CN111898123B - Malicious operation identification method, device, equipment and readable storage medium - Google Patents
- Publication number
- CN111898123B (application number CN202010738573.XA)
- Authority
- CN
- China
- Prior art keywords
- evaluation value
- value
- matching
- malicious
- determining
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
Abstract
The application discloses a malicious operation identification method, a malicious operation identification device, malicious operation identification equipment and a computer readable storage medium, wherein the method comprises the following steps: receiving the operation of a user and determining an operation object of the operation; determining an operation value of an operation object based on a correspondence between the operation object and the operation value established in advance, and calculating an evaluation value of an operation according to the operation value of the operation object; matching the evaluation value of the operation with a pre-established database, and determining a target evaluation value corresponding to the evaluation value of the operation and an operation behavior corresponding to the target evaluation value; and judging whether the operation is malicious operation or not based on the operation behavior, and if so, intercepting the operation. According to the technical scheme, the operation behavior is obtained by obtaining the operation value of the operation object, calculating the evaluation value of the operation and matching the evaluation value of the operation with the database, the malicious operation is identified based on the operation behavior, and the malicious operation is intercepted when being identified, so that the operation safety of the data center is ensured as much as possible.
Description
Technical Field
The present application relates to the field of security technologies, and in particular, to a malicious operation identification method, apparatus, device, and computer-readable storage medium.
Background
With the development of cloud computing, the data centers of many organizations are handed to third parties for operation and maintenance. Hackers and trojans have received a great deal of attention, and corresponding countermeasures exist. However, for operations performed by operation and maintenance personnel, it is currently not possible to determine whether an operation is benign or malicious. Malicious operations therefore cannot be identified or processed in time, which affects the safe operation of the data center.
In summary, how to identify and process malicious operations in time is a technical problem that needs to be solved urgently by those skilled in the art.
Disclosure of Invention
In view of the above, an object of the present application is to provide a malicious operation identification method, device, apparatus, and computer readable storage medium, for identifying and timely processing a malicious operation.
In order to achieve the above purpose, the present application provides the following technical solutions:
a malicious operation identification method, comprising:
receiving an operation of a user and determining an operation object of the operation;
determining an operation value of an operation object based on a corresponding relation between the operation object and the operation value which is established in advance, and calculating an evaluation value of the operation according to the operation value of the operation object;
matching the evaluation value of the operation with a pre-established database, and determining a target evaluation value corresponding to the evaluation value of the operation and an operation behavior corresponding to the target evaluation value;
and judging whether the operation is malicious operation or not based on the operation behavior, and if so, intercepting the operation.
Preferably, calculating the evaluation value of the operation from the operation value of the operation object includes:
Wherein,the operation value corresponding to the account logged in by the user,a weight corresponding to an account for which the user is logged in,in order to operate the operation value of the main body,is the weight of the subject of the operation,in order to operate the operation value of the object,is the weight of the operation object,is the operational value of the operational action,is the weight of the action of the operation,。
preferably, matching the evaluation value of the operation with a pre-established database, and determining a target evaluation value corresponding to the evaluation value of the operation and an operation behavior corresponding to the target evaluation value, includes:
dividing the evaluation values in the database into a plurality of matching groups;
matching the evaluation value of the operation with each matching group respectively;
and when the evaluation value of the operation is successfully matched with the evaluation value in one of the matching groups, terminating the matching, taking the evaluation value successfully matched as the target evaluation value, and acquiring the operation behavior corresponding to the target evaluation value from the database.
Preferably, the matching the evaluation value of the operation with each of the matching groups respectively includes:
taking the first evaluation value in the matching group as a current evaluation value, and judging whether the evaluation value of the operation is within a matching range determined by the current evaluation value;
if yes, determining that the matching is successful;
if not, the next evaluation value in the matching group is taken as the current evaluation value, and the step of judging whether the evaluation value of the operation is in the matching range determined by the current evaluation value is executed.
Preferably, dividing the evaluation values in the database into a plurality of matching groups includes:
and dividing the evaluation values in the database into odd number matching groups and even number matching groups according to the odd number and the even number.
Preferably, after intercepting the operation, the method further comprises:
and sending a prompt to the user.
A malicious operation identification apparatus comprising:
the receiving module is used for receiving the operation of a user and determining an operation object of the operation;
the first determination module is used for determining the operation value of the operation object based on the corresponding relation between the operation object and the operation value which is established in advance, and calculating the evaluation value of the operation according to the operation value of the operation object;
the second determination module is used for matching the evaluation value of the operation with a pre-established database and determining a target evaluation value corresponding to the evaluation value of the operation and an operation behavior corresponding to the target evaluation value;
and the interception module is used for judging whether the operation is malicious operation or not based on the operation behavior, and if so, intercepting the operation.
Preferably, the first determining module includes:
Wherein, among others,the operation value corresponding to the account logged in by the user,a weight corresponding to an account for which the user is logged in,to operateThe operational value of the main body is set,is the weight of the subject of the operation,in order to operate the operation value of the object,is the weight of the operation object,is the operational value of the operational action,is the weight of the action of the operation,。
a malicious operation identification apparatus comprising:
a memory for storing a computer program;
a processor for implementing the steps of the malicious operation identification method according to any one of the above claims when executing the computer program.
A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the steps of the malicious operation identification method according to any one of the preceding claims.
The application provides a malicious operation identification method, a malicious operation identification device, malicious operation identification equipment and a computer readable storage medium, wherein the method comprises the following steps: receiving the operation of a user and determining an operation object of the operation; determining an operation value of an operation object based on a corresponding relation between the operation object and the operation value established in advance, and calculating an evaluation value of the operation according to the operation value of the operation object; matching the evaluation value of the operation with a pre-established database, and determining a target evaluation value corresponding to the evaluation value of the operation and an operation behavior corresponding to the target evaluation value; and judging whether the operation is malicious operation or not based on the operation behavior, and if so, intercepting the operation.
According to the technical scheme disclosed herein, after the operation of a user is received, the operation value of the operation object of the operation is determined based on the pre-established correspondence between operation objects and operation values, and the evaluation value of the operation is calculated from that operation value. The evaluation value of the operation is then matched against a pre-established database to determine the target evaluation value corresponding to it and the operation behavior corresponding to the target evaluation value. Whether the operation is a malicious operation is judged based on the determined operation behavior, and the operation is intercepted when it is determined to be malicious. Malicious operations are thereby identified and intercepted on identification, so that the operation safety of the data center is ensured as much as possible.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a flowchart of a malicious operation identification method according to an embodiment of the present disclosure;
Fig. 2 is a schematic structural diagram of a malicious operation identification apparatus according to an embodiment of the present disclosure;
Fig. 3 is a schematic structural diagram of a malicious operation identification device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Referring to fig. 1, which shows a flowchart of a malicious operation identification method provided in an embodiment of the present application, a malicious operation identification method provided in an embodiment of the present application may include:
S11: receiving the operation of the user and determining the operation object of the operation.
When a user operates the data center, the user can operate the data center by logging in an account, and accordingly the data center can receive the operation of the user on the data center and can determine an operation object of the operation.
S12: the operation value of the operation object is determined based on the correspondence relationship between the operation object and the operation value established in advance, and the evaluation value of the operation is calculated from the operation value of the operation object.
Before receiving the operation of the user, the corresponding relationship between the operation object and the operation value may be set in advance through experiments.
After step S11 is completed, the operation value corresponding to the operation object may be determined based on the pre-established correspondence between the operation object and the operation value, and the evaluation value of the operation may be calculated from the operation value of the operation object. For example, the evaluation value of the normal action of user test deleting the common file test.txt is determined to be 100, the evaluation value of the normal action of user test deleting a system file is 110, and the evaluation value of the malicious action of user administrator editing a core file is 120.
S13: matching the evaluation value of the operation with a pre-established database, and determining a target evaluation value corresponding to the evaluation value of the operation and an operation behavior corresponding to the target evaluation value.
Before receiving the operation of the user, a database including a plurality of evaluation values and the correspondence between the evaluation values and operation behaviors may be established in advance based on experiments or the like. The operation behaviors mentioned here may be classified into normal class 1, normal class 2, normal class 3, abnormal class 4, and so on. The evaluation values and their corresponding operation behaviors may be stored in the database in the form of a data table; Table 1 shows the correspondence between evaluation values and operation behaviors in the database:
TABLE 1 table of correspondence between evaluation values and operation behaviors in database
In addition, the database mentioned here needs to contain various possible operation behaviors and their corresponding evaluation values in order to improve the accuracy and reliability of operation matching.
After step S12 is performed, the evaluation values of the operations may be matched with a database established in advance to determine a target evaluation value corresponding to the evaluation value of the operation, and an operation behavior corresponding to the target evaluation value.
After determining the target evaluation value corresponding to the evaluation value of the operation and the operation behavior corresponding to the target evaluation value, the operation behavior corresponding to the target evaluation value and the target evaluation value can be returned to the user, so that the user can know the state in time.
S14: judging whether the operation is malicious operation or not based on the operation behavior; if yes, go to step S15;
S15: intercepting the operation.
After determining the target evaluation value corresponding to the operation and the operation behavior corresponding to the target evaluation value, whether the operation performed by the user is a malicious operation or not can be judged based on the operation behavior, wherein if the operation behavior is a normal class, the operation performed by the user is determined not to be the malicious operation, if the operation behavior is not the normal class, the operation is determined to be the malicious operation, and the identified malicious operation can be intercepted, that is, the malicious operation can be prevented, so that the malicious operation is prevented from affecting the safe operation of the data center.
According to the technical scheme disclosed herein, after the operation of a user is received, the operation value of the operation object of the operation is determined based on the pre-established correspondence between operation objects and operation values, and the evaluation value of the operation is determined from that operation value. The evaluation value of the operation is then matched against a pre-established database to determine the target evaluation value corresponding to it and the operation behavior corresponding to the target evaluation value. Whether the operation is a malicious operation is judged based on the determined operation behavior, and the operation is intercepted when it is determined to be malicious. Malicious operations are thereby identified and intercepted on identification, so that the operation safety of the data center is ensured as much as possible.
The malicious operation identification method provided by the embodiment of the application calculates the evaluation value of the operation according to the operation value of the operation object, and may include:
Wherein,the operation value corresponding to the account logged in by the user,the weight corresponding to the account the user is logged in,in order to operate the operation value of the main body,in order to manipulate the weight of the subject,in order to operate the operation value of the object,in order to manipulate the weight of the object,is the operational value of the operational action,in order to weight the action of the operation,。
when calculating the evaluation value of the operation from the operation value of the operation object, a formula may be specifically usedA calculation is performed in which, among other things,as an evaluation value for the operation,the operation value corresponding to the account logged in by the user,the weight corresponding to the account the user is logged in,in order to operate the operation value of the main body,in order to manipulate the weight of the subject,in order to operate the operation value of the object,in order to manipulate the weight of the object,is the operational value of the operational action,in order to weight the action of the operation,,、、andcan be set empirically, for exampleIt may be a compound of the order of 0.1,it may be in the range of 0.2,it may be in the range of 0.3,these weights may be 0.4, although they may be adjusted.
The malicious operation identification method provided by the embodiment of the application matches the evaluation value of the operation with a pre-established database, and determines a target evaluation value corresponding to the evaluation value of the operation and an operation behavior corresponding to the target evaluation value, and may include:
dividing the evaluation values in the database into a plurality of matching groups;
matching the evaluation value of the operation with each matching group respectively;
when the evaluation value of the operation is successfully matched with the evaluation value in one of the matching groups, the matching is terminated, the successfully matched evaluation value is taken as the target evaluation value, and the operation behavior corresponding to the target evaluation value is obtained from the database.
When the evaluation value of the operation is matched with the pre-established database to determine the target evaluation value and its corresponding operation behavior, the evaluation values in the database can be divided into a plurality of matching groups, and the evaluation value of the operation can be matched against all of the matching groups simultaneously. This improves matching efficiency and allows a malicious operation to be identified as soon as possible, which reduces its influence on the safe operation of the data center as much as possible. As soon as the evaluation value of the operation is successfully matched with an evaluation value in any one of the matching groups, the matching is terminated and is not continued in the other groups; this is the so-called suicide mechanism, which further improves matching efficiency. When the matching terminates successfully, the successfully matched evaluation value is used as the target evaluation value, and the operation behavior corresponding to the target evaluation value is acquired from the database, so that whether the operation performed by the user is a malicious operation can be determined from that operation behavior.
The malicious operation identification method provided by the embodiment of the application matches the evaluation value of the operation with each matching group respectively, and may include:
taking the first evaluation value in the matching group as a current evaluation value, and judging whether the evaluation value of the operation is within a matching range determined by the current evaluation value;
if yes, determining that the matching is successful;
if not, the next evaluation value in the matching group is taken as the current evaluation value, and a step of judging whether the evaluation value of the operation is within the matching range determined by the current evaluation value is performed.
When the evaluation value of the operation is matched with each matching group, respectively, the first evaluation value in each matching group may be set as a current evaluation value, and it is determined whether the evaluation value of the operation is within a matching range determined by the current evaluation value, matching is successful if the evaluation value of the operation is within the matching range determined by the current evaluation value, and if the evaluation value of the operation is not within the matching range determined by the current evaluation value, the next evaluation value in each matching group (i.e., one evaluation value located behind the current evaluation value) may be set as the current evaluation value, and the step of determining whether the evaluation value of the operation is within the matching range determined by the current evaluation value is performed until matching is successful. The above-mentioned matching range may be specifically a range (including end points) obtained by expanding a preset error (for example, 10 or 20, etc.) to the left and right sides with the current evaluation value as a center, for example: taking the current evaluation value as 100 and the preset error as 20 as an example, the corresponding matching range is 80-120 (including 80 and 120), that is, when the evaluation value of the operation is any value between 80-120, the target evaluation value matched with the operation is 100.
The fuzzy matching is realized by judging whether the evaluation value of the operation is within the matching range determined by the current evaluation value, so as to improve the matching efficiency.
The malicious operation identification method provided by the embodiment of the application divides the evaluation value in the database into a plurality of matching groups, and may include:
the evaluation values in the database are divided into odd number matching groups and even number matching groups according to the parity.
When dividing the evaluation values in the database, the evaluation values in the database may be specifically divided into odd-numbered matched groups and even-numbered matched groups according to odd numbers and even numbers, where the evaluation values included in the odd-numbered matched groups are all odd numbers, and the evaluation values included in the even-numbered matched groups are all even numbers.
Of course, the evaluation values in the database may be divided into a plurality of matching groups in other manners, and the dividing manner is not limited herein.
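The following Python sketch is an added example, not part of the patent text: it implements the parity grouping, the inclusive matching range and the stop-at-first-match rule described above, then shows the check a detection engineer would run on the database, since overlapping ranges let an operation scored 120 match the stored value 100 first. The database contents, the behaviour labels, the sequential odd-then-even group order, the "unmatched" outcome and the `match_nearest` alternative are all assumptions made for this example.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample database (evaluation value -> operation behaviour).
# 100, 110 and 120 reuse the figures of the description's example; 151 and
# all behaviour labels are made up for this demonstration.
SAMPLE_DB: Dict[int, str] = {
    100: "normal class 1",
    110: "normal class 2",
    120: "abnormal class 4",
    151: "normal class 3",
}


def is_malicious(behaviour: str) -> bool:
    """S14: any behaviour that is not a normal class counts as malicious."""
    return not behaviour.startswith("normal")


def split_by_parity(db: Dict[int, str]) -> List[List[int]]:
    """Dividing step: odd-number matching group and even-number matching group."""
    odd = [v for v in db if v % 2 == 1]
    even = [v for v in db if v % 2 == 0]
    return [odd, even]


def match(value: float, db: Dict[int, str], err: int) -> Optional[Tuple[int, str]]:
    """Return the first stored value whose inclusive range [v - err, v + err]
    contains the evaluation value; matching stops at the first success.
    Groups are scanned one after another here (assumption) so that the
    result is reproducible; the description matches them simultaneously."""
    for group in split_by_parity(db):
        for current in group:
            if current - err <= value <= current + err:
                return current, db[current]
    return None


def decide(value: float, db: Dict[int, str], err: int) -> str:
    """S14/S15 verdict. "unmatched" is an assumption of this example: the
    description does not say what happens when nothing matches."""
    hit = match(value, db, err)
    if hit is None:
        return "unmatched"
    return "intercept" if is_malicious(hit[1]) else "allow"


def ambiguous_pairs(db: Dict[int, str], err: int) -> List[Tuple[int, int]]:
    """Database check: pairs of stored values whose matching ranges overlap
    while one maps to a normal and the other to a malicious behaviour.
    For such pairs the verdict depends on which entry is tried first."""
    vals = sorted(db)
    pairs = []
    for i, a in enumerate(vals):
        for b in vals[i + 1:]:
            overlap = b - a <= 2 * err  # inclusive ranges touch or overlap
            if overlap and is_malicious(db[a]) != is_malicious(db[b]):
                pairs.append((a, b))
    return pairs


def match_nearest(value: float, db: Dict[int, str], err: int) -> Optional[Tuple[int, str]]:
    """Added alternative, not the patent's method: pick the closest stored
    value inside the range and prefer the malicious entry on a tie."""
    candidates = [v for v in db if abs(v - value) <= err]
    if not candidates:
        return None
    best = min(candidates, key=lambda v: (abs(v - value), not is_malicious(db[v])))
    return best, db[best]


if __name__ == "__main__":
    for err in (20, 4):
        print("preset error", err, "->", decide(120, SAMPLE_DB, err),
              "| ambiguous pairs:", ambiguous_pairs(SAMPLE_DB, err))
    print("nearest match for 120:", match_nearest(120, SAMPLE_DB, 20))
```

With the preset error of 20 used in the description, the constructed entry 120 is never reached for an evaluation value of 120; choosing an error smaller than half the gap between entries with different verdicts removes the ambiguity.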
After intercepting the operation, the malicious operation identification method provided by the embodiment of the application may further include:
and sending a prompt to the user.
After the operation is intercepted, a prompt can be sent to the user, so that the user can correct the operation in time or take other measures to reduce the influence of the malicious operation on the data center.
Referring to fig. 2, a structural schematic diagram of a malicious operation recognition apparatus provided in an embodiment of the present application is shown, and the malicious operation recognition apparatus may include:
a receiving module 21, configured to receive an operation of a user and determine an operation object of the operation;
a first determining module 22, configured to determine an operation value of the operation object based on a correspondence relationship between the operation object and the operation value established in advance, and calculate an evaluation value of the operation according to the operation value of the operation object;
a second determining module 23, configured to match the evaluation value of the operation with a pre-established database, and determine a target evaluation value corresponding to the evaluation value of the operation and an operation behavior corresponding to the target evaluation value;
and the intercepting module 24 is configured to determine whether the operation is a malicious operation based on the operation behavior, and intercept the operation if the operation is the malicious operation.
In an apparatus for identifying malicious operations provided in an embodiment of the present application, the first determining module 22 may include:
Wherein,the operation value corresponding to the account logged in by the user,the weight corresponding to the account the user is logged in,in order to operate the operation value of the main body,in order to manipulate the weight of the subject,in order to operate the operation value of the object,in order to manipulate the weight of the object,is the operational value of the operational action,in order to weight the action of the operation,。
in an apparatus for identifying malicious operations provided in an embodiment of the present application, the second determining module 23 may include:
a dividing unit configured to divide the evaluation values in the database into a plurality of matching groups;
a matching unit for matching the evaluation value of the operation with each matching group, respectively;
and an acquisition unit configured to terminate the matching when the evaluation value of the operation is successfully matched with the evaluation value in one of the matching groups, and to take the evaluation value successfully matched as a target evaluation value, and to acquire an operation behavior corresponding to the target evaluation value from the database.
In an apparatus for identifying malicious operations provided in an embodiment of the present application, a matching unit may include:
a judging subunit operable to take the first evaluation value in the matching group as a current evaluation value, and judge whether the evaluation value of the operation is within a matching range determined by the current evaluation value;
a determination subunit operable to determine that matching is successful if the evaluation value of the operation is within the matching range determined by the current evaluation value;
an execution subunit operable, if the evaluation value of the operation is not within the matching range determined by the current evaluation value, to take a next evaluation value in the matching group as the current evaluation value, and to execute a step of judging whether the evaluation value of the operation is within the matching range determined by the current evaluation value.
In an apparatus for identifying malicious operations provided in an embodiment of the present application, a dividing unit may include:
and the dividing subunit is used for dividing the evaluation values in the database into odd number matching groups and even number matching groups according to the odd number and the even number.
The malicious operation identification device provided by the embodiment of the application can further include:
and the prompt module is used for sending a prompt to the user after the operation is intercepted.
An embodiment of the present application further provides a malicious operation identification device, see fig. 3, which shows a schematic structural diagram of a malicious operation identification device provided in an embodiment of the present application, and the malicious operation identification device may include:
a memory 31 for storing a computer program;
a processor 32 which, when executing the computer program stored in the memory 31, may implement the following steps:
receiving the operation of a user and determining an operation object of the operation; determining an operation value of an operation object based on a corresponding relation between the operation object and the operation value established in advance, and calculating an evaluation value of the operation according to the operation value of the operation object; matching the evaluation value of the operation with a pre-established database, and determining a target evaluation value corresponding to the evaluation value of the operation and an operation behavior corresponding to the target evaluation value; and judging whether the operation is malicious operation or not based on the operation behavior, and if so, intercepting the operation.
An embodiment of the present application further provides a computer-readable storage medium, in which a computer program is stored, and when executed by a processor, the computer program can implement the following steps:
receiving the operation of a user and determining an operation object of the operation; determining an operation value of an operation object based on a corresponding relation between the operation object and the operation value established in advance, and calculating an evaluation value of the operation according to the operation value of the operation object; matching the evaluation value of the operation with a pre-established database, and determining a target evaluation value corresponding to the evaluation value of the operation and an operation behavior corresponding to the target evaluation value; and judging whether the operation is malicious operation or not based on the operation behavior, and if so, intercepting the operation.
The computer-readable storage medium includes various media capable of storing program code, such as a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
For a description of a relevant part in a malicious operation identification apparatus, a device, and a computer-readable storage medium provided in an embodiment of the present application, reference may be made to a detailed description of a corresponding part in a malicious operation identification method provided in an embodiment of the present application, and details are not described here again.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Furthermore, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include elements inherent in the list. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element. In addition, parts of the above technical solutions provided in the embodiments of the present application, which are consistent with the implementation principles of corresponding technical solutions in the prior art, are not described in detail so as to avoid redundant description.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (7)
1. A malicious operation identification method, comprising:
receiving the operation of a user and determining an operation object of the operation;
determining an operation value of an operation object based on a corresponding relation between the operation object and the operation value which is established in advance, and calculating an evaluation value of the operation according to the operation value of the operation object;
matching the evaluation value of the operation with a pre-established database, and determining a target evaluation value corresponding to the evaluation value of the operation and an operation behavior corresponding to the target evaluation value;
judging whether the operation is malicious operation or not based on the operation behavior, and if so, intercepting the operation;
calculating an evaluation value of the operation according to the operation value of the operation object, including:
Wherein,the operation value corresponding to the account logged in by the user,a weight corresponding to an account for which the user is logged in,in order to operate the operation value of the main body,is the weight of the subject of the operation,in order to operate the operation value of the object,is the weight of the operation object and is the weight of the operation object,is an operation value for the operation action and,is the weight of the action of the operation,;
matching the evaluation value of the operation with a pre-established database, and determining a target evaluation value corresponding to the evaluation value of the operation and an operation behavior corresponding to the target evaluation value, wherein the method comprises the following steps:
dividing the evaluation values in the database into a plurality of matching groups;
matching the evaluation value of the operation with each matching group respectively;
and when the evaluation value of the operation is successfully matched with the evaluation value in one of the matching groups, terminating the matching, taking the evaluation value successfully matched as the target evaluation value, and acquiring the operation behavior corresponding to the target evaluation value from the database.
2. The malicious operation identification method according to claim 1, wherein matching the evaluation value of the operation with each of the matching groups, respectively, includes:
taking the first evaluation value in the matching group as a current evaluation value, and judging whether the evaluation value of the operation is within a matching range determined by the current evaluation value;
if yes, determining that the matching is successful;
if not, the next evaluation value in the matching group is taken as the current evaluation value, and the step of judging whether the evaluation value of the operation is within the matching range determined by the current evaluation value is executed.
3. The malicious operation identification method according to claim 1, wherein dividing the evaluation values in the database into a plurality of matching groups includes:
dividing the evaluation values in the database into odd-number matching groups and even-number matching groups according to whether they are odd or even.
4. The malicious operation identification method according to claim 1, further comprising, after intercepting the operation:
sending a prompt to the user.
5. A malicious operation recognition apparatus, comprising:
the receiving module is used for receiving the operation of a user and determining an operation object of the operation;
the first determination module is used for determining the operation value of the operation object based on the corresponding relation between the operation object and the operation value which is established in advance, and calculating the evaluation value of the operation according to the operation value of the operation object;
the second determination module is used for matching the evaluation value of the operation with a pre-established database and determining a target evaluation value corresponding to the evaluation value of the operation and an operation behavior corresponding to the target evaluation value;
the intercepting module is used for judging whether the operation is malicious operation or not based on the operation behavior, and if so, intercepting the operation;
the first determining module includes:
Wherein,the operation value corresponding to the account logged in by the user,a weight corresponding to an account to which the user logs in,in order to operate the operation value of the main body,is the weight of the subject of the operation,in order to operate the operation value of the object,is the weight of the operation object,is the operational value of the operational action,is the weight of the action of the operation,;
the second determining module includes:
a dividing unit configured to divide the evaluation values in the database into a plurality of matching groups;
a matching unit for matching the evaluation value of the operation with each of the matching groups, respectively;
and the acquisition unit is used for terminating the matching when the evaluation value of the operation is successfully matched with the evaluation value in one of the matching groups, taking the successfully matched evaluation value as the target evaluation value, and acquiring the operation behavior corresponding to the target evaluation value from the database.
6. A malicious operation identification device characterized by comprising:
a memory for storing a computer program;
a processor for implementing the steps of the malicious operation identification method of any of claims 1 to 4 when executing the computer program.
7. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the steps of the malicious operation identification method according to any one of claims 1 to 4.
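The flow of claims 1 to 3 can be followed end to end in the Python sketch below, which is an added illustration and not part of the patent text. The weighted-sum form of the evaluation value, the symmetric `TOLERANCE` matching range, the odd/even split by record position, and every table value are assumptions made for the example, since the patent's formula and concrete values are not reproduced on this page.

```python
# All tables are constructed sample data; the patent publishes no concrete values.
OPERATION_VALUES = {
    "account": {"admin": 10, "guest": 40},
    "subject": {"backup_service": 5, "unknown_script": 50},
    "object": {"tmp_file": 5, "system_config": 60},
    "action": {"read": 5, "delete": 70},
}
# Assumption: evaluation value = sum(operation value * weight) over the four factors.
WEIGHTS = {"account": 1, "subject": 2, "object": 3, "action": 4}
# Assumption: a reference value r matches any value in [r - TOLERANCE, r + TOLERANCE].
TOLERANCE = 10
# Pre-established database: (reference evaluation value, operation behaviour).
DATABASE = [
    (55, "routine read of temporary data"),
    (220, "administrative configuration review"),
    (440, "unattended file deletion"),
    (600, "destruction of system configuration"),
]
MALICIOUS_BEHAVIOURS = {"unattended file deletion", "destruction of system configuration"}


def evaluation_value(operation):
    """Weighted sum of the operation values of account, subject, object and action."""
    return sum(OPERATION_VALUES[k][operation[k]] * WEIGHTS[k] for k in WEIGHTS)


def split_into_groups(database):
    """Odd-numbered records (1st, 3rd, ...) and even-numbered records (2nd, 4th, ...)."""
    return [database[0::2], database[1::2]]


def match_in_group(value, group):
    """Walk the group from its first entry; return the first entry whose range holds value."""
    for reference, behaviour in group:
        if abs(value - reference) <= TOLERANCE:
            return reference, behaviour
    return None


def identify(operation):
    """Score the operation, match it group by group, and decide whether to intercept."""
    value = evaluation_value(operation)
    for group in split_into_groups(DATABASE):
        hit = match_in_group(value, group)
        if hit is not None:  # first successful match terminates the matching
            target, behaviour = hit
            return {"evaluation": value, "target": target, "behaviour": behaviour,
                    "intercept": behaviour in MALICIOUS_BEHAVIOURS}
    # No reference value matched: the claims do not cover this case, so the sketch
    # reports it explicitly instead of silently treating the operation as benign.
    return {"evaluation": value, "target": None, "behaviour": None, "intercept": False}
```

An operation whose evaluation value falls outside every matching range comes back with `target` set to `None`; a deployment has to decide whether such operations are allowed, logged, or blocked.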
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010738573.XA CN111898123B (en) | 2020-07-28 | 2020-07-28 | Malicious operation identification method, device, equipment and readable storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010738573.XA CN111898123B (en) | 2020-07-28 | 2020-07-28 | Malicious operation identification method, device, equipment and readable storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111898123A CN111898123A (en) | 2020-11-06 |
CN111898123B true CN111898123B (en) | 2022-06-10 |
Family
ID=73182237
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010738573.XA Active CN111898123B (en) | 2020-07-28 | 2020-07-28 | Malicious operation identification method, device, equipment and readable storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111898123B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114185610A (en) * | 2021-11-18 | 2022-03-15 | 福建省天奕网络科技有限公司 | Client function configuration method and server |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104954342A (en) * | 2014-03-31 | 2015-09-30 | 腾讯科技(深圳)有限公司 | Security estimation method and device |
CN110365698A (en) * | 2019-07-29 | 2019-10-22 | 杭州数梦工场科技有限公司 | Methods of risk assessment and device |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8196201B2 (en) * | 2006-07-19 | 2012-06-05 | Symantec Corporation | Detecting malicious activity |
Non-Patent Citations (1)
Title |
---|
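Trust-based user behavior analysis and security management mechanism in P2P networks; Liu Wu et al.; Periodical of Ocean University of China (Natural Science Edition); 20081015; 101-103 * |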
Also Published As
Publication number | Publication date |
---|---|
CN111898123A (en) | 2020-11-06 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP1811381B1 (en) | Software operation modeling and monitoring device and method | |
CN108053318B (en) | Method and device for identifying abnormal transactions | |
CN107220130B (en) | Method, device and system for realizing information consensus at nodes of block chain | |
EP3627431A1 (en) | Cross-chain trading method and apparatus | |
CN110348188B (en) | Core body checking method and device | |
CN109815697B (en) | Method and device for processing false alarm behavior | |
KR102440878B1 (en) | Learning method for learning detection model for fraud detection of virtual asset, detecting method of fraud detection of virtual asset using the detection model, apparatus and computer program for performing the learning method and the detecting method | |
CN109242658B (en) | Suspicious transaction report generation method, suspicious transaction report generation system, suspicious transaction report generation computer device and suspicious transaction report storage medium | |
CN111898123B (en) | Malicious operation identification method, device, equipment and readable storage medium | |
CN113064759A (en) | Block chain data rollback processing method and processing system thereof | |
CN109583731A (en) | A kind of Risk Identification Method, device and equipment | |
CN103440460A (en) | Application system change validation method and system | |
KR101951015B1 (en) | Server detecting abnormal game activity and operating method of thereof | |
CN108090736B (en) | Workflow approval bill-based approval method and device and readable storage medium | |
CN113220598A (en) | System test method, apparatus, device, medium, and program product | |
EP3174263A1 (en) | Apparatus and method for verifying detection rule | |
CN111191215A (en) | Safety equipment identification method and system | |
CN116010217A (en) | Data processing method, device, computer equipment and storage medium | |
CN112488562B (en) | Service realization method and device | |
CN104933620A (en) | Online transaction monitoring device and method | |
EP3907968A1 (en) | Method and system for blockchain intrusion prevention | |
CN114416581A (en) | Method, device and equipment for determining test failure reason | |
CN112529462A (en) | Service verification method, device, server and storage medium | |
CN112966288A (en) | Data processing method and device, electronic equipment and storage medium | |
CN112363933A (en) | Automatic verification method and device for word paragraph table, computer equipment and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||