CN113918937B - Illegal event identification method and system based on big data - Google Patents


Publication number
CN113918937B
Authority
CN
China
Prior art keywords
big data
data set
abnormal session
session event
abnormal
Legal status
Active
Application number
CN202111059891.4A
Other languages
Chinese (zh)
Other versions
CN113918937A (en
Inventor
李继庚
洪蒙纳
蔡杰焕
严斌
占小平
胡鹏洋
翟俊杰
Current Assignee
Guangzhou Poi Intelligent Information Technology Co ltd
Original Assignee
Guangzhou Poi Intelligent Information Technology Co ltd
Application filed by Guangzhou Poi Intelligent Information Technology Co ltd filed Critical Guangzhou Poi Intelligent Information Technology Co ltd
Priority to CN202111059891.4A priority Critical patent/CN113918937B/en
Publication of CN113918937A publication Critical patent/CN113918937A/en
Application granted granted Critical
Publication of CN113918937B publication Critical patent/CN113918937B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F40/00: Handling natural language data
    • G06F40/30: Semantic analysis
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00: Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/30: Information retrieval; Database structures therefor; File system structures therefor of unstructured textual data
    • G06F16/33: Querying
    • G06F16/3331: Query processing
    • G06F16/334: Query execution
    • G06F16/3344: Query execution using natural language analysis
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements
    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00: Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Artificial Intelligence (AREA)
  • Computational Linguistics (AREA)
  • Virology (AREA)
  • Audiology, Speech & Language Pathology (AREA)
  • Data Mining & Analysis (AREA)
  • Databases & Information Systems (AREA)
  • Debugging And Monitoring (AREA)

Abstract

According to the illegal event identification method and system based on big data, in the embodiment of the invention, the business big data set comprising the first abnormal session event can be determined from the business big data log by analyzing the business big data log to be subjected to protection analysis, the theme description of the first abnormal session event is acquired from the business big data set, then the distribution condition of the first abnormal session event in the subsequent business big data set is screened out by carrying out theme positioning on the business big data log, and the abnormal session event can be completely captured and positioned through the distribution condition, so that the reliability of positioning the abnormal session event is improved.

Description

Illegal event identification method and system based on big data
Technical Field
The invention relates to the technical field of illegal data identification, in particular to an illegal event identification method and system based on big data.
Background
During the actual operation of a big data service, the relevant service processor may receive viruses and other content that threatens information security. This can damage or destroy stored data and seriously threaten its security, so a feasible way of protecting stored data against such threats is needed. The related art mitigates the threat to stored data by performing security detection on input data and screening out data with potential safety hazards. However, this approach involves a huge workload, and the credibility of the security detection is difficult to guarantee. How to perform reliable threat identification or abnormal-information localization from other angles is therefore a technical problem that urgently needs to be solved.
Disclosure of Invention
In view of the above, the invention provides an illegal event identification method and system based on big data.
In a first aspect, an illegal event recognition method based on big data is provided, and is applied to an illegal event recognition system, and the method at least comprises the following steps:
analyzing a business big data log to be subjected to protection analysis, and determining a first business big data set comprising a first abnormal session event in the business big data log, wherein the first abnormal session event comprises one or more abnormal session events;
obtaining a key description of the first abnormal session event based on the first business big data set, wherein the key description at least comprises a theme description;
performing theme positioning on the business big data log based on the theme description of the first abnormal session event, and judging whether a second business big data set of the business big data log contains the first abnormal session event or not;
on the basis that the second business big data set contains the first abnormal session event, determining a first distribution condition of the first abnormal session event in the second business big data set;
and on the basis that the second business big data set does not contain the first abnormal session event, re-executing keyword analysis on the business big data log, and capturing and positioning a second abnormal session event.
In an independent embodiment, analyzing a service big data log to be subjected to protection analysis, determining a first service big data set including a first abnormal session event in the service big data log, including: and carrying out keyword analysis on the business big data log to be subjected to protection analysis, and determining a first business big data set comprising a first abnormal session event in the business big data log.
In an independent embodiment, analyzing a service big data log to be subjected to protection analysis, determining a first service big data set including a first abnormal session event in the service big data log, including: performing theme positioning on a business big data log to be subjected to protection analysis, and determining an alternative abnormal session event in the business big data log;
determining an abnormal session event meeting the set requirement in the alternative abnormal session events as a first abnormal session event;
and determining the business big data set carrying the first abnormal session event as a first business big data set.
In an independent embodiment, the re-performing keyword resolution on the business big data log, capturing and locating the second abnormal session event includes:
on the basis that the second business big data set does not contain the first abnormal session event, carrying out keyword analysis on the business big data log again, and determining a third business big data set of the business big data log, wherein the third business big data set comprises the captured second abnormal session event;
obtaining a key description of the second abnormal session event based on the third business big data set, wherein the key description at least comprises a theme description;
performing theme positioning on the business big data log based on the theme description of the second abnormal session event, and judging whether a fourth business big data set of the business big data log contains the second abnormal session event or not;
and on the basis that the fourth business big data set contains the second abnormal session event, determining a second distribution condition of the second abnormal session event in the fourth business big data set.
In an independently implemented embodiment, the method further comprises:
carrying out keyword analysis on the business big data log, and judging whether a fourth business big data set of the business big data log contains the first abnormal session event or not;
and on the basis that the fourth business big data set contains the first abnormal session event, determining a third distribution condition of the first abnormal session event in the fourth business big data set.
In an independently implemented embodiment, the method further comprises:
acquiring an operation state expression of the first abnormal session event in the second business big data set on the basis that the second business big data set contains the first abnormal session event;
based on the operational state expression of the first abnormal session event, a reverse threat mechanism for the first abnormal session event is activated.
In an independently implemented embodiment, the method further comprises:
acquiring an operation state expression of the second abnormal session event in the fourth business big data set on the basis that the fourth business big data set contains the second abnormal session event;
and activating a reverse threat mechanism for the second abnormal session event based on the operational state expression of the second abnormal session event.
In an independently implemented embodiment, the method further comprises:
acquiring an operation state expression of the first abnormal session event in the fourth business big data set on the basis that the fourth business big data set contains the first abnormal session event;
Based on the operational state expression of the first abnormal session event, a reverse threat mechanism for the first abnormal session event is activated.
In an independent embodiment, performing keyword analysis on a business big data log to be subjected to protection analysis, and determining a first business big data set including a first abnormal session event in the business big data log, where the keyword analysis includes:
and based on a first abnormal session event which is set in advance, carrying out keyword analysis on a plurality of business big data sets of the business big data log one by one, and determining the first business big data set comprising the first abnormal session event from the plurality of business big data sets.
In an independent embodiment, performing keyword analysis on a business big data log to be subjected to protection analysis, and determining a first business big data set including a first abnormal session event in the business big data log, where the keyword analysis includes:
carrying out keyword analysis on a business big data set of the business big data log to determine an alternative abnormal session event in the business big data set;
determining an abnormal session event meeting the set requirement in the alternative abnormal session events as a first abnormal session event;
And determining the business big data set carrying the first abnormal session event as a first business big data set.
In an independent embodiment, performing theme positioning on the service big data log based on the theme description of the first abnormal session event, and determining whether the second service big data set of the service big data log includes the first abnormal session event includes:
performing theme positioning on a second business big data set of the business big data log, and determining theme description of alternative abnormal session events in the second business big data set;
and when the topic description matched with the topic description of the first abnormal session event is included, determining that the first abnormal session event is included in the second business big data set.
In an independent embodiment, the method is implemented by an intelligent thread, where the intelligent thread includes at least a keyword parsing sub-thread, where performing keyword parsing on a business big data log to be subjected to protection analysis, and determining a first business big data set including a first abnormal session event in the business big data log includes:
loading each business big data set of the business big data log into the keyword analysis sub-thread one by one for processing, and mining keyword description of alternative abnormal session events in each business big data set;
And determining a first business big data set comprising the first abnormal session event according to the keyword description of the alternative abnormal session event.
In an independent embodiment, the intelligent thread further includes a topic location sub-thread, wherein performing topic locating on a second business big data set of the business big data log, and determining a topic description of an alternative abnormal session event in the second business big data set includes:
and loading the second business big data set into a theme positioning sub-thread for processing, and mining theme descriptions of alternative abnormal session events in the second business big data set.
In an independent embodiment, the intelligent thread further includes an operation state expression mining sub-thread, wherein, on the basis that the second business big data set contains the first abnormal session event, obtaining the operation state expression of the first abnormal session event in the second business big data set includes:
and loading the second business big data set into an operation state expression mining sub-thread for processing, and mining the operation state expression of the first abnormal session event in the second business big data set.
In an independent embodiment, the business big data log is a business big data log in a set business scenario crawled by a crawler.
In a second aspect, an illegal event recognition system based on big data is provided, comprising a processor and a memory in communication with each other, the processor being adapted to read a computer program from the memory and execute the computer program to implement the method described above.
According to the illegal event identification method and system based on big data, in the embodiment of the invention, the business big data set comprising the first abnormal session event can be determined from the business big data log by analyzing the business big data log to be subjected to protection analysis, the topic description of the first abnormal session event is acquired from the business big data set, then the distribution condition of the first abnormal session event in the subsequent business big data set is screened out by carrying out topic positioning on the business big data log, and the abnormal session event can be completely captured and positioned through the distribution condition, so that the reliability of positioning the abnormal session event is improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the embodiments will be briefly described below, it being understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and other related drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart of an illegal event recognition method based on big data according to an embodiment of the present invention.
Fig. 2 is a block diagram of an illegal event recognition device based on big data according to an embodiment of the present invention.
Fig. 3 is a schematic diagram of an illegal event recognition system based on big data according to an embodiment of the present invention.
Detailed Description
In order to better understand the above technical solutions, the following detailed description of the technical solutions of the present invention is made by using the accompanying drawings and specific embodiments, and it should be understood that the specific features of the embodiments and the embodiments of the present invention are detailed descriptions of the technical solutions of the present invention, and not limiting the technical solutions of the present invention, and the technical features of the embodiments and the embodiments of the present invention may be combined with each other without conflict.
Referring to Fig. 1, a big data based illegal event recognition method is shown, which may include the following technical solutions described by STEP11-STEP14.
STEP11: analyze a business big data log to be subjected to protection analysis, and determine a first business big data set comprising a first abnormal session event in the business big data log, wherein the first abnormal session event comprises one or more abnormal session events.
STEP12: based on the first business big data set, obtain a key description of the first abnormal session event, where the key description includes at least a theme description.
STEP13: based on the theme description of the first abnormal session event, perform theme positioning on the business big data log, and determine whether the second business big data set of the business big data log contains the first abnormal session event.
STEP14: on the basis that the second business big data set contains the first abnormal session event, determine a first distribution condition of the first abnormal session event in the second business big data set.
In the embodiment of the invention, the business big data log to be subjected to protection analysis can be analyzed to determine the business big data set comprising the first abnormal session event from the business big data log, the theme description of the first abnormal session event is obtained from the business big data set, and then the distribution condition of the first abnormal session event in the subsequent business big data set is screened out by carrying out theme positioning on the business big data log, so that the reliability of positioning the abnormal session event is improved.
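The STEP11-STEP14 flow, together with the keyword re-analysis fallback from the first aspect, can be sketched as follows. This is an added example, not code from the patent: the log format, the `SIGNATURES` keyword descriptions, the `TOPIC_FIELDS` feature list, the exact-match rule and the choice of the next data set as the "second" one are all assumptions made for illustration.

```python
import re

# Constructed sample: one business log already split into three "business
# big data sets" (here simply consecutive batches of session lines).
LOG = [
    ["sid=s1 user=bob action=login src=10.0.0.5",
     "sid=s2 user=eve action=delete scope=all table=orders"],
    ["sid=s4 user=bob action=login src=10.0.0.5",
     "sid=s5 user=eve action=upload file=q3.docm macro=1"],
    ["sid=s7 user=eve action=upload file=q4.docm macro=1",
     "sid=s8 user=bob action=upload file=notes.txt macro=0",
     "sid=s9 user=mal action=upload file=plan.docm macro=1"],
]

# Assumption: keyword descriptions of abnormal session events set in advance.
SIGNATURES = {
    "bulk_delete": {"action=delete", "scope=all"},
    "macro_dropper": {"action=upload", "macro=1"},
}
# Assumption: fields treated as "abnormal key features" of a session.
TOPIC_FIELDS = ("action", "ext", "macro", "scope")


def parse(line):
    """Split a session line into fields and derive the file extension."""
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    if "file" in fields:
        fields["ext"] = fields["file"].rsplit(".", 1)[-1].lower()
    return fields


def keyword_parse(datasets, skip=()):
    """STEP11: first data set and line matching a keyword description."""
    for i, dataset in enumerate(datasets):
        for line in dataset:
            tokens = set(line.split())
            for name, keywords in SIGNATURES.items():
                if name not in skip and keywords <= tokens:
                    return name, i, line
    return None


def topic_description(line):
    """STEP12: topic description = the session's abnormal key features."""
    fields = parse(line)
    return frozenset((k, fields[k]) for k in TOPIC_FIELDS if k in fields)


def topic_locate(dataset, topic, min_ratio=1.0):
    """STEP13: sessions in a data set whose features match the topic."""
    hits = []
    for pos, line in enumerate(dataset):
        feats = topic_description(line)
        if topic and len(topic & feats) / len(topic) >= min_ratio:
            hits.append((pos, parse(line).get("sid")))
    return hits


def identify(datasets):
    """Run STEP11-STEP14; on a miss, redo keyword analysis for another event."""
    skip = []
    while True:
        found = keyword_parse(datasets, skip=skip)
        if found is None:
            return None  # nothing (left) to capture
        name, i, line = found
        topic = topic_description(line)
        # The "second" data set is taken to be the one after the first.
        hits = topic_locate(datasets[i + 1], topic) if i + 1 < len(datasets) else []
        if hits:
            # STEP14: the distribution is where the event sits in that set.
            return {"event": name, "found_in": i, "tracked_in": i + 1,
                    "topic": topic, "distribution": hits}
        skip.append(name)  # fallback: capture and locate a second event


if __name__ == "__main__":
    print(identify(LOG))
```

On the constructed log, `bulk_delete` is captured first but is absent from the following data set, so the fallback captures `macro_dropper` and reports its positions in the last data set.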
In a separate embodiment, the business big data log to be subjected to the protection analysis may be a business big data log, within a set business scenario, crawled by an (authorized or legal) crawler (also known as a web spider or web robot and, in the FOAF community, more often referred to as a web chaser). The set business scenario may be a set theme for which the crawler program crawls business big data logs, and in the set business scenario, the business big data logs of one or more abnormal session events may be crawled.
In an alternative embodiment, the business big data log may be parsed in STEP11, and a first business big data set including a first abnormal session event may be determined from the business big data log. Analyzing the business big data log may include performing keyword analysis on the business big data log and capturing a first abnormal session event through the keyword analysis; it may also include performing theme positioning on the business big data log and capturing the first abnormal session event through theme positioning. The invention does not enumerate the ways of analyzing the business big data log.
In a possible embodiment, the first abnormal session event may include one abnormal session event or may include a plurality of abnormal session events, and may be set according to actual operation steps, and the present invention does not limit the number of the first abnormal session events.
In a separate embodiment, STEP11 may comprise: and carrying out keyword analysis on the business big data log to be subjected to protection analysis, and determining a first business big data set comprising a first abnormal session event in the business big data log. Wherein, the first abnormal session event may be an abnormal standard set in advance. The keyword of the illegal event can be stored in the service client or the system in advance, and the first service big data set comprising the first abnormal session event is determined by respectively analyzing and comparing each service big data set of the service big data log. In addition, the first abnormal session event may be an abnormal session event analyzed from each service big data set of the service big data log, for example, one or more abnormal session events may be included in the set service scenario, and the first abnormal session event may be automatically determined from the abnormal session events.
In one possible embodiment, performing keyword parsing on a service big data log to be subjected to protection analysis, and determining a first service big data set including a first abnormal session event in the service big data log may include: and based on a first abnormal session event which is set in advance, carrying out keyword analysis on a plurality of business big data sets of the business big data log one by one, and determining the first business big data set comprising the first abnormal session event from the plurality of business big data sets.
For example, a first abnormal session event may be set in advance, such as preset data (for example, a malicious computer virus) that may cause big data errors or turbulence. A keyword description of the first abnormal session event can be mined from the content attributes of that event, so that the first abnormal session event can be analyzed in a business big data log. How the keyword description of the first abnormal session event is mined is not repeated here.
In an alternative embodiment, keyword analysis may be performed on a plurality of service big data sets of the service big data log one by one, and the analyzed keyword description is compared with the keyword description of the first abnormal session event, so as to determine a first service big data set including the first abnormal session event from the plurality of service big data sets. It can be understood that keyword analysis can be realized by adopting an AI intelligent learning model and other modes, and the keyword analysis is not described in detail herein.
By the technical scheme, the preset abnormal session event can be accurately analyzed, and the business big data set comprising the preset abnormal session event can be determined, so that the positioning accuracy of the abnormal session event is improved.
In an independent embodiment, performing keyword analysis on a service big data log to be subjected to protection analysis, and determining a first service big data set including a first abnormal session event in the service big data log may include: carrying out keyword analysis on a business big data set of the business big data log to determine an alternative abnormal session event in the business big data set; determining an abnormal session event meeting the set requirement in the alternative abnormal session events as a first abnormal session event; and determining the business big data set carrying the first abnormal session event as a first business big data set.
The method includes the steps of analyzing keywords of a business big data set of a business big data log, determining alternative abnormal session events in the business big data set, judging the alternative abnormal session events in the business big data set according to set requirements, determining the abnormal session events meeting the set requirements as first abnormal session events, and determining the business big data set comprising the first abnormal session events as a first business big data set. The setting requirement may be one or more conditions set in advance, for example, the setting requirement may be understood as an abnormal session event with a large abnormal sequence in the candidate abnormal session event, and may be understood as an abnormal session event with an optimal keyword description in the candidate abnormal session event. Those skilled in the art can configure the setting requirements according to actual operation conditions, which will not be described in detail in the present invention.
By the technical scheme, the abnormal session event meeting the requirements can be determined in real time, and the corresponding service big data set is determined, so that the reliability of positioning the abnormal session event is improved.
In a separate embodiment, the above method may be implemented by an intelligent thread that includes at least a keyword resolution sub-thread. The keyword analysis sub-thread is used for carrying out keyword analysis on the abnormal session events in the business big data set. The keyword resolution sub-thread may, for example, include an AI intelligent thread, etc., and the present invention does not describe the type of the keyword resolution sub-thread one by one.
In an alternative embodiment, performing keyword parsing on a service big data log to be subjected to protection analysis, and determining a first service big data set including a first abnormal session event in the service big data log may include: loading each business big data set of the business big data log into the keyword analysis sub-thread one by one for processing, and mining keyword description of alternative abnormal session events in each business big data set; and determining a first business big data set comprising the first abnormal session event according to the keyword description of the alternative abnormal session event.
For example, keyword resolution may be performed by a keyword resolution sub-thread. Each business big data set of the business big data log can be loaded into the keyword analysis sub-thread one by one to be processed, and keyword description of alternative abnormal session events is mined from each business big data set; according to the keyword description of the alternative abnormal session event, a first business big data set comprising a preset first abnormal session event can be determined, or an abnormal session event meeting the set requirement can be determined, the abnormal session event is taken as the first abnormal session event, and the business big data set comprising the first abnormal session event is determined as the first business big data set.
By the technical scheme, the accuracy of positioning the abnormal session event can be improved.
In an alternative embodiment, STEP11 may comprise: performing theme positioning on a business big data log to be subjected to protection analysis, and determining an alternative abnormal session event in the business big data log; determining an abnormal session event meeting the set requirement in the alternative abnormal session events as a first abnormal session event; and determining the business big data set carrying the first abnormal session event as a first business big data set.
For example, the theme positioning (for example, positioning of the abnormal key feature) may be performed on the service big data set of the service big data log, the candidate abnormal session event in the service big data set is determined, then the candidate abnormal session event in the service big data set is determined according to the setting requirement, the abnormal session event meeting the setting requirement is determined as the first abnormal session event, and the service big data set including the first abnormal session event is determined as the first service big data set. The setting requirement may be one or more conditions set in advance, for example, the setting requirement may be that the abnormal key features of the candidate abnormal session event are completely presented, or that the reliability of each abnormal key feature of the candidate abnormal session event is highest.
By the embodiment, the abnormal session event meeting the requirement can be determined in real time, and the corresponding business big data set is determined, so that the reliability of positioning the abnormal session event is improved.
In an alternative embodiment, after the first business big dataset is determined by topic localization, a keyword description of the first abnormal session event may be obtained. According to the keyword description, keyword analysis can be performed when the first abnormal session event is lost. It can be understood that, the keyword description of the first abnormal session event may be obtained in different manners, and the method for obtaining the keyword description is not repeated in the present invention.
In an alternative embodiment, after the first business big data set is determined, a key description of the first abnormal session event may be obtained in STEP12, the key description including at least a topic description (e.g., the topic of the abnormal key feature in the business big data set). The key description of the first abnormal session event may take various forms, such as a keyword description, a theme description, an operation state expression, and the like. From the first business big data set, a key description of the first abnormal session event that includes at least a topic description may be obtained. It can be understood that the topic description of the first abnormal session event can be obtained in a plurality of ways, and the method for obtaining the topic description is not repeated in detail.
In an independent embodiment, the topic description of the first abnormal session event may be described by the topic of the abnormal key feature in the business big data set, and further, the topic description of the first abnormal session event may be determined by the location of the abnormal key feature of the first abnormal session event in the first business big data set. For example, the first abnormal session event may be set to have 10 abnormal key features, and the topic description of the first abnormal session event may be determined according to the topics of the 10 abnormal key features in the first business big data set. The number of abnormal key features can be set according to the actual operation condition, and the specific number of abnormal key features is not enumerated here.
In an alternative embodiment, according to the topic description of the first abnormal session event, the topic positioning may be performed on the service big data log in STEP13, to determine whether the second service big data set of the service big data log includes the first abnormal session event. That is, the attribute screening is performed on the first abnormal session event within the set business scenario (analysis subject). If the first abnormal session event is screened, the first abnormal session event can be considered to be in a set service scene, and the distribution condition of the first abnormal session event in the service big data set can be determined in STEP 14; if the first abnormal session event is not screened, the first abnormal session event can be considered to be in accordance with the set business scenario.
In a separate embodiment, STEP13 may comprise: performing topic location on a second business big data set of the business big data log, and determining topic description of an alternative abnormal session event in the second business big data set; and when the topic description matched with the topic description of the first abnormal session event is included, determining that the first abnormal session event is included in the second business big data set.
By way of example, the topic description may be represented by abnormal key features. Topic positioning is performed on the second business big data set of the business big data log, so that the topic of each abnormal key feature of the alternative abnormal session events in the second business big data set can be obtained. The topics of the abnormal key features of the alternative abnormal session events acquired from the second business big data set are compared one by one with the topics of the abnormal key features of the first abnormal session event, and the degree of similarity between the topics of the abnormal key features of each alternative abnormal session event and those of the first abnormal session event is determined. If there is a topic of an abnormal key feature whose similarity is greater than or equal to the set similarity criterion value, the second business big data set may be considered to include a topic description matching the topic description of the first abnormal session event, and it may be determined that the second business big data set includes the first abnormal session event.
Determining through the association of topic descriptions that the second business big data set contains the first abnormal session event can improve the reliability of positioning the abnormal session event.
In an independent embodiment, where the big data based illegal event recognition method is implemented by an intelligent thread, the intelligent thread may include at least a topic location sub-thread. The theme positioning sub-thread can be used for performing theme positioning on the business big data set. It is to be appreciated that the topic location sub-thread can include, for example, an AI-intelligent thread.
In an independent embodiment, performing topic location on the second service big data set of the service big data log and determining the topic description of the candidate abnormal session event in the second service big data set may include: loading the second business big data set into the theme positioning sub-thread for processing, and mining the topic descriptions of the alternative abnormal session events in the second business big data set.
The theme positioning sub-thread is used for performing theme positioning on the second business big data set, so that the accuracy of theme positioning can be improved, and the reliability of positioning abnormal session events is improved.
In an independently implemented embodiment, in STEP14, a first distribution of the first abnormal session event in the second business big data set may be determined on the basis that the second business big data set includes the first abnormal session event. By determining the first distribution condition of the first abnormal session event in the second business big data set, the accuracy of positioning the abnormal session event can be improved.
In an alternative embodiment, the method may further comprise: on the basis that the second business big data set contains the first abnormal session event, obtaining the operation state expression of the first abnormal session event in the second business big data set; and activating an anti-threat mechanism for the first abnormal session event according to the operation state expression of the first abnormal session event.
For example, when the second service big data set includes the first abnormal session event, an operation state expression of the first abnormal session event in the second service big data set may be obtained, where the operation state expression may be used to characterize the subject matter of the first abnormal session event in the second service big data set, and may be represented by an interrelationship of abnormal key features. Based on the operation state expression of the first abnormal session event, an anti-threat mechanism for the first abnormal session event may be activated. For example, the first abnormal session event may be visualized according to the content of the preset abnormal session event. Further, the anti-threat mechanism for the first abnormal session event may be to determine whether the operation state expression (the interrelationship of the abnormal key features) of the first abnormal session event is associated with the operation state expression (the interrelationship of the abnormal key features) of the preset abnormal session event, and to give scoring information according to the association, wherein the higher the association is, the higher the score is. The operation state expression of the first abnormal session event may be a dimension attribute when the first abnormal session event interacts with a preset abnormal session event, and correspondingly, the anti-threat mechanism for the first abnormal session event may also be to implement a corresponding countermeasure according to the operation state expression of the first abnormal session event.
It can be appreciated that various contents, such as an abnormal division rule, etc., can be determined according to the operation state expression of the first abnormal session event; according to the operation state expression, the anti-threat mechanism for the first abnormal session event can be activated in various ways, the relevance between the operation state expression of the first abnormal session event and the operation state expression of the preset abnormal session event can be evaluated and scoring information can be given, corresponding countermeasures can be implemented according to the operation state expression of the first abnormal session event, and other operations can be used.
By acquiring the operation state expression of the first abnormal session event and activating the anti-threat mechanism for the first abnormal session event according to the operation state expression, the reliability of locating and screening the first abnormal session event can be improved.
In an independent embodiment, where the big data based illegal event recognition method is implemented by an intelligent thread, the intelligent thread may include at least an operational state expression mining sub-thread. The operation state expression mining sub-thread can be used for mining the operation state expression of the first abnormal session event in the business big data set. It is understood that the operation state expression mining sub-thread may include, for example, an AI intelligent thread, and the present invention does not describe the type of the operation state expression mining sub-thread in detail.
In an alternative embodiment, on the basis that the second service big data set includes the first abnormal session event, obtaining the operation state expression of the first abnormal session event in the second service big data set may include: loading the second business big data set into the operation state expression mining sub-thread for processing, and mining the operation state expression of the first abnormal session event in the second business big data set.
The operational state expression of the first abnormal session event is obtained through the operational state expression mining sub-thread, so that the reliability of the operational state expression of the first abnormal session event can be improved, and the reliability of positioning and screening the first abnormal session event can be improved.
According to the flow of the big-data-based illegal event identification method disclosed in the embodiment of the invention, in a separate embodiment, the method may further include the following.
STEP15, on the basis that the second service big data set does not contain the first abnormal session event, carrying out keyword analysis on the service big data log again, and determining a third service big data set of the service big data log, wherein the third service big data set comprises the captured second abnormal session event.
STEP16, based on the third service big data set, obtaining a key description of the second abnormal session event, wherein the key description at least comprises a theme description.
STEP17, based on the theme description of the second abnormal session event, performing theme positioning on the service big data log, and determining whether the fourth service big data set of the service big data log contains the second abnormal session event.
STEP18, on the basis that the fourth service big data set contains the second abnormal session event, determining a second distribution condition of the second abnormal session event in the fourth service big data set.
In the above embodiment, on the basis that the second service big data set does not include the first abnormal session event, keyword analysis may be performed on the service big data log again, a third service big data set including the second abnormal session event is determined, and a subject description of the second abnormal session event in the third service big data set is obtained; according to the topic description of the second abnormal session event, topic positioning can be carried out on the business big data log, and whether the fourth business big data set of the business big data log contains the second abnormal session event is determined; and determining a second distribution condition of the second abnormal session event in the fourth business big data set on the basis that the fourth business big data set contains the second abnormal session event.
On the basis that the first abnormal session event is not contained in the second business big data set, keyword analysis is carried out on the business big data log again, and the second abnormal session event is captured, positioned and screened, so that the reliability of positioning and screening abnormal session events can be improved.
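The following sketch is an added illustration, not code from the patent, of the topic matching against a similarity criterion value described for STEP13 and of the re-capture fallback in STEP15 to STEP18. Everything concrete in it is an assumption: the keyword list, Jaccard overlap as the similarity measure, the 0.6 threshold, "at least two distinct features" as the setting requirement, record positions as the distribution condition, and the constructed sample log.

```python
from dataclasses import dataclass

# Assumed values: the text names a "similarity criterion value" and keyword
# analysis but gives neither a threshold nor a keyword list.
SIMILARITY_THRESHOLD = 0.6
KEYWORDS = {"failed_login", "token_reuse", "priv_change", "bulk_export"}


@dataclass(frozen=True)
class Event:
    session: str
    topics: frozenset   # topic description: topics of the abnormal key features
    positions: tuple    # record indices in the data set (the "distribution")


def candidate_events(data_set):
    """Group records by session; keyword hits become abnormal key features."""
    grouped = {}
    for idx, (session, action) in enumerate(data_set):
        if action in KEYWORDS:
            topics, positions = grouped.setdefault(session, (set(), []))
            topics.add(action)
            positions.append(idx)
    return [Event(s, frozenset(t), tuple(p)) for s, (t, p) in grouped.items()]


def keyword_analysis(log, start=0, min_features=2):
    """STEP11 / STEP15: first data set at or after `start` holding a candidate
    that meets the (assumed) setting requirement of >= min_features topics."""
    for i in range(start, len(log)):
        ok = [e for e in candidate_events(log[i]) if len(e.topics) >= min_features]
        if ok:
            return i, max(ok, key=lambda e: len(e.topics))
    return None


def jaccard(a, b):
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def topic_location(data_set, tracked):
    """STEP13 / STEP17: best candidate whose topic similarity to the tracked
    event reaches the criterion value, or None if the event is lost."""
    best, best_score = None, 0.0
    for cand in candidate_events(data_set):
        score = jaccard(cand.topics, tracked.topics)
        if score >= SIMILARITY_THRESHOLD and score > best_score:
            best, best_score = cand, score
    return best


def track(log):
    """Return (data_set_index, event_number, positions) for every data set in
    which the currently tracked abnormal session event is located."""
    found = keyword_analysis(log)
    if found is None:
        return []
    i, tracked = found
    event_no = 1
    trail = [(i, event_no, tracked.positions)]
    i += 1
    while i < len(log):
        match = topic_location(log[i], tracked)
        if match is not None:                    # STEP14 / STEP18: distribution
            trail.append((i, event_no, match.positions))
            i += 1
            continue
        found = keyword_analysis(log, start=i)   # STEP15: event lost, re-capture
        if found is None:
            break
        i, tracked = found
        event_no += 1
        trail.append((i, event_no, tracked.positions))
        i += 1
    return trail


# Constructed sample log: five data sets of (session id, action) records.
SAMPLE_LOG = [
    [("s1", "page_view"), ("s7", "failed_login"), ("s7", "token_reuse"),
     ("s7", "priv_change"), ("s2", "page_view")],
    [("s9", "failed_login"), ("s3", "page_view"), ("s9", "token_reuse")],
    [("s4", "bulk_export"), ("s4", "page_view")],
    [("s5", "bulk_export"), ("s5", "priv_change"), ("s1", "page_view")],
    [("s6", "priv_change"), ("s6", "bulk_export"), ("s6", "failed_login")],
]

if __name__ == "__main__":
    for row in track(SAMPLE_LOG):
        print(row)
```

In the sample, the third data set holds only a single-feature candidate, so the first event is lost there and a second event is captured in the fourth data set and then located again in the fifth.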
In a separate embodiment, the method further comprises: acquiring an operation state expression of a second abnormal session event in a fourth business big data set on the basis that the fourth business big data set contains the second abnormal session event; and activating a reverse threat mechanism for the second abnormal session event based on the operational state expression of the second abnormal session event.
For example, when the fourth service big data set includes the second abnormal session event, an operation state expression of the second abnormal session event in the fourth service big data set may be obtained, where the operation state expression may be used to represent the subject content of the second abnormal session event in the fourth service big data set, and may be represented by an interrelationship of abnormal key features. Based on the operation state expression of the second abnormal session event, an anti-threat mechanism for the second abnormal session event may be activated. Accordingly, the anti-threat mechanism for the second abnormal session event may be to determine whether the operation state expression (the interrelationship of the abnormal key features) of the second abnormal session event is associated with the operation state expression (the interrelationship of the abnormal key features) of the preset abnormal session event, and to give scoring information according to the association, wherein the higher the association is, the higher the scoring information is. The operation state expression of the second abnormal session event may be a dimension attribute when the second abnormal session event interacts with the preset abnormal session event, and correspondingly, the anti-threat mechanism for the second abnormal session event may also be to implement a corresponding countermeasure according to the operation state expression of the second abnormal session event.
It will be appreciated that the various content may be determined based on the operational state representation of the second abnormal session event, and that the various anti-threat mechanisms for the second abnormal session event may be activated based on the operational state representation. The invention does not describe the operation state expression of the second abnormal conversation event and the anti-threat mechanism for the second abnormal conversation event executed according to the operation state expression one by one.
By acquiring the operation state expression of the second abnormal session event and activating the anti-threat mechanism for the second abnormal session event according to the operation state expression, the reliability of locating and screening the second abnormal session event can be improved.
In a separate embodiment, the method further comprises, on the basis that the second business big data set does not include the first abnormal session event (the first abnormal session event is lost) and screening for a second abnormal session event has begun: carrying out keyword analysis on the business big data log, and judging whether a fourth business big data set of the business big data log contains the first abnormal session event; and on the basis that the fourth business big data set contains the first abnormal session event, determining a third distribution condition of the first abnormal session event in the fourth business big data set.
For example, on the basis that the second service big data set does not include the first abnormal session event, when the second abnormal session event is located, keyword analysis may be performed on the service big data log again, so as to determine whether the fourth service big data set of the service big data log includes the first abnormal session event. The keyword analysis may be performed on the business big data log continuously, intermittently (e.g., 6 seconds), or once at intervals of a plurality of business big data sets. The methods for keyword analysis are not enumerated here.
In an independent embodiment, on the basis that the fourth business big data set includes the first abnormal session event, a third distribution of the first abnormal session event in the fourth business big data set may be determined, i.e., the localization of the first abnormal session event is started here.
By the technical scheme, the accuracy of locating and screening the first abnormal session event can be improved.
In a separate embodiment, the method further comprises: acquiring an operation state expression of the first abnormal session event in the fourth business big data set on the basis that the fourth business big data set contains the first abnormal session event; and activating an anti-threat mechanism for the first abnormal session event based on the operation state expression of the first abnormal session event.
For example, when the fourth service big data set includes the first abnormal session event, an operation state expression of the first abnormal session event in the fourth service big data set may be obtained, where the operation state expression may be used to represent the subject content of the first abnormal session event in the fourth service big data set, and may be represented by an interrelationship of abnormal key features. Based on the operation state expression of the first abnormal session event, an anti-threat mechanism for the first abnormal session event may be activated. Accordingly, the anti-threat mechanism for the first abnormal session event may be to determine whether the operation state expression (the interrelationship of the abnormal key features) of the first abnormal session event matches the operation state expression (the interrelationship of the abnormal key features) of the preset abnormal session event, and to give scoring information according to the relevance, wherein the higher the relevance is, the higher the scoring information is. The operation state expression of the first abnormal session event may be a dimension attribute when the first abnormal session event interacts with a preset abnormal session event, and correspondingly, the anti-threat mechanism for the first abnormal session event may also be to implement a corresponding countermeasure according to the operation state expression of the first abnormal session event.
It will be appreciated that a variety of content may be determined based on the operational state representation of the first abnormal session event, and that there may be more than one anti-threat mechanism activated for the first abnormal session event based on the operational state representation.
By acquiring the operation state expression of the first abnormal session event and activating the anti-threat mechanism aiming at the first abnormal session event according to the operation state expression, the accuracy of positioning and screening the first abnormal session event can be improved.
On the basis of the above, please refer to fig. 2 in combination, there is provided an illegal event recognition device 200 based on big data, which is applied to an illegal event recognition system based on big data, the device includes:
the log determining module 210 is configured to parse a service big data log to be subjected to protection analysis, and determine a first service big data set including a first abnormal session event in the service big data log, where the first abnormal session event includes one or more abnormal session events;
an event judging module 220, configured to obtain, based on the first service big data set, a key description of the first abnormal session event, where the key description includes at least a topic description; performing theme positioning on the business big data log based on the theme description of the first abnormal session event, and judging whether a second business big data set of the business big data log contains the first abnormal session event or not;
A positioning capturing module 230, configured to determine, based on the second service big data set including the first abnormal session event, a first distribution condition of the first abnormal session event in the second service big data set; and on the basis that the second business big data set does not contain the first abnormal conversation event, re-executing keyword analysis on the business big data log, capturing the second abnormal conversation event and positioning.
On the basis of the above, please refer to fig. 3 in combination, there is shown an illegal event recognition system 300 based on big data, comprising a processor 310 and a memory 320 in communication with each other, wherein the processor 310 is configured to read and execute a computer program from the memory 320 to implement the above-mentioned method.
On the basis of the above, there is also provided a computer readable storage medium on which a computer program is stored which, when run, implements the above method.
In summary, based on the above scheme, in the embodiment of the present invention, a service big data set including a first abnormal session event can be determined from the service big data log by analyzing the service big data log to be subjected to protection analysis, and a topic description of the first abnormal session event is obtained from the service big data set, and then, by performing topic positioning on the service big data log, a distribution condition of the first abnormal session event in a subsequent service big data set is screened out, and by using the distribution condition, the abnormal session event can be completely captured and positioned, thereby improving reliability of positioning of the abnormal session event.
It should be appreciated that the systems and modules thereof shown above may be implemented in a variety of ways. For example, in some embodiments, the system and its modules may be implemented in hardware, software, or a combination of software and hardware. Wherein the hardware portion may be implemented using dedicated logic; the software portions may then be stored in a memory and executed by a suitable instruction execution system, such as a microprocessor or special purpose design hardware. Those skilled in the art will appreciate that the methods and systems described above may be implemented using computer executable instructions and/or embodied in processor control code, such as provided on a carrier medium such as a magnetic disk, CD or DVD-ROM, a programmable memory such as read only memory (firmware), or a data carrier such as an optical or electronic signal carrier. The system of the present invention and its modules may be implemented not only with hardware circuitry such as very large scale integrated circuits or gate arrays, semiconductors such as logic chips, transistors, etc., or programmable hardware devices such as field programmable gate arrays, programmable logic devices, etc., but also with software executed by various types of processors, for example, and with a combination of the above hardware circuitry and software (e.g., firmware).
It should be noted that, the advantages that may be generated by different embodiments may be different, and in different embodiments, the advantages that may be generated may be any one or a combination of several of the above, or any other possible advantages that may be obtained.
While the basic concepts have been described above, it will be apparent to those skilled in the art that the foregoing detailed disclosure is by way of example only and is not intended to be limiting. Although not explicitly described herein, various modifications, improvements and adaptations of the invention may occur to one skilled in the art. Such modifications, improvements, and modifications are intended to be suggested within the present disclosure, and therefore, such modifications, improvements, and adaptations are intended to be within the spirit and scope of the exemplary embodiments of the present disclosure.
Meanwhile, the present invention uses specific words to describe embodiments of the present invention. Reference to "one embodiment," "an embodiment," and/or "some embodiments" means that a particular feature, structure, or characteristic is associated with at least one embodiment of the invention. Thus, it should be emphasized and should be appreciated that two or more references to "an embodiment" or "one embodiment" or "an alternative embodiment" in various positions in this specification are not necessarily referring to the same embodiment. Furthermore, certain features, structures, or characteristics of one or more embodiments of the invention may be combined as suitable.
Furthermore, those skilled in the art will appreciate that the various aspects of the invention are illustrated and described in the context of a number of patentable categories or circumstances, including any novel and useful procedures, machines, products, or materials, or any novel and useful modifications thereof. Accordingly, aspects of the invention may be performed entirely by hardware, entirely by software (including firmware, resident software, micro-code, etc.) or by a combination of hardware and software. The above hardware or software may be referred to as a "data block," "module," "engine," "unit," "component," or "system." Furthermore, aspects of the invention may take the form of a computer product, comprising computer-readable program code, embodied in one or more computer-readable media.
The computer storage medium may contain a propagated data signal with the computer program code embodied therein, for example, on a baseband or as part of a carrier wave. The propagated signal may take on a variety of forms, including electro-magnetic, optical, etc., or any suitable combination thereof. A computer storage medium may be any computer readable medium that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code located on a computer storage medium may be propagated through any suitable medium, including radio, cable, fiber optic cable, RF, or the like, or a combination of any of the foregoing.
The computer program code necessary for operation of portions of the present invention may be written in any one or more programming languages, including an object oriented programming language such as Java, Scala, Smalltalk, Eiffel, JADE, Emerald, C++, C#, VB.NET, Python, etc., a conventional programming language such as C, Visual Basic, Fortran 2003, Perl, COBOL 2002, PHP, ABAP, dynamic programming languages such as Python, Ruby and Groovy, or other programming languages, etc. The program code may execute entirely on the user's computer or as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any form of network, such as a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet), or through services such as software as a service (SaaS) in a cloud computing environment.
Furthermore, the order in which the elements and sequences are presented, the use of numerical letters, or other designations are used in the invention is not intended to limit the sequence of the processes and methods unless specifically recited in the claims. While certain presently useful inventive embodiments have been discussed in the foregoing disclosure, by way of example, it is to be understood that such details are merely illustrative and that the appended claims are not limited to the disclosed embodiments, but, on the contrary, are intended to cover all modifications and equivalent arrangements included within the spirit and scope of the embodiments of the invention. For example, while the system components described above may be implemented by hardware devices, they may also be implemented solely by software solutions, such as installing the described system on an existing server or mobile device.
Similarly, it should be noted that in order to simplify the description of the present disclosure and thereby aid in understanding one or more inventive embodiments, various features are sometimes grouped together in a single embodiment, figure, or description thereof. This method of disclosure, however, is not intended to imply that the subject invention requires more features than are set forth. Indeed, an embodiment may have fewer than all of the features of a single embodiment disclosed above.
In some embodiments, numbers describing quantities of components and attributes are used; it should be understood that such numbers used in the description of embodiments are modified in some examples by the modifier "about," "approximately," or "substantially." Unless otherwise indicated, "about," "approximately," or "substantially" indicate that the numbers allow for adaptive variation. Accordingly, in some embodiments, numerical parameters set forth in the specification and claims are approximations that may vary depending upon the desired properties sought to be obtained by the individual embodiments. In some embodiments, the numerical parameters should take into account the specified significant digits and employ a general method of preserving digits. Although the numerical ranges and parameters used to determine the breadth of the range are approximations in some embodiments, in particular embodiments the numerical values are set forth as precisely as possible.
Each patent, patent application publication, and other material, such as articles, books, specifications, publications, documents, etc., cited herein is hereby incorporated by reference in its entirety. Excluded are application history documents that are inconsistent or in conflict with this disclosure, as well as documents (currently or later attached to this disclosure) that limit the broadest scope of the claims of this disclosure. It is noted that if there is a discrepancy or conflict between the description, definition, and/or use of a term in the material attached to this disclosure and that in this invention, the description, definition, and/or use of the term in this invention controls.
Finally, it should be understood that the embodiments described herein are merely illustrative of the principles of the embodiments of the present invention. Other variations are also possible within the scope of the invention. Thus, by way of example, and not limitation, alternative configurations of embodiments of the invention may be considered in keeping with the teachings of the invention. Accordingly, the embodiments of the present invention are not limited to the embodiments explicitly described and depicted herein.
The foregoing is merely exemplary of the present invention and is not intended to limit the present invention. Various modifications and variations of the present invention will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. which come within the spirit and principles of the invention are to be included in the scope of the claims of the present invention.

Claims (9)

1. A big data-based illegal event identification method, characterized in that it is applied to an illegal event identification system and comprises the following steps:
analyzing a business big data log to be subjected to protection analysis, and determining, in the business big data log, a first business big data set that comprises a first abnormal session event, wherein the first abnormal session event comprises one or more abnormal session events;
obtaining a key description of the first abnormal session event based on the first business big data set, wherein the key description at least comprises a topic description; performing topic positioning on the business big data log based on the topic description of the first abnormal session event, and judging whether a second business big data set of the business big data log contains the first abnormal session event;
on the basis that the second business big data set contains the first abnormal session event, determining a first distribution condition of the first abnormal session event in the second business big data set; on the basis that the second business big data set does not contain the first abnormal session event, performing keyword analysis on the business big data log again, and capturing and locating a second abnormal session event;
wherein performing topic positioning on the business big data log based on the topic description of the first abnormal session event, and judging whether a second business big data set of the business big data log contains the first abnormal session event, comprises:
performing topic positioning on the second business big data set of the business big data log, and determining topic descriptions of alternative abnormal session events in the second business big data set;
determining that the second business big data set contains the first abnormal session event when it contains a topic description that matches the topic description of the first abnormal session event;
the method is implemented by an intelligent thread, the intelligent thread comprising at least a keyword analysis sub-thread, wherein performing keyword analysis on the business big data log to be subjected to protection analysis, and determining a first business big data set comprising a first abnormal session event in the business big data log, comprises:
loading each business big data set of the business big data log into the keyword analysis sub-thread one by one for processing, and mining keyword descriptions of alternative abnormal session events in each business big data set;
determining the first business big data set comprising the first abnormal session event according to the keyword descriptions of the alternative abnormal session events;
the intelligent thread further comprises a topic positioning sub-thread, wherein performing topic positioning on the second business big data set of the business big data log, and determining topic descriptions of alternative abnormal session events in the second business big data set, comprises:
loading the second business big data set into the topic positioning sub-thread for processing, and mining topic descriptions of alternative abnormal session events in the second business big data set;
the intelligent thread further comprises an operation state expression mining sub-thread, wherein acquiring an operation state expression of the first abnormal session event in the second business big data set, on the basis that the second business big data set contains the first abnormal session event, comprises:
loading the second business big data set into the operation state expression mining sub-thread for processing, and mining the operation state expression of the first abnormal session event in the second business big data set;
the business big data log is a business big data log, in a set business scene, crawled by a crawler program.
2. The method of claim 1, wherein analyzing a business big data log to be subjected to protection analysis, and determining a first business big data set comprising a first abnormal session event in the business big data log, comprises: performing keyword analysis on the business big data log to be subjected to protection analysis, and determining the first business big data set comprising the first abnormal session event in the business big data log.
3. The method of claim 1, wherein analyzing a business big data log to be subjected to protection analysis, and determining a first business big data set comprising a first abnormal session event in the business big data log, comprises: performing topic positioning on the business big data log to be subjected to protection analysis, and determining alternative abnormal session events in the business big data log;
determining an abnormal session event that meets the set requirement among the alternative abnormal session events as the first abnormal session event;
and determining the business big data set carrying the first abnormal session event as the first business big data set.
4. The method of claim 1, wherein performing keyword analysis on the business big data log again, and capturing and locating a second abnormal session event, comprises:
on the basis that the second business big data set does not contain the first abnormal session event, performing keyword analysis on the business big data log again, and determining a third business big data set of the business big data log, wherein the third business big data set comprises the captured second abnormal session event;
obtaining a key description of the second abnormal session event based on the third business big data set, wherein the key description at least comprises a topic description;
performing topic positioning on the business big data log based on the topic description of the second abnormal session event, and judging whether a fourth business big data set of the business big data log contains the second abnormal session event;
determining a second distribution condition of the second abnormal session event in the fourth business big data set on the basis that the fourth business big data set contains the second abnormal session event;
wherein the method further comprises:
performing keyword analysis on the business big data log, and judging whether the fourth business big data set of the business big data log contains the first abnormal session event;
and on the basis that the fourth business big data set contains the first abnormal session event, determining a third distribution condition of the first abnormal session event in the fourth business big data set.
5. The method according to claim 1, wherein the method further comprises:
acquiring an operation state expression of the first abnormal session event in the second business big data set on the basis that the second business big data set contains the first abnormal session event;
based on the operational state expression of the first abnormal session event, a reverse threat mechanism for the first abnormal session event is activated.
6. The method as recited in claim 4, wherein the method further comprises:
acquiring an operation state expression of the second abnormal session event in the fourth business big data set on the basis that the fourth business big data set contains the second abnormal session event;
and activating a reverse threat mechanism for the second abnormal session event based on the operational state expression of the second abnormal session event.
7. The method as recited in claim 4, wherein the method further comprises:
acquiring an operation state expression of the first abnormal session event in the fourth business big data set on the basis that the fourth business big data set contains the first abnormal session event;
based on the operational state expression of the first abnormal session event, a reverse threat mechanism for the first abnormal session event is activated.
8. The method of claim 2, wherein performing keyword analysis on a business big data log to be subjected to protection analysis, and determining a first business big data set comprising a first abnormal session event in the business big data log, comprises:
based on a first abnormal session event that is set in advance, performing keyword analysis on a plurality of business big data sets of the business big data log one by one, and determining, from the plurality of business big data sets, the first business big data set comprising the first abnormal session event;
performing keyword analysis on the business big data log to be subjected to protection analysis comprises:
performing keyword analysis on a business big data set of the business big data log to determine alternative abnormal session events in the business big data set;
determining an abnormal session event that meets the set requirement among the alternative abnormal session events as the first abnormal session event;
and determining the business big data set carrying the first abnormal session event as the first business big data set.
9. A big data based illegal event identification system, characterized by comprising a processor and a memory in communication with each other, said processor being adapted to read a computer program from said memory and to execute it for implementing the method according to any of the claims 1-8.
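The control flow of claim 1, as an added illustration that is not part of the patent text: keyword analysis over the data sets one by one, topic positioning on a second data set, then either the distribution of the first event or a renewed keyword pass that captures a second event. The keyword list, the stop words, the token-set "topic description", the Jaccard matching rule, the use of session ids as the "distribution" and the sample log are all assumptions made for the example.

```python
import re

# Assumptions (not from the patent): keyword list, stop words, and Jaccard
# similarity as the rule for "matching" two topic descriptions.
KEYWORDS = {"otp", "password", "wire"}
STOP = {"the", "a", "to", "your", "me", "for", "is", "and"}

def topic_of(text):
    """Topic description, assumed here to be the set of non-stop-word tokens."""
    return {w for w in re.findall(r"[a-z]+", text.lower()) if w not in STOP}

def keyword_analysis(data_set):
    """Candidate abnormal session events: sessions whose text hits a keyword."""
    return [s for s in data_set if KEYWORDS & topic_of(s["text"])]

def topics_match(a, b, threshold=0.5):
    return len(a & b) / len(a | b) >= threshold

def identify(log, second_idx):
    """Claim 1 flow; log is a list of data sets, each a list of sessions."""
    # Load the data sets one by one; the first with a hit is the first data set.
    for first_idx, ds in enumerate(log):
        hits = keyword_analysis(ds)
        if hits:
            break
    else:
        return {"status": "no_abnormal_event"}
    topic = topic_of(hits[0]["text"])
    # Topic positioning on the second data set: keyword-free sessions can match.
    located = [s["id"] for s in log[second_idx]
               if topics_match(topic, topic_of(s["text"]))]
    if located:
        return {"status": "first_event_located", "first_set": first_idx,
                "distribution": located}
    # Not present: keyword analysis again, capturing an event on another topic.
    for i, ds in enumerate(log):
        for s in keyword_analysis(ds):
            if not topics_match(topic, topic_of(s["text"])):
                return {"status": "second_event_captured", "set": i,
                        "session": s["id"]}
    return {"status": "no_further_event"}

# Constructed sample log: three data sets of chat sessions.
LOG = [
    [{"id": "s1", "text": "Order shipped today"},
     {"id": "s2", "text": "Send me your OTP code for account unlock"}],
    [{"id": "s3", "text": "send the code to unlock account"},
     {"id": "s4", "text": "Invoice attached"}],
    [{"id": "s5", "text": "Urgent wire needed today"}],
]

if __name__ == "__main__":
    print(identify(LOG, 1))
    print(identify(LOG, 2))
```

Session `s3` contains none of the assumed keywords, so keyword analysis alone misses it; the topic match against the event found in the first data set is what locates it.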
CN202111059891.4A 2021-09-10 2021-09-10 Illegal event identification method and system based on big data Active CN113918937B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111059891.4A CN113918937B (en) 2021-09-10 2021-09-10 Illegal event identification method and system based on big data

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111059891.4A CN113918937B (en) 2021-09-10 2021-09-10 Illegal event identification method and system based on big data

Publications (2)

Publication Number Publication Date
CN113918937A CN113918937A (en) 2022-01-11
CN113918937B true CN113918937B (en) 2023-07-18

Family

ID=79234440

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111059891.4A Active CN113918937B (en) 2021-09-10 2021-09-10 Illegal event identification method and system based on big data

Country Status (1)

Country Link
CN (1) CN113918937B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114697127B (en) * 2022-04-13 2023-04-14 以上科技有限公司 Service session risk processing method based on cloud computing and server
CN115174231B (en) * 2022-07-08 2024-01-02 北京基智科技有限公司 Network fraud analysis method and server based on AI Knowledge Base
CN117149787B (en) * 2023-08-31 2024-03-26 广州万融数据服务有限公司 Key information grabbing and displaying method based on big data

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CA2930623A1 (en) * 2015-05-22 2016-11-22 Interset Software Inc. Method and system for aggregating and ranking of security event-based data
WO2020259392A1 (en) * 2019-06-25 2020-12-30 深圳前海微众银行股份有限公司 Method and device for determining root cause task of abnormal task

Family Cites Families (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI369623B (en) * 2008-11-07 2012-08-01 Chunghwa Telecom Co Ltd Control system and protection method for integrated information security service
US9760426B2 (en) * 2015-05-28 2017-09-12 Microsoft Technology Licensing, Llc Detecting anomalous accounts using event logs
CN106209893B (en) * 2016-07-27 2019-03-19 中国人民解放军信息工程大学 The inside threat detection system and its detection method excavated based on business process model
US10452465B2 (en) * 2017-09-08 2019-10-22 Oracle International Corporation Techniques for managing and analyzing log data
EP3811221A4 (en) * 2018-07-20 2021-07-07 Huawei Technologies Co., Ltd. Apparatus and method for detecting anomaly in dataset and computer program product therefor
US11055405B1 (en) * 2019-04-30 2021-07-06 Splunk Inc. Anomaly event detection using frequent patterns
CN110365529B (en) * 2019-07-10 2022-03-22 广州博依特智能信息科技有限公司 Edge computing intelligent gateway service processing method and edge computing intelligent gateway
CN110928718B (en) * 2019-11-18 2024-01-30 上海维谛信息科技有限公司 Abnormality processing method, system, terminal and medium based on association analysis
CN111651646B (en) * 2020-06-30 2023-07-07 支付宝(杭州)信息技术有限公司 Service processing method and device
CN112052109B (en) * 2020-08-28 2022-03-04 西安电子科技大学 Cloud service platform event anomaly detection method based on log analysis
CN112954031B (en) * 2021-02-01 2021-12-10 福建多多云科技有限公司 Equipment state notification method based on cloud mobile phone

Also Published As

Publication number Publication date
CN113918937A (en) 2022-01-11

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant