CN112887162A - Method and apparatus for detecting anomalies - Google Patents


Info

Publication number: CN112887162A
Authority: CN (China)
Prior art keywords: information, feedback information, address, feedback, sending
Legal status: Granted, active
Application number: CN201911202522.9A
Other languages: Chinese (zh)
Other versions: CN112887162B (en)
Inventor: 谷云龙
Current Assignee: Beijing Baidu Netcom Science and Technology Co Ltd
Original Assignee: Beijing Baidu Netcom Science and Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0823 Errors, e.g. transmission errors
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W24/00 Supervisory, monitoring or testing arrangements
    • H04W24/08 Testing, supervising or monitoring using real traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Environmental & Geological Engineering (AREA)
  • Debugging And Monitoring (AREA)

Abstract

Embodiments of the disclosure provide a method and an apparatus for detecting anomalies, and relate to the field of cloud computing. One embodiment of the method comprises: in response to detecting a data sending request, acquiring a destination address and a receiving address of the data sending request; modifying the receiving address to obtain an updated receiving address, and replacing the receiving address in the data sending request with the updated receiving address to obtain an updated data sending request, wherein the updated receiving address is used for storing received information at a designated location; sending the updated data sending request to the destination address, and storing the feedback information that the destination address returns for the updated data sending request at the designated location; and performing anomaly detection on the feedback information to obtain anomaly information. This embodiment improves the efficiency and accuracy with which the terminal detects anomalies.

Description

Method and apparatus for detecting anomalies
Technical Field
Embodiments of the disclosure relate to the technical field of computers, and in particular to a method and an apparatus for detecting anomalies.
Background
At present, a server performs information interaction with a large number of terminal devices. In order to improve the effectiveness of information transfer, the server typically performs anomaly detection on the information. The server may perform abnormality detection on information sent to the server by the terminal device, or may perform abnormality detection on information sent to the terminal device.
Disclosure of Invention
Embodiments of the disclosure provide a method and an apparatus for detecting anomalies.
In a first aspect, an embodiment of the present disclosure provides a method for detecting an anomaly, the method including: in response to detecting a data sending request, acquiring a destination address and a receiving address of the data sending request; modifying the receiving address to obtain an updated receiving address, and replacing the receiving address in the data sending request with the updated receiving address to obtain an updated data sending request, wherein the updated receiving address is used for storing received information at a designated location; sending the updated data sending request to the destination address, and storing the feedback information that the destination address returns for the updated data sending request at the designated location; and performing anomaly detection on the feedback information to obtain anomaly information.
In some embodiments, acquiring the destination address and the receiving address of the data sending request includes: querying the information sending application that issued the data sending request; acquiring, from the information sending application, at least one original function corresponding to the data sending request; and selecting an information sending function from the at least one original function, and parsing the data sending request according to the information sending function to obtain the destination address and the receiving address, wherein the information sending function is used for sending the data sending request.
In some embodiments, the information sending application includes at least one data port, and querying the information sending application that issued the data sending request includes: for a data port of the at least one data port, acquiring at least one piece of state feedback information of the data port, wherein the state feedback information indicates whether the information received by the corresponding data port is abnormal, and includes a reference state identifier, a reference information format and reference information content.
In some embodiments, the feedback information includes a target feedback address, a feedback state identifier, a feedback information format and feedback information content, and performing anomaly detection on the feedback information to obtain anomaly information includes: querying the target data port corresponding to the target feedback address; determining, from the target data port, the target reference state identifier corresponding to the feedback state identifier; and marking the feedback information as anomaly information in response to the target reference state identifier indicating that the information is abnormal.
In some embodiments, performing anomaly detection on the feedback information to obtain anomaly information includes: in response to the target reference state identifier indicating that the information is normal, comparing the feedback information format of the feedback information with the target reference information format of the target state feedback information; and marking the feedback information as anomaly information in response to the feedback information format differing from the target reference information format.
In some embodiments, performing anomaly detection on the feedback information to obtain anomaly information includes: in response to the feedback information format being the same as the target reference information format, comparing the feedback information content of the feedback information with the target reference information content of the target state feedback information; and marking the feedback information as anomaly information in response to the feedback information content differing from the target reference information content.
In some embodiments, the feedback information includes source address information, which characterizes the network address that sent the feedback information, and performing anomaly detection on the feedback information to obtain anomaly information further includes: in response to the network address of the current device and the source address information not being in the same network domain and the feedback information being normal, sending the feedback information to the information sending application according to the receiving address.
In some embodiments, the method includes: sending the anomaly information in a set manner, the set manner including at least one of the following: offline transmission, delayed transmission and sampling transmission.
In a second aspect, embodiments of the present disclosure provide an apparatus for detecting an anomaly, the apparatus comprising: an address acquisition unit configured to acquire a destination address and a receiving address of a data sending request in response to detecting the data sending request; a request updating unit configured to modify the receiving address to obtain an updated receiving address, and replace the receiving address in the data sending request with the updated receiving address to obtain an updated data sending request, wherein the updated receiving address is used for storing received information at a designated location; an information transmitting/receiving unit configured to send the updated data sending request to the destination address, and store the feedback information that the destination address returns for the updated data sending request at the designated location; and an abnormality detection unit configured to perform anomaly detection on the feedback information to obtain anomaly information.
In some embodiments, the address acquisition unit includes: an application query subunit configured to query the information sending application that issued the data sending request; an original function acquiring subunit configured to acquire, from the information sending application, at least one original function corresponding to the data sending request; and an address acquisition subunit configured to select an information sending function from the at least one original function, and parse the data sending request according to the information sending function to obtain the destination address and the receiving address, wherein the information sending function is used for sending the data sending request.
In some embodiments, the information sending application includes at least one data port, and the application query subunit includes: an application query module configured to acquire, for a data port of the at least one data port, at least one piece of state feedback information of the data port, wherein the state feedback information indicates whether the information received by the corresponding data port is abnormal, and includes a reference state identifier, a reference information format and reference information content.
In some embodiments, the feedback information includes a target feedback address, a feedback state identifier, a feedback information format and feedback information content, and the abnormality detection unit includes: a target data port query subunit configured to query the target data port corresponding to the target feedback address; a target reference state identifier determining subunit configured to determine, from the target data port, the target reference state identifier corresponding to the feedback state identifier; and a first anomaly marking subunit configured to mark the feedback information as anomaly information in response to the target reference state identifier indicating that the information is abnormal.
In some embodiments, the abnormality detection unit includes: a format comparison subunit configured to compare the feedback information format of the feedback information with the target reference information format of the target state feedback information in response to the target reference state identifier indicating that the information is normal; and a second anomaly marking subunit configured to mark the feedback information as anomaly information in response to the feedback information format differing from the target reference information format.
In some embodiments, the abnormality detection unit includes: a content comparison subunit configured to compare, in response to the feedback information format being the same as the target reference information format, the feedback information content of the feedback information with the target reference information content of the target state feedback information; and a third anomaly marking subunit configured to mark the feedback information as anomaly information in response to the feedback information content differing from the target reference information content.
In some embodiments, the feedback information includes source address information, which characterizes the network address that sent the feedback information, and the abnormality detection unit further includes: an information returning subunit configured to send the feedback information to the information sending application according to the receiving address, in response to the network address of the current device and the source address information not being in the same network domain and the feedback information being normal.
In some embodiments, the apparatus includes: an information sending unit configured to send the anomaly information in a set manner, the set manner including at least one of the following: offline transmission, delayed transmission and sampling transmission.
In a third aspect, an embodiment of the present disclosure provides an electronic device, including: one or more processors; memory having one or more programs stored thereon which, when executed by the one or more processors, cause the one or more processors to perform the method for detecting anomalies of the first aspect.
In a fourth aspect, an embodiment of the present disclosure provides a computer-readable medium on which a computer program is stored, wherein the program, when executed by a processor, implements the method for detecting an anomaly of the first aspect.
In the method and apparatus for detecting anomalies provided by the embodiments of the disclosure, first, when a data sending request is detected, the destination address and the receiving address of the data sending request are acquired. Then, the receiving address is modified to obtain an updated receiving address, and the receiving address in the data sending request is replaced with the updated receiving address to obtain an updated data sending request, so that information is received at the designated location corresponding to the updated receiving address and the application that issued the data sending request does not receive the information directly. Next, the updated data sending request is sent to the destination address, and the feedback information that the destination address returns for the updated data sending request is stored at the designated location. This spares the terminal from performing anomaly detection separately on each piece of feedback information of each application, and improves the efficiency with which the terminal detects anomalies in feedback information. Finally, anomaly detection is performed on the feedback information to obtain anomaly information. The method and apparatus can improve the efficiency and accuracy of anomaly detection on the terminal.
Drawings
Other features, objects and advantages of the disclosure will become more apparent upon reading of the following detailed description of non-limiting embodiments thereof, made with reference to the accompanying drawings in which:
FIG. 1 is an exemplary system architecture diagram in which one embodiment of the present disclosure may be applied;
FIG. 2 is a flow diagram of one embodiment of a method for detecting anomalies according to the present disclosure;
FIG. 3 is a schematic diagram of one application scenario of a method for detecting anomalies in accordance with the present disclosure;
FIG. 4 is a flow diagram of yet another embodiment of a method for detecting anomalies in accordance with the present disclosure;
FIG. 5 is a schematic block diagram of one embodiment of an apparatus for detecting anomalies in accordance with the present disclosure;
FIG. 6 is a schematic diagram of an electronic device suitable for use in implementing embodiments of the present disclosure.
Detailed Description
The present disclosure is described in further detail below with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the relevant invention and not restrictive of the invention. It should be noted that, for convenience of description, only the portions related to the related invention are shown in the drawings.
It should be noted that, in the present disclosure, the embodiments and features of the embodiments may be combined with each other without conflict. The present disclosure will be described in detail below with reference to the accompanying drawings in conjunction with embodiments.
Fig. 1 illustrates an exemplary system architecture 100 of a method for detecting anomalies or an apparatus for detecting anomalies to which embodiments of the present disclosure may be applied.
As shown in fig. 1, the system architecture 100 may include terminal devices 101, 102, 103, a network 104, and a server 105. The network 104 serves as a medium for providing communication links between the terminal devices 101, 102, 103 and the server 105. Network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, to name a few.
The user may use the terminal devices 101, 102, 103 to interact with the server 105 via the network 104 to receive or send messages or the like. The terminal devices 101, 102, 103 may have various communication client applications installed thereon, such as a web browser application, a shopping application, a search application, an instant messaging tool, a mailbox client, social platform software, and the like.
The terminal apparatuses 101, 102, and 103 may be hardware or software. When the terminal devices 101, 102, 103 are hardware, they may be various electronic devices having a display screen and supporting web browsing, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like. When the terminal apparatuses 101, 102, 103 are software, they can be installed in the electronic apparatuses listed above. It may be implemented as a plurality of software or software modules (for example, for providing distributed services), or as a single software or software module, which is not specifically limited herein.
The server 105 may be a server that provides various services, such as a server that provides data support for web pages on the terminal devices 101, 102, 103. The server may analyze and/or otherwise process the received data, such as the web page request, and send the processing result (e.g., feedback information) to the terminal device.
It should be noted that the method for detecting an abnormality provided by the embodiment of the present disclosure is generally performed by the terminal devices 101, 102, 103, and accordingly, the apparatus for detecting an abnormality is generally disposed in the terminal devices 101, 102, 103.
The server may be hardware or software. When the server is hardware, it may be implemented as a distributed server cluster formed by multiple servers, or may be implemented as a single server. When the server is software, it may be implemented as a plurality of software or software modules (for example, to provide distributed services), or may be implemented as a single software or software module, and is not limited specifically herein.
It should be understood that the number of terminal devices, networks, and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
With continued reference to FIG. 2, a flow 200 of one embodiment of a method for detecting anomalies in accordance with the present disclosure is shown. The method for detecting an abnormality includes the steps of:
Step 201, in response to detecting a data transmission request, acquiring a destination address and a receiving address of the data transmission request.
In the present embodiment, the execution subject of the method for detecting an abnormality (e.g., the terminal apparatuses 101, 102, 103 shown in fig. 1) may detect the data transmission request by a wired connection manner or a wireless connection manner. It should be noted that the wireless connection means may include, but is not limited to, a 3G/4G connection, a WiFi connection, a bluetooth connection, a WiMAX connection, a Zigbee connection, a uwb (ultra wideband) connection, and other wireless connection means now known or developed in the future.
In the prior art, anomaly detection between the execution subject and the server 105 is typically performed by the server 105. However, as the number of execution subjects increases, the data processing pressure on the server 105 grows and its data processing efficiency falls. In existing methods, the terminal devices 101, 102, 103 can also perform anomaly detection, but their ability to detect anomalies is limited: existing terminal devices 101, 102, 103 can detect only a limited set of anomalies, and the accuracy of detection is not high.
Therefore, when the execution subject of the present application performs the anomaly detection on the data transmission request, the execution subject first acquires the destination address and the receiving address of the data transmission request. The data transmission request may be a request issued by an application on the execution subject to perform information interaction with the server 105. For example, the data transmission request may be an Ajax request. The Ajax (Asynchronous Javascript And XML) refers to a web page development technology for creating interactive web page applications. When a user accesses the server 105 through a browser, an Ajax request may be sent to the server 105. Server 105 may then return information corresponding to the Ajax request. The execution subject may acquire the destination address and the receiving address from the data transmission request by analyzing the data transmission request, or the like. The destination address is an address (for example, an address of the server 105 on the network) for receiving the data transmission request. The receiving address is an address of the execution subject on the network, that is, an address at which the execution subject receives information.
In some optional implementation manners of this embodiment, the obtaining the destination address and the receiving address of the data sending request may include the following steps:
First, query the information sending application that issued the data transmission request.
The execution body can be provided with a plurality of applications, and the data types processed by different applications can be different. Accordingly, the manner in which the anomaly is detected may vary from application to application. In order to accurately detect the abnormality, the execution subject of the present application may query an information sending application that issues a data sending request. For example, the information transmission application that issues the data transmission request may be a browser or the like.
Second, acquire at least one original function corresponding to the data transmission request from the information sending application.
Typically, an application contains a plurality of original functions, through which it performs the corresponding data processing. To detect anomalies accurately, the execution subject may retrieve at least one original function associated with the data transmission request. The original functions may include, for example, a file-opening function (open), a conditional function (if), a loop function (while), and so on. The original functions may differ from application to application.
Third, select an information sending function from the at least one original function, and parse the data transmission request according to the information sending function to obtain the destination address and the receiving address.
The execution subject may select the information sending function from the plurality of original functions, and then parse the data transmission request according to the data format of the information sending function to obtain the destination address and the receiving address. The information sending function is used for sending the data transmission request. For example, a browser includes the information sending function send. The execution subject may select the send function from the plurality of original functions, and then parse the destination address and the receiving address from the data transmission request according to the information format of the send function.
In some optional implementation manners of this embodiment, the information sending application includes at least one data port, and the querying the information sending application that sends the data sending request may include: and acquiring at least one piece of state feedback information of the data port for the data port in the at least one data port.
The information sending application includes at least one data port. Each data port may be used to receive data of a specified type. In general, in order to detect anomalies, state feedback information for identifying anomalies is set in advance for each data port of the information sending application. That is, the state feedback information may be used to indicate whether the information received by the corresponding data port is abnormal. The state feedback information may include a reference state identifier, a reference information format, and reference information content. When the reference state identifier indicates that the information is normal, it may be: true; when it indicates that the information is abnormal, it may be: false. When the reference information format indicates that the information is normal, it may be: the information includes a set data format; conversely, when it indicates that the information is abnormal, the information does not include the set data format. When the reference information content indicates that the information is normal, it may be: the content includes set keywords; when it indicates that the information is abnormal, it may be: the content includes no set keyword, or a set keyword is missing, and so on.
Step 202, modifying the receiving address to obtain an updated receiving address, and replacing the receiving address in the data sending request with the updated receiving address to obtain an updated data sending request.
As can be seen from the above description, the existing terminal device has limited abnormalities that can be detected, and the detection accuracy is not high. On the one hand, since the application directly intercepts the exception information, it is impossible to determine what the exception is. On the other hand, the application may receive the anomaly information, but the application can only identify the anomaly information in a limited number of ways, so that the accuracy of anomaly detection is not high.
To avoid failing to identify anomalies accurately in these two situations, the execution subject of the present application may modify the receiving address to obtain an updated receiving address, and then replace the receiving address in the data transmission request with the updated receiving address to obtain an updated data transmission request. This prevents the information from being detected directly by the application, which improves the accuracy of anomaly detection; at the same time, the information of all applications on the execution subject can be checked for anomalies at the same address, which improves the efficiency of anomaly detection. The updated receiving address is used for storing the received information at a designated location. The designated location may be a location where information received by the execution subject is stored directly, without being processed by other applications. The designated location may be a data storage area set aside separately in the hard disk or memory of the execution subject, depending on actual requirements.
Step 203, transmitting the update data transmission request to the destination address, and storing feedback information corresponding to the update data transmission request transmitted from the destination address in the designated location.
The execution body may send the update data transmission request to the destination address. In general, the execution agent may receive feedback information corresponding to the update data transmission request from the destination address. The execution body may store the feedback information directly in a designated location, rather than directly sending it to the corresponding application. Therefore, the accuracy of detecting the abnormity is improved.
Step 204, performing anomaly detection on the feedback information to obtain anomaly information.
The execution main body can perform abnormity detection on the feedback information at a designated position, and then obtain abnormity information. Thus, the defects of low detection capability of the application on the abnormality and the like are avoided, the accuracy of detecting the abnormality is improved, and the data processing pressure of the server 105 is reduced.
In some optional implementation manners of this embodiment, the feedback information includes a target feedback address, a feedback state identifier, a feedback information format, and a feedback information content, and the performing abnormality detection on the feedback information to obtain abnormality information may include the following steps:
First, query the target data port corresponding to the target feedback address.
As can be seen from the above description, the anomalies that occur may differ between data ports. To detect anomalies accurately, the execution subject first needs to query the target data port corresponding to the target feedback address. The query may obtain the target data port information directly from the feedback information. It may also look up the corresponding updated receiving address, find the receiving address before modification from the updated receiving address, and then determine the target data port.
Second, determine the target reference state identifier corresponding to the feedback state identifier from the target data port.
As can be seen from the above description, the state feedback information of a data port may include a reference state identifier, a reference information format, reference information content and other information. The execution subject may determine the target reference state identifier corresponding to the feedback state identifier from the target data port.
Third, in response to the target reference state identifier indicating that the information is abnormal, mark the feedback information as anomaly information.
When the target reference state identifier indicates that the information is abnormal, the execution subject may mark the feedback information as anomaly information. For example, the target reference state identifier is: normal at 400, but the feedback state identifier is: 200. In this case, the execution subject may mark the feedback information as anomaly information.
In some optional implementation manners of this embodiment, the performing abnormality detection on the feedback information to obtain abnormal information may include the following steps:
First, in response to the target reference state identifier indicating that the information is normal, comparing the feedback information format of the feedback information with the target reference information format of the target state feedback information.
When the target reference state identifier indicates that the information is normal, the execution body may compare the feedback information format of the feedback information with the target reference information format of the target state feedback information to check further for anomalies.
Second, in response to the feedback information format being different from the target reference information format, marking the feedback information as abnormal information.
When the feedback information format and the target reference information format are different, the feedback information may be considered abnormal.
In some optional implementation manners of this embodiment, the performing abnormality detection on the feedback information to obtain abnormal information may include the following steps:
First, in response to the feedback information format being the same as the target reference information format, comparing the feedback information content of the feedback information with the target reference information content of the target state feedback information.
When the feedback information format is normal, the execution body can further compare the feedback information content with the target reference information content of the target state feedback information.
Second, in response to the feedback information content being different from the target reference information content, marking the feedback information as abnormal information.
When the feedback information content differs from the target reference information content, the feedback information is marked as abnormal information.
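The three-stage check described above (state identifier, then format, then content), as an added JavaScript example that is not part of the patent text. The reference table, the field names, the treatment of unknown ports and unknown state identifiers as abnormal, and the reading of "reference information content" as required field values in a JSON body are assumptions made for this illustration.

```javascript
// Added illustration; every name here is hypothetical, not taken from the patent.

// Per-data-port "state feedback information": each entry holds a reference state
// identifier, whether that identifier represents normal information, and (for
// normal entries) the reference information format and reference content.
const PORT_REFERENCES = {
  '/api/user': [
    { status: 200, normal: true, format: 'application/json', content: { code: 0 } },
    { status: 400, normal: false },
    { status: 500, normal: false },
  ],
  '/api/ping': [{ status: 204, normal: true, format: null, content: null }],
};

// Designated location: feedback is stored here instead of being handed to the app.
const designatedStore = [];

// Resolve the target data port from the target feedback address (path only).
function resolvePort(address) {
  const path = new URL(address, 'http://placeholder.invalid').pathname;
  return Object.prototype.hasOwnProperty.call(PORT_REFERENCES, path) ? path : null;
}

// "application/json; charset=utf-8" -> "application/json"; missing -> null.
function normalizeFormat(value) {
  return value ? String(value).split(';')[0].trim().toLowerCase() : null;
}

function verdict(feedback, port, reason) {
  return { address: feedback.address, port, status: feedback.status,
           anomalous: reason !== null, reason };
}

function detectAnomaly(feedback) {
  const port = resolvePort(feedback.address);
  if (port === null) return verdict(feedback, null, 'unknown-port'); // assumption

  // Stage 1: find the reference state identifier matching the feedback's identifier.
  const ref = PORT_REFERENCES[port].find((r) => r.status === feedback.status);
  if (!ref) return verdict(feedback, port, 'unknown-status'); // assumption
  if (!ref.normal) return verdict(feedback, port, 'abnormal-status');

  // Stage 2: only reached when the state identifier represents normal information.
  if (normalizeFormat(feedback.format) !== ref.format) {
    return verdict(feedback, port, 'format-mismatch');
  }

  // Stage 3: only reached when the format matches. Reference content is only
  // defined for JSON ports in this table, so the body is parsed as JSON.
  if (ref.content !== null) {
    let body;
    try {
      body = JSON.parse(feedback.body);
    } catch (err) {
      return verdict(feedback, port, 'format-mismatch'); // declared JSON, is not
    }
    if (body === null || typeof body !== 'object') {
      return verdict(feedback, port, 'content-mismatch');
    }
    for (const [key, expected] of Object.entries(ref.content)) {
      if (body[key] !== expected) return verdict(feedback, port, 'content-mismatch');
    }
  }
  return verdict(feedback, port, null);
}

// Constructed sample feedback, stored at the designated location and then checked.
const SAMPLES = [
  { address: 'https://example.test/api/user?id=7', status: 200,
    format: 'application/json; charset=utf-8', body: '{"code":0,"name":"a"}' },
  { address: 'https://example.test/api/user', status: 500,
    format: 'text/html', body: '<h1>error</h1>' },
  { address: 'https://example.test/api/user', status: 200,
    format: 'text/html', body: '<html>login page</html>' },
  { address: 'https://example.test/api/user', status: 200,
    format: 'application/json', body: '{"code":1001,"msg":"denied"}' },
  { address: 'https://example.test/api/ping', status: 204, body: '' },
  { address: 'https://example.test/api/other', status: 200,
    format: 'application/json', body: '{}' },
];

function runSamples() {
  return SAMPLES.map((feedback) => {
    designatedStore.push(feedback);
    return detectAnomaly(feedback).reason;
  });
}

console.log(runSamples());
```

The third and fourth samples are the cases a status-only check misses: a 200 response carrying an HTML page, and a 200 JSON response whose body reports a failure code.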
In some optional implementation manners of this embodiment, the feedback information may include source address information, where the source address information may be used to characterize the network address from which the feedback information is sent, and the performing anomaly detection on the feedback information to obtain abnormal information may further include: in response to the network address of the current device and the source address information not being in the same network domain and the feedback information being normal, sending the feedback information to the information sending application according to the receiving address.
The feedback information may also include source address information. When the execution subject and the source address information are not in the same network domain, in order to ensure security, the information sending application usually directly intercepts feedback information from different network domains, and the feedback information at this time may not have a security risk. For this reason, when the network address and the source address information are not in the same network domain and the feedback information is normal, the execution body may send the feedback information to the information sending application according to the receiving address. For example, the execution subject can utilize a try catch component of the browser to capture the abnormal feedback information of different network domains, and can bypass the interception of the browser to realize the interaction of data between different network domains. In this way, the information sending application is prevented from intercepting the feedback information, and normal information interaction between the server 105 and the information sending application is ensured.
The above-mentioned contents realize the anomaly detection of the feedback information outside the information sending application, overcome the defects that the existing information sending application cannot detect the anomaly or has low accuracy of detecting the anomaly, realize the accurate detection of the anomaly at the terminal side, and are beneficial to reducing the data processing pressure of the server 105.
With continued reference to fig. 3, fig. 3 is a schematic diagram of an application scenario of the method for detecting an anomaly according to the present embodiment. In the application scenario of fig. 3, the browser on the execution body (terminal device 103) may send an Ajax request to the server 105 to obtain specified information on the server 105. The execution body first extracts the destination address and the receiving address from the Ajax request; it then modifies the receiving address into an updated receiving address corresponding to the designated location on the execution body, so that the feedback information received by the execution body is stored at the designated location and is not sent directly to the browser; next, the execution body may send the modified Ajax request at the designated location and receive the corresponding feedback information; finally, the execution body performs anomaly detection on the feedback information at the designated location to obtain abnormal information.
In the method provided by the above embodiment of the present disclosure, first, when a data sending request is detected, the destination address and the receiving address of the data sending request are obtained; then, the receiving address is modified to obtain an updated receiving address, and the receiving address in the data sending request is replaced with the updated receiving address to obtain an updated data sending request, so that information is received at the designated location corresponding to the updated receiving address and the application corresponding to the data sending request does not receive the information directly; then, the updated data sending request is sent to the destination address, and the feedback information sent from the destination address in response to the updated data sending request is stored at the designated location. This avoids the terminal performing anomaly detection separately on each piece of feedback information of each application, and improves the efficiency of the terminal's anomaly detection on the feedback information; finally, anomaly detection is performed on the feedback information to obtain abnormal information. The method can improve the efficiency and accuracy of anomaly detection at the terminal.
With further reference to FIG. 4, a flow 400 of yet another embodiment of a method for detecting anomalies is shown. The flow 400 of the method for detecting anomalies includes the steps of:
Step 401, in response to detecting a data transmission request, acquiring a destination address and a receiving address of the data transmission request.
The content of step 401 is the same as that of step 201, and is not described in detail here.
Step 402, modifying the receiving address to obtain an updated receiving address, and replacing the receiving address in the data sending request with the updated receiving address to obtain an updated data sending request.
Step 402 is the same as step 202, and is not described in detail here.
Step 403, sending the updated data sending request to the destination address, and storing, at the designated location, the feedback information sent from the destination address in response to the updated data sending request.
The content of step 403 is the same as that of step 203, and is not described in detail here.
Step 404, performing anomaly detection on the feedback information to obtain abnormal information.
Step 404 is the same as step 204, and is not described in detail here.
Step 405, sending the abnormal information in a set manner.
After obtaining the abnormal information, the execution body may send the abnormal information to the server 105 in a set manner, to reduce the data processing pressure on the server 105 when detecting anomalies. The set manner may include at least one of the following: offline transmission, delayed transmission, and sampling transmission.
Offline transmission may be sending the log related to the abnormal information to the server 105 at a fixed time after the abnormal information is determined. Delayed transmission may be sending the log related to the abnormal information to the server 105 at set intervals, which prevents a large number of data sending requests from being issued to the server 105 in a short time and so reduces the data processing pressure on the server 105. Sampling transmission may be that the user determines whether to upload the log related to the abnormal information to the server 105 according to the size of a random number between 0 and 1.
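The sampling and delayed transmission modes described above, combined in one reporter, as an added JavaScript example that is not part of the patent text (offline transmission is not shown). The function and option names, the sample rate, the delay, and the choice to keep a log when the random draw is below the rate are assumptions.

```javascript
// Added illustration; createAnomalyReporter and its options are hypothetical.
function createAnomalyReporter({
  send,                    // callback that uploads one batch of anomaly logs
  sampleRate = 1,          // fraction of logs kept, between 0 and 1
  delayMs = 5000,          // set interval before a queued batch is uploaded
  random = Math.random,    // injectable so sampling can be tested
  schedule = setTimeout,   // injectable so the delay can be tested
}) {
  const queue = [];
  let timer = null;
  let dropped = 0;

  // Upload everything queued so far as a single request to the server.
  function flush() {
    timer = null;
    if (queue.length === 0) return 0;
    const batch = queue.splice(0, queue.length);
    send(batch);
    return batch.length;
  }

  function report(entry) {
    // Sampling transmission: draw a number in [0, 1) and keep the log only
    // when the draw is below the configured rate.
    if (random() >= sampleRate) {
      dropped += 1;
      return false;
    }
    queue.push(entry);
    // Delayed transmission: the first queued log starts one timer; logs that
    // arrive before it fires ride in the same batch instead of each
    // triggering a request of their own.
    if (timer === null) timer = schedule(flush, delayMs);
    return true;
  }

  // The dropped count lets the server side scale sampled totals back up.
  return { report, flush, stats: () => ({ queued: queue.length, dropped }) };
}

// Constructed run with a fixed sequence of draws and a fake scheduler.
function demoReporter() {
  const sent = [];
  const pending = [];
  const draws = [0.10, 0.90, 0.49, 0.50];
  let i = 0;
  const reporter = createAnomalyReporter({
    send: (batch) => sent.push(batch),
    sampleRate: 0.5,
    delayMs: 3000,
    random: () => draws[i++],
    schedule: (fn, ms) => pending.push({ fn, ms }),
  });
  const kept = ['a', 'b', 'c', 'd'].map((id) => reporter.report({ id }));
  const timersStarted = pending.length;
  pending[0].fn(); // the delay elapses
  return { kept, timersStarted, sent, stats: reporter.stats() };
}

console.log(JSON.stringify(demoReporter()));
```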
With further reference to fig. 5, as an implementation of the methods shown in the above figures, the present disclosure provides an embodiment of an apparatus for detecting an anomaly, which corresponds to the method embodiment shown in fig. 2, and which is particularly applicable in various electronic devices.
As shown in fig. 5, the apparatus 500 for detecting an abnormality of the present embodiment may include: an address acquisition unit 501, a request update unit 502, an information transceiving unit 503, and an abnormality detection unit 504. The address obtaining unit 501, in response to detecting a data transmission request, is configured to obtain a destination address and a receiving address of the data transmission request; a request updating unit 502 configured to modify the receiving address to obtain an updated receiving address, and replace the receiving address in the data sending request with the updated receiving address to obtain an updated data sending request, where the updated receiving address is used to store the received information to a specified location; an information transceiver unit 503 configured to transmit the update data transmission request to the destination address, and store feedback information corresponding to the update data transmission request transmitted from the destination address in the designated location; an abnormality detection unit 504 configured to perform abnormality detection on the feedback information to obtain abnormality information.
In some optional implementations of this embodiment, the address obtaining unit 501 may include: an application query subunit (not shown), an original function acquisition subunit (not shown), and an address acquisition subunit (not shown). Wherein, the application query subunit is configured to query the information sending application which sends the data sending request; the original function acquiring subunit is configured to acquire at least one original function corresponding to the data sending request from the information sending application; the address acquisition subunit is configured to screen out an information sending function from the at least one original function, and analyze the data sending request according to the information sending function to obtain a destination address and a receiving address, where the information sending function is used for sending the data sending request.
In some optional implementation manners of this embodiment, the information sending application includes at least one data port, and the application query subunit may include: an application query module (not shown in the figure) configured to, for a data port of the at least one data port, obtain at least one piece of state feedback information of the data port, where the state feedback information is used to characterize whether information received by the corresponding data port is abnormal, and includes a reference state identifier, a reference information format, and reference information content.
In some optional implementation manners of this embodiment, the feedback information includes a target feedback address, a feedback state identifier, a feedback information format, and a feedback information content, and the abnormality detecting unit 504 may include: a target data port query subunit (not shown), a target reference state identification determining subunit (not shown), and a first anomaly marking subunit (not shown). The target data port query subunit is configured to query a target data port corresponding to the target feedback address; the target reference state identification determining subunit is configured to determine, from the target data port, a target reference state identification corresponding to the feedback state identification; and the first abnormity marking subunit is used for responding to the target reference state identification characterization information abnormity and marking the feedback information as abnormity information.
In some optional implementations of the present embodiment, the abnormality detecting unit 504 may include: a format comparison subunit (not shown) and a second anomaly marking subunit (not shown). The format comparison subunit, in response to that the target reference state identifier representation information is normal, is configured to compare a feedback information format of the feedback information with a target reference information format of the target state feedback information; and the second abnormity marking subunit is used for marking the feedback information as abnormal information in response to the difference between the feedback information format and the target reference information format.
In some optional implementations of the present embodiment, the abnormality detecting unit 504 may include: a content comparison subunit (not shown in the figure) and a third anomaly marking subunit (not shown in the figure). Wherein, the content comparison subunit, in response to the feedback information format being the same as the target reference information format, is configured to compare the feedback information content of the feedback information with the target reference information content of the target state feedback information; and a third anomaly marking subunit, which marks the feedback information as anomaly information in response to the feedback information content and the target reference information content being different.
In some optional implementation manners of this embodiment, the feedback information includes source address information, where the source address information is used to characterize the network address from which the feedback information is sent, and the anomaly detection unit 504 may further include: an information returning subunit (not shown in the figure) configured to, in response to the network address of the current device and the source address information not being in the same network domain and the feedback information being normal, send the feedback information to the information sending application according to the receiving address.
In some optional implementations of the present embodiment, the apparatus 500 for detecting an abnormality may include: an information sending unit (not shown in the figure) configured to send the abnormality information according to a setting mode, wherein the setting mode includes at least one of the following modes: offline transmission, delayed transmission and sampling transmission.
The present embodiment also provides an electronic device, including: one or more processors; a memory having one or more programs stored thereon that, when executed by the one or more processors, cause the one or more processors to perform the method for detecting anomalies described above.
The present embodiment also provides a computer-readable medium, on which a computer program is stored, which program, when being executed by a processor, carries out the above-mentioned method for detecting an abnormality.
Referring now to FIG. 6, shown is a block diagram of a computer system 600 suitable for use with an electronic device (e.g., terminal devices 101, 102, 103 of FIG. 1) implementing an embodiment of the present disclosure. The electronic device shown in fig. 6 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present disclosure.
As shown in fig. 6, electronic device 600 may include a processing means (e.g., central processing unit, graphics processor, etc.) 601 that may perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM)602 or a program loaded from a storage means 608 into a Random Access Memory (RAM) 603. In the RAM 603, various programs and data necessary for the operation of the electronic apparatus 600 are also stored. The processing device 601, the ROM 602, and the RAM 603 are connected to each other via a bus 604. An input/output (I/O) interface 605 is also connected to bus 604.
Generally, the following devices may be connected to the I/O interface 605: input devices 606 including, for example, a touch screen, touch pad, keyboard, mouse, camera, microphone, accelerometer, gyroscope, etc.; output devices 607 including, for example, a Liquid Crystal Display (LCD), a speaker, a vibrator, and the like; storage 608 including, for example, tape, hard disk, etc.; and a communication device 609. The communication means 609 may allow the electronic device 600 to communicate with other devices wirelessly or by wire to exchange data. While fig. 6 illustrates an electronic device 600 having various means, it is to be understood that not all illustrated means are required to be implemented or provided. More or fewer devices may alternatively be implemented or provided. Each block shown in fig. 6 may represent one device or may represent multiple devices as desired.
In particular, according to an embodiment of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network via the communication means 609, or may be installed from the storage means 608, or may be installed from the ROM 602. The computer program, when executed by the processing device 601, performs the above-described functions defined in the methods of embodiments of the present disclosure.
It should be noted that the computer readable medium mentioned above in the embodiments of the present disclosure may be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In embodiments of the disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In embodiments of the present disclosure, however, a computer readable signal medium may comprise a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. 
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: electrical wires, optical cables, RF (radio frequency), etc., or any suitable combination of the foregoing.
The computer readable medium may be embodied in the electronic device; or may exist separately without being assembled into the electronic device. The computer readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to: responding to the detected data sending request, and acquiring a destination address and a receiving address of the data sending request; modifying the receiving address to obtain an updated receiving address, replacing the receiving address in the data sending request with the updated receiving address to obtain an updated data sending request, wherein the updated receiving address is used for storing the received information to a specified position; transmitting the update data transmission request to the destination address, and storing feedback information corresponding to the update data transmission request transmitted from the destination address in the designated location; and carrying out abnormity detection on the feedback information to obtain abnormal information.
Computer program code for carrying out operations for embodiments of the present disclosure may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++, and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units described in the embodiments of the present disclosure may be implemented by software or hardware. The described units may also be provided in a processor, and may be described as: a processor includes an address acquisition unit, a request update unit, an information transceiving unit, and an abnormality detection unit. Here, the names of these units do not constitute a limitation to the unit itself in some cases, and for example, the abnormality detection unit may also be described as "a unit for detecting abnormality of feedback information".
The foregoing description is only exemplary of the preferred embodiments of the disclosure and is illustrative of the principles of the technology employed. It will be appreciated by those skilled in the art that the scope of the invention in the present disclosure is not limited to the specific combination of the above-mentioned features, but also encompasses other embodiments in which any combination of the above-mentioned features or their equivalents is possible without departing from the inventive concept as defined above. For example, technical solutions formed by replacing the above features with (but not limited to) features having similar functions disclosed in this disclosure.

Claims (18)

1. A method for detecting anomalies, comprising:
responding to the detected data sending request, and acquiring a destination address and a receiving address of the data sending request;
modifying the receiving address to obtain an updated receiving address, replacing the receiving address in the data sending request with the updated receiving address to obtain an updated data sending request, wherein the updated receiving address is used for storing the received information to a specified position;
sending the update data sending request to the destination address, and storing feedback information corresponding to the update data sending request sent from the destination address in the specified position;
and performing anomaly detection on the feedback information to obtain abnormal information.
2. The method of claim 1, wherein the obtaining a destination address and a receiving address of the data transmission request comprises:
inquiring an information sending application sending the data sending request;
acquiring at least one original function corresponding to the data transmission request from the information transmission application;
and screening an information sending function from the at least one original function, analyzing the data sending request according to the information sending function to obtain a destination address and a receiving address, wherein the information sending function is used for sending the data sending request.
3. The method of claim 2, wherein the information sending application comprises at least one data port, and
the querying of the information sending application that sends the data sending request includes:
and for a data port in the at least one data port, acquiring at least one piece of state feedback information of the data port, wherein the state feedback information is used for representing whether the information received by the corresponding data port is abnormal or not, and comprises a reference state identifier, a reference information format and reference information content.
4. The method of claim 3, wherein the feedback information comprises a target feedback address, a feedback status identification, a feedback information format, and a feedback information content, and
the performing abnormality detection on the feedback information to obtain abnormal information includes:
inquiring a target data port corresponding to the target feedback address;
determining a target reference state identifier corresponding to the feedback state identifier from the target data port;
and responding to the abnormity of the target reference state identification characterization information, and marking the feedback information as abnormal information.
5. The method of claim 4, wherein the performing anomaly detection on the feedback information to obtain anomaly information comprises:
responding to the normal representation information of the target reference state identifier, and comparing the feedback information format of the feedback information with the target reference information format of the target state feedback information;
and in response to the feedback information format being different from the target reference information format, marking the feedback information as abnormal information.
6. The method of claim 5, wherein the performing anomaly detection on the feedback information to obtain anomaly information comprises:
in response to that the feedback information format is the same as the target reference information format, comparing the feedback information content of the feedback information with the target reference information content of the target state feedback information;
and in response to the feedback information content being different from the target reference information content, marking the feedback information as abnormal information.
7. The method of claim 4, wherein the feedback information comprises source address information characterizing a network address from which the feedback information is sent, and
the performing abnormality detection on the feedback information to obtain abnormality information further includes:
and responding to the situation that the network address of the current equipment and the source address information are not in the same network domain and the feedback information is normal, and sending the feedback information to the information sending application according to the receiving address.
8. The method according to any one of claims 1 to 7, wherein the method comprises:
sending the abnormal information according to a setting mode, wherein the setting mode comprises at least one of the following items: offline transmission, delayed transmission and sampling transmission.
9. An apparatus for detecting anomalies, comprising:
an address acquisition unit configured to acquire a destination address and a receiving address of a data sending request in response to detecting the data sending request;
a request updating unit configured to modify the receiving address to obtain an updated receiving address, and replace the receiving address in the data sending request with the updated receiving address to obtain an updated data sending request, wherein the updated receiving address is used to store received information at a designated location;
an information transceiving unit configured to send the updated data sending request to the destination address, and store, at the designated location, feedback information that is sent from the destination address and corresponds to the updated data sending request;
and an anomaly detection unit configured to perform anomaly detection on the feedback information to obtain abnormal information.
10. The apparatus of claim 9, wherein the address acquisition unit comprises:
an application query subunit configured to query an information sending application that issued the data sending request;
an original function acquiring subunit configured to acquire at least one original function corresponding to the data sending request from the information sending application;
and an address acquisition subunit configured to select an information sending function from the at least one original function, and parse the data sending request according to the information sending function to obtain the destination address and the receiving address, wherein the information sending function is used for sending the data sending request.
11. The apparatus of claim 10, wherein the information sending application comprises at least one data port, and
the application query subunit comprises:
an application query module configured to acquire, for a data port of the at least one data port, at least one piece of state feedback information of the data port, wherein the state feedback information characterizes whether information received by the corresponding data port is abnormal, and comprises a reference state identifier, a reference information format and reference information content.
12. The apparatus of claim 11, wherein the feedback information comprises a target feedback address, a feedback state identifier, a feedback information format, and feedback information content, and
the anomaly detection unit comprises:
a target data port query subunit configured to query a target data port corresponding to the target feedback address;
a target reference state identifier determining subunit configured to determine, from the target data port, a target reference state identifier corresponding to the feedback state identifier;
a first anomaly marking subunit configured to mark the feedback information as abnormal information in response to the target reference state identifier characterizing the information as abnormal.
13. The apparatus of claim 12, wherein the anomaly detection unit comprises:
a format comparison subunit configured to compare the feedback information format of the feedback information with a target reference information format of the target state feedback information in response to the target reference state identifier characterizing the information as normal;
a second anomaly marking subunit configured to mark the feedback information as abnormal information in response to the feedback information format being different from the target reference information format.
14. The apparatus of claim 13, wherein the anomaly detection unit comprises:
a content comparison subunit configured to compare the feedback information content of the feedback information with a target reference information content of the target state feedback information in response to the feedback information format being the same as the target reference information format;
and a third anomaly marking subunit configured to mark the feedback information as abnormal information in response to the feedback information content being different from the target reference information content.
15. The apparatus of claim 12, wherein the feedback information comprises source address information characterizing a network address from which the feedback information is sent, and
the anomaly detection unit further comprises:
an information returning subunit configured to send the feedback information to the information sending application according to the receiving address in response to the network address of the current device and the source address information not being in the same network domain and the feedback information being normal.
16. The apparatus of any of claims 9 to 15, wherein the apparatus comprises:
an information sending unit configured to send the abnormality information in a set manner, the set manner including at least one of: offline transmission, delayed transmission and sampling transmission.
17. An electronic device, comprising:
one or more processors;
a memory having one or more programs stored thereon,
the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of any of claims 1-8.
18. A computer-readable medium, on which a computer program is stored which, when being executed by a processor, carries out the method according to any one of claims 1 to 8.
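The tiered check recited in claims 5 to 7 (and 12 to 15) can be read as the decision procedure below. This is an added illustration, not code from the patent or its applicant. The class and function names, the sample port table, exact string comparison for format and content, and modelling a "network domain" as an IP prefix are all assumptions; the sending modes of claim 8 are left out.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Reference:              # one "state feedback information" entry of a data port
    state_is_abnormal: bool   # what the reference state identifier characterizes
    fmt: str                  # reference information format
    content: str              # reference information content

@dataclass(frozen=True)
class Feedback:
    target_address: str       # target feedback address, selects the data port
    status: str               # feedback state identifier
    fmt: str
    content: str
    source_ip: str            # source address information

# Constructed sample data: data port -> {state identifier -> reference entry}
PORTS = {
    "app://sender/port-1": {
        "200": Reference(False, "json", '{"ok":true}'),
        "500": Reference(True, "json", ""),
    },
}

def detect(fb, ports=PORTS):
    """Return None when the feedback is normal, else the reason it is abnormal."""
    ref = ports.get(fb.target_address, {}).get(fb.status)
    if ref is None:
        return "no-reference"      # assumption: unmatched feedback is treated as abnormal
    if ref.state_is_abnormal:
        return "abnormal-state"    # claim 12: reference state characterizes an anomaly
    if fb.fmt != ref.fmt:
        return "format-mismatch"   # claims 5 and 13
    if fb.content != ref.content:
        return "content-mismatch"  # claims 6 and 14 (exact match is an assumption)
    return None

def route(fb, local_net, ports=PORTS):
    """Decide what happens to stored feedback: report it or hand it back."""
    reason = detect(fb, ports)
    if reason is not None:
        return ("report", reason)
    if ip_address(fb.source_ip) not in ip_network(local_net):
        return ("deliver", None)   # claims 7 and 15: normal and cross-domain
    return ("no-action", None)     # same-domain case is not specified by the claims

if __name__ == "__main__":
    sample = Feedback("app://sender/port-1", "200", "html", "<html>", "198.51.100.7")
    print(route(sample, "192.0.2.0/24"))
```

Each stage runs only when the previous one passed, so content is never compared against a reference whose format already differs.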
CN201911202522.9A 2019-11-29 2019-11-29 Method and apparatus for detecting anomalies Active CN112887162B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911202522.9A CN112887162B (en) 2019-11-29 2019-11-29 Method and apparatus for detecting anomalies

Publications (2)

Publication Number Publication Date
CN112887162A true CN112887162A (en) 2021-06-01
CN112887162B CN112887162B (en) 2022-03-29

Family

ID=76039062

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911202522.9A Active CN112887162B (en) 2019-11-29 2019-11-29 Method and apparatus for detecting anomalies

Country Status (1)

Country Link
CN (1) CN112887162B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant