CN113098884A - Network security monitoring method based on big data, cloud platform system and medium - Google Patents


Info

Publication number
CN113098884A
Authority
CN
China
Prior art keywords
risk attack
behavior
attack
risk
target
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
CN202110396269.6A
Other languages
Chinese (zh)
Inventor
黄岳荣
郭栋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual
Priority to CN202110396269.6A
Publication of CN113098884A
Legal status: Withdrawn (current)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F 16/90 Details of database functions independent of the retrieved data types
    • G06F 16/906 Clustering; Classification
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L 63/00
    • H04L 2463/146 Tracing the source of attacks

Abstract

The invention relates to the technical field of big data, and in particular to a big data based network security monitoring method, a cloud platform system and a medium. According to the invention, an initial risk attack behavior is determined from a risk attack behavior data cluster, and the target risk attack flow is detected by further dividing the initial risk attack behavior into a plurality of flow monitoring objects. The flow monitoring and tracing operation as a whole therefore locates information more accurately, its efficiency is improved, and the requirement for real-time, rapid flow monitoring is met. A plurality of risk attack behavior data clusters can be processed, the risk attack flow in which the reference risk attack behavior is located can be accurately determined, and flow monitoring with accurate information positioning can be carried out for the target key behavior monitoring scheme, improving both the accuracy and the information positioning performance of the flow monitoring and tracing operation.

Description

Network security monitoring method based on big data, cloud platform system and medium
Technical Field
The invention relates to the technical field of big data, and in particular to a big data based network security monitoring method, a cloud platform system and a medium.
Background
In the current business environment, a variety of information promotion services are offered to users on new media. The users who invest in these services want them to genuinely reach their own client groups, but the services are exposed to risk attacks, so that the intermediate benefits are often illegally appropriated by certain intermediate service providers.
Accordingly, after risk attack confirmation has been carried out on the risk attack behavior trajectory data collected from the information promotion service platform, flow monitoring and tracing is performed to support subsequent business optimization. How to improve the accuracy of information positioning during the flow monitoring and tracing operation, guarantee the accuracy of that operation, and ensure the correct operation of the information promotion service is a technical problem that urgently needs to be solved in this field.
Disclosure of Invention
To overcome at least the above deficiencies of the prior art, the present invention provides a big data based network security monitoring method, a cloud platform system and a medium. An initial risk attack behavior is determined from a risk attack behavior data cluster, and the target risk attack flow is detected by further dividing the initial risk attack behavior into a plurality of flow monitoring objects, so that the whole flow monitoring and tracing operation locates information more accurately. This improves the efficiency of the flow monitoring and tracing operation and meets the requirement for real-time, rapid flow monitoring; the risk attack flows in which the reference risk attack behaviors of a plurality of clusters are located can be accurately determined, flow monitoring with accurate information positioning can be carried out for the target key behavior monitoring scheme, and both the accuracy and the information positioning performance of the flow monitoring and tracing operation are improved.
In a first aspect, the present invention provides a big data based network security monitoring method applied to a server, where the server is communicatively connected to a plurality of information promotion service platforms, and the method includes:
acquiring risk attack behavior trajectory data for which risk attack confirmation analysis has been completed on the information promotion service platform, and clustering the risk attack behavior trajectory data according to different risk label attributes to obtain a plurality of risk attack behavior data clusters; and
determining, from the risk attack behavior data clusters, the target risk attack flow in which a reference risk attack behavior is located, and performing a flow monitoring and tracing operation on the target risk attack flow according to a flow monitoring strategy corresponding to the target key behavior monitoring scheme, where the reference risk attack behavior is an initial risk attack behavior screened out of the risk attack behavior data clusters and is obtained by screening after the initial risk attack behavior has been further divided into a plurality of flow monitoring objects.
In a second aspect, an embodiment of the present invention further provides a big data based network security monitoring apparatus applied to a server, where the server is communicatively connected to a plurality of information promotion service platforms, and the apparatus includes:
a clustering module for acquiring risk attack behavior trajectory data for which risk attack confirmation analysis has been completed on the information promotion service platform, and for clustering the risk attack behavior trajectory data according to different risk label attributes to obtain a plurality of risk attack behavior data clusters; and
a tracing module for determining, from the risk attack behavior data clusters, the target risk attack flow in which the reference risk attack behavior is located, and for performing a flow monitoring and tracing operation on the target risk attack flow according to a flow monitoring strategy corresponding to the target key behavior monitoring scheme.
In a third aspect, an embodiment of the present invention further provides a big data based network security monitoring cloud platform system, which includes a server and a plurality of information promotion service platforms communicatively connected to the server;
the server is configured to:
acquire risk attack behavior trajectory data for which risk attack confirmation analysis has been completed on the information promotion service platform, and cluster the risk attack behavior trajectory data according to different risk label attributes to obtain a plurality of risk attack behavior data clusters; and
determine, from the risk attack behavior data clusters, the target risk attack flow in which the reference risk attack behavior is located, and perform a flow monitoring and tracing operation on the target risk attack flow according to a flow monitoring strategy corresponding to the target key behavior monitoring scheme.
In a fourth aspect, an embodiment of the present invention further provides a readable storage medium storing computer-executable instructions which, when executed by a processor, implement the big data based network security monitoring method described above.
According to any of these aspects, the initial risk attack behavior can be determined from the risk attack behavior data cluster, and the target risk attack flow detected by further dividing the initial risk attack behavior into a plurality of flow monitoring objects, so that the whole flow monitoring and tracing operation locates information more accurately. This improves the efficiency of the flow monitoring and tracing operation and meets the requirement for real-time, rapid flow monitoring; a plurality of risk attack behavior data clusters can be processed, the risk attack flow in which the reference risk attack behavior is located can be accurately determined, flow monitoring with accurate information positioning can be carried out for the target key behavior monitoring scheme, and both the accuracy and the information positioning performance of the flow monitoring and tracing operation are improved.
Drawings
To illustrate the technical solutions of the embodiments more clearly, the drawings referred to in the embodiments are briefly described below. It should be understood that the following drawings illustrate only some embodiments of the present invention and should therefore not be considered as limiting its scope; those skilled in the art can derive other related drawings from them without inventive effort.
Fig. 1 is a schematic diagram of an application scenario of a big data based network security monitoring cloud platform system according to an embodiment of the present invention;
Fig. 2 is a schematic flowchart of a big data based network security monitoring method according to an embodiment of the present invention;
Fig. 3 is a functional block diagram of a big data based network security monitoring apparatus according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of the structural components of a server for implementing the above big data based network security monitoring method according to an embodiment of the present invention.
Detailed Description
The present invention is described below with reference to the drawings of the specification; the specific operations in the method embodiment also apply to the apparatus embodiment and the cloud platform system embodiment.
Fig. 1 is an interaction diagram of a big data based network security monitoring cloud platform system 10 according to an embodiment of the present invention. The system 10 may include a server 100 and an information promotion service platform 200 communicatively connected to the server 100. The system 10 shown in Fig. 1 is only one possible example; in other embodiments, the system 10 may include only some of the components shown in Fig. 1 or may include other components as well.
In this embodiment, the server 100 and the information promotion service platform 200 in the system 10 may cooperatively execute the big data based network security monitoring method described in the following method embodiment; the steps executed by the server 100 and by the information promotion service platform 200 are detailed there.
To solve the technical problem described in the background above, Fig. 2 is a flowchart of a big data based network security monitoring method according to an embodiment of the present invention. The method may be executed by the server 100 shown in Fig. 1 and is described in detail below.
Step S110: acquire risk attack behavior trajectory data, and cluster it according to different risk label attributes to obtain a plurality of risk attack behavior data clusters.
The risk attack behavior trajectory data may include trajectory data of payment attack behavior, tampering attack behavior and the like, and may also include trajectory data of other risk attack behaviors.
The risk attack behavior trajectory data may be obtained in several ways: collected by various data collection programs during service operation; loaded from a local storage container where it was stored in advance; or downloaded from a third-party database. It may of course also be obtained in other ways, and the specific acquisition method is not limited here.
After the risk attack behavior trajectory data is obtained, it may be filtered according to different risk label attributes in order to obtain big data sequences with different behavior characteristics, yielding a plurality of risk attack behavior data clusters with different risk label attributes. The plurality of clusters may include risk attack behavior trajectory data that has not been clustered, and the clusters together may form a big data hierarchy.
Step S120: determine, from the risk attack behavior data clusters, the target risk attack flow in which the reference risk attack behavior is located, and perform a flow monitoring and tracing operation on the target risk attack flow according to a flow monitoring strategy corresponding to the target key behavior monitoring scheme.
In this embodiment, the reference risk attack behavior is an initial risk attack behavior obtained by screening the risk attack behavior data clusters, and is obtained by screening after the initial risk attack behavior has been further divided into a plurality of flow monitoring objects.
Once the target risk attack flow in which the reference risk attack behavior is located has been determined, the flow monitoring and tracing operation can be performed on it according to the flow monitoring strategy corresponding to the target key behavior monitoring scheme. For example, when the target key behavior monitoring scheme is the key behavior monitoring scheme for information tampering behavior, the flow monitoring and tracing operation can be performed on the target risk attack flow by the pre-trained flow monitoring and tracing model corresponding to that scheme. As another example, when the target key behavior monitoring scheme is the key behavior monitoring scheme for payment interception behavior, the operation can be performed by the pre-trained flow monitoring and tracing model corresponding to the scheme for payment interception behavior.
Through the above steps, the initial risk attack behavior can be determined from the risk attack behavior data cluster, and the target risk attack flow detected by further dividing the initial risk attack behavior into a plurality of flow monitoring objects, so that the whole flow monitoring and tracing operation locates information more accurately. This improves the efficiency of the operation, meets the requirement for real-time, rapid flow monitoring, allows the plurality of risk attack behavior data clusters to be processed and the risk attack flow in which the reference risk attack behavior is located to be accurately determined for flow monitoring of the target key behavior monitoring scheme with accurate information positioning, and thereby improves both the accuracy and the information positioning performance of the flow monitoring and tracing operation.
In one embodiment, step S120 may be implemented by the following exemplary substeps.
Substep S121: determine, from each risk attack behavior data cluster respectively, the risk attack flows that conform to the target key behavior monitoring scheme, to obtain a plurality of initial risk attack behaviors.
In this embodiment, after the plurality of risk attack behavior data clusters has been obtained, a risk attack flow conforming to the target key behavior monitoring scheme may be determined from each cluster. For example, each cluster may be divided into a plurality of flow monitoring objects; the service characteristic distribution within each flow monitoring object is then detected, the probability that the flow monitoring object belongs to the target key behavior monitoring scheme is determined from the service characteristic distribution in that region, and the risk attack flows whose probability exceeds a preset probability threshold are selected from the plurality of flow monitoring objects. The risk attack flows so selected conform to the target key behavior monitoring scheme and can therefore be taken as initial risk attack behaviors, yielding a plurality of initial risk attack behaviors.
In an embodiment, determining the risk attack flows conforming to the target key behavior monitoring scheme from each risk attack behavior data cluster to obtain a plurality of initial risk attack behaviors may include: acquiring a plurality of initial risk attack intelligence items preset on each risk attack behavior data cluster; calling the first machine learning network after model update, and predicting the risk attack flow within each initial risk attack intelligence item through that network to obtain behavior monitoring prediction information corresponding to each item; and determining, from each cluster and according to that prediction information, the risk attack flow in which the initial risk attack intelligence conforming to the target key behavior monitoring scheme is located, to obtain a plurality of initial risk attack behaviors.
To improve the accuracy of the flow monitoring and tracing operation, the risk attack behavior data cluster can be divided using initial risk attack intelligence items, and the risk attack flow within each item is detected. A plurality of initial risk attack intelligence items can be preset on each cluster and used to divide the risk attack behavior data into a plurality of flow monitoring objects. The intelligence type, intelligence coverage portion (behavior characteristics), quantity and behavior attribute of the items can be set flexibly according to actual requirements; for example, these may differ from one item to another, or items may partially overlap. When identification and analysis are needed, the plurality of initial risk attack intelligence items preset on each cluster can be obtained so that the risk attack flow within each item can be predicted.
It should be noted that a plurality of initial risk attack intelligence items may also be preset on the risk attack behavior trajectory data itself. When the trajectory data is clustered according to different risk label attributes, the items are clustered along with it, so that the resulting clusters also carry a plurality of initial risk attack intelligence items, which can then be obtained from each cluster.
In one embodiment, obtaining the plurality of initial risk attack intelligence items preset on each risk attack behavior data cluster may include: setting a target number of initial risk attack intelligence items on each cluster; and, when the target number of items on a cluster cannot cover that cluster, expanding the items according to a preset strategy until the plurality of items covers the cluster, to obtain the plurality of initial risk attack intelligence items.
Thus, to improve the analysis effect, the initial risk attack intelligence can be optimized. For example, after the target number of items has been set on each cluster, it may be determined whether they cover the cluster; if they do, no optimization of the items is required. If the target number of items on a cluster cannot cover it, the optimization operation is executed: further items are added, according to the preset strategy, to the target number already set, until the plurality of items covers the cluster, and the plurality of initial risk attack intelligence items is obtained.
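The following is an added worked example, not code from the patent, of the pipeline described in step S110, substep S121 and the coverage expansion above: records are clustered by risk label attribute, each cluster is divided into flow monitoring objects, the number of objects is grown one at a time (the assumed "preset strategy") until they cover the cluster, each object is scored with a probability of belonging to the target key behavior monitoring scheme, and objects above a preset probability threshold are kept as initial risk attack behaviors. The trajectory records, the two schemes, the per-record predicates that stand in for the first machine learning network's prediction, and the threshold and capacity values are all constructed assumptions for illustration.

```python
from collections import defaultdict
from typing import Callable, Dict, List

Record = Dict[str, object]

# Constructed sample of confirmed risk-attack trajectory records (not from the
# patent). "risk_label" is the risk label attribute used for clustering; the
# remaining fields are service characteristics used by the scoring stand-in.
TRAJECTORY_DATA: List[Record] = [
    {"id": 1, "risk_label": "tampering", "ts": 10, "content_edits": 3, "payment_redirects": 0},
    {"id": 2, "risk_label": "tampering", "ts": 12, "content_edits": 0, "payment_redirects": 0},
    {"id": 3, "risk_label": "tampering", "ts": 15, "content_edits": 4, "payment_redirects": 0},
    {"id": 4, "risk_label": "tampering", "ts": 20, "content_edits": 2, "payment_redirects": 1},
    {"id": 5, "risk_label": "tampering", "ts": 22, "content_edits": 0, "payment_redirects": 0},
    {"id": 6, "risk_label": "payment", "ts": 11, "content_edits": 0, "payment_redirects": 2},
    {"id": 7, "risk_label": "payment", "ts": 14, "content_edits": 0, "payment_redirects": 1},
    {"id": 8, "risk_label": "payment", "ts": 30, "content_edits": 0, "payment_redirects": 0},
]

# Hypothetical target key behavior monitoring schemes. Each maps to a predicate
# over one record saying whether the record shows the scheme's characteristic.
# This is a constructed stand-in for the first machine learning network.
SCHEMES: Dict[str, Callable[[Record], bool]] = {
    "information_tampering": lambda r: r["content_edits"] > 0,
    "payment_interception": lambda r: r["payment_redirects"] > 0,
}


def cluster_by_risk_label(records: List[Record]) -> Dict[str, List[Record]]:
    """Step S110: group records by risk label attribute, each cluster in time order."""
    clusters: Dict[str, List[Record]] = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["ts"]):
        clusters[rec["risk_label"]].append(rec)
    return dict(clusters)


def place_monitoring_objects(cluster: list, target_count: int, capacity: int) -> List[list]:
    """Divide one cluster into flow monitoring objects of at most `capacity`
    records each. Start with the target number of objects; if they cannot
    cover the cluster, add one object at a time (assumed preset strategy)
    until the whole cluster is covered. Empty trailing objects are dropped."""
    count = target_count
    while count * capacity < len(cluster):
        count += 1
    objects = []
    for i in range(count):
        chunk = cluster[i * capacity:(i + 1) * capacity]
        if chunk:
            objects.append(chunk)
    return objects


def scheme_probability(obj: List[Record], scheme: str) -> float:
    """Probability that a monitoring object belongs to the scheme: here the
    fraction of its records matching the scheme predicate (constructed
    stand-in for the network's behavior monitoring prediction information)."""
    matched = sum(1 for rec in obj if SCHEMES[scheme](rec))
    return matched / len(obj)


def select_initial_behaviors(records: List[Record], scheme: str,
                             threshold: float = 0.6, target_count: int = 1,
                             capacity: int = 2) -> List[dict]:
    """Substep S121: for every cluster, keep the monitoring objects whose
    probability of belonging to the target scheme exceeds the preset threshold."""
    selected = []
    for label, cluster in cluster_by_risk_label(records).items():
        for obj in place_monitoring_objects(cluster, target_count, capacity):
            p = scheme_probability(obj, scheme)
            if p > threshold:
                selected.append({"cluster": label,
                                 "ids": [r["id"] for r in obj],
                                 "probability": p})
    return selected


if __name__ == "__main__":
    for scheme in SCHEMES:
        print(scheme, select_initial_behaviors(TRAJECTORY_DATA, scheme))
```

With the constructed data the tampering cluster holds five records, so a single object of capacity two cannot cover it and the count grows to three objects; only the object holding records 3 and 4 exceeds the 0.6 threshold for the information tampering scheme, while records 6 and 7 are selected for payment interception. In a real deployment the predicate would be replaced by the trained network's output and the threshold tuned against labelled reference data.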
After the plurality of initial risk attack intelligence items preset on each risk attack behavior data cluster has been obtained, the first machine learning network after model update can be called. The type of this network can be set flexibly according to actual needs; its network model can be optimized and its network layers determined according to the computing resources actually available; it may additionally provide functions such as service label prediction and behavior attribute prediction; and it is used to determine the initial risk attack behaviors conforming to the target key behavior monitoring scheme.
The risk attack flow within each initial risk attack intelligence item can then be predicted through the first machine learning network after model update. For example, each risk attack behavior data cluster may be input to the network, which performs feature extraction and outputs a feature vector for the cluster; the risk attack flow within each item is then predicted from that feature vector, giving behavior monitoring prediction information for each item. That prediction information may include the scheme to which the flow belongs, the probability that it belongs to that category, and the like.
For example, when the scheme to which the risk attack flow in initial risk attack intelligence item A belongs is the key behavior monitoring scheme for information tampering behavior, the probability that the flow monitoring object belongs to that scheme and the probability that it does not may be calculated; and when the scheme to which the flow in item B belongs is the key behavior monitoring scheme for payment interception behavior, the probability that the flow monitoring object belongs to that scheme and the probability that it does not may be calculated. Predicting with the first machine learning network after model update allows the behavior monitoring prediction information to be detected quickly and accurately.
In this embodiment, after the behavior monitoring prediction information for each initial risk attack intelligence item has been obtained, the risk attack flow in which the item conforming to the target key behavior monitoring scheme is located may be determined from each risk attack behavior data cluster according to that prediction information, to obtain a plurality of initial risk attack behaviors.
In one embodiment, determining from each risk attack behavior data cluster, according to the behavior monitoring prediction information for each initial risk attack intelligence item, the risk attack flow in which the item conforming to the target key behavior monitoring scheme is located, to obtain a plurality of initial risk attack behaviors, may include: determining, according to that prediction information, the initial risk attack intelligence items conforming to the target key behavior monitoring scheme from each cluster, to obtain the target initial risk attack intelligence; and performing behavior attribute prediction on each target initial risk attack intelligence item through the first machine learning network after model update to obtain behavior attribute information for each item, and extracting from each cluster, according to that behavior attribute information, the risk attack flow in which the target initial risk attack intelligence is located, to obtain a plurality of initial risk attack behaviors.
To extract the required initial risk attack behavior accurately, behavior attribute information can be obtained by predicting the behavior attribute of the initial risk attack intelligence through the first machine learning network after model update. For example, according to the behavior monitoring prediction information for each item, the items conforming to the target key behavior monitoring scheme are determined from each cluster to obtain the target initial risk attack intelligence. Concretely, using prediction information such as whether the region belongs to the category of the key behavior monitoring scheme for information tampering behavior and the probability of that category within each item's region, the items belonging to the flow monitoring and tracing operation node of that scheme are selected from each cluster, giving the target initial risk attack intelligence.
Then, behavior attribute prediction is performed on each target initial risk attack intelligence item through the first machine learning network after model update to obtain the corresponding behavior attribute information, which can be set flexibly according to actual needs. The risk attack flow in which the target initial risk attack intelligence is located can then be extracted from each cluster according to that behavior attribute information, to obtain a plurality of initial risk attack behaviors.
In an embodiment, before predicting a risk attack flow in each initial risk attack intelligence through a first machine learning network after model update to obtain behavior monitoring prediction information corresponding to each initial risk attack intelligence, the network security monitoring method based on big data may further include: and acquiring reference risk attack behavior track data of a plurality of matching target key behavior monitoring schemes, and respectively setting a plurality of reference risk attack intelligence on each reference risk attack behavior track data. And calculating behavior monitoring and predicting information and behavior attribute information corresponding to a risk attack flow in each reference risk attack intelligence on each reference risk attack behavior trajectory data through the first machine learning network to obtain target predicted behavior monitoring information and predicted behavior attribute information. And acquiring actual behavior monitoring and predicting information and actual behavior attribute information corresponding to each reference risk attack intelligence on each reference risk attack behavior trajectory data. And performing model evaluation index calculation on the target predicted behavior monitoring information and the actual behavior monitoring predicted information by adopting a third model evaluation index function, and performing model evaluation index calculation on the predicted behavior attribute information and the actual behavior attribute information by adopting a fourth model evaluation index function so as to perform model updating on the first machine learning network and obtain the first machine learning network after model updating.
After obtaining the reference risk attack behavior trace data, a plurality of reference risk attack intelligence can be respectively set on each reference risk attack behavior trace data; the reference risk attack intelligence can be used to divide the reference risk attack behavior trace data into a plurality of process monitoring objects, and the intelligence type, the intelligence coverage part (behavior characteristic), the quantity, the behavior attribute and the like of the reference risk attack intelligence can be flexibly set according to actual needs; for example, the intelligence type, the intelligence coverage part (behavior characteristic) and the like of each reference risk attack intelligence can be different. Then, the behavior monitoring prediction information corresponding to the risk attack flow in each reference risk attack intelligence on each reference risk attack behavior trace data is calculated through the first machine learning network to obtain target predicted behavior monitoring information, and the behavior attribute information corresponding to the risk attack flow in each reference risk attack intelligence on each reference risk attack behavior trace data is calculated through the first machine learning network to obtain predicted behavior attribute information. The actual behavior monitoring prediction information of the region covered by each reference risk attack intelligence on each reference risk attack behavior trajectory data is acquired to obtain the actual behavior monitoring prediction information, and the actual behavior attribute information of that region is acquired to obtain the actual behavior attribute information, where the actual behavior monitoring prediction information and the actual behavior attribute information can be accurate information obtained in advance.
Secondly, a third model evaluation index function is adopted to perform model evaluation index calculation on the target predicted behavior monitoring information and the actual behavior monitoring prediction information, for example, the error between the target predicted behavior monitoring information and the actual behavior monitoring prediction information is reduced by adjusting parameters or weights of the first machine learning network to appropriate values, and a fourth model evaluation index function is adopted to perform model evaluation index calculation on the predicted behavior attribute information and the actual behavior attribute information, for example, the error between the predicted behavior attribute information and the actual behavior attribute information is reduced by adjusting parameters or weights of the first machine learning network to appropriate values, so that model updating can be performed on the first machine learning network, and finally the first machine learning network after model updating can be obtained. The third model evaluation index function and the fourth model evaluation index function can be flexibly set according to actual application requirements.
Substep S122: dividing each initial risk attack behavior into a plurality of process monitoring objects respectively, and acquiring the probability that each process monitoring object belongs to the target key behavior monitoring scheme.
After obtaining a plurality of initial risk attack behaviors, each initial risk attack behavior may be divided into a plurality of process monitoring objects; for example, a plurality of initial risk attack intelligence may be set on each initial risk attack behavior, and the risk attack process in each initial risk attack intelligence is one process monitoring object divided from the initial risk attack behavior. The intelligence type, the intelligence coverage portion (i.e., behavior characteristics), the quantity, the behavior attribute, and the like of the process monitoring objects may be flexibly set according to actual needs; for example, an initial risk attack behavior may be divided into 4 process monitoring objects, and the process monitoring objects may or may not overlap one another. Then, the service feature distribution in each process monitoring object is detected, and the probability that the process monitoring object belongs to the target key behavior monitoring scheme is determined according to the service feature distribution in that region. For example, the risk attack processes whose probability of belonging to the target key behavior monitoring scheme is greater than a preset probability threshold can be determined from the plurality of process monitoring objects, and the risk attack processes so determined are the ones that conform to the target key behavior monitoring scheme; in this way the probability that each process monitoring object belongs to the target key behavior monitoring scheme is obtained.
In one embodiment, dividing each initial risk attack behavior into a plurality of process monitoring objects, and obtaining a probability that each process monitoring object belongs to the target key behavior monitoring scheme may include: and performing behavior characteristic normalization on the initial risk attack behaviors to obtain a plurality of normalized initial risk attack behaviors matched with the behavior characteristics. And dividing each normalized initial risk attack behavior into a plurality of process monitoring objects respectively, and acquiring the probability that each process monitoring object belongs to the target key behavior monitoring scheme.
Because the obtained behavior characteristics of the multiple initial risk attack behaviors may be different, in order to improve the efficiency and accuracy of identifying the initial risk attack behaviors, the behavior characteristics of the multiple initial risk attack behaviors may be normalized to obtain multiple normalized initial risk attack behaviors matched with the behavior characteristics. The behavior characteristics of the normalized initial risk attack behavior can be flexibly set according to actual needs. At this time, only the normalized initial risk attack behavior needs to be processed subsequently, that is, each normalized initial risk attack behavior is divided into a plurality of process monitoring objects, and the probability that each process monitoring object belongs to the target key behavior monitoring scheme is obtained, so that the identification efficiency of the initial risk attack behavior is greatly improved.
In one embodiment, dividing each normalized initial risk attack behavior into a plurality of process monitoring objects, and obtaining a probability that each process monitoring object belongs to the target key behavior monitoring scheme may include: and dividing each normalized initial risk attack behavior into a plurality of process monitoring objects respectively. And calling the second machine learning network after the model is updated, and predicting each process monitoring object through the second machine learning network after the model is updated to obtain behavior monitoring prediction information corresponding to each process monitoring object. And determining the probability that each process monitoring object belongs to the target key behavior monitoring scheme according to the behavior monitoring prediction information corresponding to each process monitoring object.
In order to improve the identification accuracy, behavior monitoring prediction information can be obtained by using a second machine learning network after model updating, specifically, each normalized initial risk attack behavior is divided into a plurality of process monitoring objects, the information types, the information covering parts (namely behavior characteristics), the quantity, the behavior attributes and the like of the process monitoring objects can be flexibly set according to actual needs, then, the second machine learning network after model updating is called, and the type of the second machine learning network after model updating can be flexibly set according to actual needs. The second machine learning network can also have the functions of prediction, behavior attribute prediction and the like, and is used for calculating the probability that each process monitoring object in the initial risk attack behavior belongs to the target key behavior monitoring scheme and determining the reference risk attack behavior meeting the conditions.
At this time, each process monitoring object divided on each normalized initial risk attack behavior may be predicted by the second machine learning network after the model is updated. For example, each normalized initial risk attack behavior may be input to the second machine learning network after the model is updated, which performs feature extraction and outputs a feature vector corresponding to each normalized initial risk attack behavior; each process monitoring object divided on that behavior is then predicted from the feature vector to obtain the behavior monitoring prediction information corresponding to each process monitoring object, where the behavior monitoring prediction information may include the scheme to which the object belongs, the probability that it belongs to that category, and the like. Finally, the probability that each process monitoring object belongs to the target key behavior monitoring scheme can be determined according to the behavior monitoring prediction information corresponding to each process monitoring object. For example, when the scheme to which the process monitoring object A belongs is the key behavior monitoring scheme of the information tampering behavior, the probability that the process monitoring object A belongs to the key behavior monitoring scheme of the information tampering behavior can be calculated, and when the scheme to which the process monitoring object B belongs is the key behavior monitoring scheme of the payment interception behavior, the probability that the process monitoring object B belongs to the key behavior monitoring scheme of the payment interception behavior can be calculated. Predicting through the second machine learning network after the model is updated allows the probability that each process monitoring object belongs to the target key behavior monitoring scheme to be detected quickly and accurately.
Substep S123: extracting the process monitoring objects with a probability greater than the target set probability from each initial risk attack behavior to obtain a plurality of reference risk attack behaviors.
In an embodiment, extracting a process monitoring object with a probability greater than a target set probability from each initial risk attack behavior, and obtaining a plurality of reference risk attack behaviors may include: and performing behavior attribute prediction on each process monitoring object through the second machine learning network after the model is updated to obtain behavior attribute information corresponding to each process monitoring object. And determining the behavior attribute of the process monitoring object with the probability greater than the target set probability in each initial risk attack behavior according to the behavior attribute information. And extracting a process monitoring object with the probability greater than the target set probability from each initial risk attack behavior according to the behavior attributes to obtain a plurality of reference risk attack behaviors.
After the probability that each process monitoring object on each initial risk attack behavior belongs to the target key behavior monitoring scheme is obtained, the process monitoring objects with a probability greater than the target set probability can be extracted from each initial risk attack behavior, where the target set probability can be flexibly set according to actual needs. In order to extract the required reference risk attack behaviors accurately, behavior attribute information can be obtained by predicting the behavior attribute of each process monitoring object on the initial risk attack behavior through the second machine learning network after the model is updated; the behavior attribute information can be flexibly set according to actual needs, as described in the embodiment above, and is not repeated here. At this time, the behavior attribute of each process monitoring object with a probability greater than the target set probability in each initial risk attack behavior can be determined according to the behavior attribute information, so that these process monitoring objects can be extracted from each initial risk attack behavior according to their behavior attributes to obtain a plurality of reference risk attack behaviors, which improves the accuracy of extracting the reference risk attack behaviors that meet the conditions.
In an embodiment, before predicting each process monitoring object through the second machine learning network after the model is updated and obtaining behavior monitoring prediction information corresponding to each process monitoring object, the network security monitoring method based on big data may further include: and acquiring a plurality of reference risk attack behavior track data matched with the target key behavior monitoring scheme, and dividing each reference risk attack behavior track data into a plurality of process monitoring objects. And calling a preset first machine learning network, and determining a risk attack flow which accords with the target key behavior monitoring scheme through the first machine learning network to obtain a plurality of target risk attack behaviors. And calculating behavior monitoring and predicting information and behavior attribute information corresponding to each target risk attack behavior through a second machine learning network to obtain target predicted behavior monitoring information and predicted behavior attribute information. And acquiring actual behavior monitoring and predicting information and actual behavior attribute information corresponding to each target risk attack behavior. And performing model evaluation index calculation on the target predicted behavior monitoring information and the actual behavior monitoring predicted information by adopting a first model evaluation index function, and performing model evaluation index calculation on the predicted behavior attribute information and the actual behavior attribute information by adopting a second model evaluation index function so as to update the model of the second machine learning network, thereby obtaining the second machine learning network after the model is updated.
In order to improve the accuracy and reliability of the identification analysis performed by the second machine learning network, the model of the second machine learning network may be updated before the identification analysis is performed. First, a plurality of reference risk attack behavior trajectory data matching the target key behavior monitoring scheme are obtained; for example, they may be collected by a pre-configured data collection program, or obtained from a local storage space. The target key behavior monitoring scheme may include any one or a combination of the key behavior monitoring scheme range of the information tampering behavior, the key behavior monitoring scheme range of the payment interception behavior, and the like. That is, when only the key behavior monitoring scheme of the information tampering behavior needs to be detected, the reference risk attack behavior trajectory data includes the key behavior monitoring scheme range of the information tampering behavior. When both the key behavior monitoring scheme of the information tampering behavior and the key behavior monitoring scheme of the payment interception behavior need to be detected, the reference risk attack behavior trajectory data contains both scheme ranges, and different labels can be set for the two ranges so that the key behavior monitoring scheme range of the information tampering behavior and that of the payment interception behavior can be distinguished.
After obtaining the reference risk attack behavior trace data, each reference risk attack behavior trace data may be divided into a plurality of process monitoring objects, for example, a plurality of reference risk attack intelligence may be respectively set on each reference risk attack behavior trace data, the reference risk attack intelligence may be used to divide the reference risk attack behavior trace data into a plurality of process monitoring objects, and the intelligence type, intelligence coverage portion (i.e., behavior characteristics), quantity, behavior attribute, and the like of the reference risk attack intelligence may be flexibly set according to actual needs. And then, calling a preset first machine learning network, and determining a risk attack flow which accords with the target key behavior monitoring scheme through the first machine learning network to obtain a plurality of target risk attack behaviors, for example, determining a risk attack flow which accords with the key behavior monitoring scheme flow of the information tampering behavior and monitors the traceable operation node to obtain a plurality of key behavior monitoring scheme risk attack behaviors of the information tampering behavior. The first machine learning network is consistent with the first machine learning network mentioned above, and the first machine learning network is cascaded with the second machine learning network, and the first machine learning network may be the first machine learning network after model updating, or the first machine learning network may be trained together with the second machine learning network.
Secondly, dividing each target risk attack behavior into a plurality of process monitoring objects, wherein the intelligence type, the intelligence covering part (behavior characteristics), the quantity, the behavior attribute and the like of the process monitoring objects can be flexibly set according to actual needs, respectively calculating behavior monitoring prediction information corresponding to each process monitoring object on each target risk attack behavior through a second machine learning network to obtain target prediction behavior monitoring information, and respectively calculating behavior attribute information corresponding to each process monitoring object on each target risk attack behavior through the second machine learning network to obtain prediction behavior attribute information. And acquiring actual behavior monitoring prediction information of each process monitoring object on each target risk attack behavior to obtain actual behavior monitoring prediction information, and acquiring actual behavior attribute information of each process monitoring object on each target risk attack behavior to obtain actual behavior attribute information, wherein the actual behavior monitoring prediction information and the actual behavior attribute information can be accurate information obtained in advance.
Finally, a first model evaluation index function is used for carrying out model evaluation index calculation on the target predicted behavior monitoring information and the actual behavior monitoring prediction information, for example, the error between the target predicted behavior monitoring information and the actual behavior monitoring prediction information is reduced by adjusting parameters or weights of a second machine learning network to appropriate values, and a second model evaluation index function is used for carrying out model evaluation index calculation on the predicted behavior attribute information and the actual behavior attribute information, for example, the error between the predicted behavior attribute information and the actual behavior attribute information is reduced by adjusting parameters or weights of the second machine learning network to appropriate values, so that model updating can be carried out on the second machine learning network, and the second machine learning network after model updating can be obtained. The first model evaluation index function and the second model evaluation index function can be flexibly set according to actual application requirements.
It should be noted that the first machine learning network and the second machine learning network may be replaced by other network structures according to actual needs, and are not limited specifically.
Substep S124: mapping the multiple reference risk attack behaviors to the risk attack behavior trajectory data, and determining the risk attack flow where the reference risk attack behaviors meeting preset conditions are located according to the attack trigger correlation among the multiple reference risk attack behaviors to obtain a target risk attack flow.
In this embodiment, after obtaining the plurality of reference risk attack behaviors, a target risk attack flow may be determined on the risk attack behavior trajectory data based on the plurality of reference risk attack behaviors.
In one embodiment, mapping a plurality of reference risk attack behaviors to risk attack behavior trajectory data, and determining a risk attack flow where the reference risk attack behavior meeting a preset condition is located according to an attack trigger correlation between the plurality of reference risk attack behaviors, to obtain a target risk attack flow may include: and respectively adjusting the behavior characteristic distribution conditions of the reference risk attack behaviors to be consistent with the behavior characteristic distribution conditions of the risk attack behavior trajectory data to obtain the target reference risk attack behaviors. And searching a risk attack flow matched with each target reference risk attack behavior from the risk attack behavior track data to obtain a plurality of matched risk attack flows. And determining the risk attack flow where the reference risk attack behavior according with the preset condition is located according to the attack triggering correlation among the multiple matched risk attack flows to obtain the target risk attack flow.
Specifically, after the risk attack behavior trajectory data is obtained, clustering is performed on the risk attack behavior trajectory data according to different risk label attributes to obtain a plurality of risk attack behavior data clusters, and the risk attack behavior data clusters are subsequently processed to obtain a reference risk attack behavior, so that the subsequently obtained reference risk attack behavior is extracted from the risk attack behavior data clusters, and at this time, in order to determine a target risk attack flow on the risk attack behavior trajectory data, behavior feature distribution conditions of the plurality of reference risk attack behaviors need to be respectively adjusted to be consistent with preset behavior feature distribution conditions of the risk attack behavior trajectory data to obtain the target reference risk attack behavior.
Then, a risk attack flow matched with each target reference risk attack behavior is searched from the risk attack behavior trajectory data to obtain a plurality of matched risk attack flows, for example, a service feature distribution value on the target reference risk attack behavior may be compared with a service feature distribution value of the risk attack behavior trajectory data to search a risk attack flow having the highest similarity with all service feature distribution values on the target reference risk attack behavior to obtain a matched risk attack flow. Secondly, after the matching risk attack flow corresponding to each target reference risk attack behavior is obtained, the attack triggering correlation degree among the matching risk attack flows can be calculated, and finally the risk attack flow where the reference risk attack behavior meeting the preset conditions is located can be determined according to the attack triggering correlation degree among the matching risk attack flows, so that the target risk attack flow is obtained.
In an embodiment, determining a risk attack flow where a reference risk attack behavior meeting a preset condition is located according to an attack trigger correlation between a plurality of matching risk attack flows, and obtaining a target risk attack flow may include: and obtaining the probability that each matching risk attack flow belongs to the target key behavior monitoring scheme, and determining the matching risk attack flow with the highest probability from the multiple matching risk attack flows as the current matching risk attack flow. And respectively calculating the attack trigger correlation degrees between other matching risk attack flows except the current matching risk attack flow in the multiple matching risk attack flows and the current matching risk attack flow to obtain multiple attack trigger correlation degrees. According to the multiple attack trigger correlation degrees, removing the risk attack flow with the attack trigger correlation degree smaller than the preset correlation degree interval from other matching risk attack flows, returning to execute the operation of determining the matching risk attack flow with the highest probability from the multiple matching risk attack flows as the current matching risk attack flow until the preset number of matching risk attack flows are left, and summarizing to obtain the target risk attack flow.
For example, since the probability that each process monitoring object on the initial risk attack behavior belongs to the target key behavior monitoring scheme can be obtained, and a reference risk attack behavior is a process monitoring object of the initial risk attack behavior whose probability is greater than the target set probability, the probability that the reference risk attack behavior belongs to the target key behavior monitoring scheme can be used as the probability that the corresponding matching risk attack flow belongs to the target key behavior monitoring scheme. After the probability that each matching risk attack flow belongs to the target key behavior monitoring scheme is obtained, the matching risk attack flow with the highest probability can be determined from the multiple matching risk attack flows as the current matching risk attack flow; when several matching risk attack flows share the highest probability, one of them can be selected at random as the current matching risk attack flow. Then, the other matching risk attack flows except the current matching risk attack flow are acquired from the multiple matching risk attack flows, and the attack trigger correlation degree between each of the other matching risk attack flows and the current matching risk attack flow is calculated.
After the attack trigger correlation degrees are obtained, whether each attack trigger correlation degree is smaller than the preset correlation degree interval can be judged, where the preset correlation degree interval can be flexibly set according to actual needs. If an attack trigger correlation degree is smaller than the preset correlation degree interval, the other matching risk attack flow corresponding to that attack trigger correlation degree is removed and the current matching risk attack flow is retained. If an attack trigger correlation degree is not smaller than the preset correlation degree interval, both the current matching risk attack flow and the other matching risk attack flow corresponding to that attack trigger correlation degree are retained.
For example, when the process monitoring object A is the matching risk attack flow with the highest probability, the process monitoring object A is the current matching risk attack flow. At this time, the attack trigger correlation degree between the process monitoring object A and the process monitoring object B is calculated; if the attack trigger correlation degree is judged to be smaller than the preset correlation degree interval, the process monitoring object B is removed and the process monitoring object A is retained.
If the attack trigger correlation degree is judged to be larger than or equal to the preset correlation degree interval, both the process monitoring object A and the process monitoring object B are retained.
After the attack trigger correlation degree between each of the other matching risk attack flows and the current matching risk attack flow is calculated, a plurality of attack trigger correlation degrees are obtained. Based on them, the risk attack flows whose attack trigger correlation degree is smaller than the preset correlation degree interval are removed from the other matching risk attack flows, and the operation of determining the matching risk attack flow with the highest probability from the matching risk attack flows as the current matching risk attack flow is executed again, until a preset number of matching risk attack flows remain; these are summarized to obtain the target risk attack flow. The target risk attack flow can be determined quickly in this way; other methods of determining the target risk attack flow may also be used, and the specific method is not limited here.
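The selection loop described above (highest-probability flow becomes the current flow, low-correlation flows are dropped, repeat until the preset number remains), written out as an added example that is not code from the patent. The flow representation, the use of cosine similarity as the attack trigger correlation degree, and the deterministic tie-break by flow id are assumptions made for the example.

```python
"""Iterative determination of a target risk attack flow from matching flows.

Added example (not code from the patent). Repeatedly take the matching flow
with the highest probability of belonging to the target key behavior
monitoring scheme as the current flow, compute its attack trigger correlation
degree with every other remaining flow, drop the flows whose correlation is
below the preset correlation interval, then pick the next current flow among
those not yet used, until the preset number of flows remains.

Assumptions (not from the page): a flow is a dict of feature -> value, the
attack trigger correlation degree is cosine similarity, and probability ties
are broken by flow id instead of at random so that runs are reproducible.
"""
from __future__ import annotations

import math
from dataclasses import dataclass


@dataclass
class MatchingFlow:
    flow_id: str
    probability: float  # P(flow belongs to the target key behavior monitoring scheme)
    features: dict[str, float]


@dataclass
class SelectionResult:
    target_flows: list[MatchingFlow]        # what remains: the target risk attack flow
    removed: list[tuple[str, str, float]]   # (removed id, current id, correlation)
    exhausted: bool                         # every remaining flow has served as current


def attack_trigger_correlation(a: MatchingFlow, b: MatchingFlow) -> float:
    """Cosine similarity of the two feature vectors (assumed correlation metric)."""
    keys = set(a.features) | set(b.features)
    dot = sum(a.features.get(k, 0.0) * b.features.get(k, 0.0) for k in keys)
    norm_a = math.sqrt(sum(v * v for v in a.features.values()))
    norm_b = math.sqrt(sum(v * v for v in b.features.values()))
    if norm_a == 0.0 or norm_b == 0.0:
        return 0.0
    return dot / (norm_a * norm_b)


def select_target_flows(flows: list[MatchingFlow], min_correlation: float,
                        keep_count: int) -> SelectionResult:
    """Prune matching flows until keep_count remain (or no current flow is left)."""
    if keep_count < 1:
        raise ValueError("keep_count must be at least 1")
    pool = {f.flow_id: f for f in flows}
    used: set[str] = set()          # flows that have already been the current flow
    removed: list[tuple[str, str, float]] = []
    exhausted = False
    while len(pool) > keep_count:
        candidates = [f for f in pool.values() if f.flow_id not in used]
        if not candidates:
            # All remaining flows are mutually correlated: pruning cannot continue.
            exhausted = True
            break
        current = min(candidates, key=lambda f: (-f.probability, f.flow_id))
        used.add(current.flow_id)
        for other in list(pool.values()):
            if other.flow_id == current.flow_id:
                continue
            corr = attack_trigger_correlation(other, current)
            if corr < min_correlation:
                del pool[other.flow_id]
                removed.append((other.flow_id, current.flow_id, corr))
    target = sorted(pool.values(), key=lambda f: (-f.probability, f.flow_id))
    return SelectionResult(target, removed, exhausted)


# Constructed sample: five matching flows for one target scheme.
SAMPLE_FLOWS = [
    MatchingFlow("A", 0.95, {"login_fail": 1.0, "tamper": 1.0}),
    MatchingFlow("B", 0.80, {"login_fail": 1.0, "tamper": 0.9}),
    MatchingFlow("C", 0.75, {"payment": 1.0}),
    MatchingFlow("D", 0.60, {"tamper": 1.0, "login_fail": 0.5}),
    MatchingFlow("E", 0.50, {"login_fail": 1.0, "scan": 3.0}),
]

if __name__ == "__main__":
    result = select_target_flows(SAMPLE_FLOWS, min_correlation=0.5, keep_count=3)
    print([f.flow_id for f in result.target_flows])  # ['A', 'B', 'D']
    for flow_id, current, corr in result.removed:
        print(f"dropped {flow_id}: correlation {corr:.3f} with current {current}")
```

The `exhausted` flag covers the case the text leaves open: when every remaining flow has already been the current flow and they are all mutually correlated, the loop can no longer shrink the pool, so more than the preset number may remain.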
Therefore, the initial risk attack behaviors can be determined from the risk attack behavior data clusters, and the target risk attack flow is detected by further dividing the initial risk attack behaviors into a plurality of process monitoring objects. The whole process monitoring traceability operation thus has more accurate information positioning, the efficiency of the process monitoring traceability operation is improved, and the requirement for real-time, fast process monitoring is met; the risk attack flows where the reference risk attack behaviors are located can be accurately determined, accurate information positioning process monitoring of the target key behavior monitoring scheme can be performed, and the accuracy and information positioning performance of the process monitoring traceability operation are improved.
In an embodiment, further to step S110, a specific implementation manner of obtaining risk attack behavior trace data that completes risk attack confirmation analysis in the information popularization service platform may be implemented by the following exemplary sub-steps.
Step S111: obtaining risk attack behavior track data on which risk attack confirmation analysis is to be performed, and obtaining risk attack log information of a plurality of risk attack nodes mapped by the risk attack behavior track data.
And step S112, analyzing the risk attack log information into a corresponding risk attack log line sequence, and inputting the risk attack log line sequence into a corresponding attack recognition structure in the trained risk attack recognition network. Each attack identification structure at least comprises an attack identification layer, and the attack identification layer of each attack identification structure processes a risk attack log line sequence corresponding to a risk attack node.
The risk attack recognition network may contain a plurality of groups of attack recognition structures and accept a plurality of groups of input data. The data entering each group of attack recognition structures is processed by its own attack recognition layer; finally, the classification network structure fuses the outputs of the different attack recognition structures into a single input for itself.
In the risk attack recognition network adopted in this embodiment, the feature matrix output by the preceding layers is mapped, through a regression layer, to data corresponding to each preset risk attack confirmation attribute, so that the network outputs the risk attack confirmation attribute to which the plurality of groups of input risk attack log line sequences belong.
For example, the server 100 may obtain the attack recognition structure corresponding to the risk attack node to which the risk attack log information of a given risk attack log line sequence belongs, and input that sequence into this attack recognition structure in the trained risk attack recognition network.
In an embodiment, when training the risk attack recognition network, the server 100 may preset the correspondence between input risk attack log line sequences and attack recognition structures. For example, each risk attack log line sequence is tagged with the identifier of its risk attack node, and each attack recognition structure in the network is configured to accept only the risk attack log line sequence carrying its identifier. This ensures that, during training of the risk attack recognition network, the training algorithm of each attack recognition structure is trained on the correct data. When a risk attack log line sequence is input into the trained network, it is likewise routed to its attack recognition structure according to this preset correspondence.
Step S113: through the classification network structure in the risk attack recognition network, predict on the basis of the risk attack confirmation analysis decision features output by the plurality of attack recognition structures, and output the risk attack confirmation attribute to which the risk attack behavior track data belongs.
For example, the server 100 may fuse the risk attack confirmation analysis decision features output by the plurality of attack recognition structures into a fused decision feature, use the fused feature as the input of the classification network structure in the trained risk attack recognition network, and output through that structure the risk attack confirmation attribute to which the risk attack behavior track data belongs.
Step S114: perform risk attack confirmation analysis on the risk attack behavior track data according to the risk attack confirmation attribute to which it belongs.
Based on these steps, the risk attack log information of the plurality of risk attack nodes mapped by the risk attack behavior track data awaiting confirmation analysis is parsed into risk attack log line sequences, and each sequence is input into the trained risk attack recognition network, into the attack recognition structure corresponding to its risk attack node. Because the attack recognition layer of each structure processes the sequence of one node, the plurality of groups of risk attack log line sequences of the track data can be convolved separately. The classification network structure then predicts from the decision features output by the plurality of attack recognition structures and outputs the risk attack confirmation attribute of the track data. The risk attack log information of the different risk attack nodes is thus fully used: the confirmation analysis combines the nodes, so that the log information of each node complements that of the others in the subsequent analysis, and the accuracy of the risk attack confirmation analysis is greatly improved.
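Steps S111 to S114 as one added worked example, not code from the patent or from any system of its applicants. The concrete choices are assumptions: three risk attack nodes (auth, web, egress) whose attack recognition layers are hand-coded indicator counters rather than trained layers; routing by identifier, so that a sequence tagged with an identifier that has no attack recognition structure is rejected; a classification network that is a logistic regression over the concatenated branch outputs, trained here by plain gradient descent; and two confirmation attributes, confirmed_attack and benign. All log lines are constructed.

```python
"""Multi-branch risk attack recognition network over per-node log line sequences.

Added example, not code from the patent. Assumed concrete choices:
- three risk attack nodes ("auth", "web", "egress"), each with its own attack
  recognition layer that turns a log line sequence into indicator frequencies;
- routing by identifier: a sequence goes only to the branch whose identifier
  it carries, and an identifier without a branch is rejected;
- the classification network is a logistic regression over the fused branch
  outputs, trained by gradient descent on constructed trajectories;
- the confirmation attribute is "confirmed_attack" or "benign".
"""
import math

NODES = ("auth", "web", "egress")

# Indicators each branch counts (assumption; a real branch could be any model).
INDICATORS = {
    "auth": ("failed", "locked", "success"),
    "web": ("union", "sleep(", "/etc/passwd", " 500"),
    "egress": ("dns", "bytes_out", "unknown_dst"),
}


def parse_log_lines(raw_log: str):
    """Parse raw node log text into a risk attack log line sequence."""
    return [line.strip().lower() for line in raw_log.splitlines() if line.strip()]


def attack_recognition_layer(node: str, lines):
    """Branch for one node: fraction of lines that contain each indicator."""
    n = max(len(lines), 1)
    return [sum(tok in line for line in lines) / n for tok in INDICATORS[node]]


def route_and_fuse(tagged_sequences):
    """Route each id-tagged sequence to its own branch and concatenate the outputs."""
    unknown = set(tagged_sequences) - set(NODES)
    if unknown:  # the routing constraint: no structure accepts this identifier
        raise ValueError(f"no attack recognition structure for {sorted(unknown)}")
    fused = []
    for node in NODES:  # a node without a sequence contributes zeros
        fused.extend(attack_recognition_layer(node, tagged_sequences.get(node, [])))
    return fused


class ClassificationNetwork:
    """Logistic regression over the fused decision features."""

    def __init__(self, dim: int):
        self.w = [0.0] * dim
        self.b = 0.0

    def score(self, x) -> float:
        z = sum(wi * xi for wi, xi in zip(self.w, x)) + self.b
        return 1.0 / (1.0 + math.exp(-z))

    def fit(self, samples, epochs: int = 500, lr: float = 0.5):
        for _ in range(epochs):
            for x, y in samples:
                err = self.score(x) - y  # d(log-loss)/dz for one sample
                self.w = [wi - lr * err * xi for wi, xi in zip(self.w, x)]
                self.b -= lr * err

    def confirmation_attribute(self, x) -> str:
        return "confirmed_attack" if self.score(x) >= 0.5 else "benign"


def trajectory(auth: str, web: str, egress: str):
    return {"auth": parse_log_lines(auth), "web": parse_log_lines(web),
            "egress": parse_log_lines(egress)}


# Constructed trajectories (not real logs).
ATTACK_1 = trajectory(
    "login failed user=admin src=203.0.113.5\nlogin failed user=admin\nlogin failed user=admin\n"
    "account locked user=admin\nlogin success user=admin src=203.0.113.5",
    "GET /search?q=' UNION SELECT 1,2-- 500\nGET /search?q=' AND sleep(5)-- 200\n"
    "GET /../../etc/passwd 200",
    "dns txt query to unknown_dst\nbytes_out=52000000 to unknown_dst")
BENIGN_1 = trajectory("login success user=alice\nlogin success user=bob",
                      "GET /index.html 200\nGET /style.css 200",
                      "bytes_out=1200 to cdn.example")
ATTACK_2 = trajectory(
    "login failed user=root\nlogin failed user=root\nlogin success user=root",
    "GET /admin?id=1 UNION SELECT user,pass FROM users 500\nGET /admin 500",
    "dns query to unknown_dst\ndns query to unknown_dst\nbytes_out=9000000 to unknown_dst")
BENIGN_2 = trajectory("login failed user=carol\nlogin success user=carol",
                      "GET /api/items 200\nGET /api/items/7 200\nPOST /api/cart 500",
                      "bytes_out=300 to api.partner.example")
HELD_OUT_ATTACK = trajectory(
    "login failed user=admin\nlogin failed user=admin\nlogin failed user=admin\naccount locked user=admin",
    "GET /login?u=' OR sleep(3)-- 200",
    "dns txt query to unknown_dst")
HELD_OUT_BENIGN = trajectory("login success user=dave", "GET /docs 200",
                             "bytes_out=4000 to cdn.example")


def train_recognition_network() -> ClassificationNetwork:
    """Train the classification network on the fused features of the samples."""
    samples = [(route_and_fuse(t), y) for t, y in
               ((ATTACK_1, 1), (BENIGN_1, 0), (ATTACK_2, 1), (BENIGN_2, 0))]
    net = ClassificationNetwork(dim=len(samples[0][0]))
    net.fit(samples)
    return net


def confirm(net: ClassificationNetwork, traj) -> str:
    """Steps S113/S114: fuse the branch outputs, then output the attribute."""
    return net.confirmation_attribute(route_and_fuse(traj))


if __name__ == "__main__":
    net = train_recognition_network()
    print("held-out attack ->", confirm(net, HELD_OUT_ATTACK))
    print("held-out benign ->", confirm(net, HELD_OUT_BENIGN))
```

The value of the per-node branches shows in the held-out attack trajectory: no single node's log is conclusive on its own (a few failed logins, one time-based SQL probe, one odd DNS query), but the fused feature vector is classified as an attack because the classification layer has learned from the training trajectories how evidence from different nodes combines. The identifier check in route_and_fuse matters in production as well: a sequence that silently lands in the wrong branch would be scored against the wrong indicator vocabulary, so a sequence whose node has no attack recognition structure is rejected rather than fused.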
In an embodiment, further to step S114, the following exemplary substeps can be implemented, as described in detail below.
Step S1141: obtain target track data comprising at least one track segment sent by the risk attack confirmation service, obtain the risk attack feature template of the track segment, and, according to that template, obtain the core risk attack confirmation rule and the initial subordinate risk attack confirmation rule of the track segment, each based respectively on the dynamic risk attack feature and on the non-dynamic risk attack feature.
The core risk attack confirmation rule describes the core information of the track segment. The subordinate risk attack confirmation rule describes the unit information of the track segment; it may correspond to at least one unit process, and its rule attribute may be smaller than that of the core risk attack confirmation rule.
In one embodiment, the core risk attack confirmation rule based on the dynamic risk attack feature is the confirmation rule of the core dynamic risk attack feature, and the core rule based on the non-dynamic risk attack feature is the confirmation rule of the core non-dynamic risk attack feature. Likewise, the initial subordinate rule based on the dynamic risk attack feature is the confirmation rule of the initial subordinate dynamic risk attack feature, and the initial subordinate rule based on the non-dynamic risk attack feature is the confirmation rule of the initial subordinate non-dynamic risk attack feature.
In one embodiment, the confirmation rules of the core dynamic risk attack feature and of the initial subordinate dynamic risk attack feature of a track segment are obtained from the dynamic risk attack feature vector information, and the confirmation rules of the core non-dynamic risk attack feature and of the initial subordinate non-dynamic risk attack feature are obtained from the non-dynamic risk attack feature vector information.
Step S1142: expand the risk attack confirmation analysis tags of the initial subordinate risk attack confirmation rule to obtain the target subordinate risk attack confirmation rule.
Step S1143: splice the core risk attack confirmation rule with the target subordinate risk attack confirmation rule, separately for the dynamic risk attack feature and for the non-dynamic risk attack feature, to obtain the target dynamic risk attack comparison configuration information and the target non-dynamic risk attack comparison configuration information.
The target dynamic risk attack comparison configuration information is obtained by integrating the core dynamic risk attack feature vector with the subordinate dynamic risk attack feature vector; the target non-dynamic risk attack comparison configuration information is obtained by integrating the core non-dynamic risk attack feature vector with the subordinate non-dynamic risk attack feature vector.
Step S1144: update the risk attack confirmation analysis model according to the target dynamic and target non-dynamic risk attack comparison configuration information to obtain the target risk attack confirmation analysis model, and use that model to perform risk attack confirmation analysis on the target track data.
Fig. 3 is a schematic functional block diagram of a big data based network security monitoring apparatus 300 according to an embodiment of the present disclosure, and the functions of the functional blocks of the big data based network security monitoring apparatus 300 are described in detail below.
And the clustering module 310 is configured to acquire risk attack behavior trajectory data that completes risk attack confirmation analysis in the information popularization service platform, and cluster the risk attack behavior trajectory data according to different risk label attributes to obtain multiple risk attack behavior data clusters. The clustering module 310 may be configured to perform the step S110, and the detailed implementation of the clustering module 310 may refer to the detailed description of the step S110.
And the tracing module 320 is configured to determine a target risk attack flow where a reference risk attack behavior is located according to the risk attack behavior data clustering, and perform flow monitoring tracing operation on the target risk attack flow according to a flow monitoring policy corresponding to the target key behavior monitoring scheme. The tracing module 320 may be configured to perform the step S120, and the detailed implementation manner of the tracing module 320 may refer to the detailed description of the step S120.
Fig. 4 is a schematic diagram illustrating a hardware structure of a server 100 for implementing the big data based network security monitoring method according to the embodiment of the present disclosure, and as shown in fig. 4, the server 100 may include a processor 110, a machine-readable storage medium 120, a bus 130, and a transceiver 140.
In a specific implementation, at least one processor 110 executes the computer-executable instructions stored in the machine-readable storage medium 120 (for example, the clustering module 310 and the tracing module 320 of the big-data-based network security monitoring apparatus 300 shown in fig. 3), so that the processor 110 can execute the big-data-based network security monitoring method of the method embodiment above. The processor 110, the machine-readable storage medium 120 and the transceiver 140 are connected by the bus 130, and the processor 110 may control the transceiving actions of the transceiver 140 so as to exchange data with the information popularization service platform 200.
For a specific implementation process of the processor 110, reference may be made to the above-mentioned method embodiments executed by the server 100, which implement similar principles and technical effects, and this embodiment is not described herein again.
In addition, an embodiment of the present invention further provides a readable storage medium storing computer-executable instructions; when a processor executes these instructions, the big-data-based network security monitoring method is implemented.
Finally, it should be understood that the examples in this specification are only intended to illustrate the principles of the examples in this specification. Other variations are also possible within the scope of this description. Thus, by way of example, and not limitation, alternative configurations of the embodiments of the specification can be considered consistent with the teachings of the specification. Accordingly, the embodiments of the present description are not limited to only those embodiments explicitly described and depicted herein.

Claims (10)

1. A network security monitoring method based on big data, applied to a server in communication connection with a plurality of information popularization service platforms, the method comprising the following steps:
acquiring risk attack behavior track data which completes risk attack confirmation analysis in the information popularization service platform, and clustering the risk attack behavior track data according to different risk label attributes to obtain a plurality of risk attack behavior data clusters;
and determining a target risk attack flow where a reference risk attack behavior is located according to the risk attack behavior data clusters, and performing flow monitoring and tracing operation on the target risk attack flow according to a flow monitoring strategy corresponding to a target key behavior monitoring scheme, wherein the reference risk attack behavior is obtained by screening from an initial risk attack behavior, the initial risk attack behavior being screened out of the risk attack behavior data clusters and further divided into a plurality of flow monitoring objects.
2. The big-data-based network security monitoring method according to claim 1, wherein the step of determining a target risk attack flow where a reference risk attack behavior is located according to the risk attack behavior data clustering, and performing flow monitoring and tracing operation on the target risk attack flow according to a flow monitoring policy corresponding to the target key behavior monitoring scheme comprises:
respectively determining a risk attack flow which accords with a target key behavior monitoring scheme from each risk attack behavior data cluster to obtain a plurality of initial risk attack behaviors;
dividing each initial risk attack behavior into a plurality of process monitoring objects respectively, acquiring the probability that each process monitoring object belongs to a target key behavior monitoring scheme, extracting the process monitoring objects of which the probability is greater than a target set probability from each initial risk attack behavior, and acquiring a plurality of reference risk attack behaviors;
mapping the multiple reference risk attack behaviors to the risk attack behavior trajectory data, determining a risk attack flow where the reference risk attack behaviors meeting preset conditions are located according to attack trigger correlation among the multiple reference risk attack behaviors to obtain a target risk attack flow, and performing flow monitoring and tracing operation on the target risk attack flow according to a flow monitoring strategy corresponding to the target key behavior monitoring scheme.
3. The big data-based network security monitoring method according to claim 1, wherein the step of dividing each initial risk attack behavior into a plurality of process monitoring objects and obtaining the probability that each process monitoring object belongs to the target key behavior monitoring scheme comprises:
performing behavior characteristic normalization on the initial risk attack behaviors to obtain normalized initial risk attack behaviors matched with behavior characteristics;
and dividing each normalized initial risk attack behavior into a plurality of process monitoring objects respectively, and acquiring the probability that each process monitoring object belongs to the target key behavior monitoring scheme.
4. The big data-based network security monitoring method according to claim 3, wherein the step of dividing each normalized initial risk attack behavior into a plurality of process monitoring objects and obtaining the probability that each process monitoring object belongs to the target key behavior monitoring scheme comprises:
dividing each normalized initial risk attack behavior into a plurality of process monitoring objects respectively;
calling a second machine learning network after model updating, and predicting each process monitoring object through the second machine learning network after the model updating to obtain behavior monitoring prediction information corresponding to each process monitoring object;
determining the probability that each process monitoring object belongs to the target key behavior monitoring scheme according to the behavior monitoring prediction information corresponding to each process monitoring object;
the step of extracting the process monitoring object with the probability greater than the target set probability from each initial risk attack behavior to obtain a plurality of reference risk attack behaviors includes:
performing behavior attribute prediction on each process monitoring object through the second machine learning network after the model is updated to obtain behavior attribute information corresponding to each process monitoring object;
determining the behavior attribute of the process monitoring object with the probability greater than the target set probability in each initial risk attack behavior according to the behavior attribute information;
and extracting a process monitoring object with the probability greater than the target set probability from each initial risk attack behavior according to the behavior attributes to obtain a plurality of reference risk attack behaviors.
5. The big-data-based network security monitoring method according to claim 4, wherein before the step of predicting each process monitoring object through the second machine learning network after the model is updated to obtain behavior monitoring prediction information corresponding to each process monitoring object, the method further comprises:
acquiring reference risk attack behavior track data of a plurality of matching target key behavior monitoring schemes, and dividing each reference risk attack behavior track data into a plurality of process monitoring objects;
calling a preset first machine learning network, and determining a risk attack flow which accords with a target key behavior monitoring scheme through the first machine learning network to obtain a plurality of target risk attack behaviors;
calculating behavior monitoring and predicting information and behavior attribute information corresponding to each target risk attack behavior through a second machine learning network to obtain target predicted behavior monitoring information and predicted behavior attribute information;
acquiring actual behavior monitoring and predicting information and actual behavior attribute information corresponding to each target risk attack behavior;
and performing model evaluation index calculation on the target predicted behavior monitoring information and the actual behavior monitoring predicted information by adopting a first model evaluation index function, and performing model evaluation index calculation on the predicted behavior attribute information and the actual behavior attribute information by adopting a second model evaluation index function so as to perform model updating on a second machine learning network to obtain the second machine learning network after model updating.
6. The big data-based network security monitoring method according to claim 2, wherein the step of determining a risk attack flow that meets a target key behavior monitoring scheme from each risk attack behavior data cluster to obtain a plurality of initial risk attack behaviors comprises:
acquiring a plurality of pieces of initial risk attack intelligence preset on each risk attack behavior data cluster;
calling the first machine learning network after model updating, and predicting the risk attack flow of each piece of initial risk attack intelligence through the first machine learning network after model updating to obtain behavior monitoring prediction information corresponding to each piece of initial risk attack intelligence;
determining, from each risk attack behavior data cluster and according to the behavior monitoring prediction information corresponding to each piece of initial risk attack intelligence, the risk attack flow where the initial risk attack intelligence conforming to the target key behavior monitoring scheme is located, to obtain a plurality of initial risk attack behaviors;
wherein the step of acquiring a plurality of pieces of initial risk attack intelligence preset on each risk attack behavior data cluster comprises:
setting a target quantity of initial risk attack intelligence on each risk attack behavior data cluster;
when the target quantity of initial risk attack intelligence on a risk attack behavior data cluster cannot cover that cluster, expanding the initial risk attack intelligence according to a preset strategy until the initial risk attack intelligence covers the cluster, to obtain the plurality of pieces of initial risk attack intelligence;
and wherein the step of determining, from each risk attack behavior data cluster and according to the behavior monitoring prediction information corresponding to each piece of initial risk attack intelligence, the risk attack flow where the initial risk attack intelligence conforming to the target key behavior monitoring scheme is located, to obtain a plurality of initial risk attack behaviors, comprises:
determining, from each risk attack behavior data cluster and according to the behavior monitoring prediction information corresponding to each piece of initial risk attack intelligence, the initial risk attack intelligence conforming to the target key behavior monitoring scheme, to obtain target initial risk attack intelligence;
performing behavior attribute prediction on each piece of target initial risk attack intelligence through the first machine learning network after model updating to obtain behavior attribute information corresponding to each piece of target initial risk attack intelligence;
and extracting, according to the behavior attribute information, the risk attack flow where the target initial risk attack intelligence is located from each risk attack behavior data cluster to obtain a plurality of initial risk attack behaviors.
7. The network security monitoring method based on big data according to any one of claims 2 to 6, wherein the step of mapping the multiple reference risk attack behaviors to the risk attack behavior trajectory data, and determining a risk attack flow where the reference risk attack behaviors meeting preset conditions are located according to the attack trigger correlation among the multiple reference risk attack behaviors to obtain a target risk attack flow comprises:
respectively adjusting the behavior characteristic distribution conditions of the reference risk attack behaviors to be consistent with the behavior characteristic distribution conditions of the risk attack behavior trajectory data to obtain target reference risk attack behaviors;
searching a risk attack flow matched with each target reference risk attack behavior from the risk attack behavior track data to obtain a plurality of matched risk attack flows;
obtaining the probability that each matching risk attack flow belongs to the target key behavior monitoring scheme, and determining the matching risk attack flow with the highest probability from the multiple matching risk attack flows as the current matching risk attack flow;
respectively calculating attack trigger correlation degrees between other matching risk attack flows except the current matching risk attack flow in the multiple matching risk attack flows and the current matching risk attack flow to obtain multiple attack trigger correlation degrees;
according to the attack trigger correlation degrees, removing the risk attack flow with the attack trigger correlation degree smaller than the preset correlation degree interval from the other matching risk attack flows, returning to execute the operation of determining the matching risk attack flow with the highest probability from the matching risk attack flows as the current matching risk attack flow until the matching risk attack flows with the preset number are left, and summarizing to obtain the target risk attack flow.
8. The big data-based network security monitoring method according to any one of claims 1 to 7, wherein the step of obtaining risk attack behavior trajectory data that completes risk attack validation analysis in the information popularization service platform includes:
acquiring risk attack behavior track data to be confirmed and analyzed by risk attack, and acquiring risk attack log information of a plurality of risk attack nodes mapped by the risk attack behavior track data;
analyzing the risk attack log information into a corresponding risk attack log line sequence, and inputting the risk attack log line sequence into a corresponding attack identification structure in a trained risk attack identification network; each attack identification structure at least comprises an attack identification layer, and the attack identification layer of each attack identification structure processes a risk attack log line sequence corresponding to a risk attack node;
through the classified network structure in the risk attack recognition network, predicting according to the risk attack confirmation analysis decision characteristics output by the plurality of attack recognition structures, and outputting the risk attack confirmation attribute to which the risk attack behavior trajectory data belongs;
according to the risk attack confirmation attribute to which the risk attack behavior track data belongs, performing risk attack confirmation analysis on the risk attack behavior track data;
wherein, the step of performing risk attack confirmation analysis on the risk attack behavior trajectory data according to the risk attack confirmation attribute to which the risk attack behavior trajectory data belongs includes:
acquiring target track data of at least one track segment of the risk attack confirmation attribute corresponding to the risk attack behavior track data, acquiring a risk attack characteristic template of the track segment, and respectively acquiring a core risk attack confirmation rule and an initial subordinate risk attack confirmation rule of the track segment based on a dynamic risk attack characteristic and a non-dynamic risk attack characteristic according to the risk attack characteristic template;
performing risk attack confirmation analysis tag expansion on the initial subordinate risk attack confirmation rule to obtain a target subordinate risk attack confirmation rule;
performing rule splicing on the core risk attack confirmation rule and the target dependent risk attack confirmation rule respectively based on a dynamic risk attack characteristic and a non-dynamic risk attack characteristic to obtain target dynamic risk attack comparison configuration information and target non-dynamic risk attack comparison configuration information;
and updating a risk attack confirmation analysis model according to the target dynamic risk attack comparison configuration information and the target non-dynamic risk attack comparison configuration information to obtain a target risk attack confirmation analysis model, and performing risk attack confirmation analysis on the target track data by using the target risk attack confirmation analysis model.
9. A network security monitoring cloud platform system based on big data, comprising a server and a plurality of information popularization service platforms in communication connection with the server;
the server is configured to:
acquiring risk attack behavior track data which completes risk attack confirmation analysis in the information popularization service platform, and clustering the risk attack behavior track data according to different risk label attributes to obtain a plurality of risk attack behavior data clusters;
and determining a target risk attack flow where the reference risk attack behavior is located according to the risk attack behavior data clustering, and performing flow monitoring and tracing operation on the target risk attack flow according to a flow monitoring strategy corresponding to the target key behavior monitoring scheme.
10. A readable storage medium, wherein the readable storage medium stores computer-executable instructions, and when a processor executes the computer-executable instructions, the method for monitoring network security based on big data is implemented.
CN202110396269.6A 2021-04-13 2021-04-13 Network security monitoring method based on big data, cloud platform system and medium Withdrawn CN113098884A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110396269.6A CN113098884A (en) 2021-04-13 2021-04-13 Network security monitoring method based on big data, cloud platform system and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110396269.6A CN113098884A (en) 2021-04-13 2021-04-13 Network security monitoring method based on big data, cloud platform system and medium

Publications (1)

Publication Number Publication Date
CN113098884A true CN113098884A (en) 2021-07-09

Family

ID=76676917

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110396269.6A Withdrawn CN113098884A (en) 2021-04-13 2021-04-13 Network security monitoring method based on big data, cloud platform system and medium

Country Status (1)

Country Link
CN (1) CN113098884A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114757790A (en) * 2022-04-06 2022-07-15 山东新潮信息技术有限公司 Method for evaluating multi-source information risk by using neural network
CN114757790B (en) * 2022-04-06 2022-10-11 山东新潮信息技术有限公司 Method for evaluating multi-source information risk by using neural network


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20210709