CN112307475A - System detection method and device - Google Patents

Info

Publication number: CN112307475A
Authority: CN (China)
Prior art keywords: state, current operation, operation data, behavior vector, data
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202011056513.6A
Other languages: Chinese (zh)
Inventors: 李明春, 王晓煊
Current assignee: Beijing Zhilian Anhang Technology Co.,Ltd. (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original assignee: Beijing Ruanhui Technology Co ltd
Application filed by Beijing Ruanhui Technology Co ltd; priority to CN202011056513.6A; publication of CN112307475A.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Abstract

One or more embodiments of the present disclosure provide a system detection method and apparatus, including: acquiring current operation data of the system; constructing a current operation behavior vector from the current operation data; detecting the current operation behavior vector against a pre-constructed normal behavior vector model to obtain a detection result; and outputting the detection result. The method can detect the system state in real time, discovers abnormality promptly and has good overall performance.

Description

System detection method and device
Technical Field
One or more embodiments of the present disclosure relate to the field of information security technologies, and in particular, to a system detection method and apparatus.
Background
With the rapid development of computer, communication and software technologies, terminals of all kinds are in common use and carry a wide variety of application software. However, malicious software may be installed without the user's knowledge, may illegally access and harvest user data from the terminal, or may even attack the terminal through system bugs, causing the system to behave abnormally. To keep terminal data secure, the system must be monitored while it is running, so that abnormality is discovered in time and security threats to the system are avoided.
Disclosure of Invention
In view of the above, one or more embodiments of the present disclosure are directed to a system detection method and apparatus capable of detecting the state of a system.
To that end, one or more embodiments of the present specification provide a system detection method, including:
acquiring current operation data of the system;
constructing a current operation behavior vector from the current operation data;
detecting the current operation behavior vector against a pre-constructed normal behavior vector model to obtain a detection result;
and outputting the detection result.
Optionally, the current operation data includes system performance operation parameters, operation parameters of the applications in the running state, and network operation parameters;
and constructing the current operation behavior vector from the current operation data includes:
digitizing the current operation data to obtain operation data suitable for arithmetic processing;
and, for that operation data, merging the parameters that are associated with one another during system operation, the merged parameters forming the current operation behavior vector.
Optionally, the system performance operation parameters include a total CPU occupancy state, a total memory occupancy state and a total power consumption state; the operation parameters of an application in the running state include an application type, the open state of its authorities, a CPU occupancy state, a memory occupancy state and a power consumption state; and the network operation parameters include the open and connection state of each network module;
and digitizing the current operation data to obtain operation data suitable for arithmetic processing includes:
assigning the total CPU occupancy state and the CPU occupancy state corresponding level values according to pre-divided occupancy levels;
assigning the total memory occupancy state and the memory occupancy state corresponding state values according to whether memory occupancy has increased, decreased or remained unchanged;
assigning the total power consumption state and the power consumption state corresponding state values according to whether the increase in power consumption is small, general or large;
assigning the application type a corresponding type number according to the preset application types;
assigning the open state of an authority a corresponding state value according to whether the authority is open or closed;
and assigning the open and connection state of a network module a corresponding state value according to whether the module is open or closed and connected or disconnected.
Optionally, there is at least one type of authority and at least one network module;
and, for the operation data, merging the parameters associated in system operation to form the current behavior vector includes:
merging the total CPU occupancy state, the total memory occupancy state and the total power consumption state into one parameter;
merging the CPU occupancy state, the memory occupancy state and the power consumption state of an application into one parameter;
merging the open states of all types of authority into one parameter;
and merging the open and connection states of all network modules into one parameter.
Optionally, the normal behavior vector model is constructed by:
obtaining at least one group of current operation data in advance;
constructing at least one group of normal operation behavior vector samples from that current operation data;
and performing cluster analysis on the normal operation behavior vector samples to obtain a preset number of normal behavior feature vectors, one per classification, together with the cluster radius corresponding to each normal behavior feature vector.
Optionally, constructing at least one group of normal operation behavior vector samples from at least one group of current operation data includes:
filtering invalid data out of the at least one group of current operation data to obtain at least one group of valid operation data;
digitizing the valid operation data to obtain at least one group of operation data suitable for arithmetic processing;
and, for that operation data, merging the parameters associated in system operation to form at least one group of normal operation behavior vector samples.
Optionally, obtaining the at least one group of current operation data in advance means collecting current operation data at preset time intervals within a sampling period;
and filtering invalid data out of the current operation data to obtain valid operation data includes: judging whether the current operation data collected in a sampling period reaches a preset number of samples; if not, treating the data collected in that sampling period as invalid, resetting the sampling period and collecting current operation data again in the reset period, until the data collected in a sampling period reaches the preset number; the current operation data that reaches the preset number is taken as the valid operation data.
Optionally, detecting the current operation behavior vector against the pre-constructed normal behavior vector model to obtain a detection result includes:
calculating the distance between the current operation behavior vector and each normal behavior feature vector;
determining the normal behavior feature vector at the minimum distance from the current operation behavior vector;
and judging whether the current operation behavior vector lies within the cluster radius corresponding to that nearest normal behavior feature vector: if so, the current operation behavior vector belongs to the normal behavior represented by that feature vector; if not, it belongs to abnormal behavior.
Optionally, the current operation behavior vector includes at least one merged parameter, each merged parameter being a binary string;
and calculating the distance between the current operation behavior vector and each normal behavior feature vector includes: for each merged parameter of the current operation behavior vector and the corresponding merged parameter of the normal behavior feature vector, taking the difference between the two parameters to be the number of bit positions at which they differ (their Hamming distance).
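The model construction and detection steps described above (valid-period filtering, cluster analysis, nearest feature vector, radius check), carried through in code as an added example; this is not the patent's own code. The distance is the bitwise difference the description specifies; the clustering algorithm is an assumption, since the patent names "cluster analysis" without fixing one. A k-medoids clustering under that distance is used here, so every feature vector is one of the normal samples and the cluster radius is the largest distance from the medoid to a member of its cluster. The sample vectors are constructed.

```python
from __future__ import annotations

# Added example, not the patent's own code. A behavior vector is a list of merged
# binary-string parameters; its distance to a normal behavior feature vector is the
# number of differing bits, summed over the parameters, as the description specifies.
# Clustering: k-medoids under that distance (an assumption; the patent fixes no algorithm).

BehaviorVector = list  # list[str], one binary string per merged parameter


def hamming(a: str, b: str) -> int:
    """Number of bit positions at which two equal-length binary strings differ."""
    if len(a) != len(b):
        raise ValueError("merged parameters must have the same bit length")
    return sum(x != y for x, y in zip(a, b))


def vector_distance(v: BehaviorVector, w: BehaviorVector) -> int:
    """Distance between two behavior vectors: per-parameter Hamming distances, summed."""
    if len(v) != len(w):
        raise ValueError("behavior vectors must carry the same parameters")
    return sum(hamming(a, b) for a, b in zip(v, w))


def filter_valid_periods(periods: list[list], preset_count: int) -> list:
    """Keep samples only from sampling periods that reached the preset sample count."""
    return [s for period in periods if len(period) >= preset_count for s in period]


def _nearest(v: BehaviorVector, centers: list) -> int:
    return min(range(len(centers)), key=lambda i: vector_distance(v, centers[i]))


def _assign(samples: list, centers: list) -> list[list]:
    groups: list[list] = [[] for _ in centers]
    for s in samples:
        groups[_nearest(s, centers)].append(s)
    return groups


def build_model(samples: list, k: int, max_iter: int = 20) -> tuple[list, list[int]]:
    """Cluster normal samples into k classes; return (feature vectors, cluster radii)."""
    if not 0 < k <= len(samples):
        raise ValueError("k must be between 1 and the number of samples")
    # farthest-first seeding keeps the result deterministic
    centers = [samples[0]]
    while len(centers) < k:
        centers.append(max(samples, key=lambda s: min(vector_distance(s, c) for c in centers)))
    for _ in range(max_iter):
        groups = _assign(samples, centers)
        # new medoid of each group: the member closest to all other members
        new_centers = [
            min(g, key=lambda m: sum(vector_distance(m, o) for o in g)) if g else c
            for g, c in zip(groups, centers)
        ]
        if new_centers == centers:
            break
        centers = new_centers
    groups = _assign(samples, centers)
    radii = [max((vector_distance(c, m) for m in g), default=0) for c, g in zip(centers, groups)]
    return centers, radii


def detect(vector: BehaviorVector, centers: list, radii: list[int]) -> tuple[str, int, int]:
    """Nearest feature vector, then radius check: ('normal'|'abnormal', cluster index, distance)."""
    i = _nearest(vector, centers)
    d = vector_distance(vector, centers[i])
    return ("normal" if d <= radii[i] else "abnormal", i, d)


# Constructed normal samples: [CPU&Memory&Battery (7 bits), WIFI&Bluetooth&cellular (6 bits)].
# The first four describe an idle system, the last four a busy one.
NORMAL_SAMPLES = [
    ["0000000", "110000"], ["0010000", "110000"], ["0000000", "110100"], ["0010100", "110000"],
    ["1111111", "111111"], ["0111111", "111111"], ["1111111", "111101"], ["1110111", "111111"],
]

if __name__ == "__main__":
    centers, radii = build_model(NORMAL_SAMPLES, k=2)
    print("feature vectors:", centers, "radii:", radii)
    print(detect(["0010000", "110100"], centers, radii))  # inside the idle cluster -> normal
    print(detect(["0111111", "110000"], centers, radii))  # heavy load with radios off -> abnormal
```

The radius check is what separates "nearest cluster" from "normal": the second probe is nearest to the busy cluster but five bits away from its feature vector, well outside a radius of one, so it is reported abnormal rather than silently absorbed into the closest class. Because the distance is positional, every training sample and every live vector must carry the same parameters in the same bit order; a mismatch in vector layout shows up as spurious distance, not as an error.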
This specification also provides a system detection apparatus, including:
an acquisition module for acquiring the current operation data of the system;
a construction module for constructing a current operation behavior vector from the current operation data;
a detection module for detecting the current operation behavior vector against a pre-constructed normal behavior vector model to obtain a detection result;
and an output module for outputting the detection result.
As can be seen from the above, in the system detection method and apparatus provided in one or more embodiments of the present disclosure, current operation data of a system is obtained, a current operation behavior vector is constructed from it, a detection result is obtained by checking that vector against a pre-constructed normal behavior vector model, and the detection result is output. The method can detect the system state in real time, discovers abnormality promptly and has good overall performance.
Drawings
In order to illustrate one or more embodiments of the present specification or the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly described below. It is obvious that the drawings in the following description show only one or more embodiments of the present specification, and that a person skilled in the art could obtain other drawings from them without inventive effort.
FIG. 1 is a schematic flow chart of a method according to one or more embodiments of the present disclosure;
FIG. 2 is a schematic diagram of an apparatus according to one or more embodiments of the present disclosure;
FIG. 3 is a schematic structural diagram of an electronic device according to one or more embodiments of the present disclosure.
Detailed Description
For the purpose of promoting a better understanding of the objects, aspects and advantages of the present disclosure, reference is made to the following detailed description taken in conjunction with the accompanying drawings.
It is to be noted that unless otherwise defined, technical or scientific terms used in one or more embodiments of the present specification should have the ordinary meaning as understood by those of ordinary skill in the art to which this disclosure belongs. The use of "first," "second," and similar terms in one or more embodiments of the specification is not intended to indicate any order, quantity, or importance, but rather is used to distinguish one element from another. The word "comprising" or "comprises", and the like, means that the element or item listed before the word covers the element or item listed after the word and its equivalents, but does not exclude other elements or items. The terms "connected" or "coupled" and the like are not restricted to physical or mechanical connections, but may include electrical connections, whether direct or indirect. "upper", "lower", "left", "right", and the like are used merely to indicate relative positional relationships, and when the absolute position of the object being described is changed, the relative positional relationships may also be changed accordingly.
In some application scenarios, methods for detecting system anomalies fall mainly into detection based on an anomaly model, on a misuse model, on a cloud model, and on a knowledge-based time-series model. Anomaly-model detection characterises the behaviour of normal operation, sets a deviation threshold, compares the system's current behaviour data with the normal behaviour characteristics, and decides whether the system is abnormal by checking whether the deviation stays within the threshold; this approach requires frequent adjustment of the reference model to fit different abnormal behaviour patterns so that the model still reflects normal behaviour correctly. Misuse-model detection judges the current state of the system, normal or abnormal, against a continually growing knowledge base of known attack behaviour patterns; its results are limited by how up to date the knowledge base is, and it cannot keep up with real-time use of the system. Cloud-model anomaly detection collects the system's current data at the client and sends it to a server, which performs the anomaly analysis and returns the result to the client; this costs time and network traffic and affects the overall operating efficiency of the system. Knowledge-based time-series anomaly detection monitors the activity states of the hardware and of users and compares the time trends of normal and abnormal activity to decide whether an anomaly exists. Moreover, these detection methods do not consider the influence of the various parameters of system operation on the system's operation.
To solve these problems, embodiments of the present specification provide a system detection method and apparatus that integrate the various parameters of the system's operation, establish a normal behavior vector model, and use that model to detect the system's current behaviour data; this can detect the system in real time, discover abnormality promptly, and has good overall performance.
As shown in FIG. 1, one or more embodiments of the present disclosure provide a system detection method, including:
S101: acquiring current operation data of the system;
In this embodiment, the current operation data is acquired in real time while the system is running. The current operation data comprises system performance operation parameters, operation parameters of the applications in the running state, and network operation parameters.
In some modes, the system performance operation parameters are the various performance parameters of the system's current operation, including but not limited to the total CPU occupancy state, total memory occupancy state, total power consumption state, number of installed applications, number of processes, number of foreground processes, number of service processes, number of background processes and number of idle processes. The operation parameters of an application in the running state are the parameters of each application currently running in the system, including but not limited to the application name, application type, application identifier, process ID, CPU occupancy state, memory occupancy state, power consumption state, authority types and their open states, traffic usage state, number of processes, number of foreground processes, number of service processes, number of background processes and number of idle processes. The network operation parameters are the network parameters of the system's current operation, including but not limited to the open and connection state of each network module; which network modules are reported depends on the modules the system is configured with. For example, for a vehicle-mounted system the configured network modules include but are not limited to a WIFI module, a Bluetooth module and a mobile network module, and the open and connection states of the network modules may be, for instance, WIFI module open but not connected, Bluetooth module not open, and mobile network module open and connected.
S102: constructing a current operation behavior vector from the current operation data;
In this embodiment, the current operation data acquired in real time is preprocessed, and a current operation behavior vector covering the various parameters of system operation is constructed from the preprocessed data.
S103: detecting the current operation behavior vector against a pre-constructed normal behavior vector model to obtain a detection result;
In this embodiment, a normal behavior vector model for detecting the system state is constructed in advance. The current operation state of the system is detected by comparing the current operation behavior vector, obtained from real-time acquisition and processing, with the normal behavior vector model; whether an abnormality exists is determined, and a detection result of abnormal or normal is obtained.
S104: outputting the detection result.
According to the system detection method of this embodiment, the current operation data of the system is obtained, the current operation behavior vector is constructed from it, detection is carried out against the pre-constructed normal behavior vector model to obtain the detection result, and the detection result is output. The method can detect the system state in real time, discover abnormality promptly, improve the early warning capability of the system, and has good overall performance.
In some embodiments, constructing the current operation behavior vector from the current operation data comprises:
digitizing the current operation data to obtain operation data suitable for arithmetic processing;
and, for that operation data, merging the parameters associated in the system operation process to form the current operation behavior vector.
In this embodiment, the acquired current operation data is preprocessed to construct the current operation behavior vector. Preprocessing comprises: digitizing the current operation data into operation data on which arithmetic can later be performed, then merging at least one group of associated parameters in that operation data into at least one parameter; the merged result is the current operation behavior vector. The preprocessed current operation behavior vector is compact, suited to subsequent processing, and improves data processing efficiency.
In some embodiments, some of the system performance operation parameters, application operation parameters and network operation parameters can be described quantitatively, while others of the system performance operation parameters and network operation parameters can only be described qualitatively; the various parameters therefore need to be digitized in a uniform way before subsequent arithmetic processing.
Digitizing the current operation data to obtain operation data suitable for arithmetic processing comprises:
assigning the total CPU occupancy state and the CPU occupancy state corresponding level values according to pre-divided occupancy levels;
assigning the total memory occupancy state and the memory occupancy state corresponding state values according to whether memory occupancy has increased, decreased or remained unchanged;
assigning the total power consumption state and the power consumption state corresponding state values according to whether the increase in power consumption is small, general or large;
assigning the application type a corresponding type number according to the preset application types;
assigning the open state of an authority a corresponding state value according to whether the authority is open or closed;
and assigning the open and connection state of a network module a corresponding state value according to whether the module is open or closed and connected or disconnected.
In this embodiment, because the data formats of the acquired parameters are not uniform, the parameters are digitized uniformly according to a predetermined rule so that they can be processed together afterwards.
For example, the system performance operation parameters include the total CPU occupancy state, total memory occupancy state, total power consumption state, number of processes, number of foreground processes, number of service processes, number of background processes, number of idle processes and so on; the process counts (total, foreground, service, background and idle) are already specific numerical values suitable for arithmetic processing and need no digitization. Likewise, for an application's traffic usage state, the data traffic sent and the data traffic received are specific numerical values and need no digitization.
For the total CPU occupancy state, the raw total CPU occupancy contains decimal fractions, which would affect the efficiency and accuracy of computation, so occupancy levels are divided in advance and the total CPU occupancy state is assigned the corresponding level value. In some embodiments: total CPU occupancy greater than 50% is the high-loss level, level value 3, binary string "111"; greater than 25% and at most 50% is the general-loss level, level value 2, binary string "011"; greater than 5% and at most 25% is the low-loss level, level value 1, binary string "001"; and at most 5% is the no-loss level, level value 0, binary string "000". The CPU occupancy state of an application is assigned in the same way.
For the total memory occupancy state, the total memory occupancy is compared with the value acquired last time and classified as increased, decreased or unchanged (change within a preset range): the unchanged state has state value 0, binary string "00"; the increased state has state value 1, binary string "01"; and the decreased state has state value 2, binary string "11". The memory occupancy state of an application is assigned in the same way.
For the total power consumption state, the increment over the power consumption acquired last time is classified: an increment below a preset low amplitude is the small-increase state, state value 0, binary string "00"; an increment between the preset low and high amplitudes is the general-increase state, state value 1, binary string "01"; and an increment above the preset high amplitude is the large-increase state, state value 2, binary string "11". The power consumption state of an application is assigned in the same way.
Application types can be divided into system applications and non-system applications, with type number 1 for system applications and 0 for non-system applications.
For the authority types and open states of an application, each authority is given a state value according to whether it is open or closed. For example, the camera authority has state value 1 when open and 0 when closed, the address book authority has state value 1 when open and 0 when closed, the geographic location authority has state value 1 when open and 0 when closed, and so on. The number and types of authorities and their open states may be set according to the configuration of the specific application; this embodiment does not limit them.
For the open and connection state of a network module, the module is classified as not open, open but not connected, or open and connected, according to whether it is open or closed and connected or disconnected; the not-open state has state value 0, binary string "00", the open-but-not-connected state has state value 1, binary string "01", and the open-and-connected state has state value 2, binary string "11".
In some embodiments, an application has at least one type of authority and the system has at least one network module; optionally, the authority types of an application include but are not limited to camera, geographic location and address book authorities, and the network modules configured in the system include but are not limited to a Bluetooth module, a mobile network module and a WIFI module.
For the operation data, merging the parameters associated in system operation to form the current operation behavior vector includes:
merging the total CPU occupancy state, the total memory occupancy state and the total power consumption state into one parameter;
merging the CPU occupancy state, the memory occupancy state and the power consumption state of an application into one parameter;
merging the open states of all types of authority into one parameter;
and merging the open and connection states of all network modules into one parameter.
In this embodiment, parameters that are associated with one another are merged in order to simplify the data and improve processing efficiency. For example, among the system performance operation parameters, the total CPU occupancy state, total memory occupancy state and total power consumption state are associated in the actual operation of the system: combinations that do not match reality, such as the total CPU occupancy state being at the high-loss level while the total memory occupancy state is unchanged, or the total CPU occupancy state being at the no-loss level while the total memory occupancy state is increased or decreased, do not occur, so these three states can be merged into one parameter. For example, if the total CPU occupancy state is "001", the total memory occupancy state is "01" and the total power consumption state is "00", the three parameters after merging are represented as "0010100". Similarly, the CPU occupancy state, memory occupancy state and power consumption state of an application can be merged into one parameter in the same manner.
For the authorities, the open states of all authority types can be merged into one parameter. For example, if the open state of the camera authority is 0, that of the address book authority is 1 and that of the geographic location authority is 1, the merged open states are represented as "011".
For the network modules, the open and connection states of all network modules can be merged into one parameter. For example, if the state of the Bluetooth module is "00", that of the WIFI module is "01" and that of the mobile network module is "11", the merged open and connection states of the network modules are represented as "000111".
In one embodiment, the current behavior data obtained is:
1) system performance operating parameters: the total occupancy rate of the CPU is 50%, the total memory occupancy rate is 1000MB, the total power consumption is 50%, the number of installed applications is 160, the number of processes is 500, the number of foreground processes is 100, the number of visible processes is 100, the number of service processes is 100, the number of background processes is 100, and the number of idle processes is 100;
2) the WIFI module is in a connected state, the Bluetooth module is in an open and unconnected state, and the mobile network module is not opened;
3) an application A in the running state, marked 10100: the application name is com.Autonavi.minimap, the application type is non-system application, the CPU occupancy rate is 20%, the memory occupancy is 180MB, the power consumption is 1.91, the process IDs are 19671, 20405 and 21177, the number of applied authorities is 16, the received data flow is 180MB and the sent data flow is 50MB; the foreground process number is 0, the visible process number is 1, the service process number is 2, the background process number is 0, and the idle process number is 0;
carrying out digital processing on the acquired current behavior data to obtain:
the CPU total occupation state is 011, the memory total occupation state is 01, and the total power consumption state is 01; the starting state of the WIFI module is '11', the starting state of the Bluetooth module is '01', and the starting state of the mobile network module is '00'; the application type of the application A is 0, the CPU occupation state is '001', the memory occupation state is '01', the power consumption state is '01', and the opening states of the 16 authorities are 0, 1, 0, 0, 1, 1, 0, 0, 0, 1, 1 and 0 respectively.
The CPU total occupation state, the Memory total occupation state and the total power consumption state are combined and processed into 0110101 (CPU & Memory & Battery), the opening and connection states of the WIFI module, the Bluetooth module and the mobile network module are combined and processed into 110100 (WIFI & Bluetooth & cellular network), the CPU occupation state, the Memory occupation state and the power consumption state of the application A are combined and processed into 0010101 (CPU & Memory & Battery of the application A), and the opening states of 16 authorities are combined and processed into 0100110011000110;
after preprocessing, the current operation behavior vector is obtained as follows:
{ "0110101" (for CPU & Memory & Battery), "110100" (for WIFI & Bluetooth & cellular network), 160 (for installed application number), 500 (for process number), 100 (for foreground process number), 100 (for visible process number), 100 (for service process number), 100 (for background process number), 100 (for idle process number), 0 (for application type of application A), "0010101" (for CPU & Memory & Battery of application A), "0100110011000110" (for open state of the 16 kinds of rights of application A, each bit representing the open state of one kind of right), 180 (for received data traffic of application A), 50 (for transmitted data traffic of application A), 1 (for foreground process number of application A), 0 (for visible process number of application A), 2 (for service process number of application A), 0 (for background process number of application A), 0 (for idle process number of application A) }. Therefore, the current operation behavior vector obtained after preprocessing not only represents the operation state of the system through the various parameters of system operation, but also simplifies the data and improves the efficiency of subsequent processing.
In some embodiments, the method for constructing the normal behavior vector model includes:
at least one group of current operation data is obtained in advance;
constructing at least one group of normal operation behavior vector samples according to at least one group of current operation data;
and performing cluster analysis processing on at least one group of normal operation behavior vector samples to obtain normal behavior feature vectors of a preset classification quantity and cluster radiuses corresponding to the normal behavior feature vectors.
In this embodiment, to detect the current operating state of the system, a normal behavior vector model is pre-constructed, and whether the system is operating normally is determined according to the current operating data obtained in real time based on the normal behavior vector model. The method for constructing the normal behavior vector model comprises the following steps: obtaining multiple groups of current operation data in advance, constructing multiple groups of normal operation behavior vector samples according to the current operation data of each group, and then carrying out cluster analysis processing on the normal operation behavior vector samples to obtain at least one classified normal behavior feature vector and a cluster radius corresponding to each normal behavior feature vector. Subsequently, after preprocessing the acquired current operation data to obtain a current operation behavior vector, calculating the distance between the current operation behavior vector and each normal behavior feature vector, and judging whether the current operation behavior vector belongs to one of the normal behavior feature vectors or not through each calculated distance so as to obtain whether the current operation state of the system is normal or not.
In some embodiments, constructing at least one set of normal operation behavior vector samples based on at least one set of current operation data comprises:
carrying out invalid data filtering on at least one group of current operating data to obtain at least one group of filtered valid operating data;
carrying out digital processing on at least one group of effective operation data to obtain at least one group of operation data suitable for operation processing;
and for at least one group of operation data suitable for operation processing, merging the parameters associated in the system operation, and forming at least one group of normal operation behavior vector samples after merging.
In this embodiment, to construct a normal operation behavior vector sample in a normal operation state of the system, first, invalid data filtering is performed on the obtained current operation data, valid operation data is retained, then, the valid operation data is digitally processed, operation data suitable for arithmetic processing is obtained, and then, to simplify the data size and improve the data processing efficiency, parameters having relevance are combined, and the normal operation behavior vector sample is obtained.
In some embodiments, the pre-obtaining of at least one group of current operation data is: acquiring current operation data at preset time intervals in at least one sampling period; then,
carrying out invalid data filtering on at least one group of current operation data to obtain at least one group of filtered valid operation data, wherein the invalid data filtering comprises the following steps: judging whether the current operation data collected in each sampling period reaches a preset number, and if not, determining that the current operation data collected in each sampling period is invalid data; resetting the sampling period, and acquiring the current operation data in the reset sampling period until the current operation data acquired in each sampling period reaches a preset number, and taking the current operation data reaching the preset number as effective operation data.
In this embodiment, to construct the normal behavior vector model, effective current operation data needs to be collected to ensure that the obtained normal behavior vector model can reflect the normal operation state of the system. The invalid data filtering method for the current operation data comprises the steps of judging whether the data volume of the current operation data acquired in different sampling periods reaches a preset number, if not, enabling all the current operation data acquired in each sampling period to be invalid data, resetting the sampling periods, acquiring the current operation data again until the data volume of the current operation data acquired in each sampling period reaches the preset number, enabling the current operation data in each sampling period to be valid operation data, and enabling the valid operation data to be continuously subjected to subsequent processing. In some embodiments, the durations of the different sampling periods may be the same or different, the time intervals between the different sampling periods may be the same or different, and the time intervals for acquiring the current operation data in the same sampling period may be the same or different.
In this embodiment, considering that different systems are affected by different factors during operation, operation may be interrupted by adverse factors while the current operation data is being acquired, so that the predetermined amount of current operation data cannot be acquired. For example, during the operation of a vehicle-mounted system, the system is affected by environmental factors such as limited installation space, strong external vibration, difficult heat dissipation and electromagnetic interference, and by performance factors such as the system version, the quality of vehicle-mounted applications and driving performance, and its operation may be interrupted.
In some embodiments, the detecting, according to the current operation behavior vector, by using a pre-constructed normal behavior vector model, to obtain a detection result, includes:
calculating the distance between the current operation behavior vector and each normal behavior feature vector;
determining a normal behavior feature vector with the minimum distance to the current operation behavior vector;
judging whether the current operation behavior vector is located in a clustering radius range corresponding to the normal behavior feature vector with the minimum distance; if so, the current operation behavior vector belongs to the normal behavior corresponding to the normal behavior feature vector with the minimum distance; if not, the current operation behavior vector belongs to the abnormal behavior.
In this embodiment, the distance between the current operation behavior vector and each normal behavior feature vector is calculated to determine the normal behavior feature vector having the smallest distance from the current operation behavior vector, and then, whether the current operation behavior vector is within the clustering radius range of the normal behavior feature vector having the smallest distance is determined, if yes, the current operation behavior vector is classified as the normal behavior corresponding to the normal behavior feature vector, the system operates normally currently, and if not, the current operation behavior vector does not belong to any normal behavior, the system operates abnormally currently, and early warning and reminding can be further performed. Therefore, in the running process of the system, whether the system runs normally or not can be detected by using the normal behavior vector model as the reference by using the current running data acquired in real time.
In some embodiments, after the detection result is obtained, the detection result is output. For example, if the detection result is normal behavior, the basic operation parameters of the current system and the detection result can be displayed and output; if the detection result is abnormal behavior, the normal behavior corresponding to the normal behavior feature vector with the minimum distance, the parameters that differ from that normal behavior, and so on can be displayed, so that an early warning effect is achieved.
For example, in a normal situation, after a button of a certain application is clicked, the next interface should be jumped to, and the detection result is normal behavior. In an abnormal situation, the normal application has been replaced, by exploiting a vulnerability of the application, with a version containing malicious code; after the button is clicked, software starts downloading in the background, a certain link is accessed to inflate the browsing count, or privacy information such as the address book is returned to a remote server without the user noticing. The traffic usage state in the current behavior data increases significantly, the current operation behavior vector is not classified into any normal behavior feature vector, and in the user interface the user is given a prominent alarm about the abnormal traffic consumption, showing a comparison of the normal and abnormal traffic consumption values.
In some embodiments, the current operation behavior vector includes at least one merged parameter, and the merged parameter is a binary string;
calculating the distance between the current operation behavior vector and each normal behavior feature vector comprises: for a merged parameter in the current operation behavior vector and the corresponding merged parameter in each normal behavior feature vector, the difference value of the two parameters is the number of corresponding bits that differ.
In this embodiment, because the parameters in the binary string form subjected to the merging processing exist in the current running behavior vector and the normal behavior feature vector, for the parameters subjected to the merging processing, the number of different corresponding bits of the two parameters is used as the difference value of the two parameters. For example, the parameter CPU & Memory & Battery in the current operation behavior vector is "0110101", and the parameter CPU & Memory & Battery in the normal behavior feature vector is "0010101", so that the number of different corresponding bits of the two parameters is 1, and the difference between the two is 1.
For the parameters which are not combined in the vectors, the distance between the current operation behavior vector and the normal behavior feature vector can be determined by calculating the Euclidean distance.
In some embodiments, K-means cluster analysis is performed based on at least one group of normal operation behavior vector samples and a preset cluster number K to obtain K types of normal behavior feature vectors and a cluster radius corresponding to each normal behavior feature vector. Specifically, the method comprises the following steps:
selecting the clustering quantity K as the number of initial centers, determining density peak points as the initial center points, and thereby selecting K samples from the at least one group of normal operation behavior vector samples as the characteristics of the K clusters in the initial state. A density peak point is defined as follows: if the points to be clustered are concentrated around a certain point, that point is closer to the center position than its surrounding points, and its distance to any point with a larger density than its own is relatively far.
The density peak points are found by determining, for each point (i.e. each normal operation behavior vector) in the selected normal operation behavior vector samples, the point density ρi and the shortest distance γi from that point to a point of higher density, where:
The point density ρi of point i is calculated as:
[formula image; not reproduced in the text]
where:
[formula image; not reproduced in the text]
[formula image; not reproduced in the text]
where N is the number of normal operation behavior vector samples and d(i,j) is the average of the distances between points i and j.
The shortest distance γi from point i to a point of higher density is calculated as:
[formula image; not reproduced in the text]
γi is generally the shortest distance from point i to a point of higher density; only when the point density ρi of point i is the maximum is γi the farthest distance from point i to the other points.
According to the point density ρi and the shortest distance γi, a density distance parameter is calculated:
ζi=ρi·γi (5)
According to equation (5), the greater the point density and the farther the distance from a higher-density point, the greater the density distance parameter and the greater the probability of the point being a density peak point; the selected density peak points can be used as the initial center points characterizing the features of each cluster.
After the initial central points of the K clusters are determined, the remaining samples in the at least one group of normal operation behavior vector samples are added to the training process: the distance between each point and each initial central point is calculated, and according to the result the point is added to the cluster of the initial central point with the minimum distance. The formula for calculating the distance between two points is:
[formula image; not reproduced in the text]
After each point in the at least one group of normal operation behavior vector samples has been added to its cluster, the mean of the normal operation behavior vectors in each cluster is calculated and taken as the updated central point of that cluster, and the distance between the updated central point and the previous central point is calculated. The central point updating process is repeated, and iteration of the clustering centers stops when the distance between the updated central point and the previous central point is smaller than a preset value or the number of iterations reaches a preset value. Cluster division is then complete, giving the K clusters and their central points. For each cluster, the distance between the central point and the point farthest from it is determined and taken as the radius of the cluster. Finally the K clusters and their cluster radii are obtained, i.e. the K classes of normal behavior.
In some embodiments, parameters such as the number of clusters K and the number of iterations can be selected by combining the normal behavior classification of the system with parameter selection experience, and the parameters with the best effect determined through multiple tests. For example, several values of the clustering number K may be tried in turn to perform the clustering analysis calculation and obtain corresponding classification models, and the most appropriate K value then determined by the elbow method.
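The distance rule of the preceding paragraphs (bit count for merged parameters, Euclidean distance otherwise), the nearest-center radius check, and the density-peak seeded K-means with one radius per cluster, carried through in one added example; this is not the patent's or the applicant's code. Assumptions of the example: the point density uses a Gaussian kernel with a cutoff distance d_c (the patent's density formula is only available as an image), Hamming and numeric differences are combined in a single Euclidean norm, bit-string fields are "averaged" by per-bit majority vote, and the training samples are constructed.

```python
"""Density-peak seeded K-means over behaviour vectors with one radius per
cluster, and detection by nearest centre plus radius check. Added example,
not the applicant's code."""
import math

def distance(a, b):
    """Merged parameters (binary strings) contribute their Hamming distance,
    numeric parameters their difference; both go into one Euclidean norm (an
    assumption of this example: the text states only the two per-field rules)."""
    total = 0.0
    for x, y in zip(a, b):
        if isinstance(x, str):
            if len(x) != len(y):
                raise ValueError("merged parameters must have equal bit width")
            diff = sum(c1 != c2 for c1, c2 in zip(x, y))
        else:
            diff = x - y
        total += diff * diff
    return math.sqrt(total)

def density_peaks(samples, k, cutoff_fraction=0.2):
    """Pick the k points with the largest zeta_i = rho_i * gamma_i (equation (5)).
    rho_i: Gaussian-kernel density with cutoff d_c (assumed form, the patent's
    formula is an image). gamma_i: shortest distance to a denser point, or the
    farthest distance to any point for the densest point, as the text states."""
    n = len(samples)
    d = [[distance(samples[i], samples[j]) for j in range(n)] for i in range(n)]
    pairwise = sorted(d[i][j] for i in range(n) for j in range(i + 1, n))
    d_c = pairwise[int(cutoff_fraction * (len(pairwise) - 1))] or 1.0
    rho = [sum(math.exp(-(d[i][j] / d_c) ** 2) for j in range(n) if j != i)
           for i in range(n)]
    gamma = []
    for i in range(n):
        # equal densities are ordered by index so that "denser" is strict
        denser = [d[i][j] for j in range(n)
                  if rho[j] > rho[i] or (rho[j] == rho[i] and j < i)]
        gamma.append(min(denser) if denser else max(d[i]))
    zeta = [rho[i] * gamma[i] for i in range(n)]
    order = sorted(range(n), key=lambda i: zeta[i], reverse=True)
    return [samples[i] for i in order[:k]]

def centroid(points):
    """Cluster mean: arithmetic mean for numeric fields; per-bit majority vote
    for bit-string fields (assumption: the text's mean is for numbers only)."""
    fields = []
    for idx, first in enumerate(points[0]):
        column = [p[idx] for p in points]
        if isinstance(first, str):
            fields.append("".join(
                "1" if 2 * sum(s[b] == "1" for s in column) > len(column) else "0"
                for b in range(len(first))))
        else:
            fields.append(sum(column) / len(column))
    return tuple(fields)

def assign(samples, centers):
    """Put every sample into the cluster of its nearest centre."""
    clusters = [[] for _ in centers]
    for s in samples:
        nearest = min(range(len(centers)), key=lambda c: distance(s, centers[c]))
        clusters[nearest].append(s)
    return clusters

def train_model(samples, k, max_iter=100, tol=1e-6):
    """Returns (centres, radii); a cluster's radius is the distance from its
    centre to its farthest member, as in the text."""
    centers = density_peaks(samples, k)
    for _ in range(max_iter):
        clusters = assign(samples, centers)
        updated = [centroid(cl) if cl else centers[c] for c, cl in enumerate(clusters)]
        shift = max(distance(o, u) for o, u in zip(centers, updated))
        centers = updated
        if shift < tol:  # centres moved less than the preset value: stop iterating
            break
    clusters = assign(samples, centers)
    radii = [max((distance(s, centers[c]) for s in cl), default=0.0)
             for c, cl in enumerate(clusters)]
    return centers, radii

def detect(vector, centers, radii):
    """Nearest normal-behaviour feature vector and the radius verdict."""
    dists = [distance(vector, c) for c in centers]
    nearest = min(range(len(centers)), key=dists.__getitem__)
    verdict = "normal" if dists[nearest] <= radii[nearest] else "abnormal"
    return {"nearest": nearest, "distance": dists[nearest],
            "radius": radii[nearest], "result": verdict}

# Constructed training samples (not measurements). Layout: (CPU & Memory &
# Battery bits, received MB, sent MB, process count), a shortened form of the
# page's vector. Two normal regimes: idle, and a navigation app fetching maps.
TRAINING_SAMPLES = [
    ("0010100", 10, 3, 400), ("0010100", 12, 4, 410), ("0010000", 14, 5, 405),
    ("0010100", 16, 6, 415), ("0010100", 18, 7, 420),
    ("0110101", 170, 45, 490), ("0110101", 175, 48, 500), ("0110001", 180, 50, 495),
    ("0110101", 185, 52, 505), ("0110101", 190, 55, 510),
]

if __name__ == "__main__":
    centers, radii = train_model(TRAINING_SAMPLES, k=2)
    print(centers, radii)
    # active-regime CPU/receive profile but sent traffic far above any sample
    print(detect(("0110101", 180, 400, 500), centers, radii))
```

Because the fields are not normalised, a field with large raw values (process count, MB) dominates the distance; the text does not normalise either, so a deployment would choose units or level codes with that in mind.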
The system detection method can acquire the current operation data of the system in real time, detect by utilizing the pre-constructed normal behavior vector model to obtain the normal or abnormal detection result of the system, can detect the state of the system in real time, discover the abnormality in time, and improve the early warning capability of the system.
It should be noted that the method of one or more embodiments of the present disclosure may be performed by a single device, such as a computer or server. The method of the embodiment can also be applied to a distributed scene and completed by the mutual cooperation of a plurality of devices. In such a distributed scenario, one of the devices may perform only one or more steps of the method of one or more embodiments of the present disclosure, and the devices may interact with each other to complete the method.
The foregoing description has been directed to specific embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
As shown in fig. 2, the present specification further provides a system detection apparatus, comprising:
the acquisition module is used for acquiring the current operation data of the system;
the construction module is used for constructing a current operation behavior vector according to the current operation data;
the detection module is used for detecting by utilizing a pre-constructed normal behavior vector model according to the current operation behavior vector to obtain a detection result;
and the output module is used for outputting the detection result.
For convenience of description, the above devices are described as being divided into various modules by functions, and are described separately. Of course, the functionality of the modules may be implemented in the same one or more software and/or hardware implementations in implementing one or more embodiments of the present description.
The apparatus of the foregoing embodiment is used to implement the corresponding method in the foregoing embodiment, and has the beneficial effects of the corresponding method embodiment, which are not described herein again.
Fig. 3 is a schematic diagram illustrating a more specific hardware structure of an electronic device according to this embodiment, where the electronic device may include: a processor 1010, a memory 1020, an input/output interface 1030, a communication interface 1040, and a bus 1050. Wherein the processor 1010, memory 1020, input/output interface 1030, and communication interface 1040 are communicatively coupled to each other within the device via bus 1050.
The processor 1010 may be implemented by a general-purpose CPU (Central Processing Unit), a microprocessor, an Application Specific Integrated Circuit (ASIC), or one or more Integrated circuits, and is configured to execute related programs to implement the technical solutions provided in the embodiments of the present disclosure.
The Memory 1020 may be implemented in the form of a ROM (Read Only Memory), a RAM (Random Access Memory), a static storage device, a dynamic storage device, or the like. The memory 1020 may store an operating system and other application programs, and when the technical solution provided by the embodiments of the present specification is implemented by software or firmware, the relevant program codes are stored in the memory 1020 and called to be executed by the processor 1010.
The input/output interface 1030 is used for connecting an input/output module to input and output information. The i/o module may be configured as a component in a device (not shown) or may be external to the device to provide a corresponding function. The input devices may include a keyboard, a mouse, a touch screen, a microphone, various sensors, etc., and the output devices may include a display, a speaker, a vibrator, an indicator light, etc.
The communication interface 1040 is used for connecting a communication module (not shown in the drawings) to implement communication interaction between the present apparatus and other apparatuses. The communication module can realize communication in a wired mode (such as USB, network cable and the like) and also can realize communication in a wireless mode (such as mobile network, WIFI, Bluetooth and the like).
Bus 1050 includes a path that transfers information between various components of the device, such as processor 1010, memory 1020, input/output interface 1030, and communication interface 1040.
It should be noted that although the above-mentioned device only shows the processor 1010, the memory 1020, the input/output interface 1030, the communication interface 1040 and the bus 1050, in a specific implementation, the device may also include other components necessary for normal operation. In addition, those skilled in the art will appreciate that the above-described apparatus may also include only those components necessary to implement the embodiments of the present description, and not necessarily all of the components shown in the figures.
Computer-readable media of the present embodiments, including both non-transitory and non-transitory, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device.
Those of ordinary skill in the art will understand that: the discussion of any embodiment above is meant to be exemplary only, and is not intended to intimate that the scope of the disclosure, including the claims, is limited to these examples; within the spirit of the present disclosure, features from the above embodiments or from different embodiments may also be combined, steps may be implemented in any order, and there are many other variations of different aspects of one or more embodiments of the present description as described above, which are not provided in detail for the sake of brevity.
In addition, well-known power/ground connections to Integrated Circuit (IC) chips and other components may or may not be shown in the provided figures, for simplicity of illustration and discussion, and so as not to obscure one or more embodiments of the disclosure. Furthermore, devices may be shown in block diagram form in order to avoid obscuring the understanding of one or more embodiments of the present description, and this also takes into account the fact that specifics with respect to implementation of such block diagram devices are highly dependent upon the platform within which the one or more embodiments of the present description are to be implemented (i.e., specifics should be well within purview of one skilled in the art). Where specific details (e.g., circuits) are set forth in order to describe example embodiments of the disclosure, it should be apparent to one skilled in the art that one or more embodiments of the disclosure can be practiced without, or with variation of, these specific details. Accordingly, the description is to be regarded as illustrative instead of restrictive.
While the present disclosure has been described in conjunction with specific embodiments thereof, many alternatives, modifications, and variations of these embodiments will be apparent to those of ordinary skill in the art in light of the foregoing description. For example, other memory architectures (e.g., dynamic RAM (DRAM)) may use the discussed embodiments.
It is intended that the one or more embodiments of the present specification embrace all such alternatives, modifications and variations as fall within the broad scope of the appended claims. Therefore, any omissions, modifications, substitutions, improvements, and the like that may be made without departing from the spirit and principles of one or more embodiments of the present disclosure are intended to be included within the scope of the present disclosure.

Claims (10)

1. A method for system detection, comprising:
acquiring current operation data of the system;
constructing a current operation behavior vector according to the current operation data;
detecting by using a pre-constructed normal behavior vector model according to the current operation behavior vector to obtain a detection result;
and outputting the detection result.
2. The method of claim 1, wherein the current operational data includes system performance operational parameters, operational parameters of applications in an operational state, and network operational parameters;
constructing a current operation behavior vector according to the current operation data, wherein the construction comprises the following steps:
carrying out digital processing on the current operation data to obtain operation data suitable for operation processing;
and for the operation data, merging the parameters which are associated in the system operation, and forming the current operation behavior vector after merging.
3. The method according to claim 2, wherein the system performance operation parameters include a total CPU occupation state, a total memory occupation state, and a total power consumption state, the operation parameters of the application in the operation state include an application type, an open state of a right, a CPU occupation state, a memory occupation state, and a power consumption state, and the network operation parameters include a network module open and connection state;
the current operation data is subjected to digital processing to obtain operation data suitable for operation processing, and the operation data comprises the following steps:
according to pre-divided occupation levels, assigning the CPU total occupation state and the CPU occupation state to corresponding level numerical values;
according to the conditions of increase, decrease and invariance of memory occupation, assigning the total memory occupation state and the memory occupation state to corresponding state values;
according to the conditions of small power consumption amplification, general amplification and large amplification, assigning the total power consumption state and the power consumption state to corresponding state numerical values;
according to a preset application type, giving a corresponding type number to the application type;
according to the conditions of opening and closing the authority, endowing the opening state of the authority with a corresponding state numerical value;
and according to the conditions of opening, closing, connection and disconnection of the network module, giving corresponding state values to the opening and connection states of the network module.
4. The method of claim 3, wherein the type of the authority comprises at least one, and the number of the network modules is at least one;
for the operation data, merging the parameters associated in the system operation, and forming the current behavior vector after merging, including:
combining and processing the CPU total occupation state, the memory total occupation state and the total power consumption state into one parameter;
combining and processing a CPU occupation state, a memory occupation state and a power consumption state corresponding to the application into a parameter;
merging the opening states of the authorities of all types into one parameter;
and merging the network module opening and connection states of the network modules into one parameter.
5. The method of claim 1, wherein the normal behavior vector model is constructed by a method comprising:
at least one group of current operation data is obtained in advance;
constructing at least one group of normal operation behavior vector samples according to at least one group of current operation data;
and performing cluster analysis processing on at least one group of normal operation behavior vector samples to obtain normal behavior feature vectors of a preset classification quantity and cluster radiuses corresponding to the normal behavior feature vectors.
6. The method of claim 5, wherein constructing at least one group of normal-operation behavior vector samples from at least one group of current operation data comprises:
filtering invalid data out of the at least one group of current operation data to obtain at least one group of filtered valid operation data;
digitising the at least one group of valid operation data to obtain at least one group of operation data suitable for arithmetic processing;
and, for the at least one group of operation data suitable for arithmetic processing, merging the parameters that are associated in the operation of the system and forming at least one group of normal-operation behavior vector samples from the merged result.
7. The method of claim 6, wherein obtaining at least one group of the current operation data in advance is: collecting the current operation data at preset time intervals within a sampling period;
and wherein filtering invalid data out of the at least one group of current operation data to obtain at least one group of filtered valid operation data comprises: judging whether the current operation data collected in each sampling period reaches a preset count; if not, treating the current operation data collected in that sampling period as invalid data, resetting the sampling period and collecting the current operation data again in the reset sampling period until the current operation data collected in each sampling period reaches the preset count; and taking the current operation data that reaches the preset count as the valid operation data.
8. The method of claim 5, wherein detecting with a pre-constructed normal behavior vector model according to the current operation behavior vector to obtain a detection result comprises:
calculating the distance between the current operation behavior vector and each normal behavior feature vector;
determining the normal behavior feature vector at the minimum distance from the current operation behavior vector;
and judging whether the current operation behavior vector lies within the cluster radius corresponding to that nearest normal behavior feature vector; if so, the current operation behavior vector belongs to the normal behavior corresponding to the nearest normal behavior feature vector; if not, the current operation behavior vector belongs to abnormal behavior.
9. The method of claim 8, wherein the current operation behavior vector comprises at least one merged parameter, and each merged parameter is a binary string;
and wherein calculating the distance between the current operation behavior vector and each normal behavior feature vector comprises: for each merged parameter in the current operation behavior vector and the corresponding merged parameter in each normal behavior feature vector, taking the difference between the two parameters to be the number of bit positions at which they differ (their Hamming distance).
10. A system detection apparatus, comprising:
an acquisition module for acquiring the current operation data of the system;
a construction module for constructing a current operation behavior vector from the current operation data;
a detection module for detecting with a pre-constructed normal behavior vector model according to the current operation behavior vector to obtain a detection result;
and an output module for outputting the detection result.
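Claims 5 to 9 together describe one pipeline: digitise states into bit fields, merge related fields into binary-string parameters, discard sampling periods that fell short of the preset count, cluster the surviving vectors into a preset number of feature vectors each with a radius, and classify a new vector as normal only if its nearest feature vector is within that radius. The following Python is an added illustration of that pipeline, not code from the patent or its applicant. The 2-bit and 1-bit field widths, the permission and network-module sets, the use of k-medoids under the Hamming distance as the "cluster analysis" (the claims name no algorithm), the choice of the largest member distance as the cluster radius, and every sample record are assumptions made for this example.

```python
"""Behaviour-vector anomaly detection in the style of claims 5-9 of CN112307475A.
Added illustration, not the patent's code. Bit encodings, field widths, permission
and module sets, the clustering routine and all samples are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Vector = Tuple[str, ...]

# Claim 3: three-level states get a 2-bit code, on/off states a 1-bit code (assumed widths).
LEVEL = {"low": "00", "mid": "01", "high": "10"}
FLAG = {False: "0", True: "1"}
PERMISSIONS = ("camera", "location", "contacts", "sms")   # assumed permission set
NET_MODULES = ("wifi", "cellular", "bluetooth")           # assumed network modules


@dataclass
class Sample:
    """One raw operation-data sample (constructed for this example)."""
    total_cpu: str
    total_mem: str
    total_power: str
    app_cpu: str
    app_mem: str
    app_power: str
    app_type: int                                                    # preset type number, assumed 0..3
    perms: Dict[str, bool] = field(default_factory=dict)             # permission -> enabled
    net: Dict[str, Tuple[bool, bool]] = field(default_factory=dict)  # module -> (enabled, connected)


def to_vector(s: Sample) -> Vector:
    """Claim 4: merge associated parameters into four binary-string parameters."""
    system = LEVEL[s.total_cpu] + LEVEL[s.total_mem] + LEVEL[s.total_power]
    app = LEVEL[s.app_cpu] + LEVEL[s.app_mem] + LEVEL[s.app_power] + format(s.app_type, "02b")
    perms = "".join(FLAG[s.perms.get(p, False)] for p in PERMISSIONS)
    net = "".join(FLAG[on] + FLAG[conn]
                  for on, conn in (s.net.get(m, (False, False)) for m in NET_MODULES))
    return (system, app, perms, net)


def distance(a: Vector, b: Vector) -> int:
    """Claim 9: count of differing bits per parameter (Hamming distance), summed."""
    return sum(x != y for pa, pb in zip(a, b) for x, y in zip(pa, pb))


def filter_valid(periods: List[List[Sample]], preset_count: int) -> List[Sample]:
    """Claim 7: a sampling period that collected fewer than preset_count samples is invalid."""
    return [s for period in periods if len(period) >= preset_count for s in period]


def _assign(vectors: List[Vector], medoids: List[Vector]) -> Dict[Vector, List[Vector]]:
    groups: Dict[Vector, List[Vector]] = {m: [] for m in medoids}
    for v in vectors:
        groups[min(medoids, key=lambda m: distance(v, m))].append(v)
    return groups


def build_model(vectors: List[Vector], k: int, rounds: int = 20) -> List[Tuple[Vector, int]]:
    """Claim 5: cluster samples into k feature vectors, each with a cluster radius.
    k-medoids under the Hamming distance is an assumption; the radius is the
    largest distance from a medoid to a member of its cluster."""
    medoids = list(dict.fromkeys(vectors))[:k]     # deterministic start: first k distinct vectors
    for _ in range(rounds):
        groups = _assign(vectors, medoids)
        new = [min(g, key=lambda c: sum(distance(c, v) for v in g)) if g else m
               for m, g in groups.items()]
        if new == medoids:
            break
        medoids = new
    groups = _assign(vectors, medoids)
    return [(m, max((distance(v, m) for v in groups[m]), default=0)) for m in medoids]


def detect(model: List[Tuple[Vector, int]], v: Vector) -> Tuple[str, int]:
    """Claim 8: nearest feature vector; inside its radius -> normal, otherwise abnormal."""
    m, radius = min(model, key=lambda mr: distance(v, mr[0]))
    d = distance(v, m)
    return ("normal" if d <= radius else "abnormal", d)


def mk(cpu, mem, power, app_type=1, perms=(), net=(("wifi", (True, True)),)) -> Sample:
    """Constructed sample whose app-level states mirror the system-level ones."""
    return Sample(cpu, mem, power, cpu, mem, power, app_type,
                  {p: True for p in perms}, dict(net))


# Constructed sampling periods: an idle-ish and an active-ish behaviour, plus one
# period that is too short and is discarded by filter_valid (preset count 3).
IDLE = mk("low", "low", "low", perms=("location",))
IDLE_VAR = mk("low", "low", "mid", perms=("location",))
ACTIVE = mk("mid", "mid", "mid", app_type=2, perms=("location", "camera"),
            net=(("wifi", (True, True)), ("cellular", (True, False))))
ACTIVE_VAR = mk("mid", "high", "mid", app_type=2, perms=("location", "camera"),
                net=(("wifi", (True, True)), ("cellular", (True, False))))
PERIODS = [[IDLE, IDLE_VAR, IDLE, IDLE], [ACTIVE, ACTIVE_VAR, ACTIVE, ACTIVE_VAR], [IDLE, ACTIVE]]
ANOMALY = mk("high", "high", "high", app_type=2, perms=("location", "camera", "sms"),
             net=(("wifi", (True, True)), ("cellular", (True, True)), ("bluetooth", (True, True))))

if __name__ == "__main__":
    model = build_model([to_vector(s) for s in filter_valid(PERIODS, 3)], k=2)
    for label, s in (("idle", IDLE), ("anomaly", ANOMALY)):
        print(label, to_vector(s), detect(model, to_vector(s)))
```

With the constructed data the model converges to the two intended centres with radii 2 and 4, the anomalous sample lands 14 bits from its nearest centre and is flagged, and a probe one bit off the idle centre at both system and application level (distance 2) is still accepted while the same probe with one extra permission enabled (distance 3) is rejected. Taking the radius as the largest member distance makes the acceptance region only as wide as the baseline data; a deployment would tune that radius (and the preset count in claim 7) against observed false-positive rates rather than rely on a single short baseline.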
CN202011056513.6A 2020-09-29 2020-09-29 System detection method and device Pending CN112307475A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011056513.6A CN112307475A (en) 2020-09-29 2020-09-29 System detection method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011056513.6A CN112307475A (en) 2020-09-29 2020-09-29 System detection method and device

Publications (1)

Publication Number Publication Date
CN112307475A true CN112307475A (en) 2021-02-02

Family

ID=74488449

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011056513.6A Pending CN112307475A (en) 2020-09-29 2020-09-29 System detection method and device

Country Status (1)

Country Link
CN (1) CN112307475A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116305105A (en) * 2023-05-25 2023-06-23 Hunan Police Academy Information security monitoring method and system based on big data

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105830081A (en) * 2013-12-06 2016-08-03 Qualcomm Inc. Methods and systems of generating application-specific models for the targeted protection of vital applications
CN106650446A (en) * 2016-12-26 2017-05-10 Beijing University of Posts and Telecommunications Malicious program behavior identification method and system based on system calls
CN107209832A (en) * 2015-02-09 2017-09-26 Qualcomm Inc. Determining a model protection level in a device based on malicious code detection in similar devices
CN107567628A (en) * 2015-05-07 2018-01-09 Qualcomm Inc. Methods and systems for identifying and responding to non-benign behavior using causal analysis for enhanced decision stumps
CN108027859A (en) * 2015-09-17 2018-05-11 Qualcomm Inc. Detecting software attacks on processes in computing devices
CN108491720A (en) * 2018-03-20 2018-09-04 Tencent Technology (Shenzhen) Co., Ltd. Application identification method, system and related device
CN108520178A (en) * 2018-04-08 2018-09-11 Changchun University of Science and Technology Android platform intrusion detection method based on CFSFDP clustering
CN108809745A (en) * 2017-05-02 2018-11-13 China Mobile Group Chongqing Co., Ltd. User anomaly detection method, apparatus and system
CN111191239A (en) * 2019-12-30 2020-05-22 Beijing University of Posts and Telecommunications Process detection method and system for application program
US20200210592A1 (en) * 2018-12-26 2020-07-02 Vdoo Connected Trust Ltd. Detecting Firmware Vulnerabilities

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Ma Z, Ge H, Liu Y, et al.: "A Combination Method for Android Malware Detection Based on Control Flow Graphs and Machine Learning Algorithms", IEEE Access, pages 1-10 *
潘夏福: "Android Malware Detection Based on the kNN and K-means Algorithms", Computer Knowledge and Technology (《电脑知识与技术》), pages 216-218 *

Similar Documents

Publication Publication Date Title
CN112417439B (en) Account detection method, device, server and storage medium
US9710977B2 (en) Vehicle data collection and verification
CN106716382B (en) The method and system of aggregation multiple utility program behavioural analysis for mobile device behavior
CN111178760B (en) Risk monitoring method, risk monitoring device, terminal equipment and computer readable storage medium
US11316851B2 (en) Security for network environment using trust scoring based on power consumption of devices within network
CN103077344A (en) Terminal and method for providing risk of application using the same
CN106982230B (en) Flow detection method and system
CN109933984B (en) Optimal clustering result screening method and device and electronic equipment
CN108053653B (en) Vehicle behavior prediction method and device based on LSTM
CN113489713A (en) Network attack detection method, device, equipment and storage medium
CN114422267A (en) Flow detection method, device, equipment and medium
CN113419971B (en) Android system service vulnerability detection method and related device
CN109697155B (en) IT system performance evaluation method, device, equipment and readable storage medium
CN112085588B (en) Method and device for determining safety of rule model and data processing method
CN112307475A (en) System detection method and device
CN116204871A (en) Abnormal behavior recognition method and device, electronic equipment and storage medium
CN112671724A (en) Terminal security detection analysis method, device, equipment and readable storage medium
CN111460448A (en) Malicious software family detection method and device
CN112685799A (en) Device fingerprint generation method and device, electronic device and computer readable medium
CN112307477A (en) Code detection method, device, storage medium and terminal
Middya et al. CityLightSense: a participatory sensing-based system for monitoring and mapping of illumination levels
CN115987549A (en) Abnormal behavior detection method and device of mobile terminal and storage medium
CN110417744B (en) Security determination method and device for network access
CN112953723B (en) Vehicle-mounted intrusion detection method and device
CN114760087A (en) DDoS attack detection method and system in software defined industrial internet

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20210603

Address after: 100085 room 0106-640, 1st floor, No.26, shangdixinxi Road, Haidian District, Beijing

Applicant after: Beijing Zhilian Anhang Technology Co.,Ltd.

Address before: 100876 No.406, 4th floor, building 21, 10 Xitucheng Road, Haidian District, Beijing

Applicant before: Beijing ruanhui Technology Co.,Ltd.