CN113556338A - Computer network security abnormal operation interception method - Google Patents

Computer network security abnormal operation interception method

Info

Publication number: CN113556338A
Authority: CN (China)
Prior art keywords: behaviors, behavior, abnormal, operation behavior, combined
Legal status: Granted
Application number: CN202110820755.6A
Other languages: Chinese (zh)
Other versions: CN113556338B (en)
Inventors: 龙海, 张红
Current assignee: Fujian Yinshu Information Technology Co ltd
Original assignee: Individual

Application filed by Individual
Priority to CN202110820755.6A
Publication of CN113556338A
Application granted
Publication of CN113556338B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The application provides a method for intercepting abnormal operations in computer network security, and relates to the technical field of computer network security. The method comprises the following steps: receiving an operation instruction sent by a target device, the operation instruction comprising a plurality of operation behaviors; analyzing the plurality of operation behaviors according to a preset abnormal operation behavior library and judging whether an abnormal operation behavior exists among them; when it is determined that no abnormal operation behavior exists among the plurality of operation behaviors, generating a plurality of operation links according to different operation orders of the plurality of operation behaviors; extracting a plurality of combined operation behaviors from the plurality of operation links, each combined operation behavior comprising at least two operation behaviors; analyzing the plurality of combined operation behaviors according to the preset abnormal operation behavior library and judging whether an abnormal operation behavior exists among them; and intercepting the operation instruction when it is determined that an abnormal operation behavior exists among the plurality of combined operation behaviors. The method achieves effective interception of abnormal operations and improves the security of the computer network.

Description

Computer network security abnormal operation interception method
Technical Field
The application relates to the technical field of computer network security, and in particular to a method for intercepting abnormal operations in computer network security.
Background
In a computer network there are various security risks, such as those caused by abnormal operations (for example, intruding into a core database to steal core data). Network devices in the computer network can therefore be configured with corresponding abnormal-operation interception strategies to avoid the security risks caused by abnormal operations.
In the prior art, an abnormal operation feature library is usually preset; when an operation request is received, the request is analyzed against the feature library to judge whether it is an abnormal operation, and the abnormal operation is intercepted accordingly.
However, this judgment method is too simple: the device issuing the abnormal operation request can easily evade it, for example by packaging the abnormal operation (splitting it into pieces that each look normal on their own), so effective interception of abnormal operations cannot be achieved.
Disclosure of Invention
In order to overcome at least the above disadvantage of the prior art, the present application aims to provide a method for intercepting abnormal operations in computer network security, so as to effectively intercept abnormal operations and improve the security of the computer network.
In a first aspect, an embodiment of the present application provides a method for intercepting abnormal operations in computer network security, comprising:
receiving an operation instruction sent by a target device; the operation instruction comprises a plurality of operation behaviors;
analyzing the plurality of operation behaviors according to a preset abnormal operation behavior library, and judging whether an abnormal operation behavior exists among the plurality of operation behaviors;
when it is determined that no abnormal operation behavior exists among the plurality of operation behaviors, generating a plurality of operation links according to different operation orders of the plurality of operation behaviors;
extracting a plurality of combined operation behaviors from the plurality of operation links; each combined operation behavior comprises at least two operation behaviors;
analyzing the plurality of combined operation behaviors according to the preset abnormal operation behavior library, and judging whether an abnormal operation behavior exists among the plurality of combined operation behaviors;
intercepting the operation instruction when it is determined that an abnormal operation behavior exists among the plurality of combined operation behaviors.
Beneficial effects: generating a plurality of operation links from the operation behaviors that were preliminarily judged non-abnormal, and then extracting combined operation behaviors from those links, covers the different ways in which the operation behaviors can be combined. The combined operation behaviors are then analyzed to judge whether they constitute an abnormal operation behavior. That is, the method judges not only single abnormal operation behaviors but also combined ones: if the requesting device splits an abnormal operation behavior into a plurality of individually non-abnormal operation behaviors, the method can still detect and intercept the packaged abnormal operation behavior, thereby ensuring effective interception of abnormal operations.
With reference to the first aspect, in a first possible implementation manner of the first aspect, analyzing the plurality of operation behaviors according to the preset abnormal operation behavior library and judging whether an abnormal operation behavior exists among them comprises:
determining a first similarity between each abnormal operation behavior in the abnormal operation behavior library and each of the plurality of operation behaviors;
determining a second similarity between the superior (higher-level) operation behavior of each abnormal operation behavior in the library and each of the plurality of operation behaviors;
determining a third similarity between the lower-level operation behavior of each abnormal operation behavior in the library and each of the plurality of operation behaviors;
and judging, according to the first similarity, the second similarity and the third similarity, whether an abnormal operation behavior exists among the plurality of operation behaviors.
Beneficial effects: the first similarity gives the direct similarity between each operation behavior and an abnormal operation behavior; the second similarity gives its similarity to the superior operation behavior of that abnormal operation behavior, which is a first extension of the library entry; the third similarity gives its similarity to the lower-level operation behavior of that abnormal operation behavior, which is a second extension of the library entry. Judging each operation behavior by combining the three similarities is more comprehensive and improves the accuracy of judging abnormal operation behaviors.
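The following is an added illustration of the first implementation manner, not code from the patent: each library entry carries its superior and lower-level behaviors, and an operation behavior is scored by its direct similarity to the entry (first similarity), to the entry's superior behaviors (second) and to its lower-level behaviors (third). The library contents, the token-Jaccard similarity measure, the weights and the threshold are assumptions; the patent does not fix any of them.

```python
"""
Added illustration (not the patent's own code): judging whether a single operation behavior
is abnormal by combining a direct similarity with similarities to the superior (parent) and
lower-level (child) behaviors of each library entry. Similarity measure, weights and the
threshold are assumptions; the patent does not specify them.
"""
from dataclasses import dataclass, field


def similarity(a: str, b: str) -> float:
    """Jaccard similarity over whitespace tokens (assumed measure)."""
    ta, tb = set(a.lower().split()), set(b.lower().split())
    return len(ta & tb) / len(ta | tb) if ta | tb else 0.0


@dataclass
class AbnormalEntry:
    behavior: str
    superior: list = field(default_factory=list)  # more general behaviors this one specialises
    lower: list = field(default_factory=list)     # more specific forms of this behavior


# Constructed sample library of abnormal operation behaviors.
LIBRARY = [
    AbnormalEntry("export core database table",
                  superior=["read core database table"],
                  lower=["dump core database table to file",
                         "copy core database table to remote host"]),
    AbnormalEntry("disable audit log",
                  superior=["modify audit config"],
                  lower=["stop audit daemon", "delete audit log file"]),
]

WEIGHTS = (1.0, 0.6, 0.8)  # assumed weights for the first, second and third similarity
THRESHOLD = 0.5            # assumed decision threshold


def score(behavior, entry):
    """Weighted best of the three similarities, plus the raw (first, second, third) triple."""
    first = similarity(behavior, entry.behavior)
    second = max((similarity(behavior, s) for s in entry.superior), default=0.0)
    third = max((similarity(behavior, s) for s in entry.lower), default=0.0)
    combined = max(WEIGHTS[0] * first, WEIGHTS[1] * second, WEIGHTS[2] * third)
    return combined, (first, second, third)


def judge(behaviors, library=LIBRARY, threshold=THRESHOLD):
    """Return (behavior, best matching library behavior, score) for each behavior judged abnormal."""
    hits = []
    for b in behaviors:
        best_score, best_match = max((score(b, e)[0], e.behavior) for e in library)
        if best_score >= threshold:
            hits.append((b, best_match, best_score))
    return hits


if __name__ == "__main__":
    # Constructed operation behaviors of one instruction.
    instruction = ["open session", "dump core database table to file", "list user accounts"]
    for hit in judge(instruction):
        print("abnormal:", hit)
```

The direct similarity of "dump core database table to file" to the entry "export core database table" is only 3/7, but its similarity to that entry's lower-level behavior is 1.0, so the third similarity is what flags it; with a direct-match-only library (the prior-art approach described above) the same behavior would pass.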
With reference to the first aspect, in a second possible implementation manner of the first aspect, generating a plurality of operation links according to different operation orders of the plurality of operation behaviors comprises:
determining a first operation behavior among the plurality of operation behaviors, namely the one whose average similarity to the abnormal operation behaviors in the abnormal operation behavior library is lowest;
determining a second operation behavior among the plurality of operation behaviors, namely the one whose average similarity to the abnormal operation behaviors in the abnormal operation behavior library is highest;
taking the first operation behavior as the head of the link and the second operation behavior as the tail of the link, and inserting the remaining operation behaviors between the head and the tail in different insertion orders to generate the plurality of operation links; the different insertion orders comprise at least two insertion orders.
Beneficial effects: determining the first and second operation behaviors fixes the head and tail of every operation link, after which the remaining operation behaviors are arranged between them in different insertion orders. This both enumerates the various possible operation links and improves the efficiency of generating them.
With reference to the first aspect, in a third possible implementation manner of the first aspect, generating a plurality of operation links according to different operation orders of the plurality of operation behaviors comprises:
determining the average similarity of each of the plurality of operation behaviors to the abnormal operation behaviors in the abnormal operation behavior library;
generating a first operation link by ordering the operation behaviors from low to high by the difference between their average similarity and a first calibration value;
and generating a second operation link by ordering the operation behaviors from high to low by the difference between their average similarity and a second calibration value.
Beneficial effects: different operation links are generated from the magnitude of the difference between the average similarity and different calibration values. This both enumerates the various possible operation links and improves the efficiency of generating them.
With reference to the first aspect, in a fourth possible implementation manner of the first aspect, extracting a plurality of combined operation behaviors from the plurality of operation links comprises:
extracting a plurality of first combined operation behaviors from the plurality of operation links, each first combined operation behavior comprising two adjacent operation behaviors of the same operation link;
extracting a plurality of second combined operation behaviors from the plurality of operation links, each second combined operation behavior comprising at least two operation behaviors of the same operation link whose positions in the operation order are separated by a preset value;
extracting a plurality of third combined operation behaviors from the plurality of operation links, each third combined operation behavior comprising at least two operation behaviors of the same operation link whose operation order is a specified order.
Beneficial effects: combining two adjacent operation behaviors of the same operation link restores a first possible way of packaging an abnormal operation behavior; combining at least two operation behaviors of the same link that are separated by a preset value in the operation order restores a second possible packaging mode; and combining at least two operation behaviors of the same link whose order is the specified order restores a third possible packaging mode. Restoring several possible packaging modes of abnormal operation behaviors improves the effectiveness of the final detection.
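An added illustration covering the second, third and fourth implementation manners together, not code from the patent: the same set of behaviors is turned into operation links by both link-generation strategies (head/tail by lowest and highest average similarity with at least two insertion orders; ordering by distance from two calibration values), and then the three kinds of combined operation behaviors are extracted from those links. The library, the behaviors, the token-Jaccard similarity, the calibration values 0.1 and 0.3, the spacing of 2 and the specified sequences are all constructed assumptions.

```python
"""
Added illustration, not the patent's own code: generating operation links from the behaviors
of one operation instruction (head/tail strategy and calibration-value strategy) and
extracting the three kinds of combined operation behaviors from those links. The similarity
measure (token Jaccard), the calibration values, the preset spacing and the specified
sequences are assumptions; the patent does not fix them.
"""
from itertools import permutations

# Constructed sample library of abnormal operation behaviors (strings, matched by tokens).
LIBRARY = ["export core database table", "disable audit log"]
# Constructed behaviors of one operation instruction, each individually judged non-abnormal.
BEHAVIORS = ["open session", "read core database table", "write table to file", "close session"]


def similarity(a, b):
    """Jaccard similarity over whitespace tokens (assumed measure)."""
    ta, tb = set(a.lower().split()), set(b.lower().split())
    return len(ta & tb) / len(ta | tb) if ta | tb else 0.0


def average_similarity(behavior, library):
    """Average similarity of one behavior to every entry of the library."""
    return sum(similarity(behavior, x) for x in library) / len(library)


def links_by_endpoints(behaviors, library, max_orders=2):
    """Second implementation: the behavior with the lowest average similarity becomes the
    head, the one with the highest the tail; the rest are inserted in at least two orders."""
    ranked = sorted(behaviors, key=lambda b: average_similarity(b, library))
    head, tail = ranked[0], ranked[-1]
    middle = [b for b in behaviors if b not in (head, tail)]
    links = []
    for order in permutations(middle):
        links.append((head, *order, tail))
        if len(links) >= max_orders:
            break
    return links


def links_by_calibration(behaviors, library, cal1=0.1, cal2=0.3):
    """Third implementation: one link ordered low-to-high by |avg - cal1|,
    a second ordered high-to-low by |avg - cal2| (calibration values assumed)."""
    avg = {b: average_similarity(b, library) for b in behaviors}
    link1 = tuple(sorted(behaviors, key=lambda b: abs(avg[b] - cal1)))
    link2 = tuple(sorted(behaviors, key=lambda b: abs(avg[b] - cal2), reverse=True))
    return [link1, link2]


def adjacent_pairs(links):
    """First combined behaviors: two adjacent behaviors of the same link."""
    return {(l[i], l[i + 1]) for l in links for i in range(len(l) - 1)}


def spaced_pairs(links, gap=2):
    """Second combined behaviors: two behaviors of the same link `gap` positions apart."""
    return {(l[i], l[i + gap]) for l in links for i in range(len(l) - gap)}


def specified_sequences(links, specs):
    """Third combined behaviors: the behaviors of a spec that occur in one link in the
    specified relative order (as a subsequence, not necessarily adjacent)."""
    found = set()
    for l in links:
        for spec in specs:
            if all(b in l for b in spec):
                positions = [l.index(b) for b in spec]
                if positions == sorted(positions):
                    found.add(tuple(spec))
    return found


if __name__ == "__main__":
    links = links_by_endpoints(BEHAVIORS, LIBRARY) + links_by_calibration(BEHAVIORS, LIBRARY)
    for link in links:
        print(" -> ".join(link))
    print(adjacent_pairs(links))
    print(spaced_pairs(links))
    print(specified_sequences(links, [("read core database table", "write table to file")]))
```

With the constructed input, "open session" and "close session" have zero average similarity and "read core database table" the highest, so every head/tail link starts with a session open and ends with the read; the spaced and specified-order extraction is what recovers the pair (read, write) even when the two are not adjacent in a link.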
With reference to the first aspect, in a fifth possible implementation manner of the first aspect, analyzing the plurality of combined operation behaviors according to the preset abnormal operation behavior library and judging whether an abnormal operation behavior exists among them comprises:
determining a fourth similarity between each abnormal operation behavior in the abnormal operation behavior library and each of the plurality of combined operation behaviors;
determining, for each abnormal operation behavior in the library, a plurality of corresponding combined abnormal operation behaviors, i.e. combinations of operation behaviors that together amount to that abnormal operation behavior;
determining a fifth similarity between the plurality of combined abnormal operation behaviors and the plurality of combined operation behaviors;
determining a sixth similarity between the superior or lower-level operation behaviors of the plurality of combined abnormal operation behaviors and the plurality of combined operation behaviors;
and judging, according to the fourth similarity, the fifth similarity and the sixth similarity, whether an abnormal operation behavior exists among the plurality of combined operation behaviors.
Beneficial effects: the fourth similarity gives the direct similarity between a combined operation behavior and an abnormal operation behavior; the fifth similarity gives a first kind of extended similarity, between the combined operation behavior and the combined abnormal operation behaviors; the sixth similarity gives a second kind of extended similarity, between the combined operation behavior and the superior or lower-level behaviors of those combined abnormal operation behaviors. Judging each combined operation behavior by combining the three similarities is more comprehensive and improves the accuracy of judging abnormal operation behaviors.
With reference to the fifth possible implementation manner of the first aspect, in a sixth possible implementation manner of the first aspect, after intercepting the operation instruction when it is determined that an abnormal operation behavior exists among the plurality of combined operation behaviors, the method further comprises:
receiving a new operation instruction sent by the target device; the new operation instruction comprises a third operation behavior and a fourth operation behavior, where the third operation behavior is one of the plurality of operation behaviors of the intercepted operation instruction and the fourth operation behavior is not;
analyzing the fourth operation behavior according to the preset abnormal operation behavior library, and judging whether the fourth operation behavior is an abnormal operation behavior;
when it is determined that the fourth operation behavior is not an abnormal operation behavior, combining the fourth operation behavior with the third operation behavior in different ways to obtain a plurality of new combined operation behaviors, each of which comprises at least one fourth operation behavior;
analyzing the plurality of new combined operation behaviors according to the preset abnormal operation behavior library, and judging whether an abnormal operation behavior exists among them;
intercepting the new operation instruction when it is determined that an abnormal operation behavior exists among the plurality of new combined operation behaviors.
Beneficial effects: after its abnormal operation behavior has been intercepted, the target device may issue a new operation instruction, and detection can then be focused on the operation behaviors that changed in the new instruction (the fourth operation behaviors). Determining the combined operation behaviors that include at least one fourth operation behavior and judging those for abnormality gives an effective judgment of the specific abnormal operation behavior and therefore more effective interception.
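An added illustration of the fifth and sixth implementation manners, not code from the patent: the library maps each abnormal operation behavior to its known split forms (combined abnormal operation behaviors) and to superior/lower-level variants of those forms; a combined operation behavior is scored by the fourth (direct), fifth (split form) and sixth (superior/lower-level of the split form) similarity. After an interception, a re-submitted instruction is handled by first checking its changed (fourth) behaviors on their own and then examining only the combinations that contain at least one changed behavior. The library contents, the two instructions, the similarity measures, the weights 1.0/0.9/0.7 and the threshold 0.6 are constructed assumptions.

```python
"""
Added illustration, not the patent's own code: judging combined operation behaviors with the
fourth, fifth and sixth similarities, and the focused re-check of a re-submitted instruction
in which only combinations containing a changed (fourth) behavior are examined. The library,
the similarity measures, the weights and the threshold are constructed assumptions.
"""
from itertools import permutations

# Constructed library: each abnormal operation behavior with its known split forms
# ("combined abnormal operation behaviors") and superior/lower-level variants of those forms.
LIBRARY = {
    "export core database table": {
        "splits": [("read core database table", "write table to file")],
        "superior": [("read core database table", "write table to remote")],
        "lower": [("select core table rows", "append rows to file")],
    },
}
WEIGHTS = (1.0, 0.9, 0.7)  # assumed weights for the fourth, fifth and sixth similarity
THRESHOLD = 0.6            # assumed interception threshold

# Constructed behaviors of the first (intercepted) instruction and of the re-submitted one:
# the device swapped "write table to file" for "write table to remote".
OLD_BEHAVIORS = ["open session", "read core database table", "write table to file", "close session"]
NEW_BEHAVIORS = ["open session", "read core database table", "write table to remote", "close session"]


def similarity(a, b):
    """Jaccard similarity over whitespace tokens (assumed measure)."""
    ta, tb = set(a.lower().split()), set(b.lower().split())
    return len(ta & tb) / len(ta | tb) if ta | tb else 0.0


def seq_similarity(combo, ref):
    """Similarity of two behavior sequences: mean of position-wise similarity (assumed)."""
    if len(combo) != len(ref):
        return 0.0
    return sum(similarity(a, b) for a, b in zip(combo, ref)) / len(ref)


def combo_score(combo, library=LIBRARY):
    """Highest weighted fourth/fifth/sixth similarity of one combined behavior to any entry."""
    best = 0.0
    for abnormal, info in library.items():
        fourth = similarity(" ".join(combo), abnormal)
        fifth = max((seq_similarity(combo, s) for s in info["splits"]), default=0.0)
        sixth = max((seq_similarity(combo, s) for s in info["superior"] + info["lower"]), default=0.0)
        best = max(best, WEIGHTS[0] * fourth, WEIGHTS[1] * fifth, WEIGHTS[2] * sixth)
    return best


def judge_combos(combos, threshold=THRESHOLD):
    """Combined behaviors judged abnormal; a non-empty result means: intercept."""
    return [c for c in combos if combo_score(c) >= threshold]


def recheck(old_behaviors, new_behaviors, library=LIBRARY, threshold=THRESHOLD):
    """Focused re-check of a re-submitted instruction. Returns (abnormal combos, changed behaviors)."""
    changed = [b for b in new_behaviors if b not in old_behaviors]   # fourth behaviors
    for b in changed:                                                # single-behavior check first
        if max(similarity(b, a) for a in library) >= threshold:
            return [(b,)], changed
    # Every ordered pair of the new instruction that contains at least one changed behavior.
    combos = sorted({p for p in permutations(new_behaviors, 2) if p[0] in changed or p[1] in changed})
    return judge_combos(combos, threshold), changed


if __name__ == "__main__":
    print(judge_combos([("read core database table", "write table to file"), ("open session", "close session")]))
    print(recheck(OLD_BEHAVIORS, NEW_BEHAVIORS))
```

In the re-submitted instruction the swapped behavior is individually harmless (similarity 1/7 to the library entry), but the pair (read core database table, write table to remote) scores 0.72 through the fifth similarity against the recorded split form and 0.7 through the sixth against its superior variant, so the new instruction is intercepted as well.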
With reference to the sixth possible implementation manner of the first aspect, in a seventh possible implementation manner of the first aspect, after intercepting the new operation instruction when it is determined that an abnormal operation behavior exists among the plurality of new combined operation behaviors, the method further comprises:
determining the original operation behavior corresponding to the fourth operation behavior; the original operation behavior is the operation behavior of the intercepted operation instruction other than the third operation behavior, i.e. the one that the fourth operation behavior replaced;
determining the relationship between the fourth operation behavior and the original operation behavior;
determining, according to that relationship, the abnormal operation hiding strategy of the target device;
and synchronizing the hiding strategy to the devices that have an interaction relationship with the target device.
Beneficial effects: determining the relationship between the fourth operation behavior and the original operation behavior reveals the abnormal operation hiding strategy of the target device; synchronizing that strategy to the devices that interact with the target device helps those devices detect and intercept the abnormal operations of the target device more effectively.
With reference to the first aspect, in an eighth possible implementation manner of the first aspect, the method further comprises:
when it is determined that no abnormal operation behavior exists among the plurality of combined operation behaviors, screening out suspicious operation behaviors from the plurality of combined operation behaviors; a suspicious operation behavior is one whose similarity to a target abnormal operation behavior in the abnormal operation behavior library is greater than a preset value;
generating a protection program based on the suspicious operation behaviors;
and executing the operation instruction on the operation object corresponding to the operation instruction while running the protection program.
Beneficial effects: even when no abnormal operation behavior is found among the combined operation behaviors, the safety of the operation instruction cannot be guaranteed completely. Generating a protection program and running it on the operation object corresponding to the operation instruction protects the operation object and avoids the security risk that executing the operation instruction could otherwise bring to it.
In a second aspect, an embodiment of the present application provides an apparatus for intercepting abnormal operations in computer network security, comprising:
a receiving module, configured to receive an operation instruction sent by a target device; the operation instruction comprises a plurality of operation behaviors;
a first processing module, configured to analyze the plurality of operation behaviors according to a preset abnormal operation behavior library and judge whether an abnormal operation behavior exists among the plurality of operation behaviors;
a second processing module, configured to generate a plurality of operation links according to different operation orders of the plurality of operation behaviors when it is determined that no abnormal operation behavior exists among them; to extract a plurality of combined operation behaviors from the plurality of operation links, each combined operation behavior comprising at least two operation behaviors; and to analyze the plurality of combined operation behaviors according to the preset abnormal operation behavior library and judge whether an abnormal operation behavior exists among them;
and an intercepting module, configured to intercept the operation instruction when it is determined that an abnormal operation behavior exists among the plurality of combined operation behaviors.
In order to make the aforementioned objects, features and advantages of the present application more comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained from the drawings without inventive effort.
FIG. 1 is a schematic diagram of a computer network provided by an embodiment of the present application;
fig. 2 is a block diagram of an electronic device according to an embodiment of the present disclosure;
fig. 3 is a flowchart of a method for intercepting a security abnormal operation of a computer network according to an embodiment of the present application;
fig. 4 is a block diagram illustrating a structure of a computer network security abnormal operation intercepting apparatus according to an embodiment of the present disclosure.
Reference numerals: 100, computer network; 110, network device; 120, central device; 200, electronic device; 210, memory; 220, communication module; 230, bus; 240, processor; 300, computer network security abnormal operation intercepting apparatus; 310, receiving module; 320, first processing module; 330, second processing module; 340, intercepting module.
Detailed Description
The present application will now be described in detail with reference to the drawings; the specific operations in the method embodiments may also be applied to the apparatus embodiments or the system embodiments. In the description of the present application, "at least one" includes one or more unless otherwise specified, and "a plurality" means two or more. For example, "at least one of A, B and C" comprises: A alone, B alone, A and B in combination, A and C in combination, B and C in combination, and A, B and C in combination. In this application, "/" means "or"; for example, A/B may mean A or B. "And/or" herein merely describes an association between objects and indicates three possible relationships; for example, "A and/or B" may mean: A exists alone, A and B exist simultaneously, or B exists alone.
As shown in fig. 1, the present application provides a schematic diagram of a computer network 100.
In this embodiment, the computer network 100 may include one or more network devices 110 and a central device 120. Each network device 110 is connected to the central device 120, so that data communication, such as data transmission and data access, can take place between a network device 110 and the central device 120. When there are a plurality of network devices 110, data communication such as data transmission and data access can also take place between the network devices 110 themselves. Whether it is data transmission or data access, various operations may be involved in the data communication between network devices 110 or between a network device 110 and the central device 120.
Whether it is the central device 120 or a network device 110, various operations are performed; but before an operation is performed, it must be determined what that operation is. If the operation to be performed is an abnormal operation that carries a security risk, it must not be performed; if it is a normal operation, it may be performed.
Based on this, the embodiment of the present application provides a method for intercepting a security abnormal operation of a computer network, so as to implement effective interception of the abnormal operation and improve the security of the computer network 100. Before introducing the interception of the abnormal operation of the computer network security, the environment for the method operation is introduced.
As shown in fig. 2, the electronic device 200 may be a server (i.e., the center device 120) or a terminal (i.e., the network device 110). When the electronic device 200 is a server, for example, it may be a web server, a database server, a cloud server, or a server assembly composed of a plurality of sub servers; alternatively, when the electronic device 200 is a terminal, it may be a Personal Computer (PC), a tablet PC, a smart phone, a Personal Digital Assistant (PDA), or the like. Of course, the above-mentioned devices are for easy understanding of the present embodiment, and should not be taken as limiting the present embodiment.
In this embodiment, the electronic device 200 may include: memory 210, communication module 220, bus 230, and processor 240. Wherein the processor 240, the communication module 220, and the memory 210 are connected by a bus 230.
The processor 240 is used to execute executable modules, such as computer programs, stored in the memory 210. The components and configuration of the electronic device 200 shown in FIG. 2 are exemplary only and not limiting; the electronic device 200 may have other components and configurations as required.
The Memory 210 may include a Random Access Memory (RAM) and may also include a Non-Volatile Memory (Non-Volatile Memory), such as at least two disk memories. In this embodiment, the memory 210 stores a program required for implementing the method for intercepting a security abnormal operation of a computer network provided in the embodiment of the present application.
Bus 230 may be an ISA bus, PCI bus, EISA bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one double-headed arrow is shown in FIG. 2, but this does not indicate only one bus or one type of bus.
The processor 240 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the method executed by the electronic device 200 may be performed by integrated logic circuits of hardware or by instructions in the form of software in the processor 240. The processor 240 may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor. The steps of the method executed by the electronic device 200 may be implemented directly by a hardware decoding processor, or by a combination of hardware and software modules in the decoding processor. The software module may be located in a storage medium well known in the art, such as RAM, flash memory, ROM, PROM, EPROM, or registers.
The method performed by the flow process or the defined apparatus disclosed in any of the embodiments of the present application may be applied to the processor 240 or implemented by the processor 240. After the processor 240 receives the execution instruction and calls the program stored in the memory 210 through the bus 230, the processor 240 controls the communication module 220 through the bus 230 to implement the process of running the computer network security abnormal operation interception method.
In this embodiment, the method for intercepting the abnormal operation of the computer network security may be executed by the network device 110, or may be executed by the central device 120, which is not limited herein, and may be set according to actual needs.
As shown in fig. 3, fig. 3 is a flowchart of a method for intercepting a security abnormal operation of a computer network according to an embodiment of the present application. In this embodiment, the method for intercepting a security abnormal operation of a computer network may include: step S10, step S20, step S30, step S40, step S50, and step S60.
Step S10: receive an operation instruction sent by the target device. The operation instruction comprises a plurality of operation behaviors.
Step S20: analyze the plurality of operation behaviors according to a preset abnormal operation behavior library, and judge whether an abnormal operation behavior exists among the plurality of operation behaviors.
Step S30: when it is determined that no abnormal operation behavior exists among the plurality of operation behaviors, generate a plurality of operation links according to different operation orders of the plurality of operation behaviors.
Step S40: extract a plurality of combined operation behaviors from the plurality of operation links. Each combined operation behavior comprises at least two operation behaviors.
Step S50: analyze the plurality of combined operation behaviors according to the preset abnormal operation behavior library, and judge whether an abnormal operation behavior exists among the plurality of combined operation behaviors.
Step S60: intercept the operation instruction when it is determined that an abnormal operation behavior exists among the plurality of combined operation behaviors.
In the embodiment of the present application, different operation instructions correspond to different operation command words (which may be understood as the code form of an operation instruction), such as the operation command words of the Windows operating system, the Android operating system, the iOS operating system, and the like. To facilitate generating and transmitting operation command words, an operation command word is divided according to the different operation behaviors it contains: a complete operation instruction may include multiple sections of operation command words, where each section corresponds to one operation behavior.
Based on this, whether an operation instruction is abnormal may be detected from the operation behaviors in the operation instruction. For example, suppose the operation instruction accesses target data. If the target data is accessed normally, only the operation behaviors related to reading the target data are needed. If the target data is accessed abnormally, operation behaviors related to tampering with the target data are also present in the operation instruction.
If an abnormal operation behavior of the target device can be judged directly through feature analysis, it is a direct abnormal operation behavior. In practical applications, however, there are also abnormal operation behaviors that have been encapsulated: the abnormal operation behavior is split into a plurality of normal operation behaviors, none of which causes an anomaly when executed alone, but which together cause the anomaly when executed in combination.
Therefore, by generating a plurality of operation links from the operation behaviors preliminarily judged to be non-abnormal and then extracting combined operation behaviors from them, different ways of combining the operation behaviors can be reproduced. Analyzing the combined operation behaviors then makes it possible to judge whether a combined operation behavior is abnormal. That is, the method judges not only single abnormal operation behaviors but also combined abnormal operation behaviors: even if the requesting device splits an abnormal operation behavior into a plurality of non-abnormal operation behaviors, the method can still detect and intercept the encapsulated abnormal operation behavior, thereby ensuring effective interception of abnormal operations.
As an alternative embodiment, step S20 includes: determining a first similarity between each abnormal operation behavior in the abnormal operation behavior library and the plurality of operation behaviors; determining a second similarity between the upper-level operation behavior of each abnormal operation behavior in the abnormal operation behavior library and the plurality of operation behaviors; determining a third similarity between the lower-level operation behavior of each abnormal operation behavior in the abnormal operation behavior library and the plurality of operation behaviors; and judging whether an abnormal operation behavior exists among the plurality of operation behaviors according to the first similarity, the second similarity and the third similarity.
The abnormal operation behaviors stored in the abnormal operation behavior library correspond to command words, and the plurality of operation behaviors in the operation instruction also correspond to command words, so the similarity between operation behaviors can be determined by calculating the similarity between their corresponding command words.
When calculating the similarity of command words, an established similarity algorithm may be employed. For example, if the two sections of command words each contain three commands, the similarity between each pair of commands is calculated, and the similarity of the two sections of command words is then determined by combining these three similarities.
As for the upper-level and lower-level operation behaviors of an abnormal operation behavior: when the abnormal operation behavior library is preset in the local device, the upper-level and lower-level operation behaviors of each abnormal operation behavior can be stored alongside it, so that they can be obtained directly whenever the abnormal operation behavior library needs to be used. Like the abnormal operation behaviors themselves, the upper-level and lower-level operation behaviors each correspond to a command word.
For example, if the abnormal operation behavior is illegal tampering, its upper-level operation behavior may be password cracking: much data is protected by a password, so tampering with the data requires the password to be cracked first. Its lower-level operation behavior may be trace deletion, since tampering traces need to be deleted to avoid detection.
When judging according to the three similarities, various judgment methods can be adopted. For example, take the average of the three similarities and judge the operation abnormal when the average is greater than a preset value. For another example, take a weighted sum of the three similarities and judge the operation abnormal when the weighted sum is greater than a preset value.
When the operation behaviors are analyzed, the first similarity gives the direct similarity between each operation behavior and the abnormal operation behavior; the second similarity gives the similarity between each operation behavior and the upper-level operation behavior of the abnormal operation behavior, which is a first extension of the judgment beyond the abnormal operation behaviors in the library; and the third similarity gives the similarity between each operation behavior and the lower-level operation behavior of the abnormal operation behavior, which is a second extension of the judgment. Finally, whether each operation behavior is abnormal is judged by combining the three similarities. This judging mode is more comprehensive and can improve the accuracy of judging abnormal operation behaviors.
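As an added example (not code from the patent), the three-similarity judgment above in Python. A behavior is a "section of command words", written here as commands separated by ";", and the library entry stores its upper-level and lower-level behaviors as the text describes. The similarity metric (Jaccard overlap of command tokens, averaged over the commands of a section) and the sample library, built around the illegal-tampering example, are assumptions; the page only says an established algorithm may be used.

```python
"""Added example: single-behavior check with first/second/third similarity."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AbnormalEntry:
    """One record of the abnormal operation behavior library: the abnormal
    behavior plus its stored upper-level and lower-level operation behaviors."""
    name: str
    behavior: str
    upper: str
    lower: str


def command_similarity(a: str, b: str) -> float:
    """Jaccard overlap of the tokens of two single commands (assumed metric)."""
    ta, tb = set(a.split()), set(b.split())
    if not ta and not tb:
        return 1.0
    return len(ta & tb) / len(ta | tb)


def section_similarity(sec_a: str, sec_b: str) -> float:
    """Similarity of two command-word sections: compare commands pairwise in
    order and average over the longer section, so a missing command counts 0
    (the text's three-command example; the combining rule is assumed)."""
    cmds_a = [c.strip() for c in sec_a.split(";") if c.strip()]
    cmds_b = [c.strip() for c in sec_b.split(";") if c.strip()]
    n = max(len(cmds_a), len(cmds_b))
    if n == 0:
        return 1.0
    return sum(command_similarity(x, y) for x, y in zip(cmds_a, cmds_b)) / n


def three_similarities(behavior: str, entry: AbnormalEntry) -> tuple:
    """First, second and third similarity of one operation behavior against one
    library entry: direct, against the upper level, against the lower level."""
    return (
        section_similarity(behavior, entry.behavior),
        section_similarity(behavior, entry.upper),
        section_similarity(behavior, entry.lower),
    )


def is_abnormal(behavior, library, threshold=0.5, weights=(0.6, 0.2, 0.2)) -> bool:
    """Weighted-sum judgment from the text: abnormal when the weighted sum of
    the three similarities exceeds the preset value for any library entry.
    weights=(1/3, 1/3, 1/3) gives the plain-average variant."""
    for entry in library:
        s1, s2, s3 = three_similarities(behavior, entry)
        if weights[0] * s1 + weights[1] * s2 + weights[2] * s3 > threshold:
            return True
    return False


def average_first_similarity(behavior: str, library) -> float:
    """Average of the direct (first) similarity over all library entries; the
    text reuses this value when ordering behaviors into operation links."""
    return sum(section_similarity(behavior, e.behavior) for e in library) / len(library)


# Constructed sample library: the 'illegal tampering' example from the text,
# with password cracking as its upper level and trace deletion as its lower level.
LIBRARY = [
    AbnormalEntry("illegal_tamper",
                  "open target; write target; close target",
                  "read passwd; crack passwd; verify passwd",
                  "delete log; clear history; close session"),
    AbnormalEntry("password_crack",
                  "read passwd; crack passwd; verify passwd",
                  "scan host; probe host",
                  "open target; write target"),
]

# Constructed sample behaviors: a plain read, and a write matching the library.
NORMAL_READ = "open target; read target; close target"
TAMPER = "open target; write target; close target"

if __name__ == "__main__":
    for b in (NORMAL_READ, TAMPER):
        print(b, "->", "abnormal" if is_abnormal(b, LIBRARY) else "normal")
```

With the constructed library, the plain read scores a weighted sum just under the preset value of 0.5 and passes, while the write scores above it and is judged abnormal; the second and third similarities only add weight when the upper-level or lower-level commands also appear, which is the "extension" the text describes.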
A first alternative implementation of step S30 includes: determining a first operation behavior among the plurality of operation behaviors, namely the one whose average similarity to the abnormal operation behaviors in the abnormal operation behavior library is the lowest; determining a second operation behavior among the plurality of operation behaviors, namely the one whose average similarity to the abnormal operation behaviors in the abnormal operation behavior library is the highest; placing the first operation behavior at the head of the link and the second operation behavior at the tail of the link, and inserting the remaining operation behaviors between the head and the tail according to different insertion orders to generate a plurality of operation links; the different insertion orders comprise at least two insertion orders.
Since the similarities between the plurality of operation behaviors and the abnormal operation behaviors have already been calculated in step S20, the similarity values obtained in step S20 may be applied directly when determining the first operation behavior.
The different insertion orders include inserting from high to low by average similarity, and inserting from low to high by average similarity.
Determining the first operation behavior and the second operation behavior fixes the head and the tail of each operation link; once these are fixed, the remaining operation behaviors can be placed according to the different insertion orders. On one hand, this generates the various possible operation links; on the other hand, it improves the efficiency of generating them.
A second alternative implementation of step S30 includes: determining the average similarity of each of the plurality of operation behaviors to the abnormal operation behaviors in the abnormal operation behavior library; generating a first operation link by ordering the operation behaviors from low to high by the difference between their average similarity and a first calibration value; and generating a second operation link by ordering the operation behaviors from high to low by the difference between their average similarity and a second calibration value.
The first calibration value may be a value between 50% and 100%, and the second calibration value may be a value between 0% and 50%.
Different operation links are thus generated from the magnitude of the difference between the average similarity and different calibration values. On one hand, this generates the various possible operation links; on the other hand, it improves the efficiency of generating them.
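Both alternatives for step S30, as an added example rather than the patent's own code. The input is the per-behavior average similarity computed in step S20 (the values below are constructed); the two insertion orders of the first alternative are descending and ascending average similarity as the text lists them, and the second alternative orders by the absolute difference from the calibration value, which is an assumption about how "difference" is measured.

```python
"""Added example: generating operation links from step S20's average similarities."""


def links_by_anchors(avg_sim):
    """First alternative: the behavior with the lowest average similarity is
    placed at the head of the link, the one with the highest at the tail, and
    the remaining behaviors are inserted between them in at least two insertion
    orders, here descending and ascending average similarity."""
    if len(avg_sim) < 2:
        raise ValueError("need at least two operation behaviors")
    # Sort ascending by average similarity; ties are broken by name so the
    # generated links are deterministic.
    ascending = sorted(avg_sim, key=lambda b: (avg_sim[b], b))
    head, tail, middle = ascending[0], ascending[-1], ascending[1:-1]
    return [
        [head, *reversed(middle), tail],  # insert from high to low
        [head, *middle, tail],            # insert from low to high
    ]


def links_by_calibration(avg_sim, first_cal=0.8, second_cal=0.2):
    """Second alternative: order by the distance of the average similarity from
    a calibration value. first_cal lies in 50%-100% and second_cal in 0%-50%
    as the text states; using the absolute difference is an assumption."""
    if not 0.5 <= first_cal <= 1.0 or not 0.0 <= second_cal <= 0.5:
        raise ValueError("calibration values outside the ranges given in the text")
    # first link: difference from the first calibration value, low to high
    first_link = sorted(avg_sim, key=lambda b: (abs(avg_sim[b] - first_cal), b))
    # second link: difference from the second calibration value, high to low
    second_link = sorted(avg_sim, key=lambda b: (-abs(avg_sim[b] - second_cal), b))
    return [first_link, second_link]


def generate_links(avg_sim):
    """All operation links produced by both alternatives, duplicates removed."""
    seen, links = set(), []
    for link in links_by_anchors(avg_sim) + links_by_calibration(avg_sim):
        if tuple(link) not in seen:
            seen.add(tuple(link))
            links.append(link)
    return links


# Constructed sample: average similarity of four behaviors to the library.
SAMPLE_AVG_SIM = {"login": 0.10, "list dir": 0.25, "read file": 0.40, "write file": 0.65}

if __name__ == "__main__":
    for link in generate_links(SAMPLE_AVG_SIM):
        print(" -> ".join(link))
```

On the sample input the two alternatives yield four distinct orderings of the same four behaviors, which is the raw material step S40 draws its combined behaviors from.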
As an alternative embodiment, step S40 includes: extracting a plurality of first combined operation behaviors from the plurality of operation links, where a first combined operation behavior comprises two adjacent operation behaviors belonging to the same operation link; extracting a plurality of second combined operation behaviors from the plurality of operation links, where a second combined operation behavior comprises at least two operation behaviors belonging to the same operation link whose positions in the operation sequence are separated by a preset value; and extracting a plurality of third combined operation behaviors from the plurality of operation links, where a third combined operation behavior comprises at least two operation behaviors belonging to the same operation link whose positions in the operation sequence fall within a specified order.
The preset value may be a value that preserves correlation between the two operation behaviors, such as a value between 2 and 5. The specified order may be the range of positions in an operation link where an abnormal operation behavior is most likely to occur; for example, if a link contains 10 operation behaviors and the 5th to 8th are the most likely to be abnormal, the specified order may be 5-8.
Combining two adjacent operation behaviors of the same operation link restores the first possible encapsulation mode of an abnormal operation behavior; combining at least two operation behaviors of the same operation link separated by the preset value restores the second possible encapsulation mode; and combining at least two operation behaviors of the same operation link whose positions fall within the specified order restores the third possible encapsulation mode. By restoring several possible encapsulation modes of abnormal operation behaviors, the effectiveness of the final detection of abnormal operation behaviors is improved.
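The three extraction rules of step S40 in code, added here as an example and not taken from the patent. The links and behavior names are constructed; the preset value and the specified order are passed in as parameters with the text's own defaults (a gap of 2 and positions 5-8).

```python
"""Added example: extracting combined operation behaviors from operation links."""


def adjacent_pairs(link):
    """First combined behavior: two adjacent behaviors of the same link."""
    return [(link[i], link[i + 1]) for i in range(len(link) - 1)]


def spaced_pairs(link, gap):
    """Second combined behavior: two behaviors of the same link whose positions
    in the operation sequence are 'gap' apart (the text suggests 2 to 5)."""
    if gap < 1:
        raise ValueError("gap must be at least 1")
    return [(link[i], link[i + gap]) for i in range(len(link) - gap)]


def ordered_window(link, start, end):
    """Third combined behavior: the behaviors at the specified 1-based positions
    start..end of the link, kept in link order (text example: 5-8 of 10)."""
    if start < 1 or end < start:
        raise ValueError("window must satisfy 1 <= start <= end")
    return tuple(link[start - 1:end])


def extract_combined(links, gap=2, window=(5, 8)):
    """All combined behaviors over all links, de-duplicated: a pair reached
    from several links is analysed only once in step S50."""
    combos, seen = [], set()
    for link in links:
        candidates = adjacent_pairs(link) + spaced_pairs(link, gap)
        w = ordered_window(link, *window)
        if len(w) >= 2:  # a combined behavior needs at least two behaviors
            candidates.append(w)
        for c in candidates:
            if c not in seen:
                seen.add(c)
                combos.append(c)
    return combos


# Constructed sample links (two orderings of the same four behaviors, and a
# ten-behavior link for the specified-order rule).
LINK_A = ["login", "list dir", "read file", "write file"]
LINK_B = ["login", "read file", "list dir", "write file"]
LONG_LINK = [f"op{i}" for i in range(1, 11)]  # op1 .. op10

if __name__ == "__main__":
    for combo in extract_combined([LINK_A, LINK_B]):
        print(combo)
    print(ordered_window(LONG_LINK, 5, 8))
```

Note that a short link simply yields no third combined behavior when the specified window falls past its end, and that the de-duplication keeps the later similarity analysis from repeating work on pairs that several links share.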
As an alternative embodiment, step S50 includes: determining a fourth similarity of each abnormal operation behavior in the abnormal operation behavior library and the plurality of combined operation behaviors; determining a plurality of combined abnormal operation behaviors corresponding to each abnormal operation behavior in an abnormal operation behavior library; determining a fifth similarity of the plurality of combined abnormal operational behaviors to the plurality of combined operational behaviors; determining a sixth similarity of an upper-level operation behavior or a lower-level operation behavior of the plurality of combined abnormal operation behaviors to the plurality of combined operation behaviors; and judging whether an abnormal operation behavior exists in the plurality of combined operation behaviors according to the fourth similarity, the fifth similarity and the sixth similarity.
Here, abnormal operation behaviors that share the same upper-level operation behavior and/or the same lower-level operation behavior may be combined into a combined abnormal operation behavior. The upper-level or lower-level operation behavior of such a combined abnormal operation behavior may then be that shared upper-level operation behavior and/or that shared lower-level operation behavior.
Through the determination of the fourth similarity, the direct similarity of the combined operation behavior and the abnormal operation behavior can be determined; through the determination of the fifth similarity, the first type of expanded similarity of the combined operation behavior and the combined abnormal operation behavior can be determined; through the determination of the sixth similarity, a second type of expanded similarity of the combined operation behavior and the abnormal operation behavior can be determined; finally, the three similarities are combined to judge whether each combined operation behavior is an abnormal operation behavior, the judging mode is more comprehensive, and the accuracy of judging the abnormal operation behavior can be improved.
Step S60 may be performed, for example, by transferring the abnormal operation instruction to a virtual device for execution, or simply by not executing the abnormal operation instruction.
After step S60, the target device may infer from the failure of its operation instruction that the instruction was intercepted, and it may then repackage the operation instruction and try again. To cope with this, the method further comprises:
receiving a new operation instruction sent by the target device, where the new operation instruction comprises a third operation behavior and a fourth operation behavior, the third operation behavior belonging to the plurality of operation behaviors and the fourth operation behavior not belonging to the plurality of operation behaviors; analyzing the fourth operation behavior according to the preset abnormal operation behavior library, and judging whether the fourth operation behavior is an abnormal operation behavior; when it is determined that the fourth operation behavior is not an abnormal operation behavior, combining the fourth operation behavior with the third operation behavior in different ways to obtain a plurality of new combined operation behaviors, each of which comprises at least one fourth operation behavior; analyzing the plurality of new combined operation behaviors according to the preset abnormal operation behavior library, and judging whether an abnormal operation behavior exists among them; and intercepting the new operation instruction when an abnormal operation behavior exists among the plurality of new combined operation behaviors.
The fourth operation behavior may be combined with one or more of the third operation behaviors; for example, the fourth operation behavior is combined with each of the third operation behaviors in turn to obtain a plurality of combined operation behaviors.
After intercepting the abnormal operation behavior, the target device may initiate a new operation instruction again, and focus detection may be performed for the operation behavior (fourth operation behavior) changed in the new operation instruction. Therefore, by determining the combined operation behavior including at least one fourth operation behavior and then judging the abnormal operation behavior, the effective judgment of the specific abnormal operation behavior is realized, and the more effective abnormal operation interception is realized.
After intercepting the new operation instruction, the method further comprises: determining the original operation behavior corresponding to the fourth operation behavior, where the original operation behavior is among the operation behaviors of the plurality of operation behaviors other than the third operation behavior; determining the relationship between the fourth operation behavior and the original operation behavior; determining an abnormal operation hiding strategy of the target device according to that relationship; and synchronizing the hiding strategy to the devices that have an interactive relationship with the target device.
For example, if the action of command 1 in the fourth operation behavior is the same as that of command 2 in the previous operation behavior, the operation behavior may be the original operation behavior corresponding to the fourth operation behavior; for another example: if the operation result of the fourth operation behavior is the same as the operation result of the previous operation behavior, the operation behavior may be the original operation behavior corresponding to the fourth operation behavior.
Further, if the fourth operation behavior and the original operation behavior contain commands with the same function, command replacement is one operation hiding strategy; and if the operation result of the fourth operation behavior is the same as that of the original operation behavior, replacement by an operation with the same result is another operation hiding strategy. The abnormal operation hiding strategy may include one or more such policies.
Determining the relation between the fourth operation behavior and the original operation behavior to determine an abnormal operation hiding strategy of the target equipment; by synchronizing the abnormal operation hiding strategy of the target equipment to the equipment with interactive relation with the target equipment, the equipment can be helped to more effectively detect and intercept the abnormal operation of the target equipment.
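Handling of a repackaged instruction as described above, as an added example that is not the patent's code. It splits the new instruction into retained (third) and changed (fourth) behaviors, combines each fourth behavior with every third behavior, and then recovers the hiding strategy by comparing the fourth behavior with the original behavior it replaced. Library lookups are exact matches against constructed sets, standing in for the similarity judgments of steps S20 and S50; the command-function and operation-result tables are also constructed, since the page does not say how "same function" or "same result" is established.

```python
"""Added example: re-checking a repackaged instruction and naming the hiding strategy."""


def split_new_instruction(original, new):
    """Third behaviors are those kept from the intercepted instruction; fourth
    behaviors are the ones that changed."""
    original_set = set(original)
    retained = [b for b in new if b in original_set]      # third behaviors
    changed = [b for b in new if b not in original_set]   # fourth behaviors
    return retained, changed


def new_combined_behaviors(retained, changed):
    """Each fourth behavior combined with each third behavior, in both orders
    (taking both orders is an assumption). Every combination therefore
    contains at least one fourth behavior, as the text requires."""
    combos = []
    for f in changed:
        for t in retained:
            combos.append((t, f))
            combos.append((f, t))
    return combos


def check_new_instruction(original, new, single_library, combo_library):
    """Returns ('intercept', hits) or ('allow', []). Only the fourth behaviors
    are checked individually; the combined check is then focused on them."""
    retained, changed = split_new_instruction(original, new)
    direct = [b for b in changed if b in single_library]
    if direct:
        return "intercept", direct
    hits = [c for c in new_combined_behaviors(retained, changed) if c in combo_library]
    return ("intercept" if hits else "allow"), hits


def hiding_strategy(original, new, command_function, operation_result):
    """Match each fourth behavior to the original behavior it replaced and name
    the hiding strategy: 'command replacement' when a command with the same
    function was substituted, 'same-result replacement' when only the
    operation result matches. The result is what would be synchronized to
    devices that interact with the target device."""
    retained, changed = split_new_instruction(original, new)
    replaced = [b for b in original if b not in retained]  # original behaviors
    strategies = {}
    for f in changed:
        for o in replaced:
            if f in command_function and command_function[f] == command_function.get(o):
                strategies[f] = (o, "command replacement")
            elif f in operation_result and operation_result[f] == operation_result.get(o):
                strategies[f] = (o, "same-result replacement")
    return strategies


# Constructed samples: the intercepted instruction and three repackaged versions.
ORIGINAL = ["open target", "write target", "close target"]
NEW_RENAMED = ["open target", "modify target", "close target"]
NEW_READ = ["open target", "read target", "close target"]
NEW_OVERWRITE = ["open target", "overwrite target", "close target"]

SINGLE_LIBRARY = {"format disk"}                       # directly abnormal behaviors
COMBO_LIBRARY = {("open target", "modify target"),     # abnormal combinations
                 ("write target", "delete log")}
COMMAND_FUNCTION = {"open target": "open", "close target": "close", "read target": "read",
                    "write target": "modify", "modify target": "modify"}
OPERATION_RESULT = {"write target": "target changed", "overwrite target": "target changed"}

if __name__ == "__main__":
    for new in (NEW_RENAMED, NEW_READ, NEW_OVERWRITE):
        print(new, check_new_instruction(ORIGINAL, new, SINGLE_LIBRARY, COMBO_LIBRARY),
              hiding_strategy(ORIGINAL, new, COMMAND_FUNCTION, OPERATION_RESULT))
```

Only the combinations that contain a changed behavior are re-analysed, which is the "focused detection" of the text; the recovered strategy records which original behavior was swapped and how, so that peer devices can recognise the same substitution.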
Even when no abnormal operation behavior is found among the combined operation behaviors, the security of the operation instruction cannot be guaranteed one hundred percent. Therefore, to guarantee security in the computer network 100, the method further includes: when it is determined that no abnormal operation behavior exists among the plurality of combined operation behaviors, screening out suspicious operation behaviors from them, where a suspicious operation behavior is one whose similarity to a target abnormal operation behavior in the abnormal operation behavior library is greater than a preset value; generating a protection program based on the suspicious operation behavior; and executing the operation instruction on the operation object corresponding to the operation instruction while running the protection program.
For example, if the suspicious operation behavior is data uploading, the protection program may be a program that protects other data in the database to prevent the uploaded data from affecting the other data.
For another example, if the operation object corresponding to the data upload is the C drive, the data upload operation is executed on the C drive and the corresponding protection program is run there.
By generating the protection program and running the protection program on the operation object corresponding to the operation instruction, the protection function on the operation object is achieved, and the potential safety hazard brought to the operation object by executing the operation instruction is avoided.
As shown in fig. 4, an embodiment of the present invention further provides a computer network security abnormal operation intercepting apparatus 300, which is applied to any one of the network devices 110 or the central device 120, and the computer network security abnormal operation intercepting apparatus 300 includes:
a receiving module 310, configured to receive an operation instruction sent by a target device; the operation instruction comprises a plurality of operation behaviors.
The first processing module 320 is configured to analyze the multiple operation behaviors according to a preset abnormal operation behavior library, and determine whether an abnormal operation behavior exists in the multiple operation behaviors;
a second processing module 330, configured to generate a plurality of operation links according to different operation orders of the plurality of operation behaviors when it is determined that there is no abnormal operation behavior in the plurality of operation behaviors; extracting a plurality of combined operation behaviors from the plurality of operation links; the combined operation behavior comprises at least two operation behaviors; analyzing the plurality of combined operation behaviors according to the preset abnormal operation behavior library, and judging whether the plurality of combined operation behaviors have abnormal operation behaviors or not;
the intercepting module 340 is configured to intercept the operation instruction when it is determined that an abnormal operation behavior exists in the multiple combined operation behaviors.
In this embodiment of the application, the first processing module 320 is specifically configured to: determining a first similarity between each abnormal operation behavior in the abnormal operation behavior library and the plurality of operation behaviors; determining a second similarity between a superior operation behavior of each abnormal operation behavior in the abnormal operation behavior library and the plurality of operation behaviors; determining a third similarity between a lower-level operation behavior of each abnormal operation behavior in the abnormal operation behavior library and the plurality of operation behaviors; and judging whether an abnormal operation behavior exists in the plurality of operation behaviors according to the first similarity, the second similarity and the third similarity.
In this embodiment of the application, the second processing module 330 is specifically configured to: determining a first operational behavior of the plurality of operational behaviors; the average similarity of the first operation behavior and each abnormal operation behavior in the abnormal operation behavior library is the lowest; determining a second operational behavior of the plurality of operational behaviors; the average similarity of the second operation behaviors and each abnormal operation behavior in the abnormal operation behavior library is highest; using the first operation behavior as a first operation behavior, using the second operation behavior as a last operation behavior, and inserting other operation behaviors except the first operation behavior and the second operation behavior between the first operation behavior and the last operation behavior according to different insertion orders to generate the plurality of operation links; the different insertion order comprises at least two insertion orders.
In this embodiment of the application, the second processing module 330 is further specifically configured to: determining an average similarity of the plurality of operation behaviors to each abnormal operation behavior in the abnormal operation behavior library; generating a first operation link according to the sequence from low to high of the difference between the average similarity and the first calibration value; and generating a second operation link according to the sequence of the difference between the average similarity and a second calibration value from high to low.
In this embodiment of the application, the second processing module 330 is further specifically configured to: extracting a first plurality of combined operational behaviors from the plurality of operational links; the first combined operation behavior comprises two adjacent operation behaviors belonging to the same operation link; extracting a plurality of second combined operational behaviors from the plurality of operational links; the second combined operation behavior comprises at least two operation behaviors which belong to the same operation link and are separated by preset values between operation sequences; extracting a plurality of third combined operational behaviors from the plurality of operational links; the third combined operation behavior comprises at least two operation behaviors which belong to the same operation link and have a specified sequence.
In this embodiment of the application, the second processing module 330 is further specifically configured to: determining a fourth similarity of each abnormal operation behavior in the abnormal operation behavior library and the plurality of combined operation behaviors; determining a plurality of combined abnormal operation behaviors corresponding to each abnormal operation behavior in the abnormal operation behavior library; determining a fifth similarity of the plurality of combined abnormal operational behaviors to the plurality of combined operational behaviors; determining a sixth similarity of an upper level operational behavior or a lower level operational behavior of the plurality of combined abnormal operational behaviors to the plurality of combined operational behaviors; and judging whether an abnormal operation behavior exists in the plurality of combined operation behaviors according to the fourth similarity, the fifth similarity and the sixth similarity.
In this embodiment of the present application, the receiving module 310 is further configured to: receive a new operation instruction sent by the target device; the new operation instruction comprises a third operation behavior and a fourth operation behavior, the third operation behavior belonging to the plurality of operation behaviors and the fourth operation behavior not belonging to the plurality of operation behaviors; the first processing module 320 is further configured to analyze the fourth operation behavior according to the preset abnormal operation behavior library, and determine whether the fourth operation behavior is an abnormal operation behavior; the second processing module 330 is further configured to, when it is determined that the fourth operation behavior is not an abnormal operation behavior, combine the fourth operation behavior and the third operation behavior in different manners to obtain a plurality of new combined operation behaviors, each of which comprises at least one fourth operation behavior, analyze the plurality of new combined operation behaviors according to the preset abnormal operation behavior library, and judge whether an abnormal operation behavior exists among them; the interception module 340 is further configured to intercept the new operation instruction when it is determined that an abnormal operation behavior exists among the plurality of new combined operation behaviors.
In this embodiment of the present application, the intercepting module 340 is further configured to: determine an original operation behavior corresponding to the fourth operation behavior, the original operation behavior being among the operation behaviors of the plurality of operation behaviors other than the third operation behavior; determine a relationship between the fourth operation behavior and the original operation behavior; determine an abnormal operation hiding strategy of the target device according to the relationship; and synchronize the hiding strategy to the devices that have an interactive relationship with the target device.
In this embodiment of the present application, the intercepting module 340 is further configured to: screening out suspicious operation behaviors from the plurality of combined operation behaviors when determining that no abnormal operation behaviors exist in the plurality of combined operation behaviors; the similarity between the suspicious operation behavior and the target abnormal operation behavior in the abnormal operation behavior library is greater than a preset value; generating a protection program based on the suspicious operation behavior; and executing the operation instruction on an operation object corresponding to the operation instruction, and running the protection program.
The embodiment of the present application further provides a storage medium, where one or more programs are stored, and the one or more programs may be executed by one or more processors to implement the method for intercepting a security abnormal operation of a computer network in the embodiment.
It is to be understood that various changes and modifications may be made to the embodiments of the present application by those skilled in the art without departing from the spirit and scope of the present application. Thus, if such modifications and variations of the embodiments of the present application fall within the scope of the claims of the present application and their equivalents, the present application is also intended to encompass such modifications and variations.

Claims (10)

1. A computer network security abnormal operation interception method is characterized by comprising the following steps:
receiving an operation instruction sent by target equipment; the operation instruction comprises a plurality of operation behaviors;
analyzing the plurality of operation behaviors according to a preset abnormal operation behavior library, and judging whether an abnormal operation behavior exists in the plurality of operation behaviors;
when determining that no abnormal operation behavior exists in the plurality of operation behaviors, generating a plurality of operation links according to different operation sequences of the plurality of operation behaviors;
extracting a plurality of combined operation behaviors from the plurality of operation links; the combined operation behavior comprises at least two operation behaviors;
analyzing the plurality of combined operation behaviors according to the preset abnormal operation behavior library, and judging whether the plurality of combined operation behaviors have abnormal operation behaviors or not;
intercepting the operation instruction when determining that abnormal operation behaviors exist in the plurality of combined operation behaviors.
2. The method according to claim 1, wherein the analyzing the plurality of operation behaviors according to a preset abnormal operation behavior library to determine whether an abnormal operation behavior exists in the plurality of operation behaviors comprises:
determining a first similarity between each abnormal operation behavior in the abnormal operation behavior library and the plurality of operation behaviors;
determining a second similarity between a superior operation behavior of each abnormal operation behavior in the abnormal operation behavior library and the plurality of operation behaviors;
determining a third similarity between a lower-level operation behavior of each abnormal operation behavior in the abnormal operation behavior library and the plurality of operation behaviors;
and judging whether an abnormal operation behavior exists in the plurality of operation behaviors according to the first similarity, the second similarity and the third similarity.
3. The method according to claim 1, wherein generating the plurality of operation links according to different operation sequences of the plurality of operation behaviors comprises:
determining a first operation behavior of the plurality of operation behaviors; the first operation behavior is the one whose average similarity to the abnormal operation behaviors in the abnormal operation behavior library is lowest;
determining a second operation behavior of the plurality of operation behaviors; the second operation behavior is the one whose average similarity to the abnormal operation behaviors in the abnormal operation behavior library is highest;
placing the first operation behavior at the head of each link and the second operation behavior at its tail, and inserting the remaining operation behaviors, other than the first and second operation behaviors, between the head and the tail in different insertion orders to generate the plurality of operation links; the different insertion orders comprise at least two insertion orders.
4. The method according to claim 1, wherein generating the plurality of operation links according to different operation sequences of the plurality of operation behaviors comprises:
determining an average similarity of each of the plurality of operation behaviors to the abnormal operation behaviors in the abnormal operation behavior library;
generating a first operation link by ordering the operation behaviors from low to high by the difference between their average similarity and a first calibration value;
and generating a second operation link by ordering the operation behaviors from high to low by the difference between their average similarity and a second calibration value.
5. The method according to claim 1, wherein extracting the plurality of combined operation behaviors from the plurality of operation links comprises:
extracting a plurality of first combined operation behaviors from the plurality of operation links; each first combined operation behavior comprises two adjacent operation behaviors belonging to the same operation link;
extracting a plurality of second combined operation behaviors from the plurality of operation links; each second combined operation behavior comprises at least two operation behaviors which belong to the same operation link and whose positions in the operation sequence are separated by a preset value;
extracting a plurality of third combined operation behaviors from the plurality of operation links; each third combined operation behavior comprises at least two operation behaviors which belong to the same operation link and occur in a specified sequence.
6. The method according to claim 1, wherein the analyzing the plurality of combined operation behaviors according to the preset abnormal operation behavior library to determine whether an abnormal operation behavior exists in the plurality of combined operation behaviors comprises:
determining a fourth similarity between each abnormal operation behavior in the abnormal operation behavior library and the plurality of combined operation behaviors;
determining a plurality of combined abnormal operation behaviors corresponding to each abnormal operation behavior in the abnormal operation behavior library;
determining a fifth similarity between the plurality of combined abnormal operation behaviors and the plurality of combined operation behaviors;
determining a sixth similarity between a superior or lower-level operation behavior of the plurality of combined abnormal operation behaviors and the plurality of combined operation behaviors;
and judging whether an abnormal operation behavior exists in the plurality of combined operation behaviors according to the fourth similarity, the fifth similarity and the sixth similarity.
7. The method according to claim 1, wherein after intercepting the operation instruction upon determining that an abnormal operation behavior exists in the plurality of combined operation behaviors, the method further comprises:
receiving a new operation instruction sent by the target equipment; the new operation instruction comprises a third operation behavior and a fourth operation behavior, the third operation behavior belongs to the plurality of operation behaviors, and the fourth operation behavior does not belong to the plurality of operation behaviors;
analyzing the fourth operation behavior according to the preset abnormal operation behavior library, and judging whether an abnormal operation behavior exists in the fourth operation behavior;
when it is determined that no abnormal operation behavior exists in the fourth operation behavior, combining the fourth operation behavior with the third operation behavior in different ways to obtain a plurality of new combined operation behaviors; each new combined operation behavior comprises at least one fourth operation behavior;
analyzing the plurality of new combined operation behaviors according to the preset abnormal operation behavior library, and judging whether an abnormal operation behavior exists in the plurality of new combined operation behaviors;
intercepting the new operation instruction when determining that an abnormal operation behavior exists in the plurality of new combined operation behaviors.
8. The method according to claim 7, wherein after intercepting the new operation instruction upon determining that an abnormal operation behavior exists in the plurality of new combined operation behaviors, the method further comprises:
determining an original operation behavior corresponding to the fourth operation behavior; the original operation behavior comprises the operation behaviors in the plurality of operation behaviors other than the third operation behavior;
determining a relationship between the fourth operation behavior and the original operation behavior;
determining an abnormal operation hiding strategy of the target equipment according to the relationship;
and synchronizing the hiding strategy to equipment having an interactive relationship with the target equipment.
9. The method of claim 1, further comprising:
screening out suspicious operation behaviors from the plurality of combined operation behaviors when determining that no abnormal operation behaviors exist in the plurality of combined operation behaviors; the similarity between the suspicious operation behavior and the target abnormal operation behavior in the abnormal operation behavior library is greater than a preset value;
generating a protection program based on the suspicious operation behavior;
and executing the operation instruction on an operation object corresponding to the operation instruction, and running the protection program.
10. A computer network security abnormal operation interception apparatus, comprising:
a receiving module, configured to receive an operation instruction sent by target equipment; the operation instruction comprises a plurality of operation behaviors;
a first processing module, configured to analyze the plurality of operation behaviors according to a preset abnormal operation behavior library and judge whether an abnormal operation behavior exists in the plurality of operation behaviors;
a second processing module, configured to generate a plurality of operation links according to different operation sequences of the plurality of operation behaviors when it is determined that no abnormal operation behavior exists in the plurality of operation behaviors; extract a plurality of combined operation behaviors from the plurality of operation links, each combined operation behavior comprising at least two operation behaviors; and analyze the plurality of combined operation behaviors according to the preset abnormal operation behavior library and judge whether an abnormal operation behavior exists in the plurality of combined operation behaviors;
and an intercepting module, configured to intercept the operation instruction when it is determined that an abnormal operation behavior exists in the plurality of combined operation behaviors.
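The two-stage pipeline of claims 1, 3 and 5 carried through end to end, as an added illustrative example that is not code from the patent: the similarity measure (Jaccard over tokens), the threshold, the preset position gap and the library contents are all constructed assumptions. The staged case shows why the combined check matters: every behavior passes the single-behavior check, and only the non-adjacent pair extracted from the generated link matches the library.

```python
from itertools import permutations

THRESHOLD = 0.5   # assumed: similarity at or above this counts as a match
PRESET_GAP = 2    # assumed value for claim 5's "preset value" between positions
# Constructed library: single abnormal behaviors and abnormal combinations (ordered).
LIBRARY_SINGLE = ["delete audit log", "disable firewall service"]
LIBRARY_COMBINED = [("write file tmp", "chmod exec tmp"), ("download tool", "run tool")]

def jaccard(a, b):
    """Assumed similarity measure: Jaccard index over whitespace tokens."""
    sa, sb = set(a.split()), set(b.split())
    return len(sa & sb) / len(sa | sb) if sa | sb else 0.0

def is_abnormal(behavior):
    """Stage 1 of claim 1: compare a single behavior with every library entry."""
    return any(jaccard(behavior, x) >= THRESHOLD for x in LIBRARY_SINGLE)

def avg_similarity(behavior):
    return sum(jaccard(behavior, x) for x in LIBRARY_SINGLE) / len(LIBRARY_SINGLE)

def generate_links(behaviors):
    """Claim 3: lowest average similarity first, highest last, the rest
    inserted between them in every possible order."""
    if len(behaviors) < 2:
        return [list(behaviors)]
    order = sorted(range(len(behaviors)), key=lambda i: avg_similarity(behaviors[i]))
    middle = [behaviors[i] for i in order[1:-1]]
    return [[behaviors[order[0]], *perm, behaviors[order[-1]]]
            for perm in permutations(middle)]

def extract_combined(links):
    """Claim 5: adjacent pairs (first kind), pairs PRESET_GAP positions apart
    (second kind) and the whole ordered link (third kind), de-duplicated."""
    combined = set()
    for link in links:
        n = len(link)
        combined.update((link[i], link[i + 1]) for i in range(n - 1))
        combined.update((link[i], link[i + PRESET_GAP]) for i in range(n - PRESET_GAP))
        combined.add(tuple(link))
    return combined

def is_abnormal_combined(combo):
    """Stage 2: position-wise average similarity to a library combination of equal length."""
    return any(len(lib) == len(combo) and
               sum(jaccard(a, b) for a, b in zip(combo, lib)) / len(lib) >= THRESHOLD
               for lib in LIBRARY_COMBINED)

def intercept(behaviors):
    """Claim 1 end to end: 'intercept' or 'allow' for one operation instruction."""
    if any(is_abnormal(b) for b in behaviors):
        return "intercept"   # caught by the single-behavior check
    combined = extract_combined(generate_links(behaviors))
    if any(is_abnormal_combined(c) for c in combined):
        return "intercept"   # individually benign, abnormal in combination
    return "allow"
```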

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110820755.6A CN113556338B (en) 2021-07-20 2021-07-20 Computer network security abnormal operation interception method

Publications (2)

Publication Number Publication Date
CN113556338A true CN113556338A (en) 2021-10-26
CN113556338B CN113556338B (en) 2022-08-30

Family

ID=78103513

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110820755.6A Active CN113556338B (en) 2021-07-20 2021-07-20 Computer network security abnormal operation interception method

Country Status (1)

Country Link
CN (1) CN113556338B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114048455A (en) * 2021-11-19 2022-02-15 北京天融信网络安全技术有限公司 Abnormal login detection method and device, terminal device and storage medium

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1649311A (en) * 2005-03-23 2005-08-03 北京首信科技有限公司 Detecting system and method for user behaviour abnormal based on machine study
US20120324575A1 (en) * 2010-02-23 2012-12-20 ISE Information Co., Ltd. System, Method, Program, and Recording Medium for Detecting and Blocking Unwanted Programs in Real Time Based on Process Behavior Analysis and Recording Medium for Storing Program
US20150073894A1 (en) * 2013-09-06 2015-03-12 Metamarkets Group Inc. Suspect Anomaly Detection and Presentation within Context
US20160142435A1 (en) * 2014-11-13 2016-05-19 Cyber-Ark Software Ltd. Systems and methods for detection of anomalous network behavior
CN106789837A (en) * 2015-11-20 2017-05-31 腾讯科技(深圳)有限公司 Network anomalous behaviors detection method and detection means
US20180247220A1 (en) * 2017-02-28 2018-08-30 International Business Machines Corporation Detecting data anomalies
CN109842628A (en) * 2018-12-13 2019-06-04 成都亚信网络安全产业技术研究院有限公司 A kind of anomaly detection method and device
CN111064710A (en) * 2019-11-27 2020-04-24 张齐全 Computer network security abnormal operation intercepting method and device and electronic equipment
CN111178890A (en) * 2019-12-31 2020-05-19 中国银行股份有限公司 Account protection method, device and equipment

Also Published As

Publication number Publication date
CN113556338B (en) 2022-08-30

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right
Effective date of registration: 20220815
Address after: Unit 101, No. 23, Hope Sea Road, Second Software Park, Xiamen City, Fujian Province, 361000
Applicant after: Fujian Yinshu Information Technology Co.,Ltd.
Address before: 430040 national network security talent and innovation base at the intersection of linkanggang Avenue and Xinjing Road, Dongxihu District, Wuhan City, Hubei Province
Applicant before: Long Hai
GR01 Patent grant