CN112087452B - Abnormal behavior detection method and device, electronic equipment and computer storage medium - Google Patents


Info

Publication number
CN112087452B
Authority
CN (China)
Prior art keywords
behavior, network, event, target user, target
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010943289.6A
Other languages
Chinese (zh)
Other versions
CN112087452A (en)
Inventors
沙斌
邹仕洪
衣春雷
张广伟
黄浩东
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Yuanxin Information Technology Group Co ltd
Original Assignee
Yuanxin Technology
Application filed by Yuanxin Technology
Priority to CN202010943289.6A
Publication of CN112087452A
Application granted
Publication of CN112087452B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/142 Network analysis or design using statistical or mathematical methods
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G06F18/24 Classification techniques

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Evolutionary Computation (AREA)
  • Evolutionary Biology (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Artificial Intelligence (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Algebra (AREA)
  • Mathematical Analysis (AREA)
  • Mathematical Optimization (AREA)
  • Mathematical Physics (AREA)
  • Probability & Statistics with Applications (AREA)
  • Pure & Applied Mathematics (AREA)
  • Telephonic Communication Services (AREA)
  • Alarm Systems (AREA)

Abstract

The application provides an abnormal behavior detection method and device, electronic equipment and a computer storage medium, and relates to the technical field of data security. The method comprises the following steps: acquiring network behavior characteristic data of a target user on target equipment, wherein the network behavior characteristic data describes at least one network behavior event of the target user; determining the actual behavior track of the target user on the network according to the network behavior characteristic data; and judging whether the network behavior event is an abnormal behavior event according to the difference between the actual behavior track and at least one standard behavior track, wherein the standard behavior track is a normal network user behavior track. Abnormal behavior can thus be identified rapidly, which helps guarantee the data security of the target device.

Description

Abnormal behavior detection method and device, electronic equipment and computer storage medium
Technical Field
The present application relates to the field of data security technologies, and in particular, to a method and an apparatus for detecting abnormal behavior, an electronic device, and a computer storage medium.
Background
With the widespread adoption of mobile devices, data exchange between mobile terminals and the outside world has become increasingly frequent, and the security risk has grown accordingly. Traditional security detection methods cannot detect unknown threats or insider threats and do not scale; as data volumes grow, detection becomes slower and slower and response times become excessively long.
Disclosure of Invention
The application provides a method and a device for detecting abnormal behaviors, electronic equipment and a computer storage medium, which address the technical problem of identifying abnormal behaviors more quickly.
In a first aspect, a method for detecting abnormal behavior is provided, the method including:
acquiring network behavior characteristic data of a target user on target equipment, wherein the network behavior characteristic data is used for describing at least one network behavior event of the target user;
determining an actual behavior track of a target user on the network according to the network behavior characteristic data;
and judging whether the network behavior event is an abnormal behavior event or not according to the difference between the actual behavior track and at least one standard behavior track, wherein the standard behavior track is a normal network user behavior track.
In a second aspect, there is provided an apparatus for abnormal behavior detection, the apparatus comprising:
a module configured to acquire network behavior characteristic data of a target user on target equipment, wherein the network behavior feature data is used for describing at least one network behavior event of the target user;
the first determining module is used for determining the actual behavior track of the target user on the network according to the network behavior characteristic data;
and the judging module is used for judging whether the network behavior event is an abnormal behavior event or not according to the difference between the actual behavior track and at least one standard behavior track, wherein the standard behavior track is a normal network user behavior track.
In a third aspect, an electronic device is provided, which includes:
one or more processors;
a memory;
one or more application programs, wherein the one or more application programs are stored in the memory and configured to be executed by the one or more processors, the one or more programs configured to perform operations corresponding to the method of abnormal behavior detection as set forth in the first aspect of the present application.
In a fourth aspect, a computer storage medium is provided, on which a computer program is stored, which when executed by a processor, implements the method of abnormal behavior detection shown in the first aspect of the present application.
The beneficial effects of the technical solution provided by this application are:
by acquiring the network behavior characteristic data of the target user on the target device and then determining the actual behavior track of the target user on the network from that data, a large amount of behavior characteristic data can be processed at the same time; and by comparing the actual behavior track of the target user with a preset standard behavior track, whether the behavior characteristic data of the target user belongs to abnormal behavior can be identified rapidly, which improves the identification rate of abnormal behavior events and guarantees the data security of the target equipment.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings used in the description of the embodiments of the present application will be briefly described below.
Fig. 1 is a schematic flowchart of an abnormal behavior detection method according to an embodiment of the present application;
fig. 2 is a schematic flowchart of a method for establishing a first behavior feature distribution model according to an embodiment of the present application;
fig. 3 is a schematic flowchart of another abnormal behavior detection method according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of an abnormal behavior detection apparatus according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of a first behavior feature distribution model building apparatus according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of another abnormal behavior detection apparatus according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to embodiments of the present application, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to the same or similar elements or elements having the same or similar function throughout. The embodiments described below with reference to the accompanying drawings are illustrative and are only for the purpose of explaining the present application and are not to be construed as limiting the present invention.
As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises" and/or "comprising," when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. It will be understood that when an element is referred to as being "connected" or "coupled" to another element, it can be directly connected or coupled to the other element, or intervening elements may be present. Further, "connected" or "coupled" as used herein may include wirelessly connected or wirelessly coupled. As used herein, the term "and/or" includes all or any element and all combinations of one or more of the associated listed items.
To make the objects, technical solutions and advantages of the present application more clear, embodiments of the present application will be described in further detail below with reference to the accompanying drawings.
The application provides an abnormal behavior detection method, an abnormal behavior detection device, an electronic device and a computer storage medium, and aims to solve the above technical problems in the prior art.
The following describes the technical solutions of the present application and how to solve the above technical problems with specific embodiments. The following several specific embodiments may be combined with each other, and details of the same or similar concepts or processes may not be repeated in some embodiments. Embodiments of the present application will be described below with reference to the accompanying drawings.
An embodiment of the present application provides a method for detecting an abnormal behavior, as shown in fig. 1, the method includes:
step S101: acquiring network behavior characteristic data of the target user on the target equipment, wherein the network behavior characteristic data is used for describing at least one network behavior event of the target user.
It should be understood that the target device includes a mobile terminal but is not limited to the mobile terminal, and the following description will take the mobile terminal as an example. The target user may be a user who directly uses the mobile terminal, or may be a user who uses other devices, but manipulates the mobile terminal, or transmits data to the mobile terminal.
It can be understood that the network behavior feature data of the target user on the target device covers the device behaviors, such as connection, downloading, execution, file reading and writing, with which the target device responds after the target user performs various operations on it and the target device receives those operations.
The network behavior feature data may be a network behavior event of the target user, and in an embodiment of the present application, the network behavior event may include a plurality of events such as connection, use, operation, access, upload, download, successful login, restart, shutdown, login failure, attack, infection, and the like.
In an embodiment of the present application, acquiring network behavior feature data of a target user on a target device includes:
step S1011: when a target user accesses a network program based on a target device, network behavior characteristic data of the target user in the process of executing the network program is obtained.
It is understood that the mobile terminal generally performs data exchange with the outside world through the network, and therefore, in an embodiment of the present application, when the user accesses the network program using the mobile terminal, the network behavior feature data of the user during the execution of the network program, that is, various device behaviors that the target device responds to during the execution of the network program, may be acquired.
In an embodiment of the present application, the acquiring network behavior feature data of the target user in the process of executing the network program includes:
step S1011a: acquiring at least one function call symbol from the execution of the network program, wherein the function call symbol is the function identifier of a function called by the network program during its execution;
it is understood that the device behavior of the target device during execution of the network program may be obtained by collecting and analyzing the functions the network program calls while it runs. For example, on a Linux system, when a network program is executed the kernel loads the program together with the dynamic linker into memory; the linker completes the dynamic linking process and loads the base libraries the program depends on, so that at least one function call symbol, that is, the function identifier of a function called by the network program during its execution, can be obtained.
Step S1011b: analyzing the at least one function call symbol to obtain the network behavior event corresponding to it, wherein the network behavior event can comprise any one of starting, logging in, accessing, uploading and downloading;
specifically, a preset classification model can divide the calling behavior corresponding to the called function into a conventional behavior, a file system behavior and the like according to the call duration of the function call symbol, and can then further determine the network behavior events corresponding to the function call symbol, such as connection, downloading, execution and file read-write access, according to the device behaviors included in the different behavior classes.
Step S1011c: determining a network behavior sequence for the target device during execution of the network program based on the timestamp of the at least one network behavior event, and determining the feature vector of that network behavior sequence as the network behavior feature data of the target user.
The timestamp of a network behavior event is the time at which the network behavior event occurs, and the network behavior sequence for the target device is a series of device behaviors of the target device over a period of time, such as the target device logging on to a certain website at a first time and previewing and downloading a picture from that website at a second time.
It can be understood that, after determining the network behavior event corresponding to each function call symbol according to the preset classification model, a series of device behaviors of the target device within a certain period of time in the process of executing the network program may be determined according to the time of occurrence of each network behavior event.
In an embodiment of the present application, after a series of device behaviors of a target device within a certain period of time is determined, the user identity of an operating user operating the series of device behaviors may be traced, and then the identity characteristic of the operating user and the characteristic of a network behavior sequence are determined as network behavior characteristic data of the target user.
The user identity characteristics of the operating user comprise at least one of the user name of the operating user and the login of the operating user to the target equipment.
Step S102: determining the actual behavior track of the target user on the network according to the network behavior characteristic data.
For example, the actual behavior trace of the target user on the network may include that a certain user logs on to a certain website on the target device at a first time, and previews and downloads a picture of a certain website at a second time.
In one embodiment of the present application, determining an actual behavior trace of a target user on a network according to network behavior feature data includes:
inputting the network behavior feature data into a first pre-trained behavior feature distribution model to obtain a first distribution probability for each network behavior event, and determining an actual behavior track of a target user on the network according to the first distribution probability of each network behavior event, wherein the first behavior feature distribution model is a mixed Gaussian model aiming at the behavior feature data of target equipment distributed in a feature space.
The first behavior feature distribution model is a pre-trained Gaussian mixture model which accords with the behavior feature distribution of the target device user and can be used for determining the actual network behavior distribution result of the target user.
Specifically, the network behavior feature data may be input into a first behavior feature distribution model trained in advance, so as to obtain a first distribution probability for each network behavior event, where the first distribution probability for each network behavior event is related to the name of the network behavior event and the position of the network behavior event in the whole network program execution process.
It can be understood that, for each network program, the network behavior events that occur during its execution, that is, the device behaviors of the target device, are generally relatively fixed when the program needs to achieve a specific execution purpose. The distribution probability of the various network behavior events at each position in the program's execution can therefore be obtained in advance from a large number of statistical results, and the network behavior event with the highest probability at each position is determined as the standard behavior event.
After the actual network behavior feature data of a target user, i.e., a series of network behavior events over a period of time such as the execution of a network program, is input into the pre-trained first feature distribution model, a first distribution probability, i.e., an actual distribution probability, is obtained for the actual network behavior event at each position. The actual distribution probabilities of the actual network behavior events over that period are combined into the actual distribution result for the period, and this result represents both the actual behavior trajectory of the target user in the period and the actual distribution probability of each actual network behavior event.
In one embodiment of the present application, obtaining a standard behavior trace of a target user on a network includes:
inputting the network behavior feature data into a second behavior feature distribution model trained in advance to obtain a second distribution probability for each network behavior event, and determining a standard behavior track of a target user on the network according to the second distribution probability of each network behavior event, wherein the second behavior feature distribution model is a general background model about the distribution of the standard behavior feature data in a feature space.
The second behavior feature distribution model is a pre-trained general background model which accords with the behavior feature distribution of a plurality of devices and a plurality of users and can be used for determining a standard network behavior distribution result of a target user.
Specifically, the network behavior feature data may be input into a second behavior feature distribution model trained in advance, so as to obtain a second distribution probability for each network behavior event, where the second distribution probability for each network behavior event is related to a position of the network behavior event in the whole network program execution process.
It can be understood that, for each network program, when it needs to achieve a specific execution purpose in the executed process, the network behavior events occurring within the executed process time period are generally fixed, so that the network behavior event with the highest probability of various network behavior events at each position in the executed process of the network program may be determined as the standard network behavior event, and the probability of the standard network behavior event may be determined as the second distribution probability, that is, the standard distribution probability.
The standard distribution probabilities of the standard network behavior events in the period of time form the standard distribution result for that period, which represents both the standard behavior track of the target user in the period and the standard distribution probability of each standard network behavior event.
It should be noted that, in the embodiment of the present application, a possible implementation manner is provided, and as shown in fig. 2, the establishing process of the first behavior feature distribution model includes the following steps:
step S201: training the Gaussian mixture model on the sample behavior characteristic data of non-target equipment to obtain the second characteristic distribution model.
Step S202: inputting the sample behavior feature data of the target equipment into the second feature distribution model, and obtaining the first behavior feature distribution model through maximum a posteriori probability adaptation.
In the embodiment of the present application, an association analysis algorithm based on GMM-UBM (gaussian mixture model-universal background model) is adopted.
It can be understood that, although the feature distribution of the target device does not follow one fixed distribution form, any distribution can be composed by superposing a number of Gaussian models, and the Gaussian mixture model uses a weighted sum of several Gaussian models to represent the probability density functions of different user behavior events, according to the following formula:
[formula (1): equation image BDA0002674388340000071, not reproduced in the text]
wherein x is the user behavior feature vector, K is the number of components of the Gaussian mixture model, p(k) is the probability that the k-th Gaussian component is selected, also written $\pi_k$, N is the number of user behavior events, and p(x | k) is a single component of the Gaussian mixture model, each component being characterized by its mean $\mu_k$ and covariance $\Sigma_k$.
The parameter estimation of the Gaussian mixture model is a supervised training process based on the maximum likelihood criterion: the parameter values most likely to have produced the known samples are inferred from those samples, and the expectation maximization algorithm is iterated until the result converges. A set of parameters can thus be determined whose probability distribution gives the highest probability of generating the given user behavior feature data points; this probability is substantially equal to
[equation image BDA0002674388340000081, not reproduced in the text]
where i is the ordinal number of the user behavior event. Substituting this probability result into formula (1) yields the parameter values to be estimated, which completes the parameter estimation process.
However, to depict the network behavior characteristics of the target device accurately with a Gaussian mixture model, a large amount of sample behavior characteristic data of the target device is generally needed to train the model; if there is too little sample behavior characteristic data, the trained low-order Gaussian mixture model is poorly representative and the accuracy of the subsequent distribution results suffers.
Therefore, in this embodiment a GMM-UBM (Gaussian mixture model-universal background model) is adopted. First, the sample behavior feature data of all target devices is treated as the sample behavior feature data of a single device and input into the Gaussian mixture model, and a high-order Gaussian mixture model is obtained through training; this model is the universal background model, that is, the second behavior feature distribution model.
And then, a Gaussian mixture model which accords with the behavior feature distribution of the target equipment user is obtained by utilizing the limited sample behavior feature data of the target equipment on the general background model through maximum posterior probability self-adaptation, namely a first behavior feature distribution model.
According to the embodiment of the application, the behavior characteristic distribution model of the target equipment is described through a large amount of sample behavior characteristic data of the non-target equipment, and the problem that the accuracy of subsequent distribution results is poor due to insufficient sample behavior characteristic data of the target equipment is solved in the reverse direction.
The maximum posterior probability self-adaptive algorithm is used for correspondingly adjusting each Gaussian component in the general background model to adapt to the sample behavior characteristic of the target equipment by calculating the similarity between the sample behavior characteristic of the target equipment and the general background model. Usually, the adjustment is to update the weight, the mean value and the variance of the general background model, and a large amount of research shows that the good identification effect can be obtained only by updating the mean value.
Step S103: judging whether the network behavior event is an abnormal behavior event or not according to the difference between the actual behavior track and at least one standard behavior track, wherein the standard behavior track is a normal network user behavior track.
It is understood that the actual behavior trace of the target user on the network may include actual distribution results composed of actual distribution probabilities of the target user for each actual network behavior event of the target device; the normal network user behavior trace comprises a standard distribution result composed of standard distribution probabilities for each standard network behavior event of the target device.
If the two results deviate from each other, the network behavior events of the target user on the target device may be abnormal behavior events. It should be noted that when a network behavior event is judged to be abnormal, the judgement does not concern a single isolated network behavior event: the whole series of network behavior events of the target user on the target device during the execution of the network program is regarded as abnormal.
By detecting abnormal behavior events, they can be handled in time and the data security of the target equipment ensured.
In an embodiment of the present application, determining whether a network behavior event is an abnormal behavior event according to a difference between an actual behavior trajectory and at least one standard behavior trajectory includes:
if the offset between the actual behavior track and the at least one standard behavior track exceeds a preset offset range, determining the network behavior event as an abnormal behavior event.
It can be understood that the offset between the actual behavior trajectory and the standard behavior trajectory can be measured by the difference between the actual distribution and the standard distribution. Since the two distributions respectively reflect the actual distribution probability and the standard distribution probability of the target user's behavior features, in an embodiment of the present application the difference between the areas of the two distributions is used as the offset between them, and when that difference reaches the preset offset range, the actual network behavior event of the target user is determined as an abnormal network behavior event.
The method and the device can simultaneously process a large batch of behavior characteristic data by acquiring the network behavior characteristic data of the target user on the target device, and then determining the actual behavior track of the target user on the network based on the network behavior characteristic data; and the actual behavior track of the target user is compared with the preset standard behavior track, so that whether the behavior characteristic data of the target user belongs to the abnormal behavior can be rapidly identified, the identification rate of the abnormal behavior event is improved, and the data safety of the target equipment is guaranteed.
In addition, a possible implementation manner is provided in the embodiment of the present application, as shown in fig. 3, after determining a network behavior event as an abnormal behavior event, the abnormal behavior detection method further includes:
Step S104: determining the identity of the target user based on the network behavior feature data of the target user on the target device.
Step S105: when the network program is started again, limiting the operation of the target user based on the identity of the target user.
It can be understood that, when the offset between the actual behavior trajectory of the target user and the standard behavior trajectory exceeds the preset offset range, the network behavior event at this time is an abnormal behavior event. As noted above, the abnormal behavior event is not a single independent network behavior event; rather, the series of network behavior events performed against the target device while the target user executes the network program is abnormal as a whole.
At this time, the identity of the target user may be determined through a tracing technique, where the identity of the target user includes the user name used to log in to the target device, the user name used to log in to the network program, the user name that started the process, or the network card IP address of the target device.
When the network program is restarted, the operation of the target user may be limited according to the identity of the target user: for example, the process of the abnormal user is blocked before it starts, or a system call white list is set to prohibit the application from starting, or the operation of the target user on the target device is limited according to the name of the user of the target device, or the operation of the target user on the network program is displayed according to the name of the user who logged in to the network program.
By performing policy interception on the process of the user identity corresponding to the abnormal behavior event, the privacy and security of the target device's data can be effectively protected.
An embodiment of the present application provides an abnormal behavior detection apparatus, and as shown in fig. 4, the abnormal behavior detection apparatus 40 may include: an acquisition module 401, a first determination module 402 and a judgment module 403.
The obtaining module 401 is configured to obtain network behavior feature data of a target user on a target device, where the network behavior feature data is used to describe at least one network behavior event of the target user.
It should be understood that the target device includes a mobile terminal, but is not limited to a mobile terminal, and the following description will be given by taking the mobile terminal as an example. The target user may be a user who directly uses the mobile terminal, or may be a user who uses other devices, but manipulates the mobile terminal, or transmits data to the mobile terminal.
It can be understood that the network behavior feature data of the target user on the target device includes the device behaviors, such as connection, downloading, execution, file reading and writing and the like, with which the target device responds after the target user performs various behavior operations on the target device and the target device receives those operations.
The network behavior feature data may be a network behavior event of the target user, and in an embodiment of the present application, the network behavior event may include a plurality of events such as connection, use, operation, access, upload, download, successful login, restart, shutdown, login failure, attack, infection, and the like.
In an embodiment of the present application, the obtaining module 401 includes:
an acquisition submodule, configured to acquire the network behavior feature data of the target user during execution of the network program when the target user accesses the network program from the target device.
It is understood that the mobile terminal generally performs data exchange with the outside world through the network, and therefore, in an embodiment of the present application, when the user accesses the network program using the mobile terminal, the network behavior feature data of the user during the execution of the network program, that is, various device behaviors that the target device responds to during the execution of the network program, may be acquired.
In an embodiment of the application, the network behavior feature data includes a sequence of network behaviors for the target device during execution of the network program, and the obtaining sub-module includes:
an acquiring unit, configured to acquire at least one function call symbol during execution of the network program, where the function call symbol describes the function identifier of a function called by the network program during its execution;
It is understood that the device behavior of the target device during execution of the network program may be obtained by acquiring and analyzing the functions called during that execution. Specifically, for example, on a Linux system, when a network program is executed the kernel loads the network program together with the linker into memory; the linker completes the dynamic-link loading process and loads the base libraries on which the network program depends, from which at least one function call symbol during execution of the network program, that is, the function identifier of a function called by the network program, can be obtained.
an analysis unit, configured to analyze and acquire the network behavior event corresponding to the at least one function call symbol, where the network behavior event may include any one of starting, logging in, accessing, uploading and downloading;
Specifically, the preset classification model can divide the calling behavior corresponding to the called function into conventional behavior, file system behavior and the like according to the call duration of the function call symbol, and can then further determine the network behavior events corresponding to the function call symbol, such as connection, download, execution and file read-write access, according to the device behaviors included in the different behaviors.
a determining unit, configured to determine the network behavior sequence for the target device during execution of the network program based on the timestamp of the at least one network behavior event, and to determine the feature vector of the network behavior sequence during execution of the network program as the network behavior feature data of the target user.
The timestamp of a network behavior event is the time at which the network behavior event occurs, and the network behavior sequence for the target device comprises a series of device behaviors of the target device within a period of time, such as the target device logging on to a certain website at a first time and previewing and downloading a picture from that website at a second time.
It can be understood that, after determining the network behavior event corresponding to each function call symbol according to the preset classification model, a series of device behaviors of the target device within a certain period of time in the process of executing the network program may be determined according to the occurrence time of each network behavior event.
In an embodiment of the present application, after a series of device behaviors of a target device within a certain period of time is determined, the user identity of an operation user who operates the series of device behaviors may be traced, and then the identity feature of the operation user and the feature of a network behavior sequence are determined as network behavior feature data of the target user.
The user identity features of the operating user comprise at least one of the user name of the operating user and the operating user's login to the target device.
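As an added example, not code from the patent, the following Python sketch puts the pipeline of the preceding paragraphs together: a table mapping function call symbols to device behaviors, a duration-based call class standing in for the "preset classification model", timestamp ordering into a network behavior sequence, and a position-aware feature vector built from that sequence. The symbol table, the duration threshold, the event vocabulary and the sample trace are constructed assumptions; the generalization to an arbitrary number of time slices goes beyond the text's single example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List

# Assumed table mapping resolved call symbols to device behaviors. It is a
# constructed example, not the patent's classification model.
SYMBOL_TO_EVENT = {
    "getaddrinfo": "connection", "connect": "connection",
    "send": "upload", "sendto": "upload",
    "recv": "download", "recvfrom": "download",
    "execve": "execution", "fork": "execution",
    "open": "file_rw", "read": "file_rw", "write": "file_rw",
}
EVENT_VOCAB = ["connection", "upload", "download", "execution", "file_rw", "other"]
LONG_CALL_MS = 100.0  # assumed duration threshold separating the two call classes

@dataclass(frozen=True)
class CallRecord:
    timestamp: float    # seconds since the program started
    symbol: str         # function identifier resolved by the dynamic linker
    duration_ms: float  # how long the call took

@dataclass(frozen=True)
class BehaviorEvent:
    timestamp: float
    event: str
    call_class: str     # "conventional" or "long_running", decided by duration

def classify_call(rec: CallRecord) -> BehaviorEvent:
    """Duration decides the coarse call class; the symbol decides the event."""
    event = SYMBOL_TO_EVENT.get(rec.symbol, "other")
    call_class = "long_running" if rec.duration_ms >= LONG_CALL_MS else "conventional"
    return BehaviorEvent(rec.timestamp, event, call_class)

def build_sequence(records: List[CallRecord]) -> List[BehaviorEvent]:
    """Timestamp-ordered network behavior sequence for one program execution."""
    return sorted((classify_call(r) for r in records), key=lambda e: e.timestamp)

def feature_vector(sequence: List[BehaviorEvent], n_segments: int = 2) -> List[float]:
    """Position-aware feature vector: the execution is cut into n_segments equal time
    slices and each slice contributes the relative frequency of every vocabulary event,
    so the same event counts differently early and late in the execution."""
    if not sequence:
        return [0.0] * (n_segments * len(EVENT_VOCAB))
    t0, t1 = sequence[0].timestamp, sequence[-1].timestamp
    span = (t1 - t0) or 1.0
    vec: List[float] = []
    for s in range(n_segments):
        lo = t0 + span * s / n_segments
        last = s == n_segments - 1
        hi = t1 if last else t0 + span * (s + 1) / n_segments
        in_slice = [e for e in sequence
                    if lo <= e.timestamp and (e.timestamp <= hi if last else e.timestamp < hi)]
        counts = Counter(e.event for e in in_slice)
        total = len(in_slice) or 1
        vec.extend(counts[ev] / total for ev in EVENT_VOCAB)
    return vec

# Constructed trace (out of order, as collected): resolve, connect, send, receive, write.
SAMPLE_TRACE = [
    CallRecord(0.50, "connect", 12.0),
    CallRecord(0.10, "getaddrinfo", 140.0),
    CallRecord(1.20, "recv", 8.0),
    CallRecord(1.90, "write", 3.0),
    CallRecord(0.80, "send", 2.0),
    CallRecord(1.50, "recv", 9.0),
]

def demo():
    seq = build_sequence(SAMPLE_TRACE)
    return [e.event for e in seq], feature_vector(seq)

if __name__ == "__main__":
    events, vec = demo()
    print(events)
    print([round(v, 2) for v in vec])
```

The resulting vector is what a distribution model would consume; the identity features described in the text (login name, process owner) would be appended to it as further dimensions.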
A first determining module 402, configured to determine an actual behavior trace of the target user on the network according to the network behavior feature data.
For example, the actual behavior trace of the target user on the network may include that a certain user logs on to a certain website on the target device at a first time, and previews and downloads a picture of a certain website at a second time.
In one embodiment of the present application, the first determining module 402 includes:
the first determining submodule is used for inputting the network behavior feature data into a first pre-trained behavior feature distribution model to obtain a first distribution probability for each network behavior event, and determining an actual behavior track of a target user on the network according to the first distribution probability of each network behavior event, wherein the first behavior feature distribution model is a mixed Gaussian model aiming at the behavior feature data of target equipment distributed in a feature space.
The first behavior feature distribution model is a pre-trained Gaussian mixture model which accords with the behavior feature distribution of the target equipment user and can be used for determining the actual network behavior distribution result of the target user.
Specifically, the network behavior feature data may be input into a first behavior feature distribution model trained in advance, so as to obtain a first distribution probability for each network behavior event, where the first distribution probability for each network behavior event is related to the name of the network behavior event and the position of the network behavior event in the whole network program execution process.
It can be understood that, for each network program, when it needs to achieve a specific execution purpose in the executed process, the network behavior event that occurs in the executed process time period, that is, the device behavior of the target device, is generally relatively fixed, so that the distribution probability of various network behavior events at each location in the executed process of the network program can be obtained in advance, and the network behavior event with the maximum probability at each location is determined as a standard behavior event, where the distribution probability of various network behavior events at each location is obtained based on a large number of statistical results.
After inputting actual network behavior feature data of a target user, i.e., a series of network behavior events in a period of time, such as in the process of executing a network program, into a pre-trained first feature distribution model, a first distribution probability, i.e., an actual distribution probability, of the actual network behavior event at each position can be obtained, the actual distribution probabilities of the actual network behavior events in the period of time are combined into an actual distribution result in the period of time, and the actual distribution result not only represents an actual behavior trajectory of the target user in the period of time, but also represents an actual distribution probability of each actual network behavior event.
In an embodiment of the present application, the first determining module 402 further includes:
a second determining submodule, configured to input the network behavior feature data into a second behavior feature distribution model trained in advance to obtain a second distribution probability for each network behavior event, and to determine a standard behavior track of the target user on the network according to the second distribution probability of each network behavior event, where the second behavior feature distribution model is a general background model of the distribution of standard behavior feature data in a feature space.
The second behavior feature distribution model is a pre-trained general background model which accords with the behavior feature distribution of a plurality of devices and a plurality of users, and can be used for determining a standard network behavior distribution result of a target user.
Specifically, the network behavior feature data may be input into a second behavior feature distribution model trained in advance, so as to obtain a second distribution probability for each network behavior event, where the second distribution probability for each network behavior event is related to a position of the network behavior event in the whole network program execution process.
It can be understood that, for each network program, when it needs to achieve a specific execution purpose in the executed process, the network behavior events occurring within the executed process time period are generally fixed, so that the network behavior event with the highest probability of various network behavior events at each position in the executed process of the network program may be determined as the standard network behavior event, and the probability of the standard network behavior event may be determined as the second distribution probability, that is, the standard distribution probability.
And forming a standard distribution result in the time period by the standard distribution probability of the standard network behavior event in the time period, wherein the standard distribution result not only represents the standard behavior track of the target user in the time period, but also represents the standard distribution probability of each standard network behavior event.
It should be noted that, in the embodiment of the present application, a possible implementation manner is provided, as shown in fig. 5, a device for establishing a first behavior feature distribution model is provided:
The training module 501 is configured to train the Gaussian mixture model on the sample behavior feature data of non-target devices, so as to obtain the second feature distribution model.
The adaptation module 502 is configured to input the sample behavior feature data of the target device into the second feature distribution model and to obtain the first behavior feature distribution model through maximum posterior probability adaptation.
In the embodiment of the present application, a correlation analysis algorithm based on GMM-UBM (Gaussian mixture model and universal background model) is used.
It can be understood that, although the feature distribution of the target device does not follow a specific distribution form, any distribution can be formed by superimposing a plurality of Gaussian models, and the Gaussian mixture model uses a weighted sum of several Gaussian models to represent the probability density functions of different user behavior events, as follows:
(Formula (1), shown as an image in the original; not reproduced here.)
where x is the user behavior feature vector, K is the number of components of the Gaussian mixture model, p(k) is the probability that each Gaussian model is selected and is also written as π_k, N is the number of user behavior events, p(x|k) is a single component of the Gaussian mixture model, and each component is determined by its mean μ_k and covariance Σ_k.
The parameter estimation of the Gaussian mixture model is a supervised training process: based on the maximum likelihood criterion, the parameter values most likely to have produced the known sample results are inferred in reverse, iterating with the expectation-maximization algorithm until the result converges. It will be appreciated that a set of parameters can be determined whose probability distribution produces the highest probability of generating the given user behavior feature data points, this probability being essentially
(Second formula, shown as an image in the original; not reproduced here.)
where i is the ordinal number of the user behavior event. Substituting this probability into formula (1) yields the parameter values to be estimated, which completes the parameter estimation process.
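The two formula images above are not reproduced in this text. As an added illustration, not the page's own rendering, the standard Gaussian mixture density and the likelihood that the surrounding paragraphs describe, written with the symbols the text defines (the feature dimension d is an added symbol):

$$p(x)=\sum_{k=1}^{K} p(k)\,p(x\mid k)=\sum_{k=1}^{K}\pi_k\,p(x\mid k),\qquad p(x\mid k)=\frac{1}{(2\pi)^{d/2}\,|\Sigma_k|^{1/2}}\exp\!\left(-\tfrac12 (x-\mu_k)^{\mathsf T}\Sigma_k^{-1}(x-\mu_k)\right)$$

and, for the N observed user behavior events x_1, …, x_N, the quantity that the expectation-maximization iteration maximises is the likelihood

$$\prod_{i=1}^{N} p(x_i)=\prod_{i=1}^{N}\sum_{k=1}^{K}\pi_k\,p(x_i\mid k),$$

whose maximiser gives the estimated π_k, μ_k and Σ_k.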
However, to depict the network behavior features of the target device accurately with a Gaussian mixture model, a large amount of sample behavior feature data from the target device is generally needed to train the model; if the sample behavior feature data is too scarce, the trained low-order Gaussian mixture model has poor representativeness, so the accuracy of the subsequent distribution results is poor.
Therefore, in this embodiment, a GMM-UBM (Gaussian mixture model and universal background model) is adopted: first, the sample behavior feature data of all target devices is treated as the sample behavior feature data of a single device and input into the Gaussian mixture model, and a high-order, large Gaussian mixture model is obtained through training; this model is the universal background model, that is, the second behavior feature distribution model.
Then, on the basis of the universal background model, a Gaussian mixture model that conforms to the behavior feature distribution of the target device's users is obtained from the limited sample behavior feature data of the target device through maximum posterior probability adaptation; this is the first behavior feature distribution model.
According to the embodiment of the application, the behavior feature distribution model of the target device is described with the help of a large amount of sample behavior feature data from non-target devices, which indirectly solves the problem of poor accuracy in subsequent distribution results caused by insufficient sample behavior feature data of the target device.
The maximum posterior probability adaptation algorithm adjusts each Gaussian component of the universal background model to fit the sample behavior features of the target device by computing the similarity between those sample behavior features and the universal background model. Usually the adjustment updates the weight, mean and variance of the universal background model, but a large body of research shows that a good identification effect can be obtained by updating the mean alone.
The determining module 403 is configured to determine whether the network behavior event is an abnormal behavior event according to a difference between the actual behavior trajectory and at least one standard behavior trajectory, where the standard behavior trajectory is a normal network user behavior trajectory.
It is understood that the actual behavior trace of the target user on the network may include an actual distribution result composed of actual distribution probabilities of the target user for each actual network behavior event of the target device; the normal network user behavior trace comprises a standard distribution result formed by standard distribution probabilities of each standard network behavior event aiming at the target equipment.
If the two results deviate from each other, the network behavior events of the target user on the target device may be abnormal behavior events. It should be noted that what is judged abnormal here is not a single independent network behavior event; rather, the series of network behavior events performed by the target user against the target device while the network program executes is judged, as a whole, to be abnormal.
By detecting the abnormal behavior event and handling it in time, the data security of the target device can be ensured.
In an embodiment of the present application, the determining module 403 includes:
a third determining submodule, configured to determine the network behavior event to be an abnormal behavior event if the offset between the actual behavior track and the at least one standard behavior track exceeds the preset offset range.
It can be understood that the offset between the actual behavior trajectory and the standard behavior trajectory can be measured by the difference between the actual distribution and the standard distribution. Specifically, since the two distributions respectively reflect the actual distribution probability and the standard distribution probability of the target user's behavior features, in an embodiment of the present application the difference between the two distribution areas is used as the offset between the two distributions, and when this difference reaches the preset offset range, the actual network behavior event of the target user is determined to be an abnormal network behavior event.
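The GMM-UBM training, the mean-only maximum posterior probability adaptation and the offset check described in the paragraphs above, worked through in pure Python as an added example that is not code from the patent. The two-dimensional feature vectors, the two population behavior modes, the relevance factor of 16 and the offset bound of 1.0 are constructed assumptions. The offset is implemented as the per-event log-likelihood ratio between the target-adapted model (the actual distribution) and the universal background model (the standard distribution), averaged over the whole event sequence, which is the usual GMM-UBM scoring choice; a sequence whose offset falls below the bound is judged abnormal as a whole, matching the text's point that the series of events, not one event, is what is flagged.

```python
import math
import random

# Pure-Python diagonal-covariance GMM; small enough for the constructed data below.
def log_gauss(x, mean, var):
    """log N(x | mean, diag(var)) for one feature vector x."""
    return sum(-0.5 * (math.log(2 * math.pi * v) + (xi - m) ** 2 / v)
               for xi, m, v in zip(x, mean, var))

def log_sum_exp(vals):
    m = max(vals)
    return m + math.log(sum(math.exp(v - m) for v in vals))

class DiagGMM:
    def __init__(self, weights, means, variances):
        self.w, self.mu, self.var = weights, means, variances

    def component_logs(self, x):
        return [math.log(w) + log_gauss(x, m, v) for w, m, v in zip(self.w, self.mu, self.var)]

    def log_prob(self, x):
        """log p(x) = log sum_k pi_k N(x | mu_k, Sigma_k)."""
        return log_sum_exp(self.component_logs(x))

    def posteriors(self, x):
        """P(k | x) for every component k."""
        logs = self.component_logs(x)
        lse = log_sum_exp(logs)
        return [math.exp(l - lse) for l in logs]

def train_gmm(data, k, iters=50, var_floor=1e-3):
    """Maximum-likelihood GMM via EM; initialised by splitting the data along feature 0."""
    n, d = len(data), len(data[0])
    ordered = sorted(data, key=lambda x: x[0])
    chunks = [ordered[i * n // k:(i + 1) * n // k] for i in range(k)]
    means = [[sum(x[j] for x in c) / len(c) for j in range(d)] for c in chunks]
    gmm = DiagGMM([1.0 / k] * k, means, [[1.0] * d for _ in range(k)])
    for _ in range(iters):
        post = [gmm.posteriors(x) for x in data]                       # E-step
        n_k = [sum(p[c] for p in post) for c in range(k)]
        means = [[sum(p[c] * x[j] for p, x in zip(post, data)) / n_k[c]
                  for j in range(d)] for c in range(k)]               # M-step
        variances = [[max(var_floor, sum(p[c] * (x[j] - means[c][j]) ** 2
                                         for p, x in zip(post, data)) / n_k[c])
                      for j in range(d)] for c in range(k)]
        gmm = DiagGMM([nk / n for nk in n_k], means, variances)
    return gmm

def map_adapt_means(ubm, target_data, relevance=16.0):
    """Mean-only MAP adaptation: mu_k' = a_k * E_k(x) + (1 - a_k) * mu_k, a_k = n_k / (n_k + r)."""
    k, d = len(ubm.w), len(ubm.mu[0])
    post = [ubm.posteriors(x) for x in target_data]
    new_means = []
    for c in range(k):
        n_k = sum(p[c] for p in post)
        if n_k < 1e-12:                      # component never observed on the target device
            new_means.append(list(ubm.mu[c]))
            continue
        e_k = [sum(p[c] * x[j] for p, x in zip(post, target_data)) / n_k for j in range(d)]
        alpha = n_k / (n_k + relevance)
        new_means.append([alpha * e + (1 - alpha) * m for e, m in zip(e_k, ubm.mu[c])])
    return DiagGMM(list(ubm.w), new_means, [list(v) for v in ubm.var])

def trajectory_offset(target_model, ubm, sequence):
    """Offset between the actual trajectory (target model) and the standard one (UBM):
    the per-event log-likelihood ratio averaged over the whole event sequence."""
    return sum(target_model.log_prob(x) - ubm.log_prob(x) for x in sequence) / len(sequence)

MIN_OFFSET = 1.0  # assumed preset bound: below it the sequence is judged abnormal

def is_abnormal(offset, min_offset=MIN_OFFSET):
    """The whole sequence is abnormal when the target profile explains it no better
    than the background population does."""
    return offset < min_offset

def draw(rng, center, n, sd=0.3):
    """Constructed 2-D behavior feature vectors scattered around a center."""
    return [[rng.gauss(c, sd) for c in center] for _ in range(n)]

def demo(seed=7):
    rng = random.Random(seed)
    background = draw(rng, (1.0, 0.2), 200) + draw(rng, (4.0, 0.8), 200)  # many devices
    target_samples = draw(rng, (1.8, 0.3), 60)                            # few target samples
    ubm = train_gmm(background, k=2)                      # second (standard) distribution model
    target_model = map_adapt_means(ubm, target_samples)   # first (actual) distribution model
    normal_seq = draw(rng, (1.8, 0.3), 30)
    anomalous_seq = draw(rng, (4.0, 0.8), 30)
    return {"ubm": ubm, "target_model": target_model,
            "normal_offset": trajectory_offset(target_model, ubm, normal_seq),
            "anomalous_offset": trajectory_offset(target_model, ubm, anomalous_seq)}

if __name__ == "__main__":
    r = demo()
    for name in ("normal_offset", "anomalous_offset"):
        print(name, round(r[name], 2), "abnormal" if is_abnormal(r[name]) else "normal")
```

Only the mean of the component the target device actually uses moves during adaptation; weights and variances stay those of the background model, which is why a sequence that matches the population's other mode scores near zero: the adapted profile explains it no better than the background does, and it falls below the bound.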
By acquiring the network behavior feature data of the target user on the target device and then determining the actual behavior track of the target user on the network from that data, the method and the device can process a large batch of behavior feature data at once; and by comparing the actual behavior track of the target user with the preset standard behavior track, whether the behavior feature data of the target user belongs to abnormal behavior can be rapidly identified, which improves the identification rate of abnormal behavior events and guarantees the data security of the target device.
In addition, a possible implementation manner is provided in the embodiment of the present application, as shown in fig. 6, after determining the network behavior event as an abnormal behavior event, the abnormal behavior detecting device 40 further includes:
a second determining module 404, configured to determine an identity of the target user based on the network behavior feature data of the target user on the target device.
A limiting module 405, configured to limit the operation of the target user based on the identity of the target user when the network program is restarted.
It can be understood that, when the offset between the actual behavior trajectory of the target user and the standard behavior trajectory exceeds the preset offset range, the network behavior event at this time is an abnormal behavior event. As noted above, the abnormal behavior event is not a single independent network behavior event; rather, the series of network behavior events performed against the target device while the target user executes the network program is abnormal as a whole.
At this time, the identity of the target user may be determined through a tracing technique, where the identity of the target user includes the user name used to log in to the target device, the user name used to log in to the network program, the user name that started the process, or the network card IP address of the target device.
When the network program is restarted, the operation of the target user may be limited according to the identity of the target user: for example, the process of the abnormal user is blocked before it starts, or a system call white list is set to prohibit the application from starting, or the operation of the target user on the target device is limited according to the name of the user of the target device, or the operation of the target user on the network program is displayed according to the name of the user who logged in to the network program.
By performing policy interception on the process of the user identity corresponding to the abnormal behavior event, the privacy and security of the target device's data can be effectively protected.
An embodiment of the present application provides an electronic device, including a memory and a processor; at least one program is stored in the memory and, when executed by the processor, implements the following: by acquiring the network behavior feature data of the target user on the target device and then determining the actual behavior track of the target user on the network from that data, a large batch of behavior feature data can be processed at once; and by comparing the actual behavior track of the target user with the preset standard behavior track, whether the behavior feature data of the target user belongs to abnormal behavior can be rapidly identified, which improves the identification rate of abnormal behavior events and guarantees the data security of the target device.
In an alternative embodiment, an electronic device is provided, as shown in fig. 7, the electronic device 4000 shown in fig. 7 comprising: a processor 4001 and a memory 4003. Processor 4001 is coupled to memory 4003, such as via bus 4002. Optionally, the electronic device 4000 may further comprise a transceiver 4004. In addition, the transceiver 4004 is not limited to one in practical applications, and the structure of the electronic device 4000 is not limited to the embodiment of the present application.
The processor 4001 may be a CPU (Central Processing Unit), a general-purpose processor, a DSP (Digital Signal Processor), an ASIC (Application Specific Integrated Circuit), an FPGA (Field Programmable Gate Array) or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof, and may implement or perform the various illustrative logical blocks, modules, and circuits described in connection with the disclosure. The processor 4001 may also be a combination that performs a computing function, e.g., one or more microprocessors, a combination of a DSP and microprocessors, etc.
Bus 4002 may include a path that carries information between the aforementioned components. The bus 4002 may be a PCI (Peripheral Component Interconnect) bus, an EISA (Extended Industry Standard Architecture) bus, or the like. The bus 4002 may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one thick line is shown in FIG. 7, but this is not intended to represent only one bus or type of bus.
The memory 4003 may be a ROM (Read Only Memory) or other type of static storage device that can store static information and instructions, a RAM (Random Access Memory) or other type of dynamic storage device that can store information and instructions, an EEPROM (Electrically Erasable Programmable Read Only Memory), a CD-ROM (Compact Disc Read Only Memory) or other optical disc storage (including compact disc, laser disc, optical disc, digital versatile disc, Blu-ray disc, etc.), a magnetic disc storage medium or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited thereto.
The memory 4003 is used for storing application codes for executing the scheme of the present application, and the execution is controlled by the processor 4001. Processor 4001 is configured to execute application code stored in memory 4003 to implement what is shown in the foregoing method embodiments.
The embodiment of the application provides a computer storage medium on which a computer program is stored; when the computer program runs on a computer, the computer is caused to execute the corresponding content of the foregoing method embodiment. Compared with the prior art, by acquiring the network behavior feature data of the target user on the target device and then determining the actual behavior track of the target user on the network from that data, the method and the device can process a large amount of behavior feature data at once; and by comparing the actual behavior track of the target user with the preset standard behavior track, whether the behavior feature data of the target user belongs to abnormal behavior can be rapidly identified, which improves the identification rate of abnormal behavior events and guarantees the data security of the target device.
It should be understood that, although the steps in the flowcharts of the figures are shown in the order indicated by the arrows, they are not necessarily performed in that order. Unless explicitly stated herein, the steps are not bound to the exact order shown and may be performed in other orders. Moreover, at least some of the steps in the flowcharts may include multiple sub-steps or multiple stages, which are not necessarily performed at the same time but may be performed at different times, and which are not necessarily performed in sequence but may be performed in turns or alternately with other steps or with at least some of the sub-steps or stages of other steps.
The foregoing is only a partial embodiment of the present invention, and it should be noted that, for those skilled in the art, various modifications and decorations can be made without departing from the principle of the present invention, and these modifications and decorations should also be regarded as the protection scope of the present invention.

Claims (8)

1. An abnormal behavior detection method, comprising:
acquiring network behavior characteristic data of a target user on target equipment, wherein the network behavior characteristic data is used for describing at least one network behavior event of the target user;
determining an actual behavior track of the target user on the network according to the network behavior feature data;
judging whether the network behavior event is an abnormal behavior event or not according to the difference between the actual behavior track and at least one standard behavior track, wherein the standard behavior track is a normal network user behavior track;
the network behavior feature data comprises a network behavior sequence for the target device during execution of the network program, and acquiring the network behavior feature data of the target user during execution of the network program comprises the following steps:
acquiring at least one function calling symbol in the executed process of the network program, wherein the function calling symbol is used for describing a function identifier of a function called by the network program in the executed process;
analyzing and acquiring a network behavior event corresponding to the at least one function call symbol, wherein the network behavior event comprises any one of starting, logging in, accessing, uploading and downloading;
determining a network behavior sequence aiming at the target device in the process that the network program is executed based on the time stamp of the at least one network behavior event, and determining a feature vector of the network behavior sequence in the process that the network program is executed as network behavior feature data of the target user;
the analyzing and acquiring the network behavior event corresponding to the at least one function call symbol includes:
analyzing a calling behavior corresponding to a calling function according to the calling time duration of a function calling symbol through a preset classification model, and determining the network behavior event according to equipment behaviors included in the calling behavior;
determining an actual behavior track of the target user on the network according to the network behavior feature data includes:
inputting the network behavior feature data into a first pre-trained behavior feature distribution model to obtain a first distribution probability for each network behavior event, and determining an actual behavior track of the target user on the network according to the first distribution probability of each network behavior event, wherein the first behavior feature distribution model is a Gaussian mixture model of behavior feature data of the target device distributed in a feature space;
the first behavior feature distribution model is obtained based on maximum posterior probability self-adaptive algorithm training.
2. The method of claim 1, wherein acquiring a standard behavior track of the target user on the network comprises:
inputting the network behavior feature data into a pre-trained second behavior feature distribution model to obtain a second distribution probability for each network behavior event, and determining the standard behavior track of the target user on the network according to the second distribution probability of each network behavior event, wherein the second behavior feature distribution model is a universal background model of the distribution of standard behavior feature data in the feature space.
3. The method of claim 2, wherein determining whether the network behavior event is an abnormal behavior event according to the difference between the actual behavior track and at least one standard behavior track comprises:
if the offset between the actual behavior track and at least one standard behavior track exceeds a preset offset range, determining that the network behavior event is an abnormal behavior event.
4. The method according to claim 2, wherein establishing the first behavior feature distribution model comprises the following steps:
training the Gaussian mixture model on sample behavior feature data of non-target devices to obtain the second behavior feature distribution model;
and inputting the sample behavior feature data of the target device into the second behavior feature distribution model, and obtaining the first behavior feature distribution model by maximum a posteriori adaptation.
5. The method according to any one of claims 1-4, wherein, after the network behavior event is determined to be an abnormal behavior event, the method further comprises:
determining an identifier of the target user based on the network behavior feature data of the target user on the target device;
and when the network program is started again, restricting the operations of the target user based on the identifier of the target user.
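The following is a worked implementation of the pipeline described in claims 1 to 4, added here as an illustration; it is not code from the patent or from the applicant. It assumes a constructed symbol-to-event table in place of the preset classification model, a two-dimensional feature (event code plus log call duration) per event, a diagonal-covariance Gaussian mixture trained by EM on pooled non-target data as the universal background model, Reynolds-style relevance-factor MAP adaptation of the mixture weights and means to the target device's samples, and a per-event offset defined as the background model's log-probability minus the adapted model's log-probability, flagged as abnormal when it exceeds the preset limit. All sample data are constructed.

```python
import math
import random

# Constructed symbol-to-event mapping; it stands in for the preset classification model.
EVENT_BY_SYMBOL = {"app_main": "start", "auth_login": "login", "http_get": "access",
                   "http_put": "upload", "http_download": "download"}
EVENTS = ["start", "login", "access", "upload", "download"]

def events_from_calls(calls):  # calls: (symbol, timestamp, duration_ms)
    seq = [(EVENT_BY_SYMBOL[s], ts, dur) for s, ts, dur in calls if s in EVENT_BY_SYMBOL]
    return sorted(seq, key=lambda e: e[1])  # behaviour sequence ordered by timestamp

def feature_vector(event, duration_ms):  # assumed 2-D feature: event code, log duration
    return [float(EVENTS.index(event)), math.log1p(duration_ms)]

def log_sum_exp(vals):
    m = max(vals)
    return m + math.log(sum(math.exp(v - m) for v in vals))

class DiagGMM:
    """Gaussian mixture with diagonal covariances."""
    def __init__(self, w, mu, var):
        self.w, self.mu, self.var = w, mu, var
    def component_logs(self, x):  # log(w_j) + log N(x | mu_j, var_j) for each component
        return [math.log(w) + sum(-0.5 * (math.log(2 * math.pi * v) + (xi - m) ** 2 / v)
                                  for xi, m, v in zip(x, mu, var))
                for w, mu, var in zip(self.w, self.mu, self.var)]
    def log_prob(self, x):
        return log_sum_exp(self.component_logs(x))
    def responsibilities(self, x):
        tot = self.log_prob(x)
        return [math.exp(l - tot) for l in self.component_logs(x)]

def suff_stats(gmm, data):
    """E-step statistics: soft counts, weighted sums and weighted squared sums."""
    k, d = len(gmm.w), len(data[0])
    n, sx, sxx = [0.0] * k, [[0.0] * d for _ in range(k)], [[0.0] * d for _ in range(k)]
    for x in data:
        for j, r in enumerate(gmm.responsibilities(x)):
            n[j] += r
            for i in range(d):
                sx[j][i] += r * x[i]
                sxx[j][i] += r * x[i] * x[i]
    return n, sx, sxx

def train_ubm(data, k, iters=30, var_floor=0.05):
    """EM on pooled non-target samples: the universal background model of claim 4."""
    d, ordered, step = len(data[0]), sorted(data), len(data) // k
    means = [list(ordered[step // 2 + j * step]) for j in range(k)]  # spread initial means
    gmm = DiagGMM([1.0 / k] * k, means, [[0.1] * d for _ in range(k)])
    for _ in range(iters):
        n, sx, sxx = suff_stats(gmm, data)
        n = [max(nj, 1e-12) for nj in n]
        gmm.w = [nj / len(data) for nj in n]
        gmm.mu = [[sx[j][i] / n[j] for i in range(d)] for j in range(k)]
        gmm.var = [[max(sxx[j][i] / n[j] - gmm.mu[j][i] ** 2, var_floor) for i in range(d)]
                   for j in range(k)]
    return gmm

def map_adapt(ubm, target_data, relevance=16.0):
    """MAP adaptation of weights and means; components the target never uses keep UBM values."""
    n, sx, _ = suff_stats(ubm, target_data)
    t, d, w, mu = len(target_data), len(ubm.mu[0]), [], []
    for j in range(len(ubm.w)):
        alpha = n[j] / (n[j] + relevance)  # data-dependent adaptation coefficient
        w.append(alpha * n[j] / t + (1 - alpha) * ubm.w[j])
        ex = [sx[j][i] / n[j] if n[j] > 1e-9 else ubm.mu[j][i] for i in range(d)]
        mu.append([alpha * ex[i] + (1 - alpha) * ubm.mu[j][i] for i in range(d)])
    z = sum(w)
    return DiagGMM([wj / z for wj in w], mu, [list(v) for v in ubm.var])

def detect(ubm, user_model, seq, offset_limit):
    """Offset = UBM log-probability minus adapted-model log-probability; beyond limit = abnormal."""
    out = []
    for event, _ts, dur in seq:
        x = feature_vector(event, dur)
        offset = ubm.log_prob(x) - user_model.log_prob(x)
        out.append((event, offset, offset > offset_limit))
    return out

# Constructed sample data: typical log-duration per event, drawn with a seeded generator.
DURATION_CENTER = {"start": 2.0, "login": 3.0, "access": 4.0, "upload": 6.0, "download": 7.0}

def synth(rng, event, count):
    return [[float(EVENTS.index(event)), rng.gauss(DURATION_CENTER[event], 0.3)] for _ in range(count)]

def run_demo():
    rng = random.Random(7)
    population = [v for e in EVENTS for v in synth(rng, e, 40)]  # non-target devices
    ubm = train_ubm(population, k=len(EVENTS))
    user_model = map_adapt(ubm, synth(rng, "access", 30) + synth(rng, "download", 30))
    calls = [("http_put", 12.0, math.expm1(6.0)),  # upload: this user never uploads
             ("malloc", 11.0, 0.5),                # not a network call symbol: dropped
             ("http_get", 10.0, math.expm1(4.0))]  # access: habitual for this user
    return detect(ubm, user_model, events_from_calls(calls), offset_limit=0.2)

if __name__ == "__main__":
    for event, offset, abnormal in run_demo():
        print(f"{event:9s} offset={offset:+.3f} abnormal={abnormal}")
```

Running the file scores a two-event sequence for a user whose adapted model was built from access and download events only: the access event stays within the preset range, while the upload event exceeds it. Adapting the mixture weights, not only the means, is what makes this work: with mean-only adaptation the components a user never exercises keep exactly their background values, so an unfamiliar event would score almost identically under both models and the offset would stay near zero.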
6. An abnormal behavior detection apparatus, comprising:
a network behavior feature data acquisition module, configured to acquire network behavior feature data of a target user on a target device, wherein the network behavior feature data describes at least one network behavior event of the target user;
a first determining module, configured to determine the actual behavior track of the target user on the network according to the network behavior feature data;
a judging module, configured to judge whether the network behavior event is an abnormal behavior event according to the difference between the actual behavior track and at least one standard behavior track, wherein the standard behavior track is a normal network user behavior track;
wherein the network behavior feature data comprises a network behavior sequence for the target device during execution of a network program, and the network behavior feature data acquisition module specifically comprises:
an acquiring unit, configured to acquire at least one function call symbol during execution of the network program, wherein the function call symbol describes the function identifier of a function called by the network program during its execution;
an analysis unit, configured to analyze the at least one function call symbol to obtain the corresponding network behavior event, wherein the network behavior event is any one of starting, logging in, accessing, uploading and downloading;
a determining unit, configured to determine, based on the timestamp of the at least one network behavior event, the network behavior sequence for the target device during execution of the network program, and to determine a feature vector of that network behavior sequence as the network behavior feature data of the target user;
wherein the analysis unit is specifically configured to:
analyze, through a preset classification model, the calling behavior corresponding to the called function according to the call duration of the function call symbol, and determine the network behavior event according to the device behaviors included in that calling behavior;
wherein the first determining module comprises a first determining submodule, configured to input the network behavior feature data into a pre-trained first behavior feature distribution model to obtain a first distribution probability for each network behavior event, and to determine the actual behavior track of the target user on the network according to the first distribution probability of each network behavior event, wherein the first behavior feature distribution model is a Gaussian mixture model of the distribution of the target device's behavior feature data in a feature space;
and wherein the first behavior feature distribution model is obtained by training with a maximum a posteriori (MAP) adaptation algorithm.
7. An electronic device, comprising:
one or more processors;
a memory;
one or more applications, wherein the one or more applications are stored in the memory and configured to be executed by the one or more processors, the one or more applications configured to: performing the abnormal behavior detection method according to any one of claims 1 to 5.
8. A computer storage medium having a computer program stored thereon, the program, when executed by a processor, implementing the abnormal behavior detection method of any one of claims 1 to 5.
CN202010943289.6A 2020-09-09 2020-09-09 Abnormal behavior detection method and device, electronic equipment and computer storage medium Active CN112087452B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010943289.6A CN112087452B (en) 2020-09-09 2020-09-09 Abnormal behavior detection method and device, electronic equipment and computer storage medium

Publications (2)

Publication Number Publication Date
CN112087452A CN112087452A (en) 2020-12-15
CN112087452B true CN112087452B (en) 2022-11-15

Family

ID=73732508

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010943289.6A Active CN112087452B (en) 2020-09-09 2020-09-09 Abnormal behavior detection method and device, electronic equipment and computer storage medium

Country Status (1)

Country Link
CN (1) CN112087452B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11503054B2 (en) * 2020-03-05 2022-11-15 Aetna Inc. Systems and methods for identifying access anomalies using network graphs
CN112231700B (en) * 2020-12-17 2021-05-11 腾讯科技(深圳)有限公司 Behavior recognition method and apparatus, storage medium, and electronic device
CN114826707B (en) * 2022-04-13 2022-11-25 中国人民解放军战略支援部队航天工程大学 Method, apparatus, electronic device and computer readable medium for handling user threats
CN115174217B (en) * 2022-07-04 2023-03-31 北京华清信安科技有限公司 SOAR-based automatic analysis method for security data arrangement
CN116185672B (en) * 2023-04-28 2023-08-22 北京亿赛通科技发展有限责任公司 Data monitoring method, device and storage medium
CN116707940B (en) * 2023-06-26 2024-02-13 天翼安全科技有限公司 Data security visual analysis method and system based on big data

Citations (6)

Publication number Priority date Publication date Assignee Title
CN102930210A (en) * 2012-10-14 2013-02-13 江苏金陵科技集团公司 System and method for automatically analyzing, detecting and classifying malicious program behavior
CN106657410A (en) * 2017-02-28 2017-05-10 国家电网公司 Detection method for abnormal behaviors based on user access sequence
CN107306252A (en) * 2016-04-21 2017-10-31 中国移动通信集团河北有限公司 A kind of data analysing method and system
CN108156146A (en) * 2017-12-19 2018-06-12 北京盖娅互娱网络科技股份有限公司 A kind of method and apparatus for being used to identify abnormal user operation
CN110365703A (en) * 2019-07-30 2019-10-22 国家电网有限公司 Internet-of-things terminal abnormal state detection method, apparatus and terminal device
CN110798440A (en) * 2019-08-13 2020-02-14 腾讯科技(深圳)有限公司 Abnormal user detection method, device and system and computer storage medium

Family Cites Families (4)

Publication number Priority date Publication date Assignee Title
US20150235152A1 (en) * 2014-02-18 2015-08-20 Palo Alto Research Center Incorporated System and method for modeling behavior change and consistency to detect malicious insiders
CN104866296B (en) * 2014-02-25 2019-05-28 腾讯科技(北京)有限公司 Data processing method and device
CN109727027B (en) * 2018-06-01 2024-05-03 深圳市秋雨电子科技有限公司 Account identification method, device, equipment and storage medium
CN110489263A (en) * 2019-08-12 2019-11-22 腾讯科技(深圳)有限公司 The abnormality recognition method and device that process is called

Also Published As

Publication number Publication date
CN112087452A (en) 2020-12-15

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20230519

Address after: Room 401, Floor 4, No. 2, Haidian East Third Street, Haidian District, Beijing 100080

Patentee after: Yuanxin Information Technology Group Co.,Ltd.

Address before: 100080 401-06, 4th floor, 2 Haidian East 3rd Street, Haidian District, Beijing

Patentee before: YUANXIN TECHNOLOGY