CN113556338B - Computer network security abnormal operation interception method (Google Patents)

Info

Publication number: CN113556338B
Application number: CN202110820755.6A
Authority: CN (China)
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN113556338A
Inventors: 龙海, 张红
Current assignee: Fujian Yinshu Information Technology Co ltd
Original assignee: Fujian Yinshu Information Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Abstract

The application provides a method for intercepting abnormal operations in computer network security and relates to the technical field of computer network security. The method comprises the following steps: receiving an operation instruction sent by a target device, the operation instruction comprising a plurality of operation behaviors; analyzing the plurality of operation behaviors against a preset abnormal operation behavior library and judging whether an abnormal operation behavior exists among them; when no abnormal operation behavior is found among the individual operation behaviors, generating a plurality of operation links from different orderings of the plurality of operation behaviors; extracting a plurality of combined operation behaviors from the plurality of operation links, each combined operation behavior comprising at least two operation behaviors; analyzing the plurality of combined operation behaviors against the preset abnormal operation behavior library and judging whether an abnormal operation behavior exists among them; and intercepting the operation instruction when an abnormal operation behavior is found among the combined operation behaviors. The method achieves effective interception of abnormal operations and improves the security of the computer network.

Description

Computer network security abnormal operation interception method
Technical Field
The application relates to the technical field of computer network security, in particular to a method for intercepting abnormal operation of computer network security.
Background
In a computer network there are various security risks, for example the risk brought by abnormal operations (such as stealing core data by breaking into a core database). Network devices in the computer network can therefore be configured with corresponding abnormal operation interception strategies to avoid the potential security hazards caused by abnormal operations.
In the prior art, an abnormal operation feature library is usually preset; when an operation request is received, it is analyzed against the feature library to judge whether the request is an abnormal operation, and the abnormal operation is intercepted accordingly.
However, this method of judgment is too simple: the device issuing the abnormal operation request can easily evade it, for example by packaging the abnormal operation (splitting it into several individually harmless operations), so effective interception of the abnormal operation cannot be achieved.
Disclosure of Invention
In order to overcome at least the above disadvantages in the prior art, the present application aims to provide a method for intercepting abnormal operations in computer network security, so as to effectively intercept the abnormal operations and improve the security of the computer network.
In a first aspect, an embodiment of the present application provides a method for intercepting a security abnormal operation of a computer network, including:
receiving an operation instruction sent by target equipment; the operation instruction comprises a plurality of operation behaviors;
analyzing the plurality of operation behaviors according to a preset abnormal operation behavior library, and judging whether an abnormal operation behavior exists in the plurality of operation behaviors;
when determining that no abnormal operation behaviors exist in the plurality of operation behaviors, generating a plurality of operation links according to different operation sequences of the plurality of operation behaviors;
extracting a plurality of combined operation behaviors from the plurality of operation links; the combined operation behavior comprises at least two operation behaviors;
analyzing the plurality of combined operation behaviors according to the preset abnormal operation behavior library, and judging whether the plurality of combined operation behaviors have abnormal operation behaviors or not;
intercepting the operation instruction when determining that abnormal operation behaviors exist in the plurality of combined operation behaviors.
Beneficial effects: operation behaviors that are initially judged not to be abnormal are arranged into a plurality of operation links, and combined operation behaviors are extracted from those links, so that different ways of combining the operation behaviors are reproduced. Analyzing the combined operation behaviors then makes it possible to judge whether a combination is an abnormal operation behavior. That is, the method not only judges single abnormal operation behaviors but also combined abnormal operation behaviors: if the requesting device splits an abnormal operation behavior into a plurality of non-abnormal operation behaviors, the packaged abnormal operation behavior can still be detected and intercepted, which ensures effective interception of abnormal operations.
With reference to the first aspect, in a first possible implementation manner of the first aspect, the analyzing the multiple operation behaviors according to a preset abnormal operation behavior library, and determining whether an abnormal operation behavior exists in the multiple operation behaviors includes:
determining a first similarity between each abnormal operation behavior in the abnormal operation behavior library and the plurality of operation behaviors;
determining a second similarity between the superior (upper-level) operation behavior of each abnormal operation behavior in the abnormal operation behavior library and the plurality of operation behaviors;
determining a third similarity between a lower-level operation behavior of each abnormal operation behavior in the abnormal operation behavior library and the plurality of operation behaviors;
and judging whether abnormal operation behaviors exist in the plurality of operation behaviors according to the first similarity, the second similarity and the third similarity.
Beneficial effects: when the operation behaviors are analyzed, the first similarity gives the direct similarity between each operation behavior and each abnormal operation behavior; the second similarity gives the similarity between each operation behavior and the superior operation behavior of each abnormal operation behavior, which is a first extension of the judgment beyond the entries of the abnormal operation behavior library; and the third similarity gives the similarity between each operation behavior and the lower-level operation behavior of each abnormal operation behavior, which is a second extension of the judgment. Finally, whether each operation behavior is abnormal is judged from the three similarities together, which makes the judgment more comprehensive and improves its accuracy.
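As an added example (not code from the patent or its assignee), the following Python block implements the three-similarity judgment of this first implementation over a constructed library. The library entries, the token-set Jaccard similarity, the weights (0.6, 0.2, 0.2) and the threshold 0.65 are all assumptions; the patent does not fix how similarity is measured or how the three similarities are combined. Each library entry carries the abnormal command word, its superior (more generic) operation behavior and its lower-level (more specific) variants, so a request that is only a near miss on the entry itself can still be caught through the parent or a child.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass
class AbnormalEntry:
    name: str
    command: str               # command word of the abnormal operation behavior
    superior: str              # upper-level (more generic) operation behavior
    subordinates: List[str]    # lower-level (more specific) operation behaviors


# Constructed abnormal operation behavior library (assumption, not from the patent).
LIBRARY: List[AbnormalEntry] = [
    AbnormalEntry("dump_core_db", "export core_db all_tables",
                  superior="export core_db",
                  subordinates=["export core_db all_tables gzip",
                                "export core_db all_tables remote"]),
    AbnormalEntry("drop_audit_log", "delete audit_log all",
                  superior="delete audit_log",
                  subordinates=["delete audit_log where true"]),
]
WEIGHTS = (0.6, 0.2, 0.2)   # assumed weights for the first, second and third similarity
THRESHOLD = 0.65            # assumed decision threshold on the weighted score


def similarity(a: str, b: str) -> float:
    """Token-set Jaccard similarity between two command words (assumed metric)."""
    ta, tb = set(a.split()), set(b.split())
    return len(ta & tb) / len(ta | tb) if (ta or tb) else 0.0


def three_similarities(behavior: str, entry: AbnormalEntry) -> Tuple[float, float, float]:
    """First similarity: to the entry itself. Second: to its superior behavior.
    Third: best match among its lower-level behaviors."""
    s1 = similarity(behavior, entry.command)
    s2 = similarity(behavior, entry.superior)
    s3 = max((similarity(behavior, sub) for sub in entry.subordinates), default=0.0)
    return s1, s2, s3


def match_behavior(behavior: str, library: Sequence[AbnormalEntry] = LIBRARY) -> Optional[str]:
    """Return the name of the matching abnormal behavior, or None if the behavior looks normal."""
    for entry in library:
        s1, s2, s3 = three_similarities(behavior, entry)
        score = sum(w * s for w, s in zip(WEIGHTS, (s1, s2, s3)))
        if s1 == 1.0 or score >= THRESHOLD:   # exact hit, or close enough via parent/children
            return entry.name
    return None


def analyze_behaviors(behaviors: Sequence[str]) -> Dict[str, Optional[str]]:
    """Step S20 for every operation behavior of one instruction."""
    return {b: match_behavior(b) for b in behaviors}


if __name__ == "__main__":
    sample = ["read core_db users", "export core_db all_tables gzip", "delete audit_log"]
    for behavior, hit in analyze_behaviors(sample).items():
        print(f"{behavior!r:40} -> {hit or 'normal'}")
```

Running the block flags the gzip variant through the child match and the bare "delete audit_log" through its superior behavior, while the plain read of a single table stays normal; with the first similarity alone, neither of the two hits reaches 1.0.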
With reference to the first aspect, in a second possible implementation manner of the first aspect, the generating a plurality of operation links according to different operation sequences of the plurality of operation behaviors includes:
determining a first operation behavior among the plurality of operation behaviors, namely the one whose average similarity to the abnormal operation behaviors in the abnormal operation behavior library is lowest;
determining a second operation behavior among the plurality of operation behaviors, namely the one whose average similarity to the abnormal operation behaviors in the abnormal operation behavior library is highest;
placing the first operation behavior at the head of the link and the second operation behavior at the tail, and inserting the remaining operation behaviors between the head and the tail in different insertion orders to generate the plurality of operation links; the different insertion orders comprise at least two insertion orders.
Beneficial effects: determining the first and second operation behaviors fixes the head and the tail of every operation link; once these are fixed, the other operation behaviors can be arranged between them in different insertion orders. On the one hand this produces the various possible operation links, and on the other hand it improves the efficiency of generating them, since only the middle of each link has to be permuted.
With reference to the first aspect, in a third possible implementation manner of the first aspect, the generating a plurality of operation links according to different operation orders of the plurality of operation behaviors includes:
determining the average similarity of each of the plurality of operation behaviors to the abnormal operation behaviors in the abnormal operation behavior library;
generating a first operation link by ordering the operation behaviors from low to high by the difference between their average similarity and a first calibration value;
and generating a second operation link by ordering the operation behaviors from high to low by the difference between their average similarity and a second calibration value.
Beneficial effects: different operation links are generated from how far each behavior's average similarity lies from the different calibration values. On the one hand this produces several possible operation links, and on the other hand it improves the efficiency of generating them, since each link is obtained by a single ordering.
With reference to the first aspect, in a fourth possible implementation manner of the first aspect, the extracting a plurality of combined operation behaviors from the plurality of operation links includes:
extracting a plurality of first combined operation behaviors from the plurality of operation links; a first combined operation behavior comprises two adjacent operation behaviors of the same operation link;
extracting a plurality of second combined operation behaviors from the plurality of operation links; a second combined operation behavior comprises at least two operation behaviors of the same operation link whose positions in the operation order are a preset number of steps apart;
extracting a plurality of third combined operation behaviors from the plurality of operation links; a third combined operation behavior comprises at least two operation behaviors of the same operation link that occur in a specified order.
Beneficial effects: combining two adjacent operation behaviors of the same operation link restores a first possible way of packaging an abnormal operation behavior; combining at least two operation behaviors of the same link that are a preset number of steps apart restores a second possible packaging mode; and combining at least two operation behaviors of the same link that occur in a specified order restores a third possible packaging mode. Restoring several possible packaging modes improves the effectiveness of the final detection of abnormal operation behaviors.
With reference to the first aspect, in a fifth possible implementation manner of the first aspect, the analyzing, according to the preset abnormal operation behavior library, the multiple combined operation behaviors to determine whether an abnormal operation behavior exists in the multiple combined operation behaviors includes:
determining a fourth similarity of each abnormal operation behavior in the abnormal operation behavior library and the plurality of combined operation behaviors;
determining a plurality of combined abnormal operation behaviors corresponding to each abnormal operation behavior in the abnormal operation behavior library;
determining a fifth similarity of the plurality of combined abnormal operating behaviors to the plurality of combined operating behaviors;
determining a sixth similarity of an upper level operational behavior or a lower level operational behavior of the plurality of combined abnormal operational behaviors to the plurality of combined operational behaviors;
and judging whether an abnormal operation behavior exists in the plurality of combined operation behaviors according to the fourth similarity, the fifth similarity and the sixth similarity.
Beneficial effects: the fourth similarity gives the direct similarity between a combined operation behavior and an abnormal operation behavior; the fifth similarity gives a first kind of extended similarity, between the combined operation behavior and the combined abnormal operation behaviors (the known decompositions of an abnormal operation behavior); and the sixth similarity gives a second kind of extended similarity, between the combined operation behavior and the upper- or lower-level operation behaviors of those combined abnormal operation behaviors. Finally, the three similarities together decide whether each combined operation behavior is abnormal, which makes the judgment more comprehensive and improves its accuracy.
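As an added example (not the patent's own code), the following Python block carries the fourth, fifth and sixth similarity through for a small constructed library. Each library entry holds the abnormal behavior's own command word, its combined abnormal operation behaviors (the decompositions into normal behaviors that the fifth similarity compares against) and upper- or lower-level variants of those decompositions (for the sixth similarity). The token-set Jaccard metric, the position-wise comparison of two combinations, the weights (0.2, 0.5, 0.3) and the threshold 0.6 are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

Combo = Tuple[str, ...]


@dataclass
class CombinedEntry:
    name: str
    command: str            # the abnormal operation behavior's own command word
    splits: List[Combo]     # combined abnormal operation behaviors: known decompositions
    related: List[Combo]    # upper- or lower-level variants of those decompositions


# Constructed library (assumption, not from the patent).
LIBRARY: List[CombinedEntry] = [
    CombinedEntry(
        name="exfiltrate core_db",
        command="export core_db external",
        splits=[("read core_db", "send external")],
        related=[("read core_db table", "send external http"),   # lower-level, more specific
                 ("read core_db", "send external tls")],
    ),
]
WEIGHTS = (0.2, 0.5, 0.3)   # assumed weights for the fourth, fifth and sixth similarity
THRESHOLD = 0.6             # assumed decision threshold on the weighted score


def similarity(a: str, b: str) -> float:
    """Token-set Jaccard similarity between two command words (assumed metric)."""
    ta, tb = set(a.split()), set(b.split())
    return len(ta & tb) / len(ta | tb) if (ta or tb) else 0.0


def combo_similarity(combo: Combo, pattern: Combo) -> float:
    """Position-wise average similarity of two combinations, scaled down when their lengths differ."""
    n = min(len(combo), len(pattern))
    if n == 0:
        return 0.0
    avg = sum(similarity(a, b) for a, b in zip(combo, pattern)) / n
    return avg * n / max(len(combo), len(pattern))


def three_similarities(combo: Combo, entry: CombinedEntry) -> Tuple[float, float, float]:
    """Fourth: the combination as a whole against the abnormal behavior itself.
    Fifth: best match among the entry's combined abnormal behaviors.
    Sixth: best match among their upper-/lower-level variants."""
    s4 = similarity(" ".join(combo), entry.command)
    s5 = max((combo_similarity(combo, s) for s in entry.splits), default=0.0)
    s6 = max((combo_similarity(combo, r) for r in entry.related), default=0.0)
    return s4, s5, s6


def match_combined(combo: Combo, library: Sequence[CombinedEntry] = LIBRARY) -> Optional[str]:
    """Name of the abnormal behavior this combination reproduces, or None."""
    for entry in library:
        s4, s5, s6 = three_similarities(combo, entry)
        score = sum(w * s for w, s in zip(WEIGHTS, (s4, s5, s6)))
        if s5 == 1.0 or score >= THRESHOLD:    # exact known split, or close enough overall
            return entry.name
    return None


def check_combined(combos: Sequence[Combo]) -> Dict[Combo, Optional[str]]:
    """Step S50 over all extracted combined operation behaviors."""
    return {c: match_combined(c) for c in combos}


if __name__ == "__main__":
    for combo, hit in check_combined([
        ("read core_db", "send external"),                 # exact known decomposition
        ("read core_db users", "send external http"),      # near miss caught via the variants
        ("read core_db users", "write report"),            # benign
    ]).items():
        print(combo, "->", hit or "normal")
```

The second sample combination scores only about 0.29 on the fourth similarity and 0.67 on the fifth, and it is the sixth similarity (0.75 against the lower-level variant) that pushes the weighted score over the threshold; the benign read-and-report pair stays well below it.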
With reference to the fifth possible implementation manner of the first aspect, in a sixth possible implementation manner of the first aspect, after the intercepting the operation instruction when it is determined that an abnormal operation behavior exists in the multiple combined operation behaviors, the method further includes:
receiving a new operation instruction sent by the target device; the new operation instruction comprises third operation behaviors and fourth operation behaviors, where a third operation behavior is one of the plurality of operation behaviors of the intercepted operation instruction and a fourth operation behavior is not;
analyzing the fourth operation behaviors against the preset abnormal operation behavior library and judging whether an abnormal operation behavior exists among them;
when no abnormal operation behavior exists among the fourth operation behaviors, combining the fourth operation behaviors with the third operation behaviors in different ways to obtain a plurality of new combined operation behaviors, each of which comprises at least one fourth operation behavior;
analyzing the plurality of new combined operation behaviors against the preset abnormal operation behavior library and judging whether an abnormal operation behavior exists among them;
and intercepting the new operation instruction when an abnormal operation behavior exists among the plurality of new combined operation behaviors.
Beneficial effects: after an abnormal operation behavior has been intercepted, the target device may issue a new operation instruction, and detection can then focus on the operation behaviors that changed in the new instruction (the fourth operation behaviors). By forming only combined operation behaviors that contain at least one fourth operation behavior and judging those, the changed abnormal operation behavior is judged effectively and interception becomes more effective.
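The resubmission check of this sixth implementation, as an added Python example rather than code from the patent: the behaviors of the intercepted instruction are remembered, the behaviors of the new instruction are split into third (unchanged) and fourth (changed) behaviors, the fourth ones are checked directly, and then only combinations that contain at least one fourth behavior are formed and checked. The library, the exact-match comparison against it and the limit of three behaviors per combination are assumptions.

```python
import itertools
from typing import Dict, List, Sequence, Set, Tuple

Combo = Tuple[str, ...]

# Constructed abnormal operation behavior library (assumption, not from the patent):
# direct abnormal command words and known encapsulations as ordered tuples of normal behaviors.
SINGLE_ABNORMAL: Set[str] = {"export core_db all_tables"}
COMBINED_ABNORMAL: Dict[Combo, str] = {
    ("read core_db", "send external"): "exfiltrate core_db",
    ("read core_db", "write tmp", "upload tmp external"): "exfiltrate core_db via staging file",
}


def split_behaviors(previous: Sequence[str], new: Sequence[str]) -> Tuple[List[str], List[str]]:
    """Third behaviors: already present in the intercepted instruction.
    Fourth behaviors: changed or newly added, the focus of the second round."""
    seen = set(previous)
    third = [b for b in new if b in seen]
    fourth = [b for b in new if b not in seen]
    return third, fourth


def focused_combinations(third: Sequence[str], fourth: Sequence[str], max_len: int = 3) -> Set[Combo]:
    """Every ordered combination of 2..max_len behaviors from the new instruction that
    contains at least one fourth behavior; combinations of unchanged behaviors only were
    already judged when the first instruction was intercepted."""
    pool = list(third) + list(fourth)
    changed = set(fourth)
    combos: Set[Combo] = set()
    for n in range(2, min(max_len, len(pool)) + 1):
        for perm in itertools.permutations(pool, n):
            if changed.intersection(perm):
                combos.add(perm)
    return combos


def check_resubmission(previous: Sequence[str], new: Sequence[str]) -> Tuple[str, List[str]]:
    """Return ('intercept', reasons) or ('allow', []) for a new instruction from the same device."""
    third, fourth = split_behaviors(previous, new)
    direct = [b for b in fourth if b in SINGLE_ABNORMAL]
    if direct:
        return "intercept", direct
    hits = sorted({COMBINED_ABNORMAL[c] for c in focused_combinations(third, fourth)
                   if c in COMBINED_ABNORMAL})
    return ("intercept", hits) if hits else ("allow", [])


if __name__ == "__main__":
    intercepted = ["read core_db", "send external"]          # first instruction, already intercepted
    retry = ["read core_db", "write tmp", "upload tmp external"]
    print(split_behaviors(intercepted, retry))
    print(check_resubmission(intercepted, retry))
    print(check_resubmission(intercepted, ["read core_db", "write report"]))
```

In the sample the device keeps the read but replaces the direct send with a staging file and an upload; both new behaviors are harmless on their own, and the three-behavior combination containing them is what the focused check intercepts.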
With reference to the sixth possible implementation manner of the first aspect, in a seventh possible implementation manner of the first aspect, after the intercepting the new operation instruction when it is determined that an abnormal operation behavior exists in the multiple new combined operation behaviors, the method further includes:
determining an original operation behavior corresponding to the fourth operation behavior; the original operation behavior comprises other operation behaviors in the plurality of operation behaviors except the third operation behavior;
determining a relationship between the fourth operation behavior and the original operation behavior;
determining an abnormal operation hiding strategy of the target equipment according to the relation;
and synchronizing the hiding strategy to the devices that have an interactive relationship with the target device.
Beneficial effects: the relationship between the fourth operation behavior and the original operation behavior reveals the abnormal operation hiding strategy of the target device; synchronizing that hiding strategy to the devices that interact with the target device helps them detect and intercept the target device's abnormal operations more effectively.
With reference to the first aspect, in an eighth possible implementation manner of the first aspect, the method further includes:
screening out suspicious operation behaviors from the plurality of combined operation behaviors when the plurality of combined operation behaviors are determined not to have abnormal operation behaviors; the similarity between the suspicious operation behavior and the target abnormal operation behavior in the abnormal operation behavior library is greater than a preset value;
generating a protection program based on the suspicious operation behavior;
and executing the operation instruction on an operation object corresponding to the operation instruction, and running the protection program.
Beneficial effects: even when the combined operation behaviors contain no abnormal operation behavior, the safety of the operation instruction cannot be guaranteed with certainty. Generating a protection program and running it on the operation object corresponding to the operation instruction protects that operation object and avoids the potential security hazard that executing the operation instruction could bring to it.
In a second aspect, an embodiment of the present application provides a computer network security abnormal operation intercepting apparatus, including:
the receiving module is used for receiving an operation instruction sent by target equipment; the operation instruction comprises a plurality of operation behaviors;
the first processing module is used for analyzing the plurality of operation behaviors according to a preset abnormal operation behavior library and judging whether the plurality of operation behaviors have abnormal operation behaviors or not;
the second processing module is used for generating a plurality of operation links according to different operation sequences of the plurality of operation behaviors when the abnormal operation behaviors are determined not to exist in the plurality of operation behaviors; extracting a plurality of combined operation behaviors from the plurality of operation links; the combined operation behavior comprises at least two operation behaviors; analyzing the plurality of combined operation behaviors according to the preset abnormal operation behavior library, and judging whether the plurality of combined operation behaviors have abnormal operation behaviors or not;
and the intercepting module is used for intercepting the operation instruction when determining that abnormal operation behaviors exist in the plurality of combined operation behaviors.
In order to make the aforementioned objects, features and advantages of the present application more comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
To more clearly illustrate the technical solutions of the embodiments of the present application, the drawings needed in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
FIG. 1 is a schematic diagram of a computer network provided by an embodiment of the present application;
fig. 2 is a block diagram of an electronic device according to an embodiment of the present disclosure;
fig. 3 is a flowchart of a method for intercepting a security abnormal operation of a computer network according to an embodiment of the present application;
fig. 4 is a block diagram illustrating a structure of a computer network security abnormal operation intercepting apparatus according to an embodiment of the present disclosure.
Reference numerals: 100 - computer network; 110 - network device; 120 - central device; 200 - electronic device; 210 - memory; 220 - communication module; 230 - bus; 240 - processor; 300 - computer network security abnormal operation intercepting device; 310 - receiving module; 320 - first processing module; 330 - second processing module; 340 - interception module.
Detailed Description
The present application is described in detail below with reference to the accompanying drawings, and the specific operation methods in the method embodiments can also be applied to the device embodiments or the system embodiments. In the description of the present application, "at least one" includes one or more unless otherwise specified, and "plurality" means two or more. For example, at least one of A, B and C comprises: A alone, B alone, A and B in combination, A and C in combination, B and C in combination, and A, B and C in combination. In this application, "/" means "or"; for example, A/B may mean A or B. "and/or" herein merely describes an association between associated objects and means that three relationships may exist; for example, A and/or B may mean: A exists alone, A and B exist simultaneously, or B exists alone.
As shown in fig. 1, the present application provides a schematic diagram of a computer network 100.
In this embodiment, the computer network 100 may include one or more network devices 110 and a central device 120. Each network device 110 is connected to the central device 120, so that data communication such as data transmission and data access can take place between a network device 110 and the central device 120; data communication can likewise take place between the network devices 110 themselves. Whether the communication is data transmission or data access, various operations may be involved in the data communication between the network devices 110, or between a network device 110 and the central device 120.
Both the central device 120 and the network devices 110 perform various operations, but before an operation is performed the device must determine what operation is to be performed: if it is an abnormal operation carrying a potential security hazard, it must not be performed; if it is a normal operation, it can be performed.
Based on this, the embodiment of the present application provides a method for intercepting a security abnormal operation of a computer network, so as to implement effective interception of the abnormal operation and improve the security of the computer network 100. Before introducing the interception of the abnormal operation of the computer network security, the environment for the method operation is introduced.
As shown in fig. 2, the electronic device 200 may be a server (i.e., the center device 120) or a terminal (i.e., the network device 110). When the electronic device 200 is a server, for example, it may be a web server, a database server, a cloud server, or a server assembly composed of a plurality of sub servers; alternatively, when the electronic device 200 is a terminal, it may be a Personal Computer (PC), a tablet PC, a smart phone, a Personal Digital Assistant (PDA), or the like. Of course, the above-mentioned devices are for easy understanding of the present embodiment, and should not be taken as limiting the present embodiment.
In this embodiment, the electronic device 200 may include: memory 210, communication module 220, bus 230, and processor 240. Wherein the processor 240, the communication module 220, and the memory 210 are connected by a bus 230.
The processor 240 is used to execute executable modules, such as computer programs, stored in the memory 210. The components and configuration of the electronic device 200 shown in FIG. 2 are exemplary only and not limiting; the electronic device 200 may have other components and configurations as desired.
The Memory 210 may include a Random Access Memory (RAM) and may also include a Non-Volatile Memory (Non-Volatile Memory), such as at least two disk memories. In this embodiment, the memory 210 stores a program required for implementing the method for intercepting a security abnormal operation of a computer network provided in the embodiment of the present application.
Bus 230 may be an ISA bus, PCI bus, EISA bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one double-headed arrow is shown in FIG. 2, but this does not indicate only one bus or one type of bus.
The processor 240 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the method executed by the electronic device 200 may be performed by integrated logic circuits of hardware or by instructions in the form of software in the processor 240. The processor 240 may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP) and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of the method executed by the electronic device 200 may be implemented directly by a hardware decoding processor, or by a combination of hardware and software modules in the decoding processor. The software module may be located in RAM, flash memory, ROM, PROM or EPROM, registers, or other storage media well known in the art.
The method performed by the flow process or the defined apparatus disclosed in any of the embodiments of the present application may be applied to the processor 240 or implemented by the processor 240. After the processor 240 receives the execution instruction and calls the program stored in the memory 210 through the bus 230, the processor 240 controls the communication module 220 through the bus 230 to implement the process of running the computer network security abnormal operation interception method.
In this embodiment, the method for intercepting the abnormal operation of the computer network security may be executed by the network device 110, or may be executed by the central device 120, which is not limited herein, and may be set according to actual needs.
Fig. 3 is a flowchart of a computer network security abnormal operation interception method according to an embodiment of the present application. As shown in fig. 3, in this embodiment the method may include step S10, step S20, step S30, step S40, step S50 and step S60.
Step S10: receiving an operation instruction sent by a target device. The operation instruction comprises a plurality of operation behaviors.
Step S20: analyzing the plurality of operation behaviors according to a preset abnormal operation behavior library, and judging whether an abnormal operation behavior exists among the plurality of operation behaviors.
Step S30: when it is determined that no abnormal operation behavior exists among the plurality of operation behaviors, generating a plurality of operation links according to different operation orders of the plurality of operation behaviors.
Step S40: extracting a plurality of combined operation behaviors from the plurality of operation links. Each combined operation behavior comprises at least two operation behaviors.
Step S50: analyzing the plurality of combined operation behaviors according to the preset abnormal operation behavior library, and judging whether an abnormal operation behavior exists among the plurality of combined operation behaviors.
Step S60: intercepting the operation instruction when it is determined that an abnormal operation behavior exists among the plurality of combined operation behaviors.
In the embodiment of the present application, different operation instructions correspond to different operation command words (which may be understood as the code form of the operation instructions), for example the operation command words of the Windows operating system, the Android operating system, the iOS operating system, and so on. To facilitate the generation and transmission of the operation command word, the operation command word is divided according to the different operation behaviors: a complete operation instruction may include several segments of operation command words, where each segment corresponds to one operation behavior.
Based on this, when detecting whether an operation instruction is abnormal, the judgment may be made according to the operation behaviors in the operation instruction. For example, if the operation instruction is to access target data and the access is normal, only the operation behaviors related to reading the target data are needed. If the target data is accessed abnormally, the operation instruction also involves the operation behavior of tampering with the target data.
If the abnormal operation behavior of the target device can be judged directly through feature analysis, it is a direct abnormal operation behavior. In practical applications, however, there is also abnormal operation behavior that has been encapsulated. For example, an abnormal operation behavior is split into several normal operation behaviors; when these normal operation behaviors are executed independently no abnormality occurs, but when they are executed in combination the abnormality occurs.
Therefore, by generating a plurality of operation links from the operation behaviors preliminarily judged to be non-abnormal and then extracting combined operation behaviors, different ways of combining the operation behaviors can be obtained. By analyzing the combined operation behaviors, it can then be judged whether a combined operation behavior is an abnormal operation behavior. That is, the method can judge not only a single abnormal operation behavior but also a combined abnormal operation behavior; if the device requesting the abnormal operation splits the abnormal operation behavior into several non-abnormal operation behaviors, the method can still detect and intercept the encapsulated abnormal operation behavior, thereby ensuring effective interception of abnormal operations.
As an alternative embodiment, step S10 includes: determining a first similarity between each abnormal operation behavior in the abnormal operation behavior library and the plurality of operation behaviors; determining a second similarity between the upper-level operation behavior of each abnormal operation behavior in the library and the plurality of operation behaviors; determining a third similarity between the lower-level operation behavior of each abnormal operation behavior in the library and the plurality of operation behaviors; and judging whether an abnormal operation behavior exists among the plurality of operation behaviors according to the first, second and third similarities.
The abnormal operation behaviors stored in the abnormal operation behavior library correspond to command words, and the plurality of operation behaviors in the operation instruction also correspond to command words; the similarity between operation behaviors can therefore be determined by calculating the similarity between their corresponding command words.
When calculating the similarity of command words, an established similarity calculation algorithm may be used. For example, if two command-word segments each contain three commands, the similarity between the corresponding commands is calculated first, and the similarity of the two segments is then determined by combining the similarities of the three command pairs.
As for the upper-level and lower-level operation behaviors of an abnormal operation behavior, when the abnormal operation behavior library is preset in the local device, the upper-level and lower-level operation behaviors of each abnormal operation behavior can be stored separately and obtained directly when the library is to be used. Likewise, the upper-level and lower-level operation behaviors each correspond to a command word.
For example, if the abnormal operation behavior is illegal tampering, its upper-level operation behavior may be password cracking, because much data is protected by a password and the password must be cracked before the data can be tampered with. Its lower-level operation behavior may be trace deletion, because the traces of tampering need to be deleted in order to avoid detection.
When the judgment is made according to the three similarities, various judgment methods can be adopted. For example, the average of the three similarities is taken, and the operation is judged abnormal when the average is greater than a preset value. For another example, the three similarities are weighted and summed, and the operation is judged abnormal when the weighted sum is greater than a preset value.
When the operation behaviors are analyzed, the first similarity gives the direct similarity between each operation behavior and an abnormal operation behavior; the second similarity gives the similarity between each operation behavior and the upper-level operation behavior of an abnormal operation behavior, which is a first extension of the judgment based on the library; the third similarity gives the similarity between each operation behavior and the lower-level operation behavior of an abnormal operation behavior, which is a second extension of that judgment. Finally, whether each operation behavior is an abnormal operation behavior is judged by combining the three similarities; this judgment is more comprehensive and can improve the accuracy of judging abnormal operation behavior.
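The three-similarity judgment of this step, as an added Python example that is not part of the patent: the per-command similarity (token Jaccard), the averaging rule for command words, the weights, the preset value and the library contents are all constructed assumptions.

```python
"""Step S20 of the method as an added example: each operation behavior is compared
with every abnormal operation behavior in the library using three similarities
(direct, upper-level, lower-level) and the weighted sum is compared with a preset
value. Similarity rule, weights, threshold and library are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# A command word is a list of single commands; one operation behavior is one command word.
CommandWord = List[str]


@dataclass(frozen=True)
class AbnormalEntry:
    """One entry of the abnormal operation behavior library. The upper-level
    behavior usually precedes the abnormal behavior, the lower-level one
    usually follows it; both are stored separately, as the text describes."""
    name: str
    commands: CommandWord
    upper: CommandWord
    lower: CommandWord


def command_similarity(a: str, b: str) -> float:
    """Similarity of two single commands: Jaccard index of their tokens
    (assumption; the page leaves the similarity algorithm open)."""
    ta, tb = set(a.split()), set(b.split())
    return len(ta & tb) / len(ta | tb) if ta | tb else 0.0


def command_word_similarity(x: CommandWord, y: CommandWord) -> float:
    """Similarity of two command words: each command of x is matched with its
    most similar command of y and the per-command scores are averaged."""
    if not x or not y:
        return 0.0
    return sum(max(command_similarity(c, d) for d in y) for c in x) / len(x)


def three_similarities(behavior: CommandWord, entry: AbnormalEntry) -> Tuple[float, float, float]:
    """First, second and third similarity of one behavior against one library entry."""
    return (command_word_similarity(behavior, entry.commands),
            command_word_similarity(behavior, entry.upper),
            command_word_similarity(behavior, entry.lower))


def weighted_score(behavior: CommandWord, entry: AbnormalEntry,
                   weights: Tuple[float, float, float] = (0.7, 0.15, 0.15)) -> float:
    """Weighted sum of the three similarities (one of the two combination rules
    the text names; the weights are constructed)."""
    return sum(w * s for w, s in zip(weights, three_similarities(behavior, entry)))


def judge_behavior(behavior: CommandWord, library: Sequence[AbnormalEntry],
                   threshold: float = 0.65) -> Optional[str]:
    """Return the name of the library entry the behavior matches, or None if normal."""
    for entry in library:
        if weighted_score(behavior, entry) >= threshold:
            return entry.name
    return None


def analyze_instruction(behaviors: Sequence[CommandWord],
                        library: Sequence[AbnormalEntry]) -> List[Optional[str]]:
    """Step S20 over a whole operation instruction: one verdict per operation behavior."""
    return [judge_behavior(b, library) for b in behaviors]


def average_similarity(behavior: CommandWord, library: Sequence[AbnormalEntry]) -> float:
    """Average direct similarity with every library entry; step S30 reuses this value."""
    return sum(three_similarities(behavior, e)[0] for e in library) / len(library)


# Constructed library and instructions (not taken from the patent).
LIBRARY = [AbnormalEntry("illegal_tampering",
                         commands=["OPEN target", "WRITE payload target"],
                         upper=["GUESS password target"],
                         lower=["DELETE log target"])]
NORMAL_READ = [["OPEN target", "READ target"], ["CLOSE target"]]
TAMPER = [["OPEN target", "WRITE payload target"], ["CLOSE target"]]

if __name__ == "__main__":
    print(analyze_instruction(NORMAL_READ, LIBRARY))  # [None, None]
    print(analyze_instruction(TAMPER, LIBRARY))       # ['illegal_tampering', None]
```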
A first alternative implementation of step S30 includes: determining a first operation behavior among the plurality of operation behaviors, namely the one whose average similarity with each abnormal operation behavior in the abnormal operation behavior library is the lowest; determining a second operation behavior among the plurality of operation behaviors, namely the one whose average similarity with each abnormal operation behavior in the library is the highest; taking the first operation behavior as the initial operation behavior of the link and the second operation behavior as the final operation behavior, and inserting the remaining operation behaviors between them according to different insertion orders to generate the plurality of operation links; the different insertion orders comprise at least two insertion orders.
Since the similarities between the plurality of operation behaviors and the abnormal operation behaviors have already been calculated in step S20, the similarities obtained in step S20 may be used directly when determining the first operation behavior and the second operation behavior.
The different insertion orders include: inserting from high to low according to average similarity, and inserting from low to high according to average similarity.
Determining the first operation behavior and the second operation behavior fixes the initial and final operation behaviors of the operation link; once these are fixed, the other operation behaviors can be arranged according to the different insertion orders. On one hand, various possible operation links can be generated; on the other hand, the efficiency of generating the operation links can be improved.
A second alternative implementation of step S30 includes: determining the average similarity between the plurality of operation behaviors and each abnormal operation behavior in the abnormal operation behavior library; generating a first operation link in ascending order of the difference between the average similarity and a first calibration value; and generating a second operation link in descending order of the difference between the average similarity and a second calibration value.
The first calibration value may be between 50% and 100%, and the second calibration value may be between 0% and 50%.
Different operation links are thus generated from the magnitude of the difference between the average similarity and different calibration values. On one hand, various possible operation links can be generated; on the other hand, the efficiency of generating the operation links can be improved.
As an alternative embodiment, step S40 includes: extracting a plurality of first combined operation behaviors from the plurality of operation links, where a first combined operation behavior comprises two adjacent operation behaviors belonging to the same operation link; extracting a plurality of second combined operation behaviors from the plurality of operation links, where a second combined operation behavior comprises at least two operation behaviors that belong to the same operation link and whose positions in the operation sequence are separated by a preset value; and extracting a plurality of third combined operation behaviors from the plurality of operation links, where a third combined operation behavior comprises at least two operation behaviors that belong to the same operation link and whose positions in the operation sequence fall in a specified order.
The preset value may be a value that ensures a correlation between the two operation behaviors, for example a value between 2 and 5. The specified order may be the positions in an operation link at which abnormal operation behavior is most likely to appear; for example, if an operation link contains 10 operation behaviors in total and the 5th to 8th are most likely to be abnormal, the specified order may be 5 to 8.
Combining two adjacent operation behaviors of the same operation link restores a first possible encapsulation mode of abnormal operation behavior; combining at least two operation behaviors of the same operation link whose positions are separated by the preset value restores a second possible encapsulation mode; and combining at least two operation behaviors of the same operation link whose positions fall in the specified order restores a third possible encapsulation mode. By restoring several possible encapsulation modes of abnormal operation behavior, the effectiveness of the final detection of abnormal operation behavior is improved.
As an alternative embodiment, step S50 includes: determining a fourth similarity between each abnormal operation behavior in the abnormal operation behavior library and the plurality of combined operation behaviors; determining a plurality of combined abnormal operation behaviors corresponding to each abnormal operation behavior in the library; determining a fifth similarity between the plurality of combined abnormal operation behaviors and the plurality of combined operation behaviors; determining a sixth similarity between the upper-level or lower-level operation behavior of the plurality of combined abnormal operation behaviors and the plurality of combined operation behaviors; and judging whether an abnormal operation behavior exists among the plurality of combined operation behaviors according to the fourth, fifth and sixth similarities.
Abnormal operation behaviors that correspond to the same upper-level operation behavior and/or the same lower-level operation behavior may be combined. The upper-level or lower-level operation behavior of a plurality of combined abnormal operation behaviors may be that same upper-level operation behavior and/or the upper-level or lower-level operation behavior of that same lower-level operation behavior.
The fourth similarity gives the direct similarity between a combined operation behavior and an abnormal operation behavior; the fifth similarity gives a first kind of extended similarity, between a combined operation behavior and a combined abnormal operation behavior; the sixth similarity gives a second kind of extended similarity between a combined operation behavior and an abnormal operation behavior. Finally, the three similarities are combined to judge whether each combined operation behavior is an abnormal operation behavior; this judgment is more comprehensive and can improve the accuracy of judging abnormal operation behavior.
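Steps S30 to S50 as an added Python example, not the patent's own code: it covers both alternative implementations of step S30, the three kinds of combined operation behavior of step S40, and a check of the combinations against the library. The average similarities are taken as given from step S20, only the fourth (direct) similarity is used in step S50, and the calibration values, gap, specified order, threshold and sample behaviors are constructed.

```python
"""Steps S30 to S50 as an added example: behaviors judged normal in step S20 are
ordered into operation links, combined operation behaviors are extracted, and each
combination is compared with the library. All parameters and data are constructed."""
from typing import Dict, List, Set, Tuple

Link = List[str]            # ordered behavior names
Combo = Tuple[str, ...]     # one combined operation behavior


def links_by_endpoints(avg_sim: Dict[str, float]) -> List[Link]:
    """First alternative of S30: the behavior with the lowest average similarity goes
    first, the highest goes last, the rest are inserted high-to-low and low-to-high."""
    names = sorted(avg_sim, key=lambda n: (avg_sim[n], n))
    if len(names) < 2:
        return [names]
    first, last, middle = names[0], names[-1], names[1:-1]
    high_to_low = sorted(middle, key=lambda n: avg_sim[n], reverse=True)
    low_to_high = sorted(middle, key=lambda n: avg_sim[n])
    return [[first, *high_to_low, last], [first, *low_to_high, last]]


def links_by_calibration(avg_sim: Dict[str, float], c1: float = 0.75, c2: float = 0.25) -> List[Link]:
    """Second alternative of S30: order by |avg - c1| ascending and by |avg - c2|
    descending (c1 in 50..100 %, c2 in 0..50 %; the values here are constructed)."""
    link1 = sorted(avg_sim, key=lambda n: (abs(avg_sim[n] - c1), n))
    link2 = sorted(avg_sim, key=lambda n: (-abs(avg_sim[n] - c2), n))
    return [link1, link2]


def extract_combined(links: List[Link], gap: int = 2, specified: Tuple[int, int] = (2, 4)) -> List[Combo]:
    """Step S40: adjacent pairs (first kind), pairs `gap` positions apart (second kind)
    and the behaviors at the specified 1-based positions of each link (third kind)."""
    combos: Set[Combo] = set()
    lo, hi = specified
    for link in links:
        for i in range(len(link) - 1):
            combos.add((link[i], link[i + 1]))
        for i in range(len(link) - gap):
            combos.add((link[i], link[i + gap]))
        segment = tuple(link[lo - 1:hi])
        if len(segment) >= 2:
            combos.add(segment)
    return sorted(combos)


def jaccard(a: Set[str], b: Set[str]) -> float:
    return len(a & b) / len(a | b) if a | b else 0.0


def check_combined(combos: List[Combo], behaviors: Dict[str, List[str]],
                   combined_library: Dict[str, Set[str]], threshold: float = 0.8) -> List[Tuple[Combo, str]]:
    """Step S50, fourth similarity only: merge the commands of a combination and
    compare the resulting set with each abnormal behavior in the library."""
    hits = []
    for combo in combos:
        merged = {cmd for name in combo for cmd in behaviors[name]}
        for entry, pattern in combined_library.items():
            if jaccard(merged, pattern) >= threshold:
                hits.append((combo, entry))
    return hits


def should_intercept(behaviors: Dict[str, List[str]], avg_sim: Dict[str, float],
                     combined_library: Dict[str, Set[str]]) -> bool:
    """Steps S30 to S60 for one instruction whose behaviors all passed step S20."""
    links = links_by_endpoints(avg_sim) + links_by_calibration(avg_sim)
    return bool(check_combined(extract_combined(links), behaviors, combined_library))


# Constructed data. Each behavior alone is ordinary (opening a file, rotating a log),
# so step S20 lets it pass; only the combination matches the library entry.
BEHAVIORS = {"open": ["OPEN target"], "write": ["WRITE target"],
             "clean": ["DELETE log"], "close": ["CLOSE target"]}
AVG_SIM = {"open": 0.30, "write": 0.55, "clean": 0.45, "close": 0.20}  # as if from S20
COMBINED_LIBRARY = {"tamper_and_cover": {"OPEN target", "WRITE target", "DELETE log"}}

if __name__ == "__main__":
    for link in links_by_endpoints(AVG_SIM) + links_by_calibration(AVG_SIM):
        print(link)
    print(should_intercept(BEHAVIORS, AVG_SIM, COMBINED_LIBRARY))  # True
```

Only the third kind of combination (positions 2 to 4 of a link) merges enough behaviors to reach the library entry; the pairs alone stay below the threshold, which is why the text restores several encapsulation modes.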
Interception in step S60 may, for example, consist of transferring the abnormal operation instruction to a virtual device for execution, or simply not executing the abnormal operation instruction.
After step S60, the target device may infer from the failure of its operation instruction that the instruction was intercepted, and may then repackage the operation instruction and try again. To cope with this, the method further comprises:
receiving a new operation instruction sent by the target device, where the new operation instruction comprises a third operation behavior and a fourth operation behavior, the third operation behavior belongs to the plurality of operation behaviors and the fourth operation behavior does not; analyzing the fourth operation behavior according to the preset abnormal operation behavior library, and judging whether an abnormal operation behavior exists in the fourth operation behavior; when it is determined that no abnormal operation behavior exists in the fourth operation behavior, combining the fourth operation behavior and the third operation behavior in different ways to obtain a plurality of new combined operation behaviors, each of which comprises at least one fourth operation behavior; analyzing the plurality of new combined operation behaviors according to the preset abnormal operation behavior library, and judging whether an abnormal operation behavior exists among them; and intercepting the new operation instruction when an abnormal operation behavior exists among the plurality of new combined operation behaviors.
The fourth operation behavior may be combined with one or more of the third operation behaviors; for example, the fourth operation behavior is combined with each of the third operation behaviors in turn to obtain a plurality of combined operation behaviors.
After an abnormal operation behavior is intercepted, the target device may initiate a new operation instruction, and detection can focus on the operation behavior that has changed in the new operation instruction (the fourth operation behavior). Therefore, by determining combined operation behaviors that each include at least one fourth operation behavior and then judging whether they are abnormal, the specific abnormal operation behavior can be judged effectively, and abnormal operations can be intercepted more effectively.
After intercepting the new operation instruction, the method further comprises: determining an original operation behavior corresponding to the fourth operation behavior, where the original operation behavior is among the operation behaviors of the plurality of operation behaviors other than the third operation behavior; determining the relationship between the fourth operation behavior and the original operation behavior; determining an abnormal operation hiding strategy of the target device according to that relationship; and synchronizing the hiding strategy to the devices that interact with the target device.
For example, if the action of command 1 in the fourth operation behavior is the same as that of command 2 in a previous operation behavior, that previous operation behavior may be the original operation behavior corresponding to the fourth operation behavior; for another example, if the operation result of the fourth operation behavior is the same as that of a previous operation behavior, that previous operation behavior may be the original operation behavior corresponding to the fourth operation behavior.
Further, if the fourth operation behavior and the original operation behavior include commands with the same function, command replacement is one operation hiding strategy; if the operation result of the fourth operation behavior is the same as that of the original operation behavior, replacing an operation with another that has the same result is one operation hiding strategy. The abnormal operation hiding strategy may include one or more such strategies.
The relationship between the fourth operation behavior and the original operation behavior is determined in order to determine the abnormal operation hiding strategy of the target device; by synchronizing this strategy to the devices that interact with the target device, those devices can be helped to detect and intercept abnormal operations of the target device more effectively.
Even when no abnormal operation behavior is found among the combined operation behaviors, the security of the operation instruction cannot be guaranteed completely. Therefore, in order to guarantee security in the computer network 100, the method further includes: when it is determined that no abnormal operation behavior exists among the plurality of combined operation behaviors, screening out suspicious operation behaviors from the plurality of combined operation behaviors, where the similarity between a suspicious operation behavior and a target abnormal operation behavior in the abnormal operation behavior library is greater than a preset value; generating a protection program based on the suspicious operation behavior; and executing the operation instruction on the operation object corresponding to the operation instruction while running the protection program.
For example, if the suspicious operation behavior is data uploading, the protection program may be a program that protects other data in the database to prevent the uploaded data from affecting the other data.
For another example, if the operation object corresponding to the data upload is the C drive, the data upload operation is executed on the C drive and the corresponding protection program is run there.
By generating the protection program and running it on the operation object corresponding to the operation instruction, the operation object is protected, and the potential safety hazard that executing the operation instruction brings to the operation object is avoided.
As shown in fig. 4, an embodiment of the present invention further provides a computer network security abnormal operation intercepting apparatus 300, which is applied to any one of the network devices 110 or the central device 120, and the computer network security abnormal operation intercepting apparatus 300 includes:
a receiving module 310, configured to receive an operation instruction sent by a target device; the operation instruction comprises a plurality of operation behaviors;
The first processing module 320 is configured to analyze the multiple operation behaviors according to a preset abnormal operation behavior library, and determine whether an abnormal operation behavior exists in the multiple operation behaviors;
a second processing module 330, configured to generate a plurality of operation links according to different operation orders of the plurality of operation behaviors when it is determined that there is no abnormal operation behavior in the plurality of operation behaviors; extracting a plurality of combined operation behaviors from the plurality of operation links; the combined operation behavior comprises at least two operation behaviors; analyzing the plurality of combined operation behaviors according to the preset abnormal operation behavior library, and judging whether the plurality of combined operation behaviors have abnormal operation behaviors or not;
the intercepting module 340 is configured to intercept the operation instruction when it is determined that an abnormal operation behavior exists in the multiple combined operation behaviors.
In this embodiment, the first processing module 320 is specifically configured to: determining a first similarity between each abnormal operation behavior in the abnormal operation behavior library and the plurality of operation behaviors; determining a second similarity between a superior operation behavior of each abnormal operation behavior in the abnormal operation behavior library and the plurality of operation behaviors; determining a third similarity between a lower-level operation behavior of each abnormal operation behavior in the abnormal operation behavior library and the plurality of operation behaviors; and judging whether abnormal operation behaviors exist in the plurality of operation behaviors according to the first similarity, the second similarity and the third similarity.
In this embodiment of the application, the second processing module 330 is specifically configured to: determine a first operation behavior among the plurality of operation behaviors, namely the one whose average similarity with each abnormal operation behavior in the abnormal operation behavior library is the lowest; determine a second operation behavior among the plurality of operation behaviors, namely the one whose average similarity with each abnormal operation behavior in the library is the highest; take the first operation behavior as the initial operation behavior of the link and the second operation behavior as the final operation behavior, and insert the remaining operation behaviors between them according to different insertion orders to generate the plurality of operation links; the different insertion orders comprise at least two insertion orders.
In this embodiment, the second processing module 330 is further specifically configured to: determining an average similarity of the plurality of operation behaviors to each abnormal operation behavior in the abnormal operation behavior library; generating a first operation link according to the sequence from low to high of the difference between the average similarity and the first calibration value; and generating a second operation link according to the sequence of the difference between the average similarity and a second calibration value from high to low.
In this embodiment of the application, the second processing module 330 is further specifically configured to: extract a plurality of first combined operation behaviors from the plurality of operation links, where a first combined operation behavior comprises two adjacent operation behaviors belonging to the same operation link; extract a plurality of second combined operation behaviors from the plurality of operation links, where a second combined operation behavior comprises at least two operation behaviors that belong to the same operation link and whose positions in the operation sequence are separated by a preset value; and extract a plurality of third combined operation behaviors from the plurality of operation links, where a third combined operation behavior comprises at least two operation behaviors that belong to the same operation link and whose positions in the operation sequence fall in a specified order.
In this embodiment, the second processing module 330 is further specifically configured to: determining a fourth similarity of each abnormal operation behavior in the abnormal operation behavior library and the plurality of combined operation behaviors; determining a plurality of combined abnormal operation behaviors corresponding to each abnormal operation behavior in the abnormal operation behavior library; determining a fifth similarity of the plurality of combined abnormal operational behaviors to the plurality of combined operational behaviors; determining a sixth similarity of an upper level operational behavior or a lower level operational behavior of the plurality of combined abnormal operational behaviors to the plurality of combined operational behaviors; and judging whether an abnormal operation behavior exists in the plurality of combined operation behaviors according to the fourth similarity, the fifth similarity and the sixth similarity.
In this embodiment of the present application, the receiving module 310 is further configured to: receive a new operation instruction sent by the target device, where the new operation instruction comprises a third operation behavior and a fourth operation behavior, the third operation behavior belongs to the plurality of operation behaviors and the fourth operation behavior does not. The first processing module 320 is further configured to analyze the fourth operation behavior according to the preset abnormal operation behavior library and determine whether an abnormal operation behavior exists in the fourth operation behavior. The second processing module 330 is further configured to, when it is determined that no abnormal operation behavior exists in the fourth operation behavior, combine the fourth operation behavior and the third operation behavior in different ways to obtain a plurality of new combined operation behaviors, each of which comprises at least one fourth operation behavior; and to analyze the plurality of new combined operation behaviors according to the preset abnormal operation behavior library and determine whether an abnormal operation behavior exists among them. The intercepting module 340 is further configured to intercept the new operation instruction when it is determined that an abnormal operation behavior exists among the plurality of new combined operation behaviors.
In this embodiment, the intercepting module 340 is further configured to: determine an original operation behavior corresponding to the fourth operation behavior, where the original operation behavior is among the operation behaviors of the plurality of operation behaviors other than the third operation behavior; determine the relationship between the fourth operation behavior and the original operation behavior; determine an abnormal operation hiding strategy of the target device according to that relationship; and synchronize the hiding strategy to the devices that interact with the target device.
In this embodiment of the present application, the intercepting module 340 is further configured to: screening out suspicious operation behaviors from the plurality of combined operation behaviors when determining that no abnormal operation behaviors exist in the plurality of combined operation behaviors; the similarity between the suspicious operation behavior and the target abnormal operation behavior in the abnormal operation behavior library is greater than a preset value; generating a protection program based on the suspicious operation behavior; and executing the operation instruction on an operation object corresponding to the operation instruction, and running the protection program.
The embodiment of the present application further provides a storage medium, where one or more programs are stored, and the one or more programs may be executed by one or more processors to implement the method for intercepting a security abnormal operation of a computer network in the embodiment.
It is to be understood that various changes and modifications may be made to the embodiments of the present application by those skilled in the art without departing from the spirit and scope of the present application. Thus, if such modifications and variations of the embodiments of the present application fall within the scope of the claims of the present application and their equivalents, the present application is also intended to encompass such modifications and variations.

Claims (8)

1. A computer network security abnormal operation interception method is characterized by comprising the following steps:
receiving an operation instruction sent by target equipment; the operation instruction comprises a plurality of operation behaviors;
analyzing the plurality of operation behaviors according to a preset abnormal operation behavior library, and judging whether an abnormal operation behavior exists in the plurality of operation behaviors;
when determining that no abnormal operation behavior exists in the plurality of operation behaviors, generating a plurality of operation links according to different operation sequences of the plurality of operation behaviors;
extracting a plurality of combined operation behaviors from the plurality of operation links; the combined operation behavior comprises at least two operation behaviors;
analyzing the plurality of combined operation behaviors according to the preset abnormal operation behavior library, and judging whether the plurality of combined operation behaviors have abnormal operation behaviors or not;
intercepting the operation instruction when determining that abnormal operation behaviors exist in the plurality of combined operation behaviors;
the generating a plurality of operation links according to different operation sequences of the plurality of operation behaviors comprises:
determining a first operational behavior of the plurality of operational behaviors; the average similarity of the first operation behavior and each abnormal operation behavior in the abnormal operation behavior library is the lowest;
determining a second operational behavior of the plurality of operational behaviors; the average similarity of the second operation behaviors and each abnormal operation behavior in the abnormal operation behavior library is highest;
taking the first operation behavior as the initial operation behavior and the second operation behavior as the final operation behavior, and inserting the other operation behaviors except the first operation behavior and the second operation behavior between the initial operation behavior and the final operation behavior according to different insertion orders to generate the plurality of operation links; the different insertion orders comprise at least two insertion orders;
alternatively, the method comprises the following steps:
determining an average similarity of the plurality of operation behaviors to each abnormal operation behavior in the abnormal operation behavior library;
generating a first operation link by ordering the plurality of operation behaviors from low to high by the difference between their average similarity and a first calibration value;
and generating a second operation link by ordering the plurality of operation behaviors from high to low by the difference between their average similarity and a second calibration value.
2. The method according to claim 1, wherein the analyzing the plurality of operation behaviors according to a preset abnormal operation behavior library to determine whether an abnormal operation behavior exists in the plurality of operation behaviors comprises:
determining a first similarity between each abnormal operation behavior in the abnormal operation behavior library and the plurality of operation behaviors;
determining a second similarity between a superior operation behavior of each abnormal operation behavior in the abnormal operation behavior library and the plurality of operation behaviors;
determining a third similarity between a subordinate operation behavior of each abnormal operation behavior in the abnormal operation behavior library and the plurality of operation behaviors;
and judging whether an abnormal operation behavior exists in the plurality of operation behaviors according to the first similarity, the second similarity and the third similarity.
3. The method of claim 1, wherein extracting the plurality of combined operational behaviors from the plurality of operational links comprises:
extracting a plurality of first combined operation behaviors from the plurality of operation links; each first combined operation behavior comprises two adjacent operation behaviors belonging to the same operation link;
extracting a plurality of second combined operation behaviors from the plurality of operation links; each second combined operation behavior comprises at least two operation behaviors which belong to the same operation link and whose positions in the operation sequence are separated by a preset value;
extracting a plurality of third combined operation behaviors from the plurality of operation links; each third combined operation behavior comprises at least two operation behaviors which belong to the same operation link and occur in a specified sequence.
4. The method according to claim 1, wherein the analyzing the plurality of combined operation behaviors according to the preset abnormal operation behavior library to determine whether an abnormal operation behavior exists in the plurality of combined operation behaviors comprises:
determining a fourth similarity of each abnormal operation behavior in the abnormal operation behavior library and the plurality of combined operation behaviors;
determining a plurality of combined abnormal operation behaviors corresponding to each abnormal operation behavior in the abnormal operation behavior library;
determining a fifth similarity of the plurality of combined abnormal operational behaviors to the plurality of combined operational behaviors;
determining a sixth similarity of a superior operation behavior or a subordinate operation behavior of the plurality of combined abnormal operation behaviors to the plurality of combined operation behaviors;
and judging whether an abnormal operation behavior exists in the plurality of combined operation behaviors according to the fourth similarity, the fifth similarity and the sixth similarity.
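As an added illustration (not code from the patent or its applicant), the following Python sketch runs claims 1 and 3 on constructed data: it ranks behaviours by average similarity to the library, builds the operation links with the least-similar behaviour first and the most-similar last, extracts adjacent and gap-separated combined behaviours, and intercepts when a combination matches a library entry. The Jaccard similarity measure, the 0.75 threshold, and the operation names are assumptions, since the claims do not define them.

```python
from itertools import permutations
from statistics import mean

# Constructed sample data (not from the patent): behaviours carried by one
# operation instruction, and an abnormal-behaviour library of ordered tuples.
# Jaccard similarity and the 0.75 cut-off are assumptions; the claims leave both open.
OPERATIONS = ["login", "list_users", "export_db", "delete_logs"]
ABNORMAL_LIBRARY = [
    ("export_db", "delete_logs"),
    ("disable_av",),
    ("dump_creds", "exfil"),
    ("delete_logs", "clear_history", "reboot"),
]

def similarity(seq, pattern):
    a, b = set(seq), set(pattern)
    return len(a & b) / len(a | b)

def avg_similarity(seq, library):
    return mean(similarity(seq, p) for p in library)

def matches_library(seq, library, threshold=0.75):
    return any(similarity(seq, p) >= threshold for p in library)

def generate_links(operations, library):
    # Claim 1: lowest-average-similarity behaviour first, highest last, the
    # rest inserted between them in every possible order.
    ranked = sorted(operations, key=lambda op: avg_similarity((op,), library))
    head, tail = ranked[0], ranked[-1]
    middle = [op for op in operations if op not in (head, tail)]
    return [(head, *perm, tail) for perm in permutations(middle)]

def combined_behaviours(links, gap=2):
    # Claim 3: adjacent pairs in a link (first kind) and pairs whose positions
    # in the link differ by a preset gap (second kind).
    combos = set()
    for link in links:
        combos.update(zip(link, link[1:]))
        combos.update(zip(link, link[gap:]))
    return combos

def check_instruction(operations, library):
    # Stage 1 checks each behaviour alone; stage 2 runs only when stage 1 is
    # clean, as claim 1 requires. Intercepting on a stage-1 hit is assumed.
    hits = {(op,) for op in operations if matches_library((op,), library)}
    if hits:
        return "intercept", hits
    links = generate_links(operations, library)
    hits = {c for c in combined_behaviours(links) if matches_library(c, library)}
    return ("intercept", hits) if hits else ("allow", hits)
```

On the sample instruction no single behaviour matches the library, but the pair ("export_db", "delete_logs") appears in the generated links and is intercepted at stage 2.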
5. The method of claim 1, wherein after intercepting the operation instruction upon the determination that there is an abnormal operation behavior among the plurality of combined operation behaviors, the method further comprises:
receiving a new operation instruction sent by the target equipment; the new operation instruction comprises a third operation behavior and a fourth operation behavior, the third operation behavior is one of the plurality of operation behaviors, and the fourth operation behavior is not one of the plurality of operation behaviors;
analyzing the fourth operation behavior according to a preset abnormal operation behavior library, and judging whether the fourth operation behavior has an abnormal operation behavior;
when it is determined that no abnormal operation behavior exists in the fourth operation behavior, combining the fourth operation behavior with the third operation behavior in different ways to obtain a plurality of new combined operation behaviors; each new combined operation behavior comprises at least one fourth operation behavior;
analyzing the plurality of new combined operation behaviors according to the preset abnormal operation behavior library, and judging whether abnormal operation behaviors exist in the plurality of new combined operation behaviors or not;
intercepting the new operation instruction when determining that abnormal operation behaviors exist in the plurality of new combined operation behaviors.
6. The method of claim 5, wherein after intercepting the new operation instruction upon determining that there is an abnormal operation behavior among the plurality of new combined operation behaviors, the method further comprises:
determining an original operation behavior corresponding to the fourth operation behavior; the original operation behavior comprises other operation behaviors in the plurality of operation behaviors except the third operation behavior;
determining a relationship between the fourth operation behavior and the original operation behavior;
determining an abnormal operation hiding strategy of the target equipment according to the relation;
and synchronizing the hiding strategy to the equipment having an interactive relationship with the target equipment.
7. The method of claim 1, further comprising:
screening out suspicious operation behaviors from the plurality of combined operation behaviors when determining that no abnormal operation behaviors exist in the plurality of combined operation behaviors; the similarity between the suspicious operation behavior and the target abnormal operation behavior in the abnormal operation behavior library is greater than a preset value;
generating a protection program based on the suspicious operation behavior;
and executing the operation instruction on an operation object corresponding to the operation instruction, and running the protection program.
8. A computer network security abnormal operation intercepting apparatus, comprising:
the receiving module is used for receiving an operation instruction sent by target equipment; the operation instruction comprises a plurality of operation behaviors;
the first processing module is used for analyzing the plurality of operation behaviors according to a preset abnormal operation behavior library and judging whether the plurality of operation behaviors have abnormal operation behaviors or not;
the second processing module is used for generating a plurality of operation links according to different operation sequences of the plurality of operation behaviors when the abnormal operation behaviors are determined not to exist in the plurality of operation behaviors; extracting a plurality of combined operation behaviors from the plurality of operation links; the combined operation behavior comprises at least two operation behaviors; analyzing the plurality of combined operation behaviors according to the preset abnormal operation behavior library, and judging whether the plurality of combined operation behaviors have abnormal operation behaviors or not;
the intercepting module is used for intercepting the operation instruction when abnormal operation behaviors exist in the plurality of combined operation behaviors;
the second processing module is specifically configured to: determine a first operation behavior of the plurality of operation behaviors; the first operation behavior is the one whose average similarity to each abnormal operation behavior in the abnormal operation behavior library is the lowest; determine a second operation behavior of the plurality of operation behaviors; the second operation behavior is the one whose average similarity to each abnormal operation behavior in the abnormal operation behavior library is the highest; use the first operation behavior as the initial operation behavior and the second operation behavior as the last operation behavior, and insert the other operation behaviors, except the first operation behavior and the second operation behavior, between the initial operation behavior and the last operation behavior according to different insertion orders to generate the plurality of operation links; the different insertion orders comprise at least two insertion orders;
or, determine an average similarity between the plurality of operation behaviors and each abnormal operation behavior in the abnormal operation behavior library; generate a first operation link by ordering the plurality of operation behaviors from low to high by the difference between their average similarity and a first calibration value; and generate a second operation link by ordering the plurality of operation behaviors from high to low by the difference between their average similarity and a second calibration value.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110820755.6A CN113556338B (en) 2021-07-20 2021-07-20 Computer network security abnormal operation interception method

Publications (2)

Publication Number Publication Date
CN113556338A CN113556338A (en) 2021-10-26
CN113556338B true CN113556338B (en) 2022-08-30

Family

ID=78103513

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20220815

Address after: Unit 101, No. 23, Hope Sea Road, Second Software Park, Xiamen City, Fujian Province, 361000

Applicant after: Fujian Yinshu Information Technology Co.,Ltd.

Address before: 430040 national network security talent and innovation base at the intersection of linkanggang Avenue and Xinjing Road, Dongxihu District, Wuhan City, Hubei Province

Applicant before: Long Hai

GR01 Patent grant