CN113904837A - Attack detection method, device, electronic equipment and medium - Google Patents

Publication number
CN113904837A
Authority
CN
China
Prior art keywords
transmission data
probability
character
data
attack detection
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111163045.7A
Other languages
Chinese (zh)
Inventor
杨鹤
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd, Beijing Topsec Software Co Ltd
Priority to CN202111163045.7A
Publication of CN113904837A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/142 Network analysis or design using statistical or mathematical methods
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network

Abstract

The method comprises the steps of carrying out feature extraction on transmission data to be detected to obtain a feature set of the transmission data, and obtaining an attack detection result of the transmission data based on the feature set and a pre-trained attack detection model. Therefore, when the attack detection is carried out on the transmission data, the accuracy of the attack detection result is improved.

Description

Attack detection method, device, electronic equipment and medium
Technical Field
The present application relates to the field of network security detection, and in particular, to a method, an apparatus, an electronic device, and a medium for attack detection.
Background
An attacker usually uses malicious attack characters, such as '///' and ' \\ \ and the like, to access arbitrary files on a server, and attacks the server by modifying or deleting those files. Malicious attacks are therefore usually detected based on the malicious attack characters, and the characters are filtered out to reduce malicious attack behavior.
In the prior art, a malicious attack is usually detected by matching specific malicious attack characters against the transmission data with regular expressions to obtain a malicious attack detection result.
However, because the transmission data may contain variants of the malicious attack characters, regular-expression matching may miss attacks, and the accuracy of malicious attack detection is poor.
Therefore, how to improve the accuracy of malicious attack detection is a technical problem to be solved.
Disclosure of Invention
The present application aims to provide a method, an apparatus, an electronic device, and a medium for attack detection, which are used to improve accuracy of attack detection when detecting a malicious attack behavior.
In one aspect, a method of attack detection includes:
carrying out feature extraction on transmission data to be detected to obtain a feature set of the transmission data;
and acquiring an attack detection result of the transmission data based on the feature set and a pre-trained attack detection model, wherein the attack detection model is constructed based on a random forest algorithm.
In the implementation process, feature extraction is performed on the transmission data to be detected to obtain its feature set, and the attack detection result of the transmission data is obtained based on the feature set and a pre-trained attack detection model constructed based on the random forest algorithm, so that the attack detection accuracy is improved.
In one embodiment, the feature set includes any one or any combination of the following features:
data length, symbol probability, letter probability, entropy value, and hidden markov value of the transmission data;
the symbol probability is determined according to the number of symbols contained in the transmission data and the data length;
the letter probability is determined according to the number of letters contained in the transmission data and the data length;
the entropy value is determined according to the character probability of each character in the transmission data;
the character probability of each character is determined according to the number of characters of each character and the data length;
the hidden Markov value is obtained based on the hidden Markov model and the transmission data.
In the implementation process, feature extraction is performed on the transmission data to be detected to obtain its feature values, namely the data length, the symbol probability, the letter probability, the entropy value and the hidden Markov value of the transmission data, and these feature values are combined to obtain the feature set.
In one embodiment, performing feature extraction on transmission data to be detected to obtain a feature set of the transmission data includes:
acquiring the data length of transmission data, the number of symbols contained in the transmission data, the number of letters contained in the transmission data and the number of characters of each character;
determining a symbol probability according to the number of symbols and the data length, wherein the symbol probability is positively correlated with the number of symbols and negatively correlated with the data length;
determining letter probability according to the number of letters and the data length, wherein the letter probability is positively correlated with the number of letters and negatively correlated with the data length;
respectively determining the character probability of each character according to the character number and the data length of each character in the transmission data;
determining an entropy value according to the probability of each character;
determining a hidden Markov value of the transmission data based on the hidden Markov model;
and obtaining a feature set of the transmission data according to the symbol probability, the letter probability, the entropy value and the hidden Markov value.
In the implementation process, each feature value is obtained according to its calculation formula, and the feature values are combined to obtain the feature set corresponding to the transmission data.
In one embodiment, obtaining an attack detection result of transmission data based on a feature set and a pre-trained attack detection model includes:
vectorizing the feature set to obtain a feature vector;
inputting the feature vectors into each decision tree in the attack detection model, and respectively obtaining an attack classification result corresponding to each decision tree;
and determining an attack detection result of the transmission data according to the proportion of the attack classification results that indicate a malicious attack among all the attack classification results.
In the implementation process, the random forest model tolerates noise and abnormal values well, does not suffer from the over-fitting problem of a single decision tree, and offers good scalability and parallelism on high-dimensional data classification problems; detecting the transmission data with an attack detection model established based on the random forest algorithm therefore yields a more accurate attack detection result.
In one embodiment, before obtaining the attack detection result of the transmission data based on the feature set and a pre-trained attack detection model, the method further includes:
acquiring a training data sample set, wherein the training data sample set comprises a plurality of transmission data and a malicious attack category corresponding to each transmission data;
extracting the characteristics of each transmission data in the training data sample set to respectively obtain the characteristic set of each transmission data;
vectorizing each feature set to obtain a plurality of feature vectors;
and training the random forest model based on the characteristic vectors corresponding to the transmission data and the corresponding malicious attack categories to obtain a trained attack detection model.
In the implementation process, the random forest model is subjected to model training to obtain a trained attack detection model, so that the trained attack detection model can be directly used for carrying out attack detection on the transmission data, and the accuracy of attack detection is improved.
In one aspect, an apparatus for attack detection is provided, including:
an extraction unit, configured to perform feature extraction on transmission data to be detected to obtain a feature set of the transmission data;
a detection unit, configured to acquire an attack detection result of the transmission data based on the feature set and a pre-trained attack detection model, wherein the attack detection model is constructed based on a random forest algorithm.
In one embodiment, the feature set includes any one or any combination of the following features:
data length, symbol probability, letter probability, entropy value, and hidden markov value of the transmission data;
the symbol probability is determined according to the number of symbols contained in the transmission data and the data length;
the letter probability is determined according to the number of letters contained in the transmission data and the data length;
the entropy value is determined according to the character probability of each character in the transmission data;
the character probability of each character is determined according to the number of characters of each character and the data length;
the hidden Markov value is obtained based on the hidden Markov model and the transmission data.
In the implementation process, feature extraction is performed on the transmission data to be detected to obtain its feature values, namely the data length, the symbol probability, the letter probability, the entropy value and the hidden Markov value of the transmission data, and these feature values are combined to obtain the feature set.
In one embodiment, the extraction unit is configured to:
acquiring the data length of transmission data, the number of symbols contained in the transmission data, the number of letters contained in the transmission data and the number of characters of each character;
determining a symbol probability according to the number of symbols and the data length, wherein the symbol probability is positively correlated with the number of symbols and negatively correlated with the data length;
determining letter probability according to the number of letters and the data length, wherein the letter probability is positively correlated with the number of letters and negatively correlated with the data length;
respectively determining the character probability of each character according to the character number and the data length of each character in the transmission data;
determining an entropy value according to the probability of each character;
determining a hidden Markov value of the transmission data based on the hidden Markov model;
and obtaining a feature set of the transmission data according to the symbol probability, the letter probability, the entropy value and the hidden Markov value.
In the implementation process, each feature value is obtained according to its calculation formula, and the feature values are combined to obtain the feature set corresponding to the transmission data.
In one embodiment, the detection unit is configured to:
vectorizing the feature set to obtain a feature vector;
inputting the feature vectors into each decision tree in the attack detection model, and respectively obtaining an attack classification result corresponding to each decision tree;
and determining an attack detection result of the transmission data according to the proportion of the attack classification results that indicate a malicious attack among all the attack classification results.
In the implementation process, the random forest model has good tolerance to noise and abnormal values, so that the over-fitting problem of the decision tree and the high-dimensional data classification problem are avoided, and the accuracy of the attack detection result is improved.
In one embodiment, the detection unit is further configured to:
acquiring a plurality of transmission data samples and a malicious attack category corresponding to each transmission data sample;
extracting the characteristics of each transmission data sample to respectively obtain the characteristic set of each transmission data sample;
vectorizing each feature set to obtain a plurality of feature vectors;
and training the random forest model based on the characteristic vectors corresponding to the transmission data and the corresponding malicious attack categories to obtain a trained attack detection model.
In the implementation process, the attack detection model is constructed based on the random forest model, so that malicious attack detection can be performed on transmission data to be detected through the trained attack detection model in subsequent malicious attack detection.
In one aspect, an electronic device is provided, comprising a processor and a memory, the memory storing computer readable instructions which, when executed by the processor, perform the steps of the method provided in any of the various alternative implementations of attack detection described above.
In one aspect, a readable storage medium is provided, on which a computer program is stored, which computer program, when being executed by a processor, is adapted to carry out the steps of the method as provided in any of the various alternative implementations of attack detection as described above.
In one aspect, a computer program product is provided which, when run on a computer, causes the computer to perform the steps of the method as provided in any of the various alternative implementations of attack detection described above.
In the embodiment of the application, feature extraction is performed on the transmission data to be detected to obtain a feature set of the transmission data, and the attack detection result of the transmission data is obtained based on the feature set and a pre-trained attack detection model constructed based on the random forest algorithm, so that the accuracy of attack detection is improved.
Additional features and advantages of the application will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the application. The objectives and other advantages of the application may be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a schematic structural diagram of an attack detection system according to an embodiment of the present application;
Fig. 2 is a flowchart of an implementation of a method for training an attack detection model according to an embodiment of the present disclosure;
Fig. 3 is a flowchart of an implementation of a method for attack detection according to an embodiment of the present application;
Fig. 4 is a schematic structural diagram of a model training system according to an embodiment of the present disclosure;
Fig. 5 is a schematic structural diagram of a model detection system according to an embodiment of the present disclosure;
Fig. 6 is a detailed implementation flowchart of a method for attack detection according to an embodiment of the present application;
Fig. 7 is a schematic structural diagram of an attack detection apparatus according to an embodiment of the present application;
Fig. 8 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. The components of the embodiments of the present application, generally described and illustrated in the figures herein, can be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the present application, presented in the accompanying drawings, is not intended to limit the scope of the claimed application, but is merely representative of selected embodiments of the application. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present application without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only for distinguishing the description, and are not to be construed as indicating or implying relative importance.
First, some terms referred to in the embodiments of the present application will be described to facilitate understanding by those skilled in the art.
Terminal device: may be a mobile terminal, a fixed terminal, or a portable terminal such as a mobile handset, station, unit, device, multimedia computer, multimedia tablet, internet node, communicator, desktop computer, laptop computer, notebook computer, netbook computer, tablet computer, personal communication system device, personal navigation device, personal digital assistant, audio/video player, digital camera/camcorder, positioning device, television receiver, radio broadcast receiver, electronic book device, gaming device, or any combination thereof, including the accessories and peripherals of these devices. It is also contemplated that the terminal device can support any type of interface to the user (e.g., wearable device), and the like.
Server: may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server providing basic cloud computing services such as cloud service, a cloud database, cloud computing, cloud functions, cloud storage, network service, cloud communication, middleware service, domain name service, security service, and big data and artificial intelligence platforms.
Decision Tree: a multi-layer tree structure that classifies examples based on characteristic parameters. Generating a decision tree is a process of repeatedly dividing the data set, using the characteristic parameters that meet the division criterion, into subsets with higher purity and smaller uncertainty.
Random forest algorithm (Random forest): a classifier comprising a plurality of decision trees, which determines the classification result according to the class output by each decision tree.
Hidden Markov Model (HMM): a statistical model used to describe a Markov process with hidden unknown parameters.
Firewall: an application security technology, built on modern communication network technology and information security technology, that isolates the intranet from the public access network.
Uniform Resource Locator (URL): is a representation method for specifying the location of information on a web service program of the internet.
Hypertext Transfer Protocol (HTTP): is a simple request-response protocol that typically runs on top of the transmission control protocol. It specifies what messages the client may send to the server and what responses to get.
Bootstrapping algorithm (Bootstrapping): performs a finite number of repeated samplings to obtain new samples that are sufficient to represent the distribution of the parent sample.
Directory traversal: a security vulnerability in which an attacker uses malicious attack characters to traverse, modify or delete arbitrary files on the server, thereby carrying out a malicious attack on the server.
In order to improve the accuracy of attack detection when detecting a malicious attack behavior, embodiments of the present application provide a method, an apparatus, an electronic device, and a medium for attack detection.
Referring to fig. 1, an architecture diagram of an attack detection system is shown, and the system includes a user terminal, a malicious attack detection device, and a server.
The user terminal is configured to transmit data to and from the server through the malicious attack detection device.
The malicious attack detection device is configured to perform malicious attack detection on the transmission data to be detected using a trained attack detection model, to intercept the transmission data if the detection result indicates a malicious attack, and to forward the transmission data to the server if the detection result indicates a non-malicious attack.
The server is configured to receive the transmission data sent by the user terminal through the malicious attack detection device.
In the embodiment of the application, the random forest model is trained in advance based on the training data sample to obtain the trained attack detection model, and when malicious attack detection is performed, the trained attack detection model is adopted to detect the transmission data to be detected to obtain an attack detection result, so that the accuracy of malicious attack detection is improved through the trained attack detection model.
In the embodiment of the present application, the execution subject may be malicious attack detection equipment in the attack detection system shown in fig. 1, and in practical application, the malicious attack detection equipment may be electronic equipment such as a terminal device, a server, a firewall, and the like, which is not limited herein.
Referring to fig. 2, an implementation flow chart of a method for training an attack detection model according to an embodiment of the present application is shown, and with reference to the attack detection system shown in fig. 1, a specific implementation flow of the method is as follows:
step 200: a set of training data samples is obtained.
Specifically, the training data sample set includes a plurality of transmission data and a malicious attack category corresponding to each transmission data.
And acquiring a plurality of transmission data and a malicious attack category corresponding to each transmission data.
Specifically, the transmission data includes malicious attack samples and non-malicious attack samples. The malicious attack categories include malicious attacks and non-malicious attacks.
The malicious attack sample can be directly obtained or obtained after filling the non-malicious attack sample.
This is because the number of malicious attack samples may be small, and thus, a large number of malicious attack samples may be obtained by filling non-malicious attack samples.
The characters filled in the non-malicious attack sample can be designated malicious attack characters, such as './', variants of the designated malicious attack characters, such as '.// ' and ' \\ ', and coded characters, such as. - > -2 c ' and '/> -2 f ', which can bypass the traditional malicious attack detection.
Therefore, a large number of malicious attack samples can be obtained by filling the non-malicious attack samples, so that the attack detection model can be trained through the large number of malicious attack samples in the subsequent training step of the attack detection model.
Step 201: and performing feature extraction on each transmission data in the training data sample set to respectively obtain a feature set of each transmission data.
Specifically, the following steps are performed for each piece of transmission data:
based on the transmission data, obtaining characteristic values of a plurality of characteristics of the transmission data, and combining the characteristic values of the characteristics to obtain a characteristic set of the transmission data.
In this way, the feature values of each transmission data are combined, and a feature set of each transmission data can be obtained.
Wherein, the feature set comprises any one or any combination of the following features: data length, symbol probability, letter probability, entropy value, and hidden markov value.
Wherein the symbol probability is determined according to the number of symbols included in the transmission data and the data length. The letter probability is determined according to the number of letters contained in the transmission data and the data length. The entropy value is determined based on the character probability of each character in the transmission data. The character probability of each character is determined based on the number of characters per character and the data length. The hidden markov value is obtained based on the hidden markov model and the transmission data.
When determining the symbol probability, the following step may be adopted:
determining the symbol probability according to the number of symbols in the transmission data and the data length of the transmission data.
When determining the letter probability, the following step may be adopted:
determining the letter probability according to the number of letters in the transmission data and the data length of the transmission data.
When determining the entropy value, the following step may be adopted:
determining the entropy value according to the probability of each character in the transmission data.
When determining the character probability, the following step may be adopted:
determining the character probability of each character according to the number of occurrences of that character in the transmission data and the data length of the transmission data.
When determining the hidden Markov value, the following step may be adopted:
determining the hidden Markov value of the transmission data based on the hidden Markov model.
In this way, the feature values of features such as the data length, symbol probability, letter probability, entropy value and hidden Markov value of the transmission data can be extracted to obtain the feature set of the transmission data.
Step 202: Vectorization is performed on each feature set to obtain a plurality of feature vectors.
Specifically, for each feature set, the following step is performed:
based on the feature values of the features in the feature set, a feature vector containing those feature values is generated.
In this way, a feature vector holding the feature values of each transmission data is obtained, and it can be used as the model input for model training in the subsequent steps.
Step 203: The random forest model is trained based on each feature vector and the corresponding malicious attack category to obtain a trained attack detection model.
Specifically, each feature vector is labeled according to its malicious attack category, each labeled feature vector is input into the random forest model to obtain an attack detection result, the attack detection result is compared with the malicious attack category, and the random forest model parameters are adjusted according to the comparison result to obtain a trained attack detection model.
In one embodiment, the malicious attacks in the malicious attack category may be labeled with "1" and the corresponding non-malicious attacks may be labeled with "0".
It should be noted that the labeling manner may be set according to the actual application scenario, and is not limited herein.
In one embodiment, a Bootstrap algorithm is used to perform n _ tree sampling on a training data sample set, and m samples are taken out each time of sampling to generate n _ tree training sets. Wherein, m and n _ tree are positive integers, and each training set comprises m samples.
And respectively training n _ tree decision tree models through n _ tree training sets. For a single decision tree model, assuming that the number of features of transmitted data is x and the malicious attack category is k, the decision tree model selects the best feature of the features according to the kini index to split, each tree outputs an attack classification result, malicious attack detection categories are output according to the attack classification results of a plurality of decision trees, and model parameters in the random forest model are adjusted according to the comparison result of the attack detection results and the malicious attack detection categories to obtain a trained attack detection model. Wherein x and k are both positive integers, and optionally, k may be 2.
To obtain the trained attack detection model, the following steps may be executed in a loop:
S2031: Input the feature vector of each piece of transmission data into the attack detection training model, and output the attack detection result corresponding to each piece of transmission data.
S2032: Determine the comparison result between the attack detection result of each piece of transmission data and the corresponding malicious attack category.
S2033: Judge whether the comparison results between the attack detection results and the corresponding malicious attack categories meet the preset training condition; if so, execute S2034, otherwise execute S2035.
S2034: Obtain the trained attack detection model, and terminate the training process of the attack detection model.
S2035: Adjust the model parameters of the attack detection model, and execute S2031.
In practical application, the preset training condition may be set according to a practical application scenario, which is not limited herein. For example, the preset training condition may also be set according to the number of times of model training to determine whether a trained attack detection model is obtained.
Therefore, the attack detection model can be constructed based on the random forest model, so that the malicious attack detection can be carried out on the transmission data to be detected through the trained attack detection model in the subsequent malicious attack detection.
Referring to fig. 3, an implementation flow chart of a method for attack detection provided in the embodiment of the present application is shown, and a specific implementation flow of the method is as follows:
Step 300: Perform feature extraction on the transmission data to be detected to obtain a feature set of the transmission data.
Specifically, based on transmission data to be detected, characteristic values of a plurality of characteristics of the transmission data are determined, and a characteristic set of the transmission data is obtained.
Optionally, the feature set includes any one or any combination of data length, symbol probability, letter probability, entropy value, and hidden markov value of the transmission data.
For example, the feature set includes a data length, a symbol probability, a letter probability, an entropy value, and a hidden markov value of the transmission data.
As another example, the feature set includes a data length, a symbol probability, a letter probability, and an entropy value of the transmission data.
These features are chosen for the following reasons. An attacker usually needs to add malicious attack characters to legal transmission data, so illegal transmission data used for a malicious attack is longer than legal transmission data. The format of legal transmission data is usually more regular, and the frequency of occurrence of its symbols and letters is more stable, whereas illegal transmission data contains specific characters such as directory traversal characters, its encoding is usually more disordered, and the frequency of its symbols and letters is unstable. Further, the degree of disorder of the transmission data can be determined by its entropy: the smaller the entropy, the more uniform the field distribution of the transmission data, and the larger the entropy, the more disordered the field distribution. The entropy of legal transmission data is therefore smaller and the entropy of illegal transmission data is larger. Finally, whether the transmission data is abnormal can be judged by its hidden Markov value: the smaller the hidden Markov value, the higher the probability that the transmission data is legal, and conversely, the higher the probability that it is illegal. Based on these considerations, in the embodiment of the present application, the above features of the transmission data, that is, the data length, the symbol probability, the letter probability, the entropy value, and the hidden Markov value, are extracted, and in the subsequent step these features are used to detect whether the transmission data is legal.
In one embodiment, the feature set includes a data length, a symbol probability, a letter probability, an entropy value, and a hidden markov value of the transmission data, and the following steps may be performed when performing step 200:
S3001: Obtain the data length of the transmission data, the number of symbols contained in the transmission data, the number of letters contained in the transmission data, and the number of occurrences of each character.
In one embodiment, the total length of the transmission data is obtained, as well as the number of all symbols, the number of all letters, and the number of characters per character contained in the transmission data.
Further, a target character string may be extracted from the transmission data according to a character string extraction rule, and the length of the target character string is determined as the data length of the transmission data. The symbols in the target character string that meet a preset symbol condition are counted, and their number is determined as the number of symbols contained in the transmission data. The letters in the target character string that meet a preset letter condition are counted, and their number is determined as the number of letters contained in the transmission data. The characters in the target character string that meet a preset character condition are counted, and their number is determined as the number of characters of each character in the transmission data.
In practical application, the preset symbol condition, the preset letter condition and the preset character condition may be set according to a practical application scenario, which is not limited herein.
In one embodiment, the following calculation formula may be used in determining the data length of the transmission data:
L(X)=count(x)
where L(X) represents the data length of the transmission data X, X represents the transmission data, and x represents a character in the transmission data.
S3002: Determine the symbol probability according to the number of symbols and the data length.
In one embodiment, the following calculation formula may be used in determining the symbol probability:
Figure BDA0003290894830000151
where p(s) represents the symbol probability of the transmission data, s represents a symbol in the transmission data X, and L(X) represents the data length of the transmission data X.
S3003: Determine the letter probability according to the number of letters and the data length.
In one embodiment, the following calculation formula may be used in determining the letter probability:
Figure BDA0003290894830000152
where p(z) represents the letter probability of the transmission data, z represents a letter in the transmission data X, and L(X) represents the data length of the transmission data X.
S3004: Determine the character probability of each character according to the number of occurrences of that character in the transmission data and the data length.
Specifically, the following step is performed for each character:
Determine the ratio of the number of occurrences of the character in the transmission data to the data length as the character probability of that character.
S3005: Determine the entropy value according to the character probability of each character.
In one embodiment, the following calculation formula may be used in determining the entropy value:
Figure BDA0003290894830000153
where H(X) represents the entropy value of the transmission data X, X represents the transmission data, x represents an arbitrary character in the transmission data X, and p(x) represents the probability of x appearing in the transmission data X.
S3006: Determine a hidden Markov value of the transmission data based on the hidden Markov model.
In one embodiment, the hidden Markov value may be determined using the following calculation:
Figure BDA0003290894830000154
where p(x_i|y_i) is the hidden Markov follow probability, x_i, y_i represent a combination in the transmission data, y_i is the first character, x_i is the second character, X represents the transmission data, and i represents the state.
Figure BDA0003290894830000161
where p(x_1, …, x_n) represents the hidden Markov value, x_1, …, x_n are all arbitrary characters in the transmission data X, (x_1, …, x_n) is the character string, n represents the number of characters in the transmission data X, and N represents the number of all characters in the transmission data.
S3007: Obtain the feature set of the transmission data according to the symbol probability, the letter probability, the entropy value and the hidden Markov value.
Specifically, the obtained feature values are combined to obtain a feature set of the transmission data.
In the embodiment of the present application, only the feature set including the symbol probability, the letter probability, the entropy value, and the hidden markov value is taken as an example for explanation, and in practical application, the feature set may include any one or any combination of the symbol probability, the letter probability, the entropy value, and the hidden markov value.
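The following added example (not code from the patent) carries out S3001 to S3005 and the vectorization step for the feature combination of data length, symbol probability, letter probability and entropy value. It assumes that symbols are ASCII punctuation, that letters are ASCII letters, that both probabilities are plain ratios to the data length, and that the entropy is Shannon entropy in bits; the function names and sample payloads are constructed for illustration, and the hidden Markov value is left out because its formulas are not reproduced on this page.

```python
import math
import string
from collections import Counter

# Assumption: the "preset symbol condition" is ASCII punctuation and the
# "preset letter condition" is ASCII letters; the patent leaves both open.
SYMBOLS = frozenset(string.punctuation)
LETTERS = frozenset(string.ascii_letters)
FEATURE_ORDER = ("length", "symbol_prob", "letter_prob", "entropy")

# Constructed sample inputs (not taken from the patent).
BENIGN = "name=alice&page=2"
SUSPICIOUS = "file=../../../../../../conf/site.ini"


def extract_features(data: str) -> dict:
    """S3001-S3005: data length, symbol/letter probability and entropy."""
    length = len(data)  # L(X) = count(x)
    if length == 0:
        # Empty payload: define every ratio as 0 rather than divide by zero.
        return {"length": 0, "symbol_prob": 0.0,
                "letter_prob": 0.0, "entropy": 0.0}
    n_symbols = sum(ch in SYMBOLS for ch in data)
    n_letters = sum(ch in LETTERS for ch in data)
    # S3004: character probability = occurrences of the character / length.
    char_probs = [count / length for count in Counter(data).values()]
    # S3005, assumption: Shannon entropy in bits, H(X) = -sum p(x) log2 p(x).
    entropy = -sum(p * math.log2(p) for p in char_probs)
    return {
        "length": length,
        "symbol_prob": n_symbols / length,  # assumption: plain ratio
        "letter_prob": n_letters / length,  # assumption: plain ratio
        "entropy": entropy,
    }


def to_vector(features: dict) -> list:
    """Vectorization: fix the feature order so all vectors share a layout."""
    return [features[name] for name in FEATURE_ORDER]


if __name__ == "__main__":
    for payload in (BENIGN, SUSPICIOUS):
        print(payload, to_vector(extract_features(payload)))
```

On these two constructed payloads the length and symbol probability rise and the letter probability falls for the traversal-style string, while its entropy does not, because the string repeats a few characters; no single feature is decisive, which is why the features are combined in one vector.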
Step 301: Obtain an attack detection result of the transmission data based on the feature set and a pre-trained attack detection model.
Specifically, when step 301 is executed, the following steps may be adopted:
S3011: Vectorize the feature set to obtain a feature vector.
Specifically, a feature vector including each feature value in the feature set is generated based on the feature value of each feature in the feature set.
In this way, the generated feature vector including the feature values in the feature set can be used as an input of the attack detection training model to train the attack detection model.
S3012: Input the feature vector into each decision tree in the attack detection model to obtain the attack classification result corresponding to each decision tree.
It should be noted that the layer structure of different decision trees may be the same, and the decision trees are independent and do not interfere with each other.
S3013: Determine the attack detection result of the transmission data according to the proportion of attack classification results that indicate a malicious attack among all attack classification results.
Specifically, the attack classification results are counted to determine a first number, which is the number of attack classification results representing malicious attacks, and a second number, which is the number of all attack classification results. It is then judged whether the proportion of the first number in the second number is higher than a preset proportion threshold; if so, the attack detection result of the transmission data is a malicious attack, otherwise the attack detection result of the transmission data is a non-malicious attack.
In practical applications, the preset proportion threshold may be set according to the actual application scenario and is not limited herein; for example, the preset proportion threshold is 0.7.
Further, if the attack detection result of the transmission data is malicious attack, the transmission data is intercepted and a warning is sent, and if the attack detection result of the transmission data is non-malicious attack, the transmission data is sent to the user terminal.
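The following added example (not code from the patent) ties together the Bootstrap sampling and Gini-index split described for training and the proportion vote of S3012 and S3013. As a simplification it trains depth-1 decision trees instead of full decision trees; the training vectors, function names and seed are constructed for illustration, and the default threshold is the 0.7 given as an example above.

```python
import random

# Constructed training set: ([length, symbol_prob, letter_prob, entropy], label)
# label 1 = malicious attack, 0 = non-malicious. Values are illustrative only.
TRAIN = [
    ([12, 0.08, 0.85, 2.6], 0), ([18, 0.11, 0.80, 3.0], 0),
    ([22, 0.14, 0.78, 3.1], 0), ([27, 0.10, 0.82, 3.3], 0),
    ([30, 0.17, 0.74, 3.4], 0),
    ([44, 0.38, 0.48, 3.9], 1), ([52, 0.45, 0.42, 4.1], 1),
    ([61, 0.52, 0.37, 4.2], 1), ([75, 0.41, 0.45, 4.4], 1),
    ([88, 0.58, 0.33, 4.5], 1),
]


def gini(labels):
    """Gini impurity of a list of 0/1 labels."""
    if not labels:
        return 0.0
    p1 = sum(labels) / len(labels)
    return 1.0 - p1 * p1 - (1.0 - p1) ** 2


def majority(labels):
    """Most common label; a tie counts as malicious (1)."""
    return int(2 * sum(labels) >= len(labels))


def train_stump(samples):
    """Depth-1 tree: pick the (feature, threshold) with lowest weighted Gini."""
    best = None  # (score, feature, threshold, left_label, right_label)
    for f in range(len(samples[0][0])):
        values = sorted({x[f] for x, _ in samples})
        for lo, hi in zip(values, values[1:]):
            thr = (lo + hi) / 2
            left = [y for x, y in samples if x[f] <= thr]
            right = [y for x, y in samples if x[f] > thr]
            score = (len(left) * gini(left)
                     + len(right) * gini(right)) / len(samples)
            if best is None or score < best[0]:
                best = (score, f, thr, majority(left), majority(right))
    if best is None:
        # Every sampled vector is identical: fall back to the majority label.
        fallback = majority([y for _, y in samples])
        return lambda x: fallback
    _, f, thr, left_label, right_label = best
    return lambda x: left_label if x[f] <= thr else right_label


def train_forest(train_set, n_tree, m, seed=0):
    """Bootstrap: draw m samples with replacement for each of n_tree trees."""
    rng = random.Random(seed)
    return [train_stump([rng.choice(train_set) for _ in range(m)])
            for _ in range(n_tree)]


def detect(forest, vector, threshold=0.7):
    """S3012-S3013: per-tree classification, then the proportion vote."""
    if not forest:
        raise ValueError("forest has no decision trees")
    votes = [tree(vector) for tree in forest]
    first_number = sum(votes)    # results indicating a malicious attack
    second_number = len(votes)   # all attack classification results
    ratio = first_number / second_number
    label = "malicious" if ratio > threshold else "non-malicious"
    return label, ratio


if __name__ == "__main__":
    forest = train_forest(TRAIN, n_tree=25, m=10, seed=7)
    print(detect(forest, [95, 0.62, 0.28, 4.7]))
    print(detect(forest, [10, 0.05, 0.90, 2.4]))
```

Because the comparison is "higher than", a vote that lands exactly on the threshold is reported as non-malicious; raising the threshold trades missed detections for fewer false interceptions.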
The random forest model tolerates noise and abnormal values well, which avoids the problems of decision tree over-fitting and high-dimensional data classification; it also has good expandability and parallelism, and it improves the accuracy of the attack detection result.
In the embodiment of the application, the feature set of the transmission data is obtained by extracting the features of the transmission data to be detected, vectorization processing is performed on the feature set to obtain the feature vector, the obtained feature vector is input to each decision tree in an attack detection model constructed based on a random forest algorithm, each attack classification result corresponding to each decision tree is obtained respectively, the attack detection result of the transmission data is determined according to the ratio of each attack classification result, the malicious attack of malicious attack characters based on variants can be detected, and the accuracy of the attack detection result is improved.
Fig. 4 is a schematic structural diagram of a model training system according to an embodiment of the present disclosure. The model training system comprises a sample acquisition module, a data preprocessing module, a model training module and a classification module.
Wherein the sample acquisition module: for obtaining a plurality of sets of training data samples.
A data preprocessing module: the device is used for extracting the characteristics of each transmission data sample, respectively obtaining the characteristic set of each transmission data sample, and respectively carrying out vectorization processing on each characteristic set to obtain a plurality of characteristic vectors.
A model training module: the method is used for training the random forest model based on the feature vectors corresponding to the transmission data in the training data sample set and the corresponding malicious attack categories to obtain a trained attack detection model.
A classification module: and receiving the trained attack detection model sent by the model training module.
Specifically, for the implementation of the model training system, see fig. 2; repeated details are omitted.
Fig. 5 is a schematic structural diagram of a model detection system according to an embodiment of the present disclosure. The model detection system comprises a data acquisition module, a data preprocessing module, a detection module, a malicious attack module and a legal data module.
Wherein, the data acquisition module: for obtaining transmission data to be detected.
A data preprocessing module: the device is used for extracting the characteristics of the transmission data to be detected to obtain a characteristic set of the transmission data, and vectorizing the characteristic set to obtain a characteristic vector.
A detection module: and the method is used for obtaining the attack detection result of the transmission data based on the feature set and the pre-trained attack detection model.
And a malicious attack module: and the system is used for judging the attack detection result and intercepting and warning the transmission data of which the detection result is malicious attack.
A legal data module: and the server is used for receiving the transmission data of which the detection result is the non-malicious attack and sending the transmission data of the non-malicious attack to the server.
Specifically, the specific implementation of the model training system can be seen in fig. 2, and repeated details are not repeated.
Referring to fig. 6, a detailed implementation flowchart of a method for attack detection provided in the embodiment of the present application is shown, and a specific implementation flow of the method is as follows:
Step 600: Perform feature extraction on the transmission data to be detected to obtain a feature set of the transmission data.
Step 601: Vectorize the feature set to obtain a feature vector.
Step 602: Input the feature vector into each decision tree in the attack detection model to obtain the attack classification result corresponding to each decision tree.
Step 603: Determine the attack detection result of the transmission data according to the proportion of attack classification results that indicate a malicious attack among all attack classification results.
Step 604: Judge whether the attack detection result of the transmission data is a malicious attack.
Step 605: if yes, intercepting the transmission data and sending warning information to the server.
Step 606: and if not, sending the transmission data to the server.
Specifically, when step 600 to step 606 are executed, the specific steps refer to step 300 to step 301, which are not described herein again.
In the embodiment of the application, the feature set of the transmission data is obtained by extracting the features of the transmission data to be detected, vectorization processing is performed on the feature set to obtain the feature vector, the obtained feature vector is input to each decision tree in an attack detection model constructed based on a random forest algorithm, each attack classification result corresponding to each decision tree is obtained respectively, and the attack detection result of the transmission data is determined according to the ratio of each attack classification result. The malicious attack of the variant-based malicious attack characters can be detected, and the attack detection accuracy is improved.
Based on the same inventive concept, the embodiment of the present application further provides an attack detection device, and as the principles of the device and the apparatus for solving the problems are similar to those of an attack detection method, the implementation of the device can refer to the implementation of the method, and repeated details are not repeated.
Fig. 7 is a schematic structural diagram of an attack detection apparatus according to an embodiment of the present application, including:
an extraction unit 701, configured to perform feature extraction on transmission data to be detected to obtain a feature set of the transmission data;
a detection unit 702, configured to obtain an attack detection result of the transmission data based on the feature set and a pre-trained attack detection model.
In one embodiment, the extracting unit 701 is configured to:
acquiring the data length of transmission data, the number of symbols contained in the transmission data, the number of letters contained in the transmission data and the number of characters of each character;
determining a symbol probability according to the number of symbols and the data length, wherein the symbol probability is positively correlated with the number of symbols and negatively correlated with the data length;
determining letter probability according to the number of letters and the data length, wherein the letter probability is positively correlated with the number of letters and negatively correlated with the data length;
respectively determining the character probability of each character according to the character number and the data length of each character in the transmission data;
determining an entropy value according to the probability of each character;
determining a hidden Markov value of the transmission data based on the hidden Markov model;
and obtaining a characteristic set of the transmission data according to the symbol probability, the letter probability, the entropy value and the hidden Markov value.
In one embodiment, the detection unit 702 is configured to:
vectorizing the feature set to obtain a feature vector;
inputting the feature vectors into each decision tree in the attack detection model, and respectively obtaining each attack classification result corresponding to each decision tree;
and determining the attack detection result of the transmission data according to the ratio of the attack classification results.
In one embodiment, the detection unit 702 is further configured to:
acquiring a plurality of transmission data samples and a malicious attack category corresponding to each transmission data sample;
extracting the characteristics of each transmission data sample to respectively obtain the characteristic set of each transmission data sample;
vectorizing each feature set to obtain a plurality of feature vectors;
and training the random forest model based on each feature vector and the corresponding malicious attack category to obtain a trained attack detection model.
In one embodiment, the first target object is a piston and the second target object is a piston ring.
Fig. 8 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure.
The electronic device 8000 includes a processor 8010 and a memory 8020, and may further include a power supply 8030, a display unit 8040, and an input unit 8050.
The processor 8010 is the control center of the electronic device 8000. It connects the various components using various interfaces and lines, and performs the various functions of the electronic device 8000 by running or executing software programs and/or data stored in the memory 8020, thereby performing overall monitoring of the electronic device 8000.
In this embodiment, the processor 8010, when calling the computer program stored in the memory 8020, executes the method of training the attack detection model provided in the embodiment shown in fig. 2, and the method of attack detection provided in the embodiment shown in fig. 3.
Alternatively, the processor 8010 may comprise one or more processing units; preferably, the processor 8010 may integrate the application processor, which handles primarily the operating system, user interface, applications, etc., and the modem processor, which handles primarily the wireless communications. It will be appreciated that the modem processor described above may not be integrated into the processor 8010. In some embodiments, the processor, memory, and/or memory may be implemented on a single chip, or in some embodiments, they may be implemented separately on separate chips.
The memory 8020 may mainly include a program storage area and a data storage area, in which an operating system, various applications, and the like may be stored; the stored data area may store data created according to the use of the electronic device 8000, and the like. Further, the memory 8020 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid-state storage device.
The electronic device 8000 may also include a power supply 8030 (e.g., a battery) that may be used to provide power to the various components, which may be logically coupled to the processor 8010 via a power management system, which may be used to manage charging, discharging, and power consumption.
The display unit 8040 may be used to display information input by a user or information provided to the user, various menus of the electronic device 8000, and the like, and in the embodiment of the present invention, the display unit is mainly used to display a display interface of each application in the electronic device 8000 and objects such as texts and pictures displayed in the display interface. The display unit 8040 may include a display panel 8041. The Display panel 8041 may be configured in the form of a Liquid Crystal Display (LCD), an Organic Light-Emitting Diode (OLED), or the like.
The input unit 8050 can be used to receive information such as numbers or characters input by a user. The input unit 8050 may include a touch panel 8051 and other input devices 8052. Among other things, the touch panel 8051, also referred to as a touch screen, can collect touch operations by a user on or near the touch panel 8051 (e.g., operations by a user on or near the touch panel 8051 using any suitable object or accessory such as a finger, a stylus, etc.).
Specifically, the touch panel 8051 can detect a touch operation of a user, detect signals caused by the touch operation, convert the signals into touch point coordinates, send the touch point coordinates to the processor 8010, receive a command sent by the processor 8010, and execute the command. In addition, the touch panel 8051 can be implemented by various types such as a resistive type, a capacitive type, an infrared ray, and a surface acoustic wave. Other input devices 8052 can include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control keys, power on/off keys, etc.), a trackball, a mouse, a joystick, and the like.
Of course, the touch panel 8051 can cover the display panel 8041. When the touch panel 8051 detects a touch operation on or near it, the touch operation is transmitted to the processor 8010 to determine the type of the touch event, and the processor 8010 then provides a corresponding visual output on the display panel 8041 according to the type of the touch event. Although in FIG. 8 the touch panel 8051 and the display panel 8041 are shown as two separate components that implement the input and output functions of the electronic device 8000, in some embodiments the touch panel 8051 and the display panel 8041 can be integrated to implement the input and output functions of the electronic device 8000.
The electronic device 8000 may also include one or more sensors, such as pressure sensors, gravitational acceleration sensors, proximity light sensors, and the like. Of course, the electronic device 8000 may also include other components such as a camera, as required in a particular application, and these components are not shown in fig. 8 and will not be described in detail since they are not components that are used in the embodiments of the present application.
Those skilled in the art will appreciate that fig. 8 is merely an example of an electronic device and is not limiting of electronic devices and may include more or fewer components than those shown, or some components may be combined, or different components.
In an embodiment of the present application, a readable storage medium has a computer program stored thereon, and when the computer program is executed by a processor, the communication device may perform the steps in the above embodiments.
For convenience of description, the above parts are separately described as modules (or units) according to functional division. Of course, the functionality of the various modules (or units) may be implemented in the same one or more pieces of software or hardware when implementing the present application.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.

Claims (12)

1. An attack detection method, comprising:
carrying out feature extraction on transmission data to be detected to obtain a feature set of the transmission data;
and acquiring an attack detection result of the transmission data based on the feature set and a pre-trained attack detection model, wherein the attack detection model is constructed based on a random forest algorithm.
2. The method of claim 1, wherein the feature set comprises any one or any combination of the following features:
a data length, a symbol probability, a letter probability, an entropy value, and a hidden Markov value of the transmission data;
the symbol probability is determined according to the number of symbols contained in the transmission data and the data length;
the letter probability is determined according to the number of letters contained in the transmission data and the data length;
the entropy value is determined according to a character probability of each character in the transmission data;
the character probability of each character is determined according to the number of the characters of each character and the data length;
the hidden Markov value is obtained based on a hidden Markov model and the transmission data.
3. The method according to claim 2, wherein the performing feature extraction on the transmission data to be detected to obtain a feature set of the transmission data comprises:
acquiring the data length of the transmission data, the number of symbols contained in the transmission data, the number of letters contained in the transmission data and the number of characters of each character;
determining the symbol probability according to the symbol number and the data length, wherein the symbol probability is positively correlated with the symbol number and negatively correlated with the data length;
determining the letter probability according to the letter number and the data length, wherein the letter probability is positively correlated with the letter number and negatively correlated with the data length;
respectively determining the character probability of each character according to the character number and the data length of each character in the transmission data;
determining the entropy value according to the probability of each character;
determining the hidden Markov value of the transmission data based on the hidden Markov model;
and obtaining a characteristic set of the transmission data according to the symbol probability, the letter probability, the entropy value and the hidden Markov value.
4. The method according to any one of claims 1 to 3, wherein obtaining the attack detection result of the transmission data based on the feature set and a pre-trained attack detection model comprises:
vectorizing the feature set to obtain a feature vector;
inputting the feature vectors into each decision tree in the attack detection model, and respectively obtaining an attack classification result corresponding to each decision tree;
and determining the attack detection result of the transmission data according to the proportion of attack classification results that indicate a malicious attack among all attack classification results.
5. The method according to any one of claims 1 to 3, wherein before obtaining the attack detection result of the transmission data based on the feature set and a pre-trained attack detection model, the method further comprises:
acquiring a training data sample set, wherein the training data sample set comprises a plurality of transmission data and a malicious attack category corresponding to each transmission data;
extracting the characteristics of each transmission data in the training data sample set to respectively obtain the characteristic set of each transmission data;
vectorizing each feature set to obtain a plurality of feature vectors;
and training the random forest model based on the characteristic vector and the malicious attack category corresponding to each transmission data to obtain a trained attack detection model.
6. An attack detection apparatus, comprising:
an extraction unit, configured to perform feature extraction on transmission data to be detected to obtain a feature set of the transmission data;
a detection unit, configured to obtain an attack detection result of the transmission data based on the feature set and a pre-trained attack detection model, wherein the attack detection model is constructed based on a random forest algorithm.
7. The apparatus of claim 6, wherein the feature set comprises any one or any combination of the following features:
a data length, a symbol probability, a letter probability, an entropy value, and a hidden Markov value of the transmission data;
the symbol probability is determined according to the number of symbols contained in the transmission data and the data length;
the letter probability is determined according to the number of letters contained in the transmission data and the data length;
the entropy value is determined according to a character probability of each character in the transmission data;
the character probability of each character is determined according to the number of the characters of each character and the data length;
the hidden Markov value is obtained based on a hidden Markov model.
8. The apparatus of claim 7, wherein the extraction unit is configured to:
acquiring the data length of the transmission data, the number of symbols contained in the transmission data, the number of letters contained in the transmission data and the number of characters of each character;
determining the symbol probability according to the symbol number and the data length, wherein the symbol probability is positively correlated with the symbol number and negatively correlated with the data length;
determining the letter probability according to the letter number and the data length, wherein the letter probability is positively correlated with the letter number and negatively correlated with the data length;
respectively determining the character probability of each character according to the character number and the data length of each character in the transmission data;
determining the entropy value according to the probability of each character;
determining the hidden Markov value of the transmission data based on the hidden Markov model;
and obtaining a characteristic set of the transmission data according to the symbol probability, the letter probability, the entropy value and the hidden Markov value.
9. The apparatus according to any one of claims 6-8, wherein the detection unit is configured to:
vectorizing the feature set to obtain a feature vector;
inputting the feature vectors into each decision tree in the attack detection model, and respectively obtaining each attack classification result corresponding to each decision tree;
and determining the attack detection result of the transmission data according to the ratio of the attack classification results.
10. The apparatus according to any one of claims 6-8, wherein the detection unit is further configured to:
acquiring a plurality of transmission data samples and a malicious attack category corresponding to each transmission data sample;
extracting the characteristics of each transmission data sample to respectively obtain the characteristic set of each transmission data sample;
vectorizing each feature set to obtain a plurality of feature vectors;
and training the random forest model based on each feature vector and the corresponding malicious attack category to obtain a trained attack detection model.
11. An electronic device comprising a processor and a memory, the memory storing computer readable instructions that, when executed by the processor, perform the method of any of claims 1-5.
12. A readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the method according to any one of claims 1-5.
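The feature extraction and per-tree vote aggregation recited in claims 7 to 9, as an added Python example that is not part of the patent text. Assumptions: each probability is a plain count/length ratio, the entropy is Shannon entropy in bits, a "symbol" is any character that is not a letter, digit or whitespace, the three decision stumps and the 0.5 vote threshold are constructed for illustration rather than trained, and the hidden Markov value is omitted because the claims give no model parameters.

```python
import math
from collections import Counter

FEATURE_ORDER = ("length", "symbol_prob", "letter_prob", "entropy")

def extract_features(data: str) -> dict:
    """Compute the per-payload features named in claim 7 (HMM value omitted)."""
    n = len(data)
    if n == 0:
        # Empty payload: define every ratio as 0 instead of dividing by zero.
        return {"length": 0, "symbol_prob": 0.0, "letter_prob": 0.0, "entropy": 0.0}
    letters = sum(c.isalpha() for c in data)
    # Assumption: a symbol is anything that is not a letter, digit or whitespace.
    symbols = sum(not (c.isalnum() or c.isspace()) for c in data)
    # Character probability = occurrences of the character / data length.
    probs = [k / n for k in Counter(data).values()]
    entropy = sum(-p * math.log2(p) for p in probs)  # assumed Shannon form, in bits
    return {"length": n, "symbol_prob": symbols / n,
            "letter_prob": letters / n, "entropy": entropy}

def vectorize(features: dict) -> list:
    """Fix the feature order so every tree sees the same vector layout."""
    return [features[name] for name in FEATURE_ORDER]

# Constructed stand-ins for trained decision trees: each maps a vector to a label.
TREES = [
    lambda v: "malicious" if v[1] > 0.25 else "benign",  # symbol-heavy payload
    lambda v: "malicious" if v[2] < 0.60 else "benign",  # few letters
    lambda v: "malicious" if v[3] > 4.00 else "benign",  # high entropy
]

def forest_verdict(vector, trees=TREES, threshold=0.5):
    """Return (label, ratio); ratio is the share of trees voting malicious."""
    if not trees:
        raise ValueError("at least one decision tree is required")
    votes = [tree(vector) for tree in trees]
    ratio = votes.count("malicious") / len(votes)
    return ("malicious" if ratio > threshold else "benign"), ratio

if __name__ == "__main__":
    # Constructed sample payloads.
    for payload in ("name=alice", "id=1' OR '1'='1' --", ""):
        feats = extract_features(payload)
        print(repr(payload), feats, forest_verdict(vectorize(feats)))
```

In a deployment following claim 5, the stumps would be replaced by the trees of a random forest trained on labelled transmission data.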
CN202111163045.7A 2021-09-30 2021-09-30 Attack detection method, device, electronic equipment and medium Pending CN113904837A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111163045.7A CN113904837A (en) 2021-09-30 2021-09-30 Attack detection method, device, electronic equipment and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111163045.7A CN113904837A (en) 2021-09-30 2021-09-30 Attack detection method, device, electronic equipment and medium

Publications (1)

Publication Number Publication Date
CN113904837A true CN113904837A (en) 2022-01-07

Family

ID=79189967

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111163045.7A Pending CN113904837A (en) 2021-09-30 2021-09-30 Attack detection method, device, electronic equipment and medium

Country Status (1)

Country Link
CN (1) CN113904837A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115086044A (en) * 2022-06-17 2022-09-20 湖北天融信网络安全技术有限公司 Attack characteristic processing method and device, electronic equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107786575A (en) * 2017-11-11 2018-03-09 北京信息科技大学 A kind of adaptive malice domain name detection method based on DNS flows
CN107872460A (en) * 2017-11-10 2018-04-03 重庆邮电大学 A kind of wireless sense network dos attack lightweight detection method based on random forest
CN110808968A (en) * 2019-10-25 2020-02-18 新华三信息安全技术有限公司 Network attack detection method and device, electronic equipment and readable storage medium
CN113452648A (en) * 2020-03-24 2021-09-28 北京沃东天骏信息技术有限公司 Method, device, equipment and computer readable medium for detecting network attack

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination