as a detection result in response to the proportion of the target data segment in the at least two data segments being greater than the target proportion.
In one possible implementation, the similarity obtaining sub-module includes:
A dynamic time warping distance obtaining unit, configured to obtain, for two adjacent data segments at any time, a dynamic time warping distance between the two data segments, where the dynamic time warping distance is used to represent a shortest cumulative euclidean distance between the two data segments;
and the similarity determining unit is used for determining the similarity between the two data fragments according to the dynamic time warping distance.
In a possible implementation manner, the similarity determining unit is configured to obtain a sequence length of the time sequence feature data; and normalizing the dynamic time warping distance according to the sequence length to obtain the similarity between the two data fragments.
In a possible implementation manner, the determining module 1004 is configured to obtain, in response to the detection result indicating that the time-series feature data is periodic similar data, a target access address included in the time-series feature data, where the target access address is the address to which the access is directed; acquire a first number of target initiating addresses included in comparison data, where the comparison data is time sequence characteristic data of non-target access behaviors and the target initiating addresses are addresses that initiate access to the target access address; and determine that the behavior corresponding to the time series characteristic data belongs to the target access behavior in response to the first number not being larger than the preset second number.
In one possible implementation, the apparatus further includes:
the log data acquisition module is used for acquiring flow log data in the target duration;
the data preprocessing module is used for preprocessing the flow log data to obtain the network access data to be detected;
and the feature extraction module is used for carrying out feature extraction on the network access data to obtain at least one piece of time sequence feature data.
In one possible implementation, the apparatus further includes:
the data conversion module is used for converting the time sequence characteristic data into visual data;
and the display module is used for displaying the visual data on the visual display interface.
In the embodiment of the application, the period detection module is used for carrying out period detection on the time sequence feature data to acquire the access period, so that the problem that the manually set period is easy to bypass is avoided, and the data segmentation module and the similarity detection module are used for carrying out similarity detection on the data fragments after the time sequence feature data are segmented, so that the rationality of the period can be checked, and the corresponding time sequence feature data of the behavior belonging to the target access behavior can be accurately determined through the determination module.
It should be noted that: in the target access behavior detection device provided in the above embodiment, only the division of the above functional modules is used for illustration, and in practical application, the above functional allocation may be performed by different functional modules according to needs, that is, the internal structure of the device is divided into different functional modules, so as to complete all or part of the functions described above. In addition, the target access behavior detection device and the target access behavior detection method embodiment provided in the foregoing embodiments belong to the same concept, and specific implementation processes thereof are detailed in the method embodiment, which is not described herein again.
In the embodiment of the present application, the computer device may be configured as a terminal or a server, when the computer device is configured as a terminal, the technical solution provided in the embodiment of the present application may be implemented by the terminal as an execution body, when the computer device is configured as a server, the technical solution provided in the embodiment of the present application may be implemented by the server as an execution body, and also the technical solution provided in the present application may be implemented by interaction between the terminal and the server, for example, a technician obtains time-series feature data from the server through the terminal, determines that an action corresponding to the time-series feature data belongs to a target access action based on the time-series feature data, which is not limited in the embodiment of the present application.
The computer device is configured as a terminal, and fig. 11 is a block diagram of a structure of a terminal 1100 according to an embodiment of the present application. The terminal 1100 may be: a smart phone, a tablet computer, an MP3 player (Moving Picture Experts Group Audio Layer III, motion picture expert compression standard audio plane 3), an MP4 (Moving Picture Experts Group Audio Layer IV, motion picture expert compression standard audio plane 4) player, a notebook computer, or a desktop computer. Terminal 1100 may also be referred to by other names of user devices, portable terminals, laptop terminals, desktop terminals, and the like.
Generally, the terminal 1100 includes: a processor 1101 and a memory 1102.
The processor 1101 may include one or more processing cores, such as a 4-core processor, an 8-core processor, and the like. The processor 1101 may be implemented in at least one hardware form of DSP (Digital Signal Processing), FPGA (Field-Programmable Gate Array), or PLA (Programmable Logic Array). The processor 1101 may also include a main processor, which is a processor for processing data in an awake state, also called a CPU (Central Processing Unit), and a coprocessor, which is a low-power processor for processing data in a standby state. In some embodiments, the processor 1101 may be integrated with a GPU (Graphics Processing Unit), which is responsible for rendering and drawing the content that the display screen is required to display. In some embodiments, the processor 1101 may also include an AI (Artificial Intelligence) processor for processing computing operations related to machine learning.
Memory 1102 may include one or more computer-readable storage media, which may be non-transitory. Memory 1102 may also include high-speed random access memory, as well as non-volatile memory, such as one or more magnetic disk storage devices, flash memory storage devices. In some embodiments, a non-transitory computer readable storage medium in memory 1102 is used to store at least one program code for execution by processor 1101 to implement the target access behavior detection method provided by the method embodiments herein.
In some embodiments, the terminal 1100 may further optionally include: a peripheral interface 1103 and at least one peripheral. The processor 1101, memory 1102, and peripheral interface 1103 may be connected by a bus or signal lines. The individual peripheral devices may be connected to the peripheral device interface 1103 by buses, signal lines or circuit boards. Specifically, the peripheral device includes: at least one of radio frequency circuitry 1104, a display screen 1105, a camera assembly 1106, audio circuitry 1107, and a power supply 1109.
A peripheral interface 1103 may be used to connect I/O (Input/Output) related at least one peripheral device to the processor 1101 and memory 1102. In some embodiments, the processor 1101, memory 1102, and peripheral interface 1103 are integrated on the same chip or circuit board; in some other embodiments, any one or both of the processor 1101, memory 1102, and peripheral interface 1103 may be implemented on a separate chip or circuit board, which is not limited in this embodiment.
The radio frequency circuit 1104 is used to receive and transmit RF (Radio Frequency) signals, also known as electromagnetic signals. The radio frequency circuit 1104 communicates with a communication network and other communication devices via electromagnetic signals. The radio frequency circuit 1104 converts an electrical signal into an electromagnetic signal for transmission, or converts a received electromagnetic signal into an electrical signal. Optionally, the radio frequency circuit 1104 includes: an antenna system, an RF transceiver, one or more amplifiers, a tuner, an oscillator, a digital signal processor, a codec chipset, a subscriber identity module card, and so forth. The radio frequency circuit 1104 may communicate with other terminals via at least one wireless communication protocol. The wireless communication protocol includes, but is not limited to: metropolitan area networks, various generations of mobile communication networks (2G, 3G, 4G, and 5G), wireless local area networks, and/or WiFi (Wireless Fidelity) networks. In some embodiments, the radio frequency circuit 1104 may also include NFC (Near Field Communication) related circuitry, which is not limited in this application.
The display screen 1105 is used to display a UI (User Interface). The UI may include graphics, text, icons, video, and any combination thereof. When the display 1105 is a touch display, the display 1105 also has the ability to collect touch signals at or above its surface. The touch signal may be input to the processor 1101 as a control signal for processing. In that case the display screen 1105 may also be used to provide virtual buttons and/or a virtual keyboard, also referred to as soft buttons and/or a soft keyboard. In some embodiments, there may be one display 1105 disposed on the front panel of the terminal 1100; in other embodiments, there may be at least two displays 1105, disposed on different surfaces of the terminal 1100 or in a folded design; in still other embodiments, the display 1105 may be a flexible display disposed on a curved or folded surface of the terminal 1100. The display 1105 may even be arranged in a non-rectangular irregular pattern, i.e., a shaped screen. The display 1105 may be made of LCD (Liquid Crystal Display), OLED (Organic Light-Emitting Diode) or other materials.
The camera assembly 1106 is used to capture images or video. Optionally, the camera assembly 1106 includes a front camera and a rear camera. Typically, the front camera is disposed on the front panel of the terminal and the rear camera is disposed on the rear surface of the terminal. In some embodiments, there are at least two rear cameras, each being one of a main camera, a depth camera, a wide-angle camera and a telephoto camera, so that the main camera and the depth camera can be fused to provide a background blurring function, and the main camera and the wide-angle camera can be fused to provide panoramic shooting, Virtual Reality (VR) shooting or other fused shooting functions. In some embodiments, the camera assembly 1106 may also include a flash. The flash may be a single-color-temperature flash or a dual-color-temperature flash. A dual-color-temperature flash is a combination of a warm-light flash and a cold-light flash, and can be used for light compensation under different color temperatures.
The audio circuit 1107 may include a microphone and a speaker. The microphone is used to collect sound waves from the user and the environment, convert them into electrical signals, and input the electrical signals to the processor 1101 for processing or to the radio frequency circuit 1104 for voice communication. For stereo acquisition or noise reduction, a plurality of microphones may be provided at different positions on the terminal 1100. The microphone may also be an array microphone or an omnidirectional pickup microphone. The speaker is used to convert electrical signals from the processor 1101 or the radio frequency circuit 1104 into sound waves. The speaker may be a conventional thin-film speaker or a piezoelectric ceramic speaker. When the speaker is a piezoelectric ceramic speaker, it can convert the electrical signal not only into sound waves audible to humans, but also into sound waves inaudible to humans for ranging and other purposes. In some embodiments, the audio circuit 1107 may also include a headphone jack.
A power supply 1109 is used to supply power to various components in the terminal 1100. The power source 1109 may be an alternating current, a direct current, a disposable battery, or a rechargeable battery. When the power supply 1109 includes a rechargeable battery, the rechargeable battery may support wired or wireless charging. The rechargeable battery may also be used to support fast charge technology.
In some embodiments, terminal 1100 also includes one or more sensors 1110. The one or more sensors 1110 include, but are not limited to: acceleration sensor 1111, gyroscope sensor 1112, pressure sensor 1113, optical sensor 1115, and proximity sensor 1116.
The acceleration sensor 1111 may detect the magnitudes of accelerations on three coordinate axes of a coordinate system established with the terminal 1100. For example, the acceleration sensor 1111 may be configured to detect components of gravitational acceleration in three coordinate axes. The processor 1101 may control the display screen 1105 to display the user interface in a landscape view or a portrait view according to the gravitational acceleration signal acquired by the acceleration sensor 1111. Acceleration sensor 1111 may also be used for the acquisition of motion data of a game or a user.
The gyro sensor 1112 may detect a body direction and a rotation angle of the terminal 1100, and the gyro sensor 1112 may collect a 3D motion of the user on the terminal 1100 in cooperation with the acceleration sensor 1111. The processor 1101 may implement the following functions based on the data collected by the gyro sensor 1112: motion sensing (e.g., changing UI according to a tilting operation by a user), image stabilization at shooting, game control, and inertial navigation.
The pressure sensor 1113 may be disposed at a side frame of the terminal 1100 and/or beneath the display screen 1105. When the pressure sensor 1113 is disposed at a side frame of the terminal 1100, the user's grip signal on the terminal 1100 can be detected, and the processor 1101 performs left/right-hand recognition or a shortcut operation according to the grip signal collected by the pressure sensor 1113. When the pressure sensor 1113 is disposed beneath the display screen 1105, the processor 1101 controls the operable controls on the UI according to the user's pressure operation on the display screen 1105. The operable controls include at least one of a button control, a scroll bar control, an icon control, and a menu control.
The optical sensor 1115 is used to collect the ambient light intensity. In one embodiment, the processor 1101 may control the display brightness of the display screen 1105 based on the intensity of ambient light collected by the optical sensor 1115. Specifically, when the intensity of the ambient light is high, the display luminance of the display screen 1105 is turned up; when the ambient light intensity is low, the display luminance of the display screen 1105 is turned down. In another embodiment, the processor 1101 may also dynamically adjust the shooting parameters of the camera assembly 1106 based on the intensity of ambient light collected by the optical sensor 1115.
A proximity sensor 1116, also referred to as a distance sensor, is typically provided on the front panel of the terminal 1100. The proximity sensor 1116 is used to measure the distance between the user and the front surface of the terminal 1100. In one embodiment, when the proximity sensor 1116 detects that the distance between the user and the front surface of the terminal 1100 gradually decreases, the processor 1101 controls the display 1105 to switch from the screen-on state to the screen-off state; when the proximity sensor 1116 detects that the distance between the user and the front surface of the terminal 1100 gradually increases, the processor 1101 controls the display screen 1105 to switch from the screen-off state to the screen-on state.
Those skilled in the art will appreciate that the structure shown in fig. 11 is not limiting and that terminal 1100 may include more or fewer components than shown, or may combine certain components, or may employ a different arrangement of components.
The computer device is configured as a server. Fig. 12 is a schematic structural diagram of a server provided according to an embodiment of the present application. The server 1200 may vary considerably in configuration and performance, and may include one or more processors (Central Processing Units, CPU) 1201 and one or more memories 1202, where at least one program code is stored in the memories 1202, and the at least one program code is loaded and executed by the processors 1201 to implement the target access behavior detection method provided in the foregoing method embodiments. Of course, the server may also have a wired or wireless network interface, a keyboard, an input/output interface, and other components for implementing the functions of the device, which are not described herein.
The embodiment of the application also provides a computer readable storage medium, which is applied to a computer device, wherein at least one program code is stored in the computer readable storage medium, and the at least one program code is used for being executed by a processor and realizing the operation executed by the computer device in the target access behavior detection method in the embodiment of the application.
Embodiments of the present application also provide a computer program product or computer program comprising computer program code stored in a computer readable storage medium. The computer program code is read from a computer readable storage medium by a processor of a computer device, and executed by the processor, causes the computer device to perform the method of target access behavior detection provided in the above aspect or various alternative implementations of the above aspect.
It will be appreciated by those of ordinary skill in the art that all or part of the steps of the above embodiments may be implemented by hardware, or by program code instructing the relevant hardware, where the program may be stored on a computer readable storage medium, such as a read-only memory, a magnetic disk or an optical disk, etc.
The foregoing description of the preferred embodiments is merely exemplary in nature and is in no way intended to limit the invention; all modifications, equivalents, improvements, etc. that fall within the spirit and scope of the invention are intended to be included within its scope of protection.

Claims (16)

1. A method for detecting access behavior of a target, the method comprising:
performing period detection on time sequence feature data to obtain an access period corresponding to the time sequence feature data, wherein the time sequence feature data is used for representing the features of network access data within a target duration;
segmenting the time sequence characteristic data according to the access period to obtain at least two data segments;
respectively acquiring the similarity between two data segments adjacent in time;
acquiring a data segment with similarity not greater than a similarity threshold as a target data segment;
determining that the time sequence characteristic data is periodic similar data as a detection result of similarity detection in response to the proportion of the target data segment in the at least two data segments being greater than a target proportion;
and in response to the detection result of the similarity detection indicating that the time sequence characteristic data is periodic similar data, determining that the behavior corresponding to the time sequence characteristic data belongs to a target access behavior.
2. The method according to claim 1, wherein the performing the period detection on the time-series characteristic data to obtain the access period corresponding to the time-series characteristic data includes:
converting the time-series characteristic data into frequency domain data;
and determining the access frequency with the highest amplitude as an access period according to the amplitude-frequency relation of the frequency domain data.
3. The method of claim 1, wherein the respectively obtaining the similarity between two data segments that are adjacent in time comprises:
for two adjacent data fragments at any time, acquiring a dynamic time warping distance between the two data fragments, wherein the dynamic time warping distance is used for representing the shortest accumulated Euclidean distance between the two data fragments;
and determining the similarity between the two data fragments according to the dynamic time warping distance.
4. The method according to claim 3, wherein said determining the similarity between the two data segments based on the dynamic time warping distance comprises:
acquiring the sequence length of the time sequence characteristic data;
and normalizing the dynamic time warping distance according to the sequence length to obtain the similarity between the two data fragments.
5. The method according to claim 1, wherein the determining that the behavior corresponding to the time-series characteristic data belongs to the target access behavior in response to the detection result indicating that the time-series characteristic data is periodic similar data includes:
in response to the detection result indicating that the time sequence characteristic data is periodic similar data, acquiring a target access address included in the time sequence characteristic data, wherein the target access address is the address to which the access is directed;
acquiring a first number of target initiating addresses included in comparison data, wherein the comparison data is time sequence characteristic data of non-target access behaviors, and the target initiating addresses are addresses initiating access to the target access addresses;
and determining that the behavior corresponding to the time sequence characteristic data belongs to a target access behavior in response to the first number not being larger than a preset second number.
6. The method of claim 1, wherein prior to the performing period detection on the time sequence characteristic data, the method further comprises:
acquiring flow log data in a target duration;
preprocessing the flow log data to obtain the network access data to be detected;
and extracting the characteristics of the network access data to obtain at least one piece of time sequence characteristic data.
7. The method according to claim 1, wherein after the determining that the behavior corresponding to the time-series characteristic data belongs to a target access behavior, the method further comprises:
converting the time series characteristic data into visual data;
and displaying the visual data on a visual display interface.
8. A target access behavior detection apparatus, the apparatus comprising:
the period detection module is used for carrying out period detection on the time sequence characteristic data to obtain an access period corresponding to the time sequence characteristic data, wherein the time sequence characteristic data is used for representing the characteristics of network access data in the target duration;
the data dividing module is used for segmenting the time sequence characteristic data according to the access period to obtain at least two data fragments;
a similarity obtaining sub-module in the similarity detection module, configured to obtain similarities between two data segments adjacent in time respectively;
a target data segment obtaining sub-module in the similarity detection module, configured to obtain a data segment with similarity not greater than a similarity threshold as a target data segment;
a detection result obtaining sub-module in the similarity detection module, configured to determine that the time sequence feature data is periodic similar data as a detection result of similarity detection in response to a proportion of the target data segment in the at least two data segments being greater than a target proportion;
and the determining module, configured to determine, in response to the detection result of the similarity detection indicating that the time sequence characteristic data is periodic similar data, that the behavior corresponding to the time sequence characteristic data belongs to the target access behavior.
9. The apparatus of claim 8, wherein the period detection module is configured to convert the time series characteristic data into frequency domain data; and determining the access frequency with the highest amplitude as an access period according to the amplitude-frequency relation of the frequency domain data.
10. The apparatus of claim 8, wherein the similarity acquisition sub-module comprises:
a dynamic time warping distance obtaining unit, configured to obtain, for two adjacent data segments at any time, a dynamic time warping distance between the two data segments, where the dynamic time warping distance is used to represent a shortest cumulative euclidean distance between the two data segments;
and a similarity determining unit, configured to determine the similarity between the two data fragments according to the dynamic time warping distance.
11. The apparatus according to claim 10, wherein the similarity determining unit is configured to acquire a sequence length of the time-series characteristic data; and normalizing the dynamic time warping distance according to the sequence length to obtain the similarity between the two data fragments.
12. The apparatus according to claim 8, wherein the determining module is configured to obtain a target access address included in the time-series characteristic data in response to the detection result indicating that the time-series characteristic data is periodic similar data, the target access address being an address to which access is directed; acquiring a first number of target initiating addresses included in comparison data, wherein the comparison data is time sequence characteristic data of non-target access behaviors, and the target initiating addresses are addresses initiating access to the target access addresses; and determining that the behavior corresponding to the time sequence characteristic data belongs to a target access behavior in response to the first number not being larger than a preset second number.
13. The apparatus of claim 8, wherein the apparatus further comprises:
the log data acquisition module is used for acquiring flow log data in the target duration;
the data preprocessing module is used for preprocessing the flow log data to obtain the network access data to be detected;
and the feature extraction module is used for carrying out feature extraction on the network access data to obtain at least one piece of time sequence feature data.
14. The apparatus of claim 8, wherein the apparatus further comprises:
the data conversion module is used for converting the time sequence characteristic data into visual data;
and the display module is used for displaying the visual data on a visual display interface.
15. A computer device comprising a processor and a memory for storing at least one piece of program code, the at least one piece of program code being loaded by the processor and executing the target access behavior detection method of any one of claims 1 to 7.
16. A storage medium storing at least one piece of program code for performing the target access behavior detection method of any one of claims 1 to 7.
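The method of claims 1 to 5 carried through in working code, as an added example that is not the patent's or the applicant's own code: per-minute request counts to one destination stand in for the time sequence feature data, and period detection, segmentation, DTW similarity, the proportion vote and the baseline rarity check of claim 5 follow the claims' wording. The pulse shapes, thresholds, addresses, the 1-D point cost, the reading that a smaller normalised DTW value means "more similar" and the choice to take the proportion over adjacent pairs are assumptions made here.

```python
# Added example, not the patent's own code: the pipeline of claims 1-5 over a
# constructed per-minute request-count series (60 samples = one hour).
import cmath
import math


def detect_period(series):
    """Claim 2: DFT the series and return the period (in samples) of the
    strongest non-DC bin; the mean is removed first so bin 0 cannot win."""
    n = len(series)
    mean = sum(series) / n
    centred = [x - mean for x in series]
    best_k, best_amp = 1, -1.0
    for k in range(1, n // 2 + 1):
        amp = abs(sum(centred[t] * cmath.exp(-2j * math.pi * k * t / n)
                      for t in range(n)))
        if amp > best_amp:
            best_k, best_amp = k, amp
    return round(n / best_k)

def segment(series, period):
    """Claim 1: cut the series into consecutive period-length segments."""
    return [series[i:i + period]
            for i in range(0, len(series) - period + 1, period)]

def dtw_distance(a, b):
    """Claim 3: dynamic time warping, the cheapest monotone alignment of a
    onto b; the 1-D Euclidean point cost is |a_i - b_j|."""
    inf = float("inf")
    cost = [[inf] * (len(b) + 1) for _ in range(len(a) + 1)]
    cost[0][0] = 0.0
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost[i][j] = abs(a[i - 1] - b[j - 1]) + min(
                cost[i - 1][j], cost[i][j - 1], cost[i - 1][j - 1])
    return cost[len(a)][len(b)]

def similarity(a, b, seq_len):
    """Claim 4: DTW distance normalised by the whole sequence length. As the
    claims use it (a pair qualifies when the value is *not greater* than the
    threshold), a smaller value means the segments are more alike."""
    return dtw_distance(a, b) / seq_len

def is_periodic_similar(series, sim_threshold, target_ratio):
    """Claim 1: flag the series when the share of adjacent segment pairs at or
    under the threshold exceeds target_ratio (share taken over pairs, our
    reading of 'proportion of the target data segment'). Returns (flag, period)."""
    period = detect_period(series)
    segs = segment(series, period)
    if len(segs) < 2:  # period spans the whole series: nothing to compare
        return False, period
    sims = [similarity(segs[i], segs[i + 1], len(series))
            for i in range(len(segs) - 1)]
    hits = sum(1 for s in sims if s <= sim_threshold)
    return hits / len(sims) > target_ratio, period

def is_target_access(series, dest, baseline_flows, sim_threshold=0.05,
                     target_ratio=0.8, max_sources=2):
    """Claim 5: report periodic-similar traffic only if at most max_sources
    hosts in the non-target baseline (list of (src, dst) pairs) also reach
    dest; fleet-wide scheduled traffic such as update checks is thus skipped."""
    periodic, _ = is_periodic_similar(series, sim_threshold, target_ratio)
    if not periodic:
        return False
    sources = {src for src, dst in baseline_flows if dst == dest}
    return len(sources) <= max_sources


# Constructed data: a 5-minute beacon (triangular request burst) with two
# jittered repetitions, and a drifting series whose bursts grow each time.
PULSE = [0, 2, 4, 2, 0]
BEACON = [v for _ in range(12) for v in PULSE]
BEACON[15:20] = [0, 2, 3, 3, 0]
BEACON[40:45] = [0, 3, 4, 2, 0]
DRIFTING = [(m + 1) * v for m in range(12) for v in [0, 1, 2, 1, 0]]
BASELINE = [("10.0.0.2", "update.example"), ("10.0.0.3", "update.example"),
            ("10.0.0.4", "update.example"), ("10.0.0.5", "update.example"),
            ("10.0.0.2", "rare.example")]

if __name__ == "__main__":
    print(is_periodic_similar(BEACON, 0.05, 0.8))    # (True, 5)
    print(is_periodic_similar(DRIFTING, 0.05, 0.8))  # (False, 5)
    print(is_target_access(BEACON, "rare.example", BASELINE))    # True
    print(is_target_access(BEACON, "update.example", BASELINE))  # False
```

The drifting series has the same dominant frequency as the beacon but its segments do not repeat, which is exactly the case the similarity step of claim 1 exists to reject; the baseline check then separates a rarely contacted destination from one the whole fleet talks to.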
CN202010652958.4A 2020-07-08 2020-07-08 Target access behavior detection method, system, device, equipment and storage medium Active CN111818050B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010652958.4A CN111818050B (en) 2020-07-08 2020-07-08 Target access behavior detection method, system, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN111818050A CN111818050A (en) 2020-10-23
CN111818050B true CN111818050B (en) 2024-01-19

Family

ID=72842600

Legal Events

Date Code Title Description
PB01 Publication
REG Reference to a national code

Ref country code: HK

Ref legal event code: DE

Ref document number: 40030768

Country of ref document: HK

SE01 Entry into force of request for substantive examination
GR01 Patent grant