CN114154990B - Big data anti-attack method based on online payment and storage medium - Google Patents


Info

Publication number: CN114154990B
Authority: CN (China)
Prior art keywords: attack; session; session element; online payment; analyzed
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202111488103.3A
Other languages: Chinese (zh)
Other versions: CN114154990A (en)
Inventor: 黄义宝
Current Assignee: Beijing Huishouqian Technology Co ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Beijing Huishouqian Technology Co ltd
Application filed by: Beijing Huishouqian Technology Co ltd
Priority to CN202210858531.9A (CN115271719A)
Priority to CN202111488103.3A (CN114154990B)
Publication of CN114154990A
Application granted
Publication of CN114154990B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/382 Payment protocols; Details thereof insuring higher security of transaction
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic

Abstract

The application relates to a big data anti-attack method based on online payment and a storage medium. A network attack analysis operation is performed on an online payment session to obtain a staged attack analysis record of the payment data network attack to be analyzed; a network attack session element mining operation is performed on the online payment session to obtain at least one session element of the payment data network attack to be analyzed; and a final analysis record of the payment data network attack to be analyzed is obtained by combining the staged attack analysis record, the session element and the session element screening index. In this way the staged attack analysis record is cleaned using the session elements and the session element screening indexes of the payment data network attack to be analyzed: analysis results whose session elements do not meet the session element screening indexes are removed to yield the final analysis record, which ensures the precision of the final analysis record and provides an accurate and reliable data basis for subsequent attack protection.

Description

Big data anti-attack method based on online payment and storage medium
Technical Field
The embodiment of the application relates to the technical field of online payment and big data protection, in particular to a big data anti-attack method and a storage medium based on online payment.
Background
The continuous progress of science and technology has pushed business of all kinds toward digitization, gradually forming an online business / e-commerce model. Payment has accordingly shifted from offline payment to online payment. Online payment removes the limits of payment time and payment region, which improves the convenience and flexibility of payment. As a result, the scale of online payment keeps growing and the fields it touches keep widening, and the payment security problems this brings cannot be neglected.
The inventor has found through research that payment security problems are mainly concentrated in the payment session process, for example the various payment big data network attack behaviors hidden in the payment session process. The related technology has difficulty guaranteeing the accuracy of network attack analysis, and therefore has difficulty providing an accurate and reliable basis for subsequent attack protection.
Disclosure of Invention
In view of this, the embodiment of the present application provides a big data anti-attack method and a storage medium based on online payment.
The embodiment of the application provides a big data anti-attack method based on online payment, applied to a big data anti-attack system. The method comprises at least the following steps: determining at least one group of online payment sessions that trigger the anti-attack analysis condition and at least one session element screening index of the payment data network attack to be analyzed; performing a network attack analysis operation on the at least one group of online payment sessions triggering the anti-attack analysis condition to obtain a staged attack analysis record of the payment data network attack to be analyzed, and performing a network attack session element mining operation on the same sessions to obtain at least one session element of the payment data network attack to be analyzed; and obtaining a final analysis record of the payment data network attack to be analyzed by combining the staged attack analysis record, the at least one session element and the at least one session element screening index of the payment data network attack to be analyzed.
In some independently implementable designs, obtaining the final analysis record of the payment data network attack to be analyzed by combining the staged attack analysis record, the at least one session element and the at least one session element screening index includes: when the staged attack analysis record indicates that the at least one group of online payment sessions triggering the anti-attack analysis condition carries the payment data network attack to be analyzed, and the at least one session element meets the at least one session element screening index, determining that the final analysis record indicates that the payment data network attack to be analyzed is in an activated state; and when the staged attack analysis record indicates that the at least one group of online payment sessions triggering the anti-attack analysis condition carries the payment data network attack to be analyzed, and the at least one session element does not meet the at least one session element screening index, determining that the final analysis record indicates that the payment data network attack to be analyzed is in a to-be-activated state.
In some independently implementable designs, performing the network attack session element mining operation on the at least one group of online payment sessions triggering the anti-attack analysis condition to obtain at least one session element of the payment data network attack to be analyzed includes: when the staged attack analysis record indicates that the at least one group of online payment sessions triggering the anti-attack analysis condition carries the payment data network attack to be analyzed, performing the network attack session element mining operation on those sessions to obtain at least one session element of the payment data network attack to be analyzed.
Under some independently implementable design ideas, the payment data network attack to be analyzed comprises a distributed denial of service attack; the at least one group of online payment sessions triggering the anti-attack analysis condition covers a first online payment session; the first online payment session encompasses distributed denial of service attack detection content; the step of starting network attack analysis operation on the at least one group of online payment sessions triggering the attack prevention analysis conditions to obtain staged attack analysis records comprises the following steps: on the basis of determining that the distributed denial of service attack detection content carries abnormal detection items, determining that the staged attack analysis record carries the distributed denial of service attack in the first online payment session; the abnormality detection event includes one or both of: responding to the refusal request and the abnormal flow state theme; and on the basis of determining that the distributed denial of service attack detection content does not carry abnormal detection items, determining that the staged attack analysis record does not carry the distributed denial of service attack in the first online payment session.
Under some independently implementable design considerations, the at least one set of online payment sessions that trigger the attack-prevention analysis condition includes a third online payment session; the at least one session element screening index comprises a released topic key description set; the at least one session element comprises a significant semantic representation of the anomaly detection event; the network attack session element mining operation is carried out on the at least one group of online payment sessions triggering the anti-attack analysis condition to obtain at least one session element of the to-be-analyzed payment data network attack, and the method comprises the following steps: carrying out significance semantic expression mining operation on the second online payment session to obtain significance semantic expression content of the abnormal detection items; the at least one session element satisfying the at least one session element screening index includes: the release topic key description set does not carry semantic vectors corresponding to the significant semantic expression contents; the at least one session element not meeting the at least one session element screening criteria includes: and semantic vectors corresponding to the significant semantic expression contents exist in the released subject key description set.
Under some design ideas which can be independently implemented, the at least one session element screening index further comprises a characteristic dimension interval; the at least one conversation element further comprises an event characteristic dimension of an anomaly detection event; the network attack session element mining operation is carried out on the at least one group of online payment sessions triggering the anti-attack analysis condition to obtain at least one session element of the payment data to be analyzed under the network attack, and the method further comprises the following steps: performing item identification operation on the second online payment session to obtain item feature dimensions of the abnormal detection item; the at least one session element satisfying the at least one session element screening index includes: the release topic key description set does not carry semantic vectors which have corresponding relations with the significance semantic expressions, and item feature dimensions of the abnormal detection items fall into the feature dimension interval; the at least one session element not meeting the at least one session element screening criteria comprises at least one of: the release subject key description set does not carry semantic vectors which have corresponding relations with the significant semantic expressions; and the item feature dimension of the anomaly detection item does not fall into the feature dimension interval.
Under some independently implementable design ideas, the at least one group of online payment sessions triggering the attack-prevention analysis condition comprises a third online payment session and a fourth online payment session, and a set digital signature of the third online payment session is prior to a set digital signature of the fourth online payment session; the at least one session element screening index comprises a set time sequence accumulated value; the at least one session element comprises a time sequence statistical result of the payment data network attack to be analyzed; the network attack session element mining operation is carried out on the at least one group of online payment sessions triggering the anti-attack analysis condition to obtain at least one session element of the to-be-analyzed payment data network attack, and the method comprises the following steps: taking the set digital signature of the third online payment session as a starting time sequence node of the network attack of the payment data to be analyzed, and taking the set digital signature of the fourth online payment session as a termination time sequence node of the network attack of the payment data to be analyzed, so as to obtain a time sequence statistical result; the at least one session element satisfying the at least one session element screening index includes: the time sequence statistical result is greater than the set time sequence accumulated value; the at least one session element not meeting the at least one session element screening criteria includes: and the time sequence statistical result is less than or equal to the set time sequence accumulated value.
Under some independently implementable design ideas, the payment data network attack to be analyzed comprises over-authority access; the at least one session element screening index further comprises an over-authority access constraint condition; the at least one session element comprises the distribution condition of the access requests to be processed; the third online payment session and the fourth online payment session both encompass the pending access request; the network attack session element mining operation is carried out on the at least one group of online payment sessions triggering the anti-attack analysis condition to obtain at least one session element of the to-be-analyzed payment data network attack, and the method comprises the following steps: performing an access request identification operation on the third online payment session to obtain a first distribution condition of the access request to be processed in the third online payment session; performing an access request identification operation on the fourth online payment session to obtain a second distribution condition of the access request to be processed in the fourth online payment session; the at least one session element satisfying the at least one session element screening index includes: the time sequence statistical result is greater than the set time sequence accumulated value, and the first distribution condition and the second distribution condition are both matched with the over-authority access constraint condition; the not less than one session element not meeting the not less than one session element screening indicator comprises one or more of: and the time sequence statistical result is less than or equal to the set time sequence accumulated value, the first distribution condition does not match the over-authority access constraint condition, and the second distribution condition does not match the over-authority access constraint condition.
Under some independently implementable design ideas, the at least one group of online payment sessions triggering the attack-prevention analysis condition comprises a fifth online payment session; the at least one session element screening index comprises a credible evaluation judgment value; the network attack session element mining operation is carried out on the at least one group of online payment sessions triggering the anti-attack analysis condition to obtain at least one session element of the to-be-analyzed payment data network attack, and the method comprises the following steps: performing item identification operation on the fifth online payment session to obtain credible evaluation of abnormal detection items in the fifth online payment session; the at least one session element satisfying the at least one session element screening index includes: the credibility evaluation of the abnormal detection item is larger than the credibility evaluation judgment value; the at least one session element not meeting the at least one session element screening criteria includes: and the credibility evaluation of the abnormal detection item is less than or equal to the credibility evaluation judgment value.
Under some design ideas which can be independently implemented, the at least one session element screening index comprises an abnormal prompt time sequence interval; the network attack session element mining operation is carried out on the at least one group of online payment sessions triggering the anti-attack analysis condition to obtain at least one session element of the to-be-analyzed payment data network attack, and the method comprises the following steps: taking the set digital signature of the sixth online payment session as the activation moment of the network attack of the payment data to be analyzed; the sixth online payment session is the online payment session with the latest digital signature set in the online payment sessions with at least one group of trigger anti-attack analysis conditions; the at least one session element satisfying the at least one session element screening index includes: the activation time of the payment data network attack to be analyzed does not fall into the abnormal prompt time sequence interval; the at least one session element not meeting the at least one session element screening criteria includes: and the activation moment of the payment data network attack to be analyzed falls into the abnormal prompt time sequence interval.
In some independently implementable designs, when there is more than one session element screening index, before performing the network attack session element mining operation on the at least one group of online payment sessions triggering the anti-attack analysis condition to obtain at least one session element of the payment data network attack to be analyzed, the method further comprises: determining an attention queue of the session elements of the payment data network attack to be analyzed that correspond to the screening indexes. Performing the network attack session element mining operation then comprises: performing a first session element mining operation on the at least one group of online payment sessions triggering the anti-attack analysis condition to obtain a first session element of the payment data network attack to be analyzed, the first session element being the session element with the highest attention in the attention queue; when the first session element meets the session element screening index corresponding to it, performing a second session element mining operation on the at least one group of online payment sessions triggering the anti-attack analysis condition to obtain a second session element of the payment data network attack to be analyzed, the second session element being the session element with the second-highest attention in the attention queue; and when the first session element does not meet the screening index corresponding to it, terminating the network attack session element mining operation on the at least one group of online payment sessions triggering the anti-attack analysis condition.
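The decision flow described in the preceding paragraphs (staged record first, then session element screening in attention order with early termination), as an added Python illustration that is not code from the patent. The `Session` fields, the `no_attack` label, the thresholds and the attention values are assumptions, and the page's "set digital signature" is treated here as a numeric ordering value.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

ACTIVATED = "activated"
TO_BE_ACTIVATED = "to_be_activated"
NO_ATTACK = "no_attack"  # assumed label; the page names only the two states above


@dataclass(frozen=True)
class Session:
    order_value: float  # the page's "set digital signature", as a numeric ordering value (assumption)
    has_anomaly: bool   # stage 1: detection content carries an anomaly detection item
    confidence: float   # "credible evaluation" of that anomaly detection item


@dataclass(frozen=True)
class Screen:
    name: str
    attention: int                          # rank in the attention queue, higher is mined first
    mine: Callable[[List[Session]], float]  # session element mining operation
    satisfied: Callable[[float], bool]      # session element screening index


def duration(sessions: List[Session]) -> float:
    """Time sequence statistical result: start node to termination node."""
    values = [s.order_value for s in sessions]
    return max(values) - min(values)


def anomaly_confidence(sessions: List[Session]) -> float:
    """Credible evaluation taken from the latest flagged session (assumption)."""
    flagged = [s for s in sessions if s.has_anomaly]
    return max(flagged, key=lambda s: s.order_value).confidence


def activation_moment(sessions: List[Session]) -> float:
    """Activation moment: ordering value of the latest session."""
    return max(s.order_value for s in sessions)


def build_screens(min_duration: float, min_confidence: float,
                  prompt_interval: Tuple[float, float]) -> List[Screen]:
    lo, hi = prompt_interval
    return [
        # Satisfied when the statistical result exceeds the set accumulated value.
        Screen("timing", 3, duration, lambda d: d > min_duration),
        # Satisfied when the credible evaluation exceeds the judgment value.
        Screen("confidence", 2, anomaly_confidence, lambda c: c > min_confidence),
        # Satisfied when the activation moment is outside the abnormal prompt interval.
        Screen("activation_moment", 1, activation_moment,
               lambda t: not (lo <= t <= hi)),
    ]


def final_record(sessions: List[Session],
                 screens: List[Screen]) -> Tuple[str, List[str]]:
    """Return (final state, names of the session elements actually mined)."""
    # Staged attack analysis record: mining only runs when it reports an attack.
    if not any(s.has_anomaly for s in sessions):
        return NO_ATTACK, []
    mined: List[str] = []
    for screen in sorted(screens, key=lambda s: s.attention, reverse=True):
        element = screen.mine(sessions)
        mined.append(screen.name)
        if not screen.satisfied(element):
            # First unmet screening index ends mining: lower-attention
            # elements are never computed.
            return TO_BE_ACTIVATED, mined
    return ACTIVATED, mined


# Constructed sample data and thresholds, for illustration only.
SCREENS = build_screens(min_duration=30.0, min_confidence=0.8,
                        prompt_interval=(200.0, 300.0))
SUSTAINED = [Session(100.0, True, 0.90), Session(160.0, True, 0.95)]
BRIEF = [Session(100.0, True, 0.90), Session(110.0, True, 0.95)]
IN_WINDOW = [Session(200.0, True, 0.90), Session(250.0, True, 0.95)]
CLEAN = [Session(100.0, False, 0.0), Session(160.0, False, 0.0)]

if __name__ == "__main__":
    for label, sample in [("sustained", SUSTAINED), ("brief", BRIEF),
                          ("in_window", IN_WINDOW), ("clean", CLEAN)]:
        print(label, final_record(sample, SCREENS))
```

The `BRIEF` sample fails the highest-attention index, so only that one element is mined before the record is downgraded to the to-be-activated state.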
In some independently implementable designs, the method further comprises: issuing an attack coping strategy when the final analysis record indicates that the payment data network attack to be analyzed is in the to-be-activated state.
The embodiment of the application also provides a big data anti-attack system, which comprises a processor, a network module and a memory; the processor and the memory communicate through the network module, and the processor reads the computer program from the memory and operates to perform the above-described method.
An embodiment of the present application further provides a computer storage medium, where a computer program is stored, and the computer program implements the method when running.
Compared with the prior art, the method has the following advantages. A network attack analysis operation is performed on the online payment session to obtain a staged attack analysis record of the payment data network attack to be analyzed; a network attack session element mining operation is performed on the online payment session to obtain at least one session element of the payment data network attack to be analyzed; and a final analysis record of the payment data network attack to be analyzed is obtained by combining the staged attack analysis record, the session element and the session element screening index. In this way the staged attack analysis record is cleaned using the session elements and the session element screening indexes of the payment data network attack to be analyzed: analysis results whose session elements do not meet the session element screening indexes are removed to yield the final analysis record, which ensures the precision of the final analysis record and provides an accurate and reliable data basis for subsequent attack protection.
In the description that follows, additional features will be set forth, in part, in the description. These features will be in part apparent to those skilled in the art upon examination of the following and the accompanying drawings, or may be learned by production or use. The features of the present application may be realized and attained by practice or use of various aspects of the methodologies, instrumentalities and combinations particularly pointed out in the detailed examples that follow.
Drawings
To more clearly illustrate the technical solutions of the embodiments of the present application, the drawings needed in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a schematic block diagram of a big data anti-attack system according to an embodiment of the present disclosure.
Fig. 2 is a flowchart of a big data anti-attack method based on online payment according to an embodiment of the present application.
Fig. 3 is a block diagram of a big data anti-attack device based on online payment according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all the embodiments. The components of the embodiments of the present application, generally described and illustrated in the figures herein, can be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present application, presented in the accompanying drawings, is not intended to limit the scope of the claimed application, but is merely representative of selected embodiments of the application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
Fig. 1 shows a block diagram of a big data anti-attack system 10 provided in an embodiment of the present application. The big data anti-attack system 10 in the embodiment of the present application may be a server with data storage, transmission, and processing functions, as shown in fig. 1, the big data anti-attack system 10 includes: the system comprises a memory 11, a processor 12, a network module 13 and a big data anti-attack device 20 based on online payment.
The memory 11, the processor 12 and the network module 13 are electrically connected directly or indirectly to realize data transmission or interaction. For example, the components may be electrically connected to each other via one or more communication buses or signal lines. The memory 11 stores a big data anti-attack device 20 based on online payment, the big data anti-attack device 20 based on online payment comprises at least one software function module which can be stored in the memory 11 in a form of software or firmware (firmware), and the processor 12 executes various function applications and data processing by running software programs and modules stored in the memory 11, such as the big data anti-attack device 20 based on online payment in the embodiment of the present application, so as to implement the big data anti-attack method based on online payment in the embodiment of the present application.
The Memory 11 may be, but is not limited to, a Random Access Memory (RAM), a Read Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Read-Only Memory (EPROM), an electrically Erasable Read-Only Memory (EEPROM), and the like. The memory 11 is used for storing a program, and the processor 12 executes the program after receiving an execution instruction.
The processor 12 may be an integrated circuit chip having data processing capabilities. The processor 12 may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like, and may implement or perform the various methods, steps and logic blocks disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor or any conventional processor or the like.
The network module 13 is used for establishing communication connection between the big data anti-attack system 10 and other communication terminal devices through a network, and implementing transceiving operation of network signals and data. The network signal may include a wireless signal or a wired signal.
It will be appreciated that the configuration shown in FIG. 1 is merely illustrative, and that the big data anti-attack system 10 may also include more or fewer components than shown in FIG. 1, or have a different configuration than shown in FIG. 1. The components shown in fig. 1 may be implemented in hardware, software, or a combination thereof.
An embodiment of the present application further provides a computer storage medium, where a computer program is stored, and the computer program implements the method when running.
Fig. 2 shows a flow chart of the big data anti-attack method based on online payment provided by an embodiment of the application. The method steps defined by this flow are applied to the big data anti-attack system 10 and can be implemented by the processor 12; the method comprises the following steps.
Step S101: determine at least one group of online payment sessions that trigger the anti-attack analysis condition and at least one session element screening index of the payment data network attack to be analyzed.
For the embodiment of the present application, an online payment session triggering the anti-attack analysis condition may be understood as an online payment session to be processed, and the anti-attack analysis condition may be set flexibly according to the session time period and the session object, which is not further limited in the embodiment of the present application. The online payment session may be a domestic payment session or a cross-border payment session.
For the embodiment of the application, the payment data network attack to be analyzed may be any of various network attacks. Optionally, the payment data network attack to be analyzed is a session behavior that carries a data information security risk.
For the embodiment of the application, the session element screening index of the payment data network attack to be analyzed is used for removing session behaviors that have been mistaken for network attacks. The session element screening indexes of the payment data network attack to be analyzed may include various indexes; see the description below for details.
Step S102: perform a network attack analysis operation on the at least one group of online payment sessions triggering the anti-attack analysis condition to obtain a staged attack analysis record of the payment data network attack to be analyzed.
For the embodiment of the application, the network attack parsing operation can be realized through an AI intelligent network, and the staged attack parsing record can be understood as an intermediate parsing record or a transitional parsing record.
For the embodiment of the present application, the staged attack analysis record of the payment data network attack to be analyzed may state either that the at least one group of online payment sessions triggering the anti-attack analysis condition carries the payment data network attack to be analyzed, or that it does not carry the payment data network attack to be analyzed. The big data anti-attack system processes the at least one group of online payment sessions triggering the anti-attack analysis condition with an AI intelligent network to obtain the staged attack analysis record.
For the present embodiment, the AI intelligent network may be a CNN, RNN, or LSTM network, but is not limited thereto.
Step S103, performing a network attack session element mining operation on the at least one group of online payment sessions triggering the anti-attack analysis condition, to obtain at least one session element of the network attack on the payment data to be analyzed.
For the embodiment of the application, a session element of the network attack on the payment data to be analyzed can be understood as a session attribute or session feature of that network attack. In an independently implementable embodiment of the network attack session element mining operation, the at least one group of online payment sessions triggering the anti-attack analysis condition is passed to a session element mining network, which outputs the session elements of the network attack on the payment data to be analyzed. The session element mining network may be obtained by debugging and optimizing a corresponding neural network model on a training set of online payment sessions annotated with session elements.
For example, the at least one group of online payment sessions triggering the anti-attack analysis condition includes online payment session _1. Online payment session _1 is processed by the session element mining network, and the obtained session elements of the network attack on the payment data to be analyzed include the operating habit features/attributes contained in online payment session _1.
As another example, the at least one group of online payment sessions triggering the anti-attack analysis condition includes online payment session _1 and online payment session _2. Both sessions are processed by the session element mining network to obtain the session elements of the network attack on the payment data to be analyzed.
Step S104, combining the staged attack analysis record, the at least one session element and the at least one session element screening index of the network attack on the payment data to be analyzed, to obtain a final analysis record of the network attack on the payment data to be analyzed.
If the staged attack analysis record indicates that the at least one group of online payment sessions triggering the anti-attack analysis condition does not carry the network attack on the payment data to be analyzed, the final analysis record is that the network attack on the payment data to be analyzed is in a to-be-activated state. If the staged attack analysis record indicates that the network attack exists in those sessions, but the session element of the network attack does not satisfy the session element screening index, the network attack is in a to-be-activated state, that is, the analysis record of the AI intelligent network is in error, and the final analysis record is that the network attack on the payment data to be analyzed is in the to-be-activated state. If the staged attack analysis record indicates that the network attack exists in those sessions, and the session element of the network attack satisfies the session element screening index, the network attack is in an activated state, that is, the analysis record of the AI intelligent network is accurate, and the final analysis record is that the network attack on the payment data to be analyzed is in the activated state.
For an independently implementable embodiment, on the basis that the staged attack analysis record indicates that the network attack on the payment data to be analyzed exists in the at least one group of online payment sessions triggering the anti-attack analysis condition, and the at least one session element satisfies the at least one session element screening index, the big data anti-attack system determines that the final analysis record is that the network attack is in an activated state. On the basis that the staged attack analysis record indicates that the network attack exists in those sessions, and the at least one session element does not satisfy the at least one session element screening index, the system determines that the final analysis record is that the network attack is in a to-be-activated state.
For the embodiment of the application, the big data anti-attack system uses the session elements and the session element screening indexes of the network attack on the payment data to be analyzed to clean the staged attack analysis record: analysis results whose session elements do not satisfy the session element screening indexes are cleaned out, which yields the final analysis record and ensures its precision.
For an embodiment that can be implemented independently, the big data anti-attack system may implement step S103 as follows: on the basis that the staged attack analysis record indicates that the network attack on the payment data to be analyzed exists in the at least one group of online payment sessions triggering the anti-attack analysis condition, performing the network attack session element mining operation on those sessions to obtain at least one session element of the network attack on the payment data to be analyzed.
The big data anti-attack system first obtains the staged attack analysis record by executing step S102. Step S103 is then executed on the basis of determining that the staged attack analysis record indicates that the network attack on the payment data to be analyzed exists in the at least one group of online payment sessions triggering the anti-attack analysis condition, which saves resource overhead of the big data anti-attack system.
For an embodiment that can be implemented independently, the big data anti-attack system may implement step S102 as follows: on the basis that the at least one session element satisfies the session element screening index, performing the network attack analysis operation on the at least one group of online payment sessions triggering the anti-attack analysis condition to obtain the staged attack analysis record of the network attack on the payment data to be analyzed.
In this case the big data anti-attack system first obtains at least one session element of the network attack on the payment data to be analyzed by executing step S103. Step S102 is then executed on the basis of determining that the at least one session element satisfies the session element screening index, which saves resource overhead of the big data anti-attack system.
For an independently implementable embodiment, the network attack on the payment data to be analyzed comprises a distributed denial of service (DDoS) attack, and the at least one group of online payment sessions triggering the anti-attack analysis condition includes a first online payment session that contains distributed denial of service attack detection content. The big data anti-attack system may implement step S102 as follows: on the basis of determining that the distributed denial of service attack detection content carries an abnormal detection item, determining that the staged attack analysis record is that the distributed denial of service attack exists in the first online payment session.
For the embodiment of the application, the distributed denial of service attack includes at least one of the following: real-time distributed denial of service attacks, delayed distributed denial of service attacks. The abnormal detection items include at least one of: response-denial-type requests, abnormal traffic state topics.
If, after starting the network attack analysis operation on the first online payment session, the big data anti-attack system determines that the distributed denial of service attack detection content carries an abnormal detection item, this indicates that the abnormal detection item is in an activated state and that distributed denial of service attack behavior exists; if it determines that the distributed denial of service attack detection content does not carry an abnormal detection item, this indicates that the abnormal detection item is in a to-be-activated state.
Thus, on the basis of determining that the distributed denial of service attack detection content carries abnormal detection items, the big data anti-attack system determines that the staged attack analysis record is that the distributed denial of service attack exists in the first online payment session; on the basis of determining that the distributed denial of service attack detection content does not carry abnormal detection items, the big data anti-attack system determines that the staged attack analysis record is that the distributed denial of service attack is not carried in the first online payment session.
For an independently implementable embodiment, the at least one session element screening index comprises a released topic key description set, and the at least one session element comprises the significant semantic expression content of an abnormal detection item. The big data anti-attack system may implement step S103 as follows: performing a significant semantic expression mining operation on the second online payment session to obtain the significant semantic expression content of the abnormal detection item.
For the embodiments of the present application, the significant semantic expression content includes at least one of: local semantic vectors, global semantic vectors. The global semantic vector carries verification keyword tags of the session objects in the online payment session.
It can be understood that the big data anti-attack system compares the significant semantic expression content with the semantic vectors in the released topic key description set and determines whether the set contains a semantic vector corresponding to the significant semantic expression content, so as to determine whether the at least one session element satisfies the at least one session element screening index.
For example, when the big data anti-attack system determines that the released semantic vectors (whitelist semantic vectors) contain no semantic vector corresponding to the significant semantic expression content, the abnormal detection item cannot be released, and the system may determine that the at least one session element satisfies the at least one session element screening index. When the system determines that the released semantic vectors contain a semantic vector corresponding to the significant semantic expression content, the abnormal detection item can be released, and the system may determine that the at least one session element does not satisfy the at least one session element screening index.
The big data anti-attack system can reduce analysis errors and ensure the precision of final analysis records by taking the released topic key description set as a session element screening index.
For an independently implementable embodiment, the at least one session element screening index further includes a feature dimension interval, and the at least one session element further includes an item feature dimension of the abnormal detection item. The big data anti-attack system may implement step S103 as follows: performing an item identification operation on the second online payment session to obtain the item feature dimension of the abnormal detection item.
By performing the item identification operation on the second online payment session, the big data anti-attack system obtains the item feature dimension of the abnormal detection item in the second online payment session. For example, when the abnormal detection item is a response-denial-type request, the system performs session object detection processing on the second online payment session to obtain a session object marking result covering the response-denial-type request, and then uses the item feature dimension of that marking result to obtain the item feature dimension of the response-denial-type request in the second online payment session. For another example, when the abnormal detection item is an abnormal traffic state topic, the system performs an access request identification operation on the second online payment session to obtain an abnormal traffic state topic marking result containing the abnormal traffic state topic, and then uses the item feature dimension of that marking result to obtain the item feature dimension of the abnormal traffic state topic in the second online payment session.
Based on the above, the big data anti-attack system compares the significant semantic expression content with the semantic vectors in the released topic key description set to determine whether the set contains a semantic vector corresponding to the significant semantic expression content, and judges whether the item feature dimension of the abnormal detection item is within the feature dimension interval, so as to judge whether the at least one session element satisfies the at least one session element screening index.
Further, when the big data anti-attack system determines that the released semantic vectors do not carry a semantic vector corresponding to the significant semantic expression content, and the item feature dimension of the abnormal detection item is within the feature dimension interval, the abnormal detection item cannot be released, and the system may determine that the at least one session element satisfies the at least one session element screening index. When the system determines that the released semantic vectors contain a semantic vector corresponding to the significant semantic expression content, and the item feature dimension of the abnormal detection item is within the feature dimension interval, the abnormal detection item can be released, and the system determines that the at least one session element does not satisfy the at least one session element screening index. When the system determines that the released semantic vectors do not carry a semantic vector corresponding to the significant semantic expression content, and the item feature dimension of the abnormal detection item is outside the feature dimension interval, the abnormal detection item can be released, and the system determines that the at least one session element does not satisfy the at least one session element screening index.
It can be understood that the big data anti-attack system determines whether the session element of the payment data network attack to be analyzed meets the session element screening index by combining the item feature dimension and the feature dimension interval of the abnormal detection item, and can ensure the accuracy of the final analysis record.
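The whitelist and feature dimension interval screening described above, combined with the step S104 decision, can be sketched as follows. This is an added example, not code from the patent: the patent does not say how two semantic vectors are judged to "correspond", so cosine similarity with a fixed threshold is an assumption, and all names, vectors and bounds are constructed.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumption: two semantic vectors "correspond" when cosine similarity reaches this value.
MATCH_THRESHOLD = 0.95


@dataclass
class ScreeningIndex:
    released_vectors: List[List[float]]  # released (whitelist) topic key description set
    dim_interval: Tuple[float, float]    # feature dimension interval, inclusive bounds


@dataclass
class SessionElements:
    semantic_vector: List[float]  # significant semantic expression content of the item
    item_dimension: float         # item feature dimension of the abnormal detection item


def cosine(a: List[float], b: List[float]) -> float:
    """Cosine similarity; 0.0 for zero-norm or length-mismatched vectors."""
    if len(a) != len(b):
        return 0.0
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    if norm_a == 0 or norm_b == 0:
        return 0.0
    return sum(x * y for x, y in zip(a, b)) / (norm_a * norm_b)


def is_released(vector: List[float], released: List[List[float]]) -> bool:
    """True when the whitelist holds a vector corresponding to this one."""
    return any(cosine(vector, r) >= MATCH_THRESHOLD for r in released)


def meets_screening_index(el: SessionElements, idx: ScreeningIndex) -> bool:
    """Satisfied only when the item is NOT whitelisted AND its dimension is in the interval."""
    low, high = idx.dim_interval
    in_interval = low <= el.item_dimension <= high
    return in_interval and not is_released(el.semantic_vector, idx.released_vectors)


def final_record(staged_attack_present: bool, el: SessionElements,
                 idx: ScreeningIndex) -> str:
    """Step S104: clean the staged record with the screening index."""
    if not staged_attack_present:
        return "to-be-activated"          # staged analysis found no attack
    if meets_screening_index(el, idx):
        return "activated"                # staged analysis confirmed
    return "to-be-activated"              # staged analysis treated as a false positive


# Constructed sample data.
INDEX = ScreeningIndex(
    released_vectors=[[1.0, 0.0, 0.0], [0.0, 1.0, 0.0]],
    dim_interval=(10.0, 500.0),
)
CASES = {
    "unknown_item_in_interval": (True, SessionElements([0.1, 0.2, 0.97], 120.0)),
    "whitelisted_item": (True, SessionElements([0.99, 0.05, 0.0], 120.0)),
    "unknown_item_outside_interval": (True, SessionElements([0.1, 0.2, 0.97], 5.0)),
    "no_staged_attack": (False, SessionElements([0.1, 0.2, 0.97], 120.0)),
}


def run_cases() -> Dict[str, str]:
    return {name: final_record(staged, el, INDEX) for name, (staged, el) in CASES.items()}


if __name__ == "__main__":
    for name, state in run_cases().items():
        print(f"{name}: {state}")
```

Only the first constructed case ends in the activated state; the other three are cleaned out as released, out-of-interval, or never flagged by the staged analysis.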
Under some independently implementable design ideas, the at least one group of online payment sessions triggering the anti-attack analysis condition includes a third online payment session and a fourth online payment session, wherein the set digital signature of the third online payment session precedes the set digital signature of the fourth online payment session. The at least one session element screening index comprises a set time sequence accumulated value, and the at least one session element comprises a time sequence statistical result of the network attack on the payment data to be analyzed. The big data anti-attack system may implement step S103 as follows: taking the set digital signature (timestamp) of the third online payment session as the starting time sequence node (starting time) of the network attack on the payment data to be analyzed, and taking the set digital signature of the fourth online payment session as the ending time sequence node (ending time) of that network attack, so as to obtain the time sequence statistical result (duration).
For example, assume that the network attack on the payment data to be analyzed is over-authority access. By starting a network attack analysis operation on the third online payment session, the big data anti-attack system determines that abnormal traffic state topic _1 in the third online payment session falls within the over-authority access constraint condition; by starting a network attack analysis operation on the fourth online payment session, it determines that abnormal traffic state topic _1 in the fourth online payment session also falls within the over-authority access constraint condition. The system then determines that the time sequence statistical result of the over-authority access of abnormal traffic state topic _1 runs from the capture time of the third online payment session to the capture time of the fourth online payment session. That is, the set digital signature of the third online payment session is the starting time sequence node of the over-authority access of abnormal traffic state topic _1, and the set digital signature of the fourth online payment session is its ending time sequence node.
It can be understood that the third online payment session and the fourth online payment session in the embodiment of the present application are only examples, and in practical implementation, the big data anti-attack system may obtain a time sequence statistical result of the network attack on the payment data to be analyzed in combination with not less than two sets of online payment sessions that trigger the anti-attack analysis condition.
It can be understood that, the big data anti-attack system determines whether the time sequence statistical result of the payment data network attack to be analyzed exceeds the set time sequence accumulated value by comparing and analyzing the time sequence statistical result of the payment data network attack to be analyzed with the set time sequence accumulated value, so as to judge whether at least one session element meets at least one session element screening index.
For example, when the big data anti-attack system determines that the time sequence statistical result exceeds the set time sequence accumulated value, the at least one session element satisfies the at least one session element screening index; when the system determines that the time sequence statistical result does not exceed the set time sequence accumulated value, the at least one session element does not satisfy the at least one session element screening index.
It can be understood that, the big data anti-attack system can also perform item identification operation on at least one group of online payment sessions triggering anti-attack analysis conditions to obtain the distribution condition of abnormal detection items in the payment data network attack to be analyzed, and the distribution condition is used as at least one session element of the payment data network attack to be analyzed.
Under some design ideas which can be independently implemented, the network attack on the payment data to be analyzed comprises over-authority access, the at least one session element screening index further comprises an over-authority access constraint condition, the at least one session element comprises the distribution condition of the access request to be processed, and the third online payment session and the fourth online payment session both contain the access request to be processed. The big data anti-attack system may further implement step S103 as follows: performing an access request identification operation on the third online payment session to obtain a first distribution condition of the access request to be processed in the third online payment session; and performing an access request identification operation on the fourth online payment session to obtain a second distribution condition of the access request to be processed in the fourth online payment session.
For the embodiment of the present application, the distribution condition of the access request to be processed in an online payment session may be the distribution, in the mapping space of the online payment session, of the abnormal traffic state topic marking result that contains the access request to be processed. For example, it may be a spatial description of a two-dimensional distribution constraint of that marking result in the mapping space.
By performing the access request identification operation on the third online payment session, the big data anti-attack system obtains the distribution condition of the access request to be processed in the third online payment session, namely the first distribution condition. By performing the access request identification operation on the fourth online payment session, the system obtains the distribution condition of the access request to be processed in the fourth online payment session, namely the second distribution condition.
It can be understood that the big data anti-attack system compares the time sequence statistical result of the network attack on the payment data to be analyzed with the set time sequence accumulated value to determine whether the result exceeds the set value, and determines whether the distribution condition of the access request to be processed is within the over-authority access constraint condition, so as to determine whether the at least one session element satisfies the at least one session element screening index.
Illustratively, when the big data anti-attack system determines that the time sequence statistical result exceeds the set time sequence accumulated value, and the first distribution condition and the second distribution condition are both within the over-authority access constraint condition, the at least one session element satisfies the at least one session element screening index.
The big data anti-attack system determines that the at least one session element does not satisfy the at least one session element screening index on the basis of determining at least one of the following: the time sequence statistical result does not exceed the set time sequence accumulated value; the first distribution condition is outside the over-authority access constraint condition; the second distribution condition is outside the over-authority access constraint condition. Further, each of the following cases indicates that the at least one session element does not satisfy the at least one session element screening index: the time sequence statistical result does not exceed the set time sequence accumulated value, and the first distribution condition and the second distribution condition are both within the over-authority access constraint condition; the time sequence statistical result does not exceed the set time sequence accumulated value, the first distribution condition is outside the over-authority access constraint condition, and the second distribution condition is within it; the time sequence statistical result exceeds the set time sequence accumulated value, and the first distribution condition and the second distribution condition are both outside the over-authority access constraint condition; the time sequence statistical result does not exceed the set time sequence accumulated value, and the first distribution condition and the second distribution condition are both outside the over-authority access constraint condition.
Under some independently implementable design ideas, the at least one group of online payment sessions triggering the anti-attack analysis condition comprises a fifth online payment session, and the at least one session element screening index comprises a credibility evaluation judgment value. The big data anti-attack system may further implement step S103 as follows: performing an item identification operation on the fifth online payment session to obtain the credibility evaluation of the abnormal detection item in the fifth online payment session.
The credibility evaluation of the abnormal detection item indicates a confidence weight for the abnormal detection item. For example, when the abnormal detection item is a response-denial-type request, the credibility evaluation indicates the possibility that the abnormal detection item in the fifth online payment session is a response-denial-type request; when the abnormal detection item is an abnormal traffic state topic, the credibility evaluation indicates the possibility that the abnormal detection item in the fifth online payment session is an abnormal traffic state topic.
Based on the above, the big data anti-attack system compares the credibility evaluation of the abnormal detection item with the credibility evaluation judgment value to determine whether the abnormal detection item in the online payment session is credible, so as to judge whether the at least one session element satisfies the at least one session element screening index.
It can be understood that when the big data anti-attack system determines that the credibility evaluation of the abnormal detection item exceeds the credibility evaluation judgment value, the at least one session element satisfies the at least one session element screening index; when the system determines that the credibility evaluation of the abnormal detection item does not exceed the credibility evaluation judgment value, the at least one session element does not satisfy the at least one session element screening index.
Under some design ideas which can be independently implemented, the at least one session element screening index comprises an abnormal prompt time sequence interval. The big data anti-attack system may further implement step S103 as follows: taking the set digital signature of the sixth online payment session as the activation time of the network attack on the payment data to be analyzed.
For the embodiment of the application, the sixth online payment session is the online payment session with the latest set digital signature among the at least one group of online payment sessions triggering the anti-attack analysis condition. The abnormal prompt time sequence interval is the time period in which the big data anti-attack system issues a prompt on the basis of determining that the network attack on the payment data to be analyzed has occurred.
Based on the above, the big data anti-attack system determines whether the at least one session element satisfies the at least one session element screening index by judging whether the activation time of the network attack on the payment data to be analyzed is within the abnormal prompt time sequence interval.
Illustratively, when the big data anti-attack system determines that the activation time of the network attack on the payment data to be analyzed is outside the abnormal prompt time sequence interval, the at least one session element satisfies the at least one session element screening index; when the system determines that the activation time is within the abnormal prompt time sequence interval, the at least one session element does not satisfy the at least one session element screening index.
Under some design ideas which can be independently implemented, on the basis that the number of the session element screening indexes is greater than one, before executing step S103, the big data anti-attack system can further implement the following contents: and determining the attention degree queue of the session elements of the payment data network attack to be analyzed corresponding to the screening index.
For the embodiment of the application, the higher the attention of a session element of the payment data network attack to be analyzed, the smaller the resource overhead required for mining that session element from the online payment sessions triggering the anti-attack analysis condition. For example, the resource overhead required by the big data anti-attack system for determining the set digital signature of an online payment session is smaller than the resource overhead required for mining the distribution condition of the abnormal traffic state topic from the online payment session. Therefore, for the payment data network attack to be analyzed, the attention of the time sequence statistical result is higher than the attention of the distribution condition of the abnormal traffic state topic.
It can be understood that, on the basis of determining the attention queue of the session element of the to-be-analyzed payment data network attack corresponding to the screening index, the big data anti-attack system may implement the following contents in the process of executing step S103: carrying out first session element mining operation on the at least one group of online payment sessions triggering the anti-attack analysis conditions to obtain first session elements of the payment data to be analyzed in the network attack; on the basis that the first session element meets the session element screening index corresponding to the first session element, performing second session element mining operation on the at least one group of online payment sessions triggering the anti-attack analysis condition to obtain a second session element of the payment data network attack to be analyzed; and on the basis that the first session element does not meet the screening index corresponding to the first session element, terminating the network attack session element mining operation on the at least one group of online payment sessions triggering the anti-attack analysis condition.
For the embodiment of the present application, the first session element is the session element with the highest attention in the attention queue. For example, the payment data network attack to be analyzed is over-authority access. The session elements of the payment data network attack to be analyzed comprise: the time sequence statistical result, the distribution condition of the abnormal traffic state topic, and the item feature dimension of the abnormal traffic state topic. In the attention queue of the session elements of the payment data network attack to be analyzed, the session element with the highest attention is assumed to be the time sequence statistical result, the session element with the second highest attention is assumed to be the item feature dimension of the abnormal traffic state topic, and the session element with the lowest attention is assumed to be the distribution condition of the abnormal traffic state topic.
In the embodiment of the application, the big data anti-attack system firstly carries out first session element mining operation on at least one group of online payment sessions triggering anti-attack analysis conditions to obtain first session elements of the payment data network attacks to be analyzed. For example, in combination with the above, the big data anti-attack system first determines at least one set of digital signatures for online payment sessions that trigger anti-attack analysis conditions.
For the embodiment of the present application, the second session element is the session element with the second highest attention in the attention queue. For example, the second session element is the item feature dimension of the abnormal traffic state topic.
After obtaining the first session element, the big data anti-attack system judges whether the first session element meets the session element screening index corresponding to the first session element in at least one session element screening index. On the basis that the first session element meets the session element screening index corresponding to the first session element, the big data anti-attack system conducts second session element mining operation on at least one group of online payment sessions triggering anti-attack analysis conditions to obtain a second session element of the payment data to be analyzed under the network attack.
For example, on the basis that the time sequence statistical result of termination of the abnormal traffic state topic exceeds the set time sequence accumulated value, the big data anti-attack system performs an access request identification operation on the at least one group of online payment sessions triggering the anti-attack analysis condition, and obtains the distribution condition of the abnormal traffic state topic in the online payment sessions triggering the anti-attack analysis condition.
If the first session element does not meet the session element screening index corresponding to the first session element, this indicates that the at least one session element does not meet the at least one session element screening index. Therefore, the big data anti-attack system does not need to continue mining session elements other than the first session element from the at least one group of online payment sessions triggering the anti-attack analysis condition, so that the resource overhead can be reduced.
For some other embodiments, if the second session element meets the session element screening index corresponding to the second session element, a third session element mining operation is performed on the at least one group of online payment sessions triggering the anti-attack analysis condition, and the third session element of the payment data network attack to be analyzed is obtained. The big data anti-attack system then judges whether the third session element meets the session element screening index corresponding to the third session element, and iterates until a certain session element does not meet the session element screening index corresponding to that session element, at which point the big data anti-attack system stops executing the session element mining operation. Alternatively, the big data anti-attack system judges whether the third session element meets the session element screening index corresponding to the third session element, and iterates until all the session elements of the payment data network attack to be analyzed have been mined.
For the embodiment of the application, the big data anti-attack system mines the session element with the second highest attention from the at least one group of online payment sessions triggering the anti-attack analysis condition only on the basis that the session element with the highest attention meets its session element screening index, so that the resource overhead can be reduced and the attack protection processing efficiency can be improved.
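The attention-queue cascade described above, together with the activated / to-be-activated decision, as an added Python example (not code from the patent). The names `Session`, `Check`, `build_queue`, `resolve` and the `"not_detected"` result are assumptions of this example, the "set digital signature" is modelled as a per-session timestamp in seconds, and the queue order is an assumed attention order.

```python
from dataclasses import dataclass
from typing import Callable, List, Sequence, Tuple


@dataclass(frozen=True)
class Session:
    # Assumption: the "set digital signature" is modelled as a timestamp.
    signed_at: float
    # Credibility evaluation of the abnormal detection item in this session.
    anomaly_confidence: float


@dataclass(frozen=True)
class Check:
    name: str
    mine: Callable[[Sequence[Session]], float]  # session element mining operation
    meets_index: Callable[[float], bool]        # session element screening index


def duration(sessions: Sequence[Session]) -> float:
    """Time sequence statistical result: earliest to latest timestamp."""
    stamps = [s.signed_at for s in sessions]
    return max(stamps) - min(stamps)


def activation_moment(sessions: Sequence[Session]) -> float:
    """Timestamp of the session with the latest set digital signature."""
    return max(s.signed_at for s in sessions)


def peak_confidence(sessions: Sequence[Session]) -> float:
    """Simplification: highest credibility evaluation across the sessions."""
    return max(s.anomaly_confidence for s in sessions)


def build_queue(min_duration: float, min_confidence: float,
                alert_window: Tuple[float, float]) -> List[Check]:
    """Attention queue, highest attention (cheapest to mine) first."""
    lo, hi = alert_window
    return [
        # Meets the index when the result exceeds the accumulated value.
        Check("duration", duration, lambda v: v > min_duration),
        # Meets the index when the moment is outside the prompt interval.
        Check("activation_moment", activation_moment,
              lambda v: not (lo <= v <= hi)),
        # Meets the index when the evaluation exceeds the judgment value.
        Check("confidence", peak_confidence, lambda v: v > min_confidence),
    ]


def resolve(sessions: Sequence[Session], staged_hit: bool,
            queue: Sequence[Check]) -> Tuple[str, List[str]]:
    """Return (final record, names of the session elements actually mined)."""
    if not sessions:
        raise ValueError("at least one online payment session is required")
    if not staged_hit:
        # Assumption: no mining when the staged record reports no attack.
        return "not_detected", []
    mined: List[str] = []
    for check in queue:
        value = check.mine(sessions)
        mined.append(check.name)
        if not check.meets_index(value):
            # First failure terminates mining; later elements are never computed.
            return "to_be_activated", mined
    return "activated", mined


# Constructed sample sessions (not real payment data).
SAMPLE_SESSIONS = [
    Session(signed_at=100.0, anomaly_confidence=0.4),
    Session(signed_at=130.0, anomaly_confidence=0.9),
    Session(signed_at=190.0, anomaly_confidence=0.7),
]

if __name__ == "__main__":
    strict = build_queue(60.0, 0.8, (0.0, 50.0))
    print(resolve(SAMPLE_SESSIONS, True, strict))
    short = build_queue(120.0, 0.8, (0.0, 50.0))
    print(resolve(SAMPLE_SESSIONS, True, short))
```

The second element of the result shows where the cascade stopped, which makes the resource saving from early termination observable.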
In other embodiments, the attack coping strategy is issued on the basis that the final analysis record indicates that the payment data network attack to be analyzed is in the state to be activated.
In addition, for some independently implementable technical solutions, after obtaining the final resolution record of the payment data network attack to be analyzed, the method may further include the following steps: determining attack risk description of the payment data network attack to be analyzed according to the final analysis record; and determining an attack protection strategy aiming at the payment data network attack to be analyzed based on the attack risk description.
The implementation of issuing an attack coping strategy on the basis that the final analysis record indicates that the payment data network attack to be analyzed is in a to-be-activated state, and the implementation of determining the attack risk description of the payment data network attack to be analyzed according to the final analysis record and then determining an attack protection strategy for the payment data network attack to be analyzed based on the attack risk description, may be implemented alternatively, and the embodiment of the application is not limited in this respect.
In addition, for some independently implementable technical solutions, determining the attack risk description of the payment data network attack to be analyzed according to the final analysis record may be implemented as follows:
loading the final analysis record to an attack preference extraction network layer in a first trained LSTM model to obtain a first attack preference expression and a second attack preference expression of the final analysis record, which are generated by the attack preference extraction network layer, wherein the attack preference extraction network layer comprises a plurality of preference extraction nodes with upstream and downstream relations, the first attack preference expression is generated by the preference extraction nodes other than the last node among the plurality of preference extraction nodes with upstream and downstream relations, and the second attack preference expression is generated by the last preference extraction node among the plurality of preference extraction nodes with upstream and downstream relations;
loading the second attack preference expression to a coarse recognition network layer in the first trained LSTM model to obtain a target coarse recognition result generated by the coarse recognition network layer, wherein the target coarse recognition result is a coarse recognition result of a target attack risk description mined from the final analysis record;
loading the first attack preference expression, the second attack preference expression, a third attack preference expression and the target coarse recognition result to a fine recognition network layer in the first trained LSTM model, and obtaining a detection attack risk description label of the target attack risk description generated by the fine recognition network layer and a detection distribution of the risk level of the target attack risk description in the final analysis record, wherein the third attack preference expression is an attack preference expression generated by a preference extraction node in the coarse recognition network layer according to a target preference vector, and the target preference vector is a description vector obtained by adjusting the second attack preference expression.
With this design, the attack risk description label and the detection distribution of the risk level of the target attack risk description in the final analysis record can be accurately located and detected based on the coarse and fine recognition network layers, so that the accuracy and the integrity of the attack risk description can be guaranteed, and the attack protection strategy for the payment data network attack to be analyzed can be accurately and completely determined based on the attack risk description.
In summary, by performing a network attack analysis operation on the online payment session to obtain a staged attack analysis record of the payment data network attack to be analyzed, and performing a network attack session element mining operation on the online payment session to obtain at least one session element of the payment data network attack to be analyzed, a final analysis record of the payment data network attack to be analyzed can be obtained by combining the staged attack analysis record, the session element and the session element screening index. In this way, the staged attack analysis record is cleaned by combining the session elements and the session element screening indexes of the payment data network attack to be analyzed, so that analysis results in which the session elements do not meet the session element screening indexes are cleaned out and the final analysis record is obtained. The precision of the final analysis record can thus be ensured, and an accurate and reliable data basis is provided for subsequent attack protection.
Based on the same inventive concept, there is also provided an online payment-based big data anti-attack device 20, which is applied to a big data anti-attack system 10, and the device includes:
the determining module 21 is used for determining at least one group of online payment sessions triggering anti-attack analysis conditions and at least one session element screening index of the payment data network attack to be analyzed;
an obtaining module 22, configured to enable a network attack analysis operation on the at least one group of online payment sessions triggering the anti-attack analysis condition, obtain a staged attack analysis record of the to-be-analyzed payment data network attack, and perform a network attack session element mining operation on the at least one group of online payment sessions triggering the anti-attack analysis condition, so as to obtain at least one session element of the to-be-analyzed payment data network attack;
and the analysis module 23 is configured to obtain a final analysis record of the payment data network attack to be analyzed by combining the staged attack analysis record, the at least one session element, and the at least one session element screening index of the payment data network attack to be analyzed.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method can be implemented in other ways. The apparatus and method embodiments described above are illustrative only, as the flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a big data anti-attack system 10, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes. It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The above description is only a preferred embodiment of the present application and is not intended to limit the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (9)

1. A big data anti-attack method based on online payment is applied to a big data anti-attack system, and the method at least comprises the following steps:
determining at least one group of online payment sessions triggering anti-attack analysis conditions and at least one session element screening index of the payment data network attack to be analyzed;
enabling network attack analysis operation on the at least one group of online payment sessions triggering the anti-attack analysis conditions to obtain staged attack analysis records of the payment data network attack to be analyzed, and performing network attack session element mining operation on the at least one group of online payment sessions triggering the anti-attack analysis conditions to obtain at least one session element of the payment data network attack to be analyzed;
combining the staged attack analysis record, the at least one session element and at least one session element screening index of the payment data network attack to be analyzed to obtain a final analysis record of the payment data network attack to be analyzed;
on the basis that the number of the session element screening indexes is larger than one, before performing network attack session element mining operation on the at least one group of online payment sessions triggering the anti-attack analysis condition to obtain at least one session element of the payment data to be analyzed under the network attack, the method further comprises the following steps: determining an attention queue of session elements of the payment data network attack to be analyzed corresponding to the screening indexes;
the network attack session element mining operation is carried out on the at least one group of online payment sessions triggering the anti-attack analysis condition to obtain at least one session element of the to-be-analyzed payment data network attack, and the method comprises the following steps: carrying out first session element mining operation on the at least one group of online payment sessions triggering the anti-attack analysis conditions to obtain first session elements of the payment data to be analyzed in the network attack; the first session element is the session element with the maximum attention in the attention queue; on the basis that the first session element meets the session element screening index corresponding to the first session element, performing second session element mining operation on the at least one group of online payment sessions triggering the anti-attack analysis condition to obtain a second session element of the payment data network attack to be analyzed; the second session element is a session element with the second highest attention in the attention queue; and on the basis that the first session element does not meet the screening index corresponding to the first session element, terminating the network attack session element mining operation on the at least one group of online payment sessions triggering the anti-attack analysis condition.
2. The method of claim 1, wherein the obtaining a final resolved record of the payment data network attack to be analyzed in combination with the staged attack resolution record of the payment data network attack to be analyzed, the at least one session element, and the at least one session element screening index of the payment data network attack to be analyzed comprises:
on the basis that the staged attack analysis record is that the at least one group of online payment sessions triggering the anti-attack analysis condition carries the payment data network attack to be analyzed, and the at least one session element meets the at least one session element screening index, determining that the final analysis record is that the payment data network attack to be analyzed is in an activated state;
and on the basis that the staged attack analysis record is that the at least one group of online payment sessions triggering the anti-attack analysis condition carries the payment data network attack to be analyzed, and the at least one session element does not meet the at least one session element screening index, determining that the final analysis record is that the payment data network attack to be analyzed is in a to-be-activated state.
3. The method as claimed in claim 1 or 2, wherein the performing network attack session element mining operation on the at least one group of online payment sessions triggering the anti-attack analysis condition to obtain at least one session element of the payment data network attack to be analyzed comprises: on the basis that the staged attack analysis record is that the at least one group of online payment sessions triggering the anti-attack analysis condition carries the payment data network attack to be analyzed, performing the network attack session element mining operation on the at least one group of online payment sessions triggering the anti-attack analysis condition to obtain at least one session element of the payment data network attack to be analyzed;
wherein the payment data network attack to be analyzed comprises a distributed denial of service attack; the at least one group of online payment sessions triggering the anti-attack analysis condition covers a first online payment session; the first online payment session encompasses distributed denial of service attack detection content;
the step of starting network attack analysis operation on the at least one group of online payment sessions triggering the anti-attack analysis conditions to obtain staged attack analysis records comprises the following steps: on the basis of determining that the distributed denial of service attack detection content carries abnormal detection items, determining that the staged attack analysis record carries the distributed denial of service attack in the first online payment session; the abnormality detection event includes one or both of: responding to the refusal request and the abnormal flow state theme; and on the basis of determining that the distributed denial of service attack detection content does not carry abnormal detection items, determining that the staged attack analysis record does not carry the distributed denial of service attack in the first online payment session.
4. The method of claim 3, wherein the at least one set of online payment sessions that trigger the anti-attack analysis condition includes a third online payment session; the at least one session element screening index comprises a released topic key description set; the at least one session element comprises a significant semantic representation of the anomaly detection event;
the network attack session element mining operation is carried out on the at least one group of online payment sessions triggering the anti-attack analysis condition to obtain at least one session element of the to-be-analyzed payment data network attack, and the method comprises the following steps: carrying out significance semantic expression mining operation on the second online payment session to obtain significance semantic expression content of the abnormal detection items;
the at least one session element satisfying the at least one session element screening index includes: the release topic key description set does not carry semantic vectors corresponding to the significant semantic expression contents;
the at least one session element not meeting the at least one session element screening criteria includes: semantic vectors corresponding to the significant semantic expression contents exist in the release subject key description set;
wherein the at least one session element screening index further comprises a characteristic dimension interval; the at least one conversation element further comprises an event characteristic dimension of an anomaly detection event;
the network attack session element mining operation is carried out on the at least one group of online payment sessions triggering the anti-attack analysis condition to obtain at least one session element of the payment data to be analyzed under the network attack, and the method further comprises the following steps: performing item identification operation on the second online payment session to obtain item feature dimensions of the abnormal detection item;
the at least one session element satisfying the at least one session element screening index includes: the release topic key description set does not carry semantic vectors which have corresponding relations with the significance semantic expressions, and the item feature dimension of the abnormal detection item falls into the feature dimension interval;
the at least one session element not meeting the at least one session element screening criteria comprises at least one of: the released subject key description set does not carry semantic vectors which have corresponding relations with the significant semantic expression; and the item feature dimension of the anomaly detection item does not fall into the feature dimension interval.
5. The method of claim 1, wherein the at least one set of online payment sessions that trigger the attack analysis prevention condition includes a third online payment session and a fourth online payment session, a set digital signature of the third online payment session precedes a set digital signature of the fourth online payment session; the at least one session element screening index comprises a set time sequence accumulated value; the at least one session element comprises a time sequence statistical result of the payment data network attack to be analyzed;
the network attack session element mining operation is carried out on the at least one group of online payment sessions triggering the anti-attack analysis condition to obtain at least one session element of the to-be-analyzed payment data network attack, and the method comprises the following steps: taking the set digital signature of the third online payment session as a starting time sequence node of the network attack of the payment data to be analyzed, and taking the set digital signature of the fourth online payment session as a termination time sequence node of the network attack of the payment data to be analyzed, so as to obtain a time sequence statistical result;
the at least one session element satisfying the at least one session element screening index includes: the time sequence statistical result is greater than the set time sequence accumulated value;
the at least one session element not meeting the at least one session element screening criteria includes: the time sequence statistical result is less than or equal to the set time sequence accumulated value;
wherein the payment data network attack to be analyzed comprises over-authority access; the at least one session element screening index further comprises an over-authority access constraint condition; the at least one session element comprises the distribution condition of the access requests to be processed; the third online payment session and the fourth online payment session both encompass the pending access request;
the network attack session element mining operation is carried out on the at least one group of online payment sessions triggering the anti-attack analysis condition to obtain at least one session element of the to-be-analyzed payment data network attack, and the method comprises the following steps: performing an access request identification operation on the third online payment session to obtain a first distribution condition of the access request to be processed in the third online payment session; performing an access request identification operation on the fourth online payment session to obtain a second distribution condition of the access request to be processed in the fourth online payment session;
the at least one session element satisfying the at least one session element screening index includes: the time sequence statistical result is greater than the set time sequence accumulated value, and the first distribution condition and the second distribution condition are both matched with the over-authority access constraint condition;
the not less than one session element not meeting the not less than one session element screening indicator comprises one or more of: and the time sequence statistical result is less than or equal to the set time sequence accumulated value, the first distribution condition does not match the over-authority access constraint condition, and the second distribution condition does not match the over-authority access constraint condition.
6. The method of claim 1, wherein the at least one set of online payment sessions that trigger the anti-attack analysis condition includes a fifth online payment session; the at least one session element screening index comprises a credible evaluation judgment value;
the network attack session element mining operation is carried out on the at least one group of online payment sessions triggering the anti-attack analysis condition to obtain at least one session element of the to-be-analyzed payment data network attack, and the method comprises the following steps: performing item identification operation on the fifth online payment session to obtain credible evaluation of abnormal detection items in the fifth online payment session;
the at least one session element satisfying the at least one session element screening index includes: the credibility evaluation of the abnormal detection item is larger than the credibility evaluation judgment value;
the at least one session element not meeting the at least one session element screening index includes: the credibility evaluation of the abnormal detection item is less than or equal to the credibility evaluation judgment value.
7. The method of claim 1, wherein the at least one session element screening metric comprises an abnormal alert timing interval;
the network attack session element mining operation is carried out on the at least one group of online payment sessions triggering the anti-attack analysis condition to obtain at least one session element of the to-be-analyzed payment data network attack, and the method comprises the following steps: taking a set digital signature of a sixth online payment session as the activation moment of the network attack of the payment data to be analyzed; the sixth online payment session is the online payment session with the latest digital signature set in the online payment sessions with at least one group of trigger anti-attack analysis conditions;
the at least one session element satisfying the at least one session element screening index includes: the activation time of the payment data network attack to be analyzed does not fall into the abnormal prompt time sequence interval;
the at least one session element not meeting the at least one session element screening index includes: the activation moment of the payment data network attack to be analyzed falls into the abnormal prompt time sequence interval.
8. The method of claim 1, wherein the method further comprises: issuing an attack coping strategy on the basis that the final analysis record indicates that the payment data to be analyzed is in a to-be-activated state.
9. A computer storage medium, characterized in that it stores a computer program which, when executed, implements the method of any one of claims 1-8.
CN202111488103.3A 2021-12-08 2021-12-08 Big data anti-attack method based on online payment and storage medium Active CN114154990B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202210858531.9A CN115271719A (en) 2021-12-08 2021-12-08 Attack protection method based on big data and storage medium
CN202111488103.3A CN114154990B (en) 2021-12-08 2021-12-08 Big data anti-attack method based on online payment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111488103.3A CN114154990B (en) 2021-12-08 2021-12-08 Big data anti-attack method based on online payment and storage medium

Related Child Applications (1)

Application Number Title Priority Date Filing Date
CN202210858531.9A Division CN115271719A (en) 2021-12-08 2021-12-08 Attack protection method based on big data and storage medium

Publications (2)

Publication Number Publication Date
CN114154990A CN114154990A (en) 2022-03-08
CN114154990B true CN114154990B (en) 2022-09-20

Family

ID=80453293

Family Applications (2)

Application Number Title Priority Date Filing Date
CN202111488103.3A Active CN114154990B (en) 2021-12-08 2021-12-08 Big data anti-attack method based on online payment and storage medium
CN202210858531.9A Pending CN115271719A (en) 2021-12-08 2021-12-08 Attack protection method based on big data and storage medium

Family Applications After (1)

Application Number Title Priority Date Filing Date
CN202210858531.9A Pending CN115271719A (en) 2021-12-08 2021-12-08 Attack protection method based on big data and storage medium

Country Status (1)

Country Link
CN (2) CN114154990B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114625804B (en) * 2022-03-30 2022-11-08 深圳唯爱智云科技有限公司 Big data-based user behavior data processing method and system and cloud platform
CN115510984B (en) * 2022-09-29 2024-01-02 广州合利宝支付科技有限公司 Anti-intrusion method and system for payment platform and cloud platform
CN116976960B (en) * 2023-09-22 2023-12-05 广州扬盛计算机软件有限公司 Data processing method and system for two-dimensional code payment

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105721427A (en) * 2016-01-14 2016-06-29 湖南大学 Method for mining attack frequent sequence mode from Web log
CN111553701A (en) * 2020-05-14 2020-08-18 支付宝(杭州)信息技术有限公司 Session-based risk transaction determination method and device
CN111835708A (en) * 2014-12-30 2020-10-27 华为技术有限公司 Characteristic information analysis method and device
CN111935192A (en) * 2020-10-12 2020-11-13 腾讯科技(深圳)有限公司 Network attack event tracing processing method, device, equipment and storage medium
CN112491867A (en) * 2020-11-24 2021-03-12 北京航空航天大学 SSH man-in-the-middle attack detection system based on session similarity analysis
CN113393246A (en) * 2021-06-29 2021-09-14 山东派盟网络科技有限公司 Payment platform risk identification method and system based on data acquisition system
CN113643033A (en) * 2021-09-02 2021-11-12 于静 Information processing method and server for big data wind control analysis
CN113641993A (en) * 2021-09-02 2021-11-12 于静 Data security processing method based on cloud computing and data security server
CN113706158A (en) * 2021-09-01 2021-11-26 杨思亭 Big data intrusion prevention analysis method and system based on cloud payment

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9715592B2 (en) * 2015-10-16 2017-07-25 Sap Se Dynamic analysis security testing of multi-party web applications via attack patterns
US10546302B2 (en) * 2016-06-30 2020-01-28 Square, Inc. Logical validation of devices against fraud and tampering
CN110661623B (en) * 2018-06-29 2022-10-11 高级计算发展中心(C-Dac),班加罗尔 Method and system for authenticating a user using a Personal Authentication Device (PAD)
JP2022546470A (en) * 2019-08-30 2022-11-04 コーネル ユニヴァーシティ Decentralized techniques for validation of data in transport layer security and other contexts
IT202000006340A1 (en) * 2020-03-25 2021-09-25 Cleafy Spa Method for monitoring and protecting access to an online service

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111835708A (en) * 2014-12-30 2020-10-27 华为技术有限公司 Characteristic information analysis method and device
CN105721427A (en) * 2016-01-14 2016-06-29 湖南大学 Method for mining attack frequent sequence mode from Web log
CN111553701A (en) * 2020-05-14 2020-08-18 支付宝(杭州)信息技术有限公司 Session-based risk transaction determination method and device
CN111935192A (en) * 2020-10-12 2020-11-13 腾讯科技(深圳)有限公司 Network attack event tracing processing method, device, equipment and storage medium
CN112491867A (en) * 2020-11-24 2021-03-12 北京航空航天大学 SSH man-in-the-middle attack detection system based on session similarity analysis
CN113393246A (en) * 2021-06-29 2021-09-14 山东派盟网络科技有限公司 Payment platform risk identification method and system based on data acquisition system
CN113706158A (en) * 2021-09-01 2021-11-26 杨思亭 Big data intrusion prevention analysis method and system based on cloud payment
CN113643033A (en) * 2021-09-02 2021-11-12 于静 Information processing method and server for big data wind control analysis
CN113641993A (en) * 2021-09-02 2021-11-12 于静 Data security processing method based on cloud computing and data security server

Also Published As

Publication number Publication date
CN114154990A (en) 2022-03-08
CN115271719A (en) 2022-11-01

Similar Documents

Publication Publication Date Title
CN114154990B (en) Big data anti-attack method based on online payment and storage medium
EP3598329B1 (en) Information processing method, information processing system, and program
US10911437B2 (en) Detection of anomalous authentication attempts in a client-server architecture
CN114154995B (en) Abnormal payment data analysis method and system applied to big data wind control
CN109344611B (en) Application access control method, terminal equipment and medium
US20150143494A1 (en) Continuous identity authentication method for computer users
CN108256322B (en) Security testing method and device, computer equipment and storage medium
CN113706176B (en) Information anti-fraud processing method and service platform system combined with cloud computing
CN113111359A (en) Big data resource sharing method and resource sharing system based on information security
CN114154147A (en) Man-machine behavior detection method, system, equipment and medium
CN113918621A (en) Big data protection processing method based on internet finance and server
CN113486343A (en) Attack behavior detection method, device, equipment and medium
CN113055399A (en) Attack success detection method, system and related device for injection attack
RU2659736C1 (en) System and method of detecting new devices under user interaction with banking services
CN113312671A (en) Digital business operation safety processing method and system applied to big data mining
CN109214212B (en) Information leakage prevention method and device
CN117009832A (en) Abnormal command detection method and device, electronic equipment and storage medium
CN111625825B (en) Virus detection method, device, equipment and storage medium
EP3174263A1 (en) Apparatus and method for verifying detection rule
CN113609111A (en) Big data testing method and system
CN115706669A (en) Network security situation prediction method and system
CN114157501A (en) Parameter analysis method and device based on Tianri database
CN112464218A (en) Model training method and device, electronic equipment and storage medium
JP5454166B2 (en) Access discrimination program, apparatus, and method
CN113239331B (en) Risk account anti-intrusion identification method and system based on big data

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20220608

Address after: 061000 Nancang street, Po Town, Botou City, Cangzhou City, Hebei Province

Applicant after: Huang Yibao

Address before: 061000 Nancang street, Po Town, Botou City, Cangzhou City, Hebei Province

Applicant before: Hebei Xiaobo Internet Technology Co.,Ltd.

TA01 Transfer of patent application right

Effective date of registration: 20220822

Address after: B121, Floor 1, Building 3, No. 67, Chaoyang Road, Chaoyang District, Beijing 100020

Applicant after: Beijing Huishouqian Technology Co.,Ltd.

Address before: 061000 Nancang street, Po Town, Botou City, Cangzhou City, Hebei Province

Applicant before: Huang Yibao

GR01 Patent grant