CN114218565A - Intrusion protection data processing method based on big data and big data server - Google Patents

Info

Publication number: CN114218565A
Authority: CN (China)
Prior art keywords: interactive behavior; behavior; data; behavior data; cloud
Legal status: Granted, Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202111397910.4A
Other languages: Chinese (zh)
Other versions: CN114218565B (en)
Inventor: 赵运岐
Current Assignee: Chongqing Zhongyuan Lvlan Energy Technology Co ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Individual
Application filed by: Individual
Priority to: CN202111397910.4A
Granted publication: CN114218565B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/21 Design, administration or maintenance of databases

Abstract

According to the big-data-based intrusion protection data processing method and the big data server, after first reference interactive behavior data corresponding to a target behavior description is constructed, a data fragment queue of cloud reference interactive behavior whose operation behavior habit characteristics match those of the first reference interactive behavior data is screened out using the cloud reference interactive behavior database. Second reference interactive behavior data is then constructed and local reference interactive behavior data fragments are determined using the local reference interactive behavior database, and the intrusion protection behavior data fragments corresponding to those local reference interactive behavior data fragments in the intrusion protection interactive behavior database are fused to obtain target intrusion protection interactive behavior data. This ensures that the target intrusion protection interactive behavior data keeps the corresponding operation behavior habit characteristics, reduces its identification error under other intrusion prevention strategies, and ensures that it is suitable for different intrusion prevention strategies.

Description

Intrusion protection data processing method based on big data and big data server
Technical Field
The application relates to the technical field of big data and information security, in particular to an intrusion prevention data processing method based on big data and a big data server.
Background
In the rapidly developing era of big data and the internet, information security is an increasing concern. As digital information systems continue to be built out, the volume of intrusion prevention data is growing geometrically, and traditional systems and tools have difficulty processing such a huge amount of it effectively. More and more data owners place higher demands on big data, expecting effective intrusion prevention to be achieved through the analysis of massive data.
In view of this, big data technologies such as cloud computing and cloud storage continue to spread, and applications and products built on big data are emerging, indicating that the big data era of intrusion prevention is gradually beginning.
With the development of artificial intelligence, intrusion prevention processing can be generally performed based on an intrusion prevention policy, and the operation principle of the intrusion prevention policy is to analyze interactive behavior data so as to judge whether an intrusion behavior or an intrusion intention exists. In order to ensure that the intrusion protection policy can be applied to different service scenarios, it is usually necessary to optimize and upgrade the data identification capability of the intrusion protection policy. In other words, the intrusion prevention policy is required to perform recognition analysis on different interactive behavior data. How to guarantee the quality of the interactive behavior data used by different intrusion prevention strategies is a technical problem to be considered at present.
Disclosure of Invention
In view of the foregoing, the present application provides the following.
The scheme of one embodiment of the application provides an intrusion prevention data processing method based on big data, which is applied to a big data server, and the method comprises the following steps:
obtaining a target behavior description; constructing first reference interactive behavior data corresponding to the target behavior description; screening out a data fragment queue of the cloud reference interactive behavior of which the operating behavior habit characteristics are matched with the operating behavior habit characteristics of the first reference interactive behavior data from a cloud reference interactive behavior database;
searching a data fragment queue of the local reference interactive behavior corresponding to the data fragment queue of the cloud reference interactive behavior in a local reference interactive behavior database; according to the operation behavior habit characteristics of the data fragment queue of the local reference interactive behavior, second reference interactive behavior data corresponding to the target behavior description is constructed;
determining a local reference interactive behavior data segment matched with the service interactive demand characteristic corresponding to the second reference interactive behavior data from the local reference interactive behavior database; fusing intrusion protection behavior data segments corresponding to the local reference interaction behavior data segments in an intrusion protection interaction behavior database to obtain target intrusion protection interaction behavior data; the behavior description contents of the local reference interactive behavior database, the cloud reference interactive behavior database and the intrusion protection interactive behavior database are the same, and the intrusion protection interactive behavior database is matched with the operation behavior habit characteristics of the local reference interactive behavior database.
Preferably, the screening out a data fragment queue of the cloud-referenced interactive behavior whose operating behavior habit features are matched with the operating behavior habit features of the first reference interactive behavior data from the cloud-referenced interactive behavior database includes:
acquiring a candidate data fragment queue of the cloud reference interactive behavior from a cloud reference interactive behavior database according to the first reference interactive behavior data;
determining the characteristic difference degree of the operation behavior habit characteristics of the candidate data segment queue of the cloud reference interactive behavior and the first reference interactive behavior data;
and taking the candidate data segment queue of the cloud reference interactive behavior corresponding to the characteristic difference degree of the minimum operation behavior habit characteristics as the data segment queue of the cloud reference interactive behavior matched with the operation behavior habit characteristics of the first reference interactive behavior data.
Preferably, the obtaining a candidate data fragment queue of the cloud-referenced interactive behavior from the cloud-referenced interactive behavior database according to the first reference interactive behavior data includes:
determining a number of reference interactive behavior data segments comprised by the first reference interactive behavior data;
and acquiring a candidate data fragment queue of the cloud reference interactive behaviors, wherein the number of the cloud reference interactive behavior data fragments is equal to the determined number, from a cloud reference interactive behavior database.
Preferably, the obtaining, from the cloud reference interactive behavior database, a candidate data fragment queue of cloud reference interactive behaviors, where the number of the cloud reference interactive behavior data fragments is equal to the determined number, includes:
searching a data fragment queue of the cloud reference interactive behaviors in the cloud reference interactive behavior database;
when the number of the cloud reference interactive behavior data fragments included in the searched data fragment queue of the cloud reference interactive behavior is smaller than the determined number, continuing the search;
when the number of the cloud reference interactive behavior data segments included in the searched data segment queue of the cloud reference interactive behavior is equal to the determined number, taking the searched data segment queue of the cloud reference interactive behavior as a candidate data segment queue of the cloud reference interactive behavior;
when the number of the cloud reference interactive behavior data fragments included in the searched data fragment queue of the cloud reference interactive behavior is larger than the determined number, separating the candidate data fragment queue of the cloud reference interactive behavior according to the sequence of the included cloud reference interactive behavior data fragments and the determined number.
Preferably, the determining the feature difference between the candidate data segment queue of the cloud-side reference interactive behavior and the operation behavior habit feature of the first reference interactive behavior data includes:
extracting a reference interactive behavior data segment from the first reference interactive behavior data;
generating feature difference degrees of operation behavior habit features of the candidate data segment queue of the cloud reference interactive behaviors and the first reference interactive behavior data according to difference results of operation behavior habit quantized values between the cloud reference interactive behavior data segments included in the candidate data segment queue of the cloud reference interactive behaviors and the extracted reference interactive behavior data segments corresponding to the cloud reference interactive behaviors; the difference result of the operation behavior habit quantized value comprises at least one of a time sequence difference result, a track change degree difference result, a time sequence distribution difference of a business interaction demand quantized value and a possibility distribution difference of a track change degree.
Preferably, the determining, from the local reference interactive behavior database, a local reference interactive behavior data segment matched with the service interaction requirement feature corresponding to the second reference interactive behavior data includes:
extracting a reference interactive behavior data segment from the second reference interactive behavior data; determining behavior event characteristics of the extracted reference interactive behavior data segments;
screening a local reference interactive behavior data segment subset with behavior event characteristics matched with the behavior event characteristics of the extracted reference interactive behavior data segments from the local reference interactive behavior database;
determining service interaction requirement characteristic difference degrees of each local reference interaction behavior data segment in each local reference interaction behavior data segment subset and the corresponding extracted reference interaction behavior data segment;
and determining a local reference interactive behavior data segment corresponding to the minimum service interaction requirement characteristic difference degree as a local reference interactive behavior data segment matched with the service interaction requirement characteristic corresponding to the second reference interactive behavior data.
Preferably, the determining, for each local reference interactive behavior data segment in each local reference interactive behavior data segment subset, a service interaction requirement characteristic difference from the corresponding extracted reference interactive behavior data segment includes:
determining a service interaction demand quantized value of each local reference interaction behavior data segment in each local reference interaction behavior data segment subset;
determining a business interaction requirement quantized value of each extracted reference interaction behavior data segment;
calculating a difference result of corresponding business interaction demand quantitative values for each local reference interaction behavior data segment and the corresponding extracted reference interaction behavior data segment;
and generating a service interaction demand characteristic difference degree having a set relation with the difference result according to the difference result.
Preferably, the fusing the intrusion prevention behavior data segments corresponding to the local reference interactive behavior data segments in the intrusion prevention interactive behavior database to obtain the target intrusion prevention interactive behavior data includes:
sorting the determined local reference interactive behavior data segments according to a behavior event sequence in the corresponding target behavior description;
determining the fusion position of adjacent local reference interactive behavior data segments in the sorted local reference interactive behavior data segments;
searching an intrusion prevention behavior data fragment corresponding to the local reference interactive behavior data fragment in an intrusion prevention interactive behavior database;
fusing the corresponding intrusion prevention behavior data fragments according to the determined fusion positions of the adjacent local reference interactive behavior data fragments to obtain target intrusion prevention interactive behavior data;
wherein the determining of the fusion position of the adjacent local reference interactive behavior data segment in the sorted local reference interactive behavior data segments comprises:
acquiring interactive behavior data content extracted from each determined local reference interactive behavior data segment;
determining the number of fused repeated interactive behavior data contents of adjacent local reference interactive behavior data segments; wherein the degree of distinction between the interactive behavior data content corresponding to the number of the fused repetitive interactive behavior data content of each of the adjacent local reference interactive behavior data segments is minimized;
and determining the fusion position of the adjacent local reference interactive behavior data segment in the sorted local reference interactive behavior data segments according to the quantity of the fusion repeated interactive behavior data content.
Preferably, before obtaining the target behavior description, the method further includes:
acquiring historical interactive behavior data of intrusion protection;
identifying behavior description contents corresponding to the historical intrusion protection interactive behavior data;
generating a data fragment queue of the cloud reference interaction behavior according to the behavior description content obtained by identification;
creating a cloud reference interactive behavior database according to the generated data fragment queue of the cloud reference interactive behavior;
acquiring operation behavior habit characteristics of the acquired intrusion protection historical interaction behavior data;
generating a data fragment queue of the local reference interactive behavior according to the behavior description content obtained by identification and the acquired operation behavior habit characteristics;
and creating a local reference interactive behavior database according to the generated data fragment queue of the local reference interactive behavior.
The scheme of one embodiment of the application provides a big data server, which comprises a processing engine, a network module and a memory; the processing engine and the memory communicate through the network module, and the processing engine reads the computer program from the memory and operates to perform the above-described method.
In the description that follows, additional features will be set forth, in part, in the description. These features will be in part apparent to those skilled in the art upon examination of the following and the accompanying drawings, or may be learned by production or use. The features of the present application may be realized and attained by practice or use of various aspects of the methodologies, instrumentalities and combinations particularly pointed out in the detailed examples that follow.
Drawings
The present application will be further explained by way of exemplary embodiments, which will be described in detail by way of the accompanying drawings. These embodiments are not intended to be limiting, and in these embodiments like numerals are used to indicate like structures, wherein:
FIG. 1 is a flow diagram of an exemplary big data based intrusion prevention data processing method and/or process, according to some embodiments of the present application;
FIG. 2 is a block diagram of an exemplary big data based intrusion prevention data processing apparatus according to some embodiments of the present application;
FIG. 3 is a block diagram of an exemplary big-data based intrusion prevention data processing system, according to some embodiments of the present application; and
FIG. 4 is a diagram illustrating hardware and software components in an exemplary big data server, according to some embodiments of the present application.
Detailed Description
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings used in the description of the embodiments will be briefly introduced below. It is obvious that the drawings in the following description are only examples or embodiments of the application, from which the application can also be applied to other similar scenarios without inventive effort for a person skilled in the art. Unless otherwise apparent from the context, or otherwise indicated, like reference numbers in the figures refer to the same structure or operation.
It should be understood that "system", "device", "unit" and/or "module" as used herein is a method for distinguishing different components, elements, parts, portions or assemblies at different levels. However, other words may be substituted by other expressions if they accomplish the same purpose.
As used in this application and the appended claims, the terms "a," "an," and/or "the" do not refer to the singular only and may also include the plural, unless the context clearly dictates otherwise. In general, the terms "comprises" and "comprising" merely indicate that the explicitly identified steps and elements are included; these steps and elements do not form an exclusive list, and a method or apparatus may include other steps or elements.
Flow charts are used herein to illustrate operations performed by systems according to embodiments of the present application. It should be understood that the preceding or following operations are not necessarily performed in the exact order shown. Rather, the various steps may be processed in reverse order or simultaneously. Other operations may also be added to the processes, or one or more steps may be removed from them.
In order to better understand the technical solutions of the present invention, the following detailed descriptions of the technical solutions of the present invention are provided with the accompanying drawings and the specific embodiments, and it should be understood that the specific features in the embodiments and the examples of the present invention are the detailed descriptions of the technical solutions of the present invention, and are not limitations of the technical solutions of the present invention, and the technical features in the embodiments and the examples of the present invention may be combined with each other without conflict.
As described in the background art, the inventor finds that interactive behavior data in the related art is difficult to adapt to different intrusion prevention strategies, and identification errors may be caused.
The overall scheme of the big-data-based intrusion protection data processing method and the big data server provided by the application can be summarized as follows: first reference interactive behavior data corresponding to the obtained target behavior description is constructed, and the intrusion protection interactive behavior data is optimized by combining a cloud reference interactive behavior database and a local reference interactive behavior database, so as to obtain target intrusion protection interactive behavior data. Because the behavior description contents of the local reference interactive behavior database, the cloud reference interactive behavior database and the intrusion protection interactive behavior database are the same, and the operation behavior habit characteristics of the intrusion protection interactive behavior database match those of the local reference interactive behavior database, the target intrusion protection interactive behavior data retains the corresponding operation behavior habit characteristics, its identification errors when used by other intrusion protection strategies are reduced, and it is suitable for different intrusion protection strategies.
To further explain the overall scheme, an exemplary big-data-based intrusion prevention data processing method is described first. Referring to FIG. 1, which is a flowchart of an exemplary big-data-based intrusion prevention data processing method and/or process according to some embodiments of the present application, the method may include the technical schemes described in the following steps 100 to 300.
Step 100, a big data server obtains target behavior description; constructing first reference interactive behavior data corresponding to the target behavior description; and screening out a data fragment queue of the cloud reference interactive behavior with the operating behavior habit characteristics matched with the operating behavior habit characteristics of the first reference interactive behavior data from a cloud reference interactive behavior database.
For example, the target behavior description may be used to record business interaction behavior data. The big data server can obtain a target behavior description according to the service interaction log, and the target behavior description can be a behavior description meeting set conditions (such as an interaction heat judgment condition and an interaction security judgment condition).
Further, the first reference interactive behavior data is used for expressing the target behavior description from a data level, for example, the target behavior description may be a behavior description feature, and the first reference interactive behavior data may be obtained by translating the behavior description feature.
In the embodiment of the application, the cloud-side reference interactive behavior database and the local reference interactive behavior database below the cloud-side reference interactive behavior database can be pre-established and used as a reference for interactive behavior data conversion, so that the interactive behavior data obtained through conversion can be suitable for different intrusion protection strategies.
It can be understood that the operation behavior habit features are used for representing the operation behavior habits of the user corresponding to the interactive behavior data, and the operation behavior habit features can be used as key features for intrusion prevention judgment, so that the accuracy of interactive behavior data conversion can be ensured by keeping the operation behavior habit features, and the deviation of the same operation behavior habit features in the interactive behavior data conversion process is avoided.
In some possible embodiments, in order to accurately determine the data fragment queue of the cloud reference interactive behavior whose operation behavior habit characteristics match those of the first reference interactive behavior data, the screening from the cloud reference interactive behavior database described in step 100 may be implemented by the technical solutions described in the following steps 110 to 130.
Step 110, acquiring a candidate data fragment queue of the cloud reference interactive behavior from a cloud reference interactive behavior database according to the first reference interactive behavior data.
In this embodiment of the application, so that the subsequent matching of operation behavior habit features does not become confused, it is necessary to ensure that the number of the candidate data segment queues of the cloud reference interactive behavior matches the first reference interactive behavior data. To this end, obtaining the candidate data segment queue of the cloud reference interactive behavior from the cloud reference interactive behavior database according to the first reference interactive behavior data, as described in step 110, may further include the technical solutions described in the following steps 111 and 112.
Step 111, determining the number of reference interactive behavior data segments included in the first reference interactive behavior data.
For example, when the number of reference interactive behavior data segments included in the first reference interactive behavior data is determined, segment splitting may be performed according to an interactive behavior event or an interactive behavior time sequence corresponding to the first reference interactive behavior data, so as to ensure that the obtained reference interactive behavior data segments do not change their own meaning.
Step 112, acquiring, from the cloud reference interactive behavior database, a candidate data fragment queue of the cloud reference interactive behavior in which the number of cloud reference interactive behavior data fragments is equal to the determined number.
After the number of the reference interactive behavior data segments included in the first reference interactive behavior data is determined, the candidate data segment queue of the corresponding cloud reference interactive behavior may be determined according to the number of the reference interactive behavior data segments included in the first reference interactive behavior data.
Further, the obtaining, from the cloud reference interaction behavior database, the candidate data fragment queue of the cloud reference interaction behaviors, where the number of the cloud reference interaction behavior data fragments included in the candidate data fragment queue is equal to the determined number, as described in step 112, may include the following steps 1121 to 1124.
Step 1121, searching a data fragment queue of the cloud reference interactive behavior included in the cloud reference interactive behavior database.
For example, a data fragment queue of cloud-referenced interaction behaviors included in the cloud-referenced interaction behavior database may be traversed.
Step 1122, when the number of the cloud reference interactive behavior data segments included in the searched data segment queue of the cloud reference interactive behavior is smaller than the determined number, continuing the search.
For example, when the number of cloud reference interactive behavior data fragments included in the traversed cloud reference interactive behavior data fragment queue is smaller than the determined number, the traversal is continued.
Step 1123, when the number of the cloud reference interactive behavior data segments included in the searched data segment queue of the cloud reference interactive behavior is equal to the determined number, taking the searched data segment queue of the cloud reference interactive behavior as a candidate data segment queue of the cloud reference interactive behavior.
For example, when the number of cloud reference interactive behavior data segments included in the traversed cloud reference interactive behavior data segment queue is equal to the determined number, the traversed cloud reference interactive behavior data segment queue is used as a candidate data segment queue of the cloud reference interactive behavior.
Step 1124, when the number of the cloud reference interactive behavior data segments included in the searched cloud reference interactive behavior data segment queue is greater than the determined number, separating the searched cloud reference interactive behavior data segment queue into a candidate cloud reference interactive behavior data segment queue according to the sequence of the included cloud reference interactive behavior data segments and the determined number.
For another example, when the number of cloud reference interactive behavior data segments included in the traversed cloud reference interactive behavior data segment queue is greater than the determined number, the traversed cloud reference interactive behavior data segment queue is used to separate a candidate data segment queue of the cloud reference interactive behavior according to the included sequence of the cloud reference interactive behavior data segments and the determined number.
Thus, steps 1121 to 1124 ensure that no data segment in the candidate data segment queue of the cloud reference interactive behavior is missed.
Thus, steps 111 and 112 ensure that the number of candidate data segment queues of the cloud reference interactive behavior matches the first reference interactive behavior data, so that the subsequent matching of operation behavior habit features is not confused.
Step 120, determining the feature difference degree between the operation behavior habit features of the candidate data segment queue of the cloud reference interactive behavior and those of the first reference interactive behavior data.
In the embodiment of the present application, the feature difference degree of the operation behavior habit features may also be understood as the feature differentiation degree of the operation behavior habit features.
In some possible embodiments, in order to reduce the error of the feature difference degree of the operation behavior habit features as much as possible, determining the feature difference degree of the operation behavior habit features of the candidate data segment queue of the cloud reference interactive behavior and the first reference interactive behavior data, as described in step 120 above, may include the technical solutions described in steps 121 and 122 below.
Step 121, extracting a reference interactive behavior data segment from the first reference interactive behavior data.
Step 122, generating a feature difference degree of the operation behavior habit features of the candidate data segment queue of the cloud reference interaction behavior and the first reference interaction behavior data according to the difference result of the operation behavior habit quantized values between each cloud reference interaction behavior data segment included in the candidate data segment queue of the cloud reference interaction behavior and the extracted reference interaction behavior data segment corresponding to each cloud reference interaction behavior data segment.
In step 122, the difference result of the operation behavior habit quantized value includes at least one of a time sequence difference result, a track change degree difference result, a time sequence distribution difference of the business interaction requirement quantized value, and a probability distribution difference of the track change degree. For example, a difference result may be understood as a difference value, and a distribution difference may be understood as the probabilities of the time sequence difference and the track change degree recorded in the form of a list.
For example, the operation behavior habit quantized value is used for expressing feature difference degrees of different operation behavior habit features, and the difference result of the operation behavior habit quantized value includes at least one of a time sequence difference result, a trajectory change degree difference result, a time sequence distribution difference of a business interaction requirement quantized value, and a probability distribution difference of the trajectory change degree, so that the feature difference degrees of the operation behavior habit features can be analyzed from different angles as much as possible, and errors of the feature difference degrees of the operation behavior habit features can be reduced as much as possible.
Step 130, taking the candidate data segment queue of the cloud reference interactive behavior that corresponds to the minimum feature difference degree of the operation behavior habit features as the data segment queue of the cloud reference interactive behavior matched with the operation behavior habit features of the first reference interactive behavior data.
For example, the candidate data segment queue of the cloud-side reference interactive behavior with the smallest feature differentiation degree of the operation behavior habit features may be understood as the candidate data segment queue of the cloud-side reference interactive behavior with the most similar operation behavior habit features, so that it is ensured that the data segment queue of the cloud-side reference interactive behavior matched with the operation behavior habit features of the first reference interactive behavior data satisfies the similarity of the operation behavior habit features as much as possible.
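The queue selection in steps 1122 to 1124 and the minimum-difference match in steps 121 to 130, as an added Python sketch rather than code from the patent. It assumes the determined number equals the number of segments in the first reference data, that step 1124 splits a longer queue into every in-order window of that length, and that the difference degree is the sum of absolute timing and track-change differences; the `Segment` fields and all sample values are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """Constructed stand-in for one data segment's habit quantized values."""
    timing: float        # assumed unit: seconds between interaction events
    track_change: float  # assumed: degree of trajectory change, 0..1


def candidate_queues(queue, n):
    """Steps 1122-1124 for one searched cloud queue.

    Fewer than n segments: no candidate (the search continues).
    Exactly n segments: the queue itself is the only candidate.
    More than n segments: split, in order, into every window of n segments.
    """
    if len(queue) < n:
        return []
    return [queue[i:i + n] for i in range(len(queue) - n + 1)]


def difference_degree(candidate, reference):
    """Step 122: accumulate the per-segment differences of quantized values."""
    return sum(
        abs(c.timing - r.timing) + abs(c.track_change - r.track_change)
        for c, r in zip(candidate, reference)
    )


def best_match(cloud_queues, reference):
    """Step 130: return (degree, queue name, window offset, candidate) for the
    candidate with the minimum difference degree, or None if none exists."""
    n = len(reference)
    best = None
    for name, queue in cloud_queues.items():
        for offset, cand in enumerate(candidate_queues(queue, n)):
            degree = difference_degree(cand, reference)
            if best is None or degree < best[0]:
                best = (degree, name, offset, cand)
    return best


# Constructed sample data: first reference data with three segments.
REFERENCE = [Segment(1.0, 0.25), Segment(2.0, 0.5), Segment(1.5, 0.25)]

# Constructed cloud database with one queue per case of steps 1122-1124.
CLOUD_QUEUES = {
    "q_short": [Segment(1.0, 0.25), Segment(2.0, 0.5)],
    "q_equal": [Segment(1.5, 0.25), Segment(2.5, 0.5), Segment(1.0, 0.75)],
    "q_long": [
        Segment(3.0, 1.0), Segment(1.0, 0.25), Segment(2.0, 0.75),
        Segment(1.5, 0.25), Segment(4.0, 0.0),
    ],
}

if __name__ == "__main__":
    degree, name, offset, _ = best_match(CLOUD_QUEUES, REFERENCE)
    print(f"best candidate: {name}[{offset}:{offset + len(REFERENCE)}], "
          f"difference degree {degree}")
```

The short queue contributes no candidate, so it can never win the match by accident of having fewer terms in the sum; that is the practical effect of fixing the candidate length before comparing.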
Step 200, the big data server searches a local reference interactive behavior database for the data segment queue of the local reference interactive behavior corresponding to the data segment queue of the cloud reference interactive behavior, and constructs second reference interactive behavior data corresponding to the target behavior description according to the operation behavior habit features of the data segment queue of the local reference interactive behavior.
For example, the local reference interactive behavior database may be synchronized with the big data server in order to perform a timing consistency check on the interactive behavior data, thereby ensuring that no timing deviation occurs during conversion of the interactive behavior data. Further, the search for the data segment queue of the local reference interactive behavior corresponding to the data segment queue of the cloud reference interactive behavior can be carried out according to the target behavior description, thereby ensuring that the data segment queue of the local reference interactive behavior corresponds to the target behavior description. Further, a preset neural network model can be used to translate the operation behavior habit features of the data segment queue of the local reference interactive behavior, so as to obtain the second reference interactive behavior data corresponding to the target behavior description. In general, as in image processing, translating features into data may be understood as "decoding" and extracting features from data may be understood as "encoding", so the above processing of the operation behavior habit features and the reference interactive behavior data may refer to the related prior art and is not described again here.
Step 300, the big data server determines a local reference interactive behavior data segment matched with the service interactive demand characteristic corresponding to the second reference interactive behavior data from the local reference interactive behavior database; and fusing intrusion protection behavior data segments corresponding to the local reference interaction behavior data segments in the intrusion protection interaction behavior database to obtain target intrusion protection interaction behavior data.
In the embodiment of the application, the intrusion protection interactive behavior database can be understood as a general database and is used for realizing the sharing of interactive behavior data so as to ensure that different intrusion protection strategies can learn different interactive behavior data, so as to optimize the intrusion protection strategies and improve the capability of the intrusion protection strategies for identifying different interactive behavior data.
When the intrusion protection policy analyzes and identifies the interactive behavior data, in order to ensure that the interactive behavior data can keep the original operation behavior habit characteristics, after determining the local reference interactive behavior data segment matched with the service interaction demand characteristics corresponding to the second reference interactive behavior data from the local reference interactive behavior database, the intrusion protection behavior data segments corresponding to the local reference interactive behavior data segment in the intrusion protection interactive behavior database can be fused to obtain the target intrusion protection interactive behavior data.
Because the behavior description content of the local reference interactive behavior database, the cloud reference interactive behavior database and the intrusion protection interactive behavior database is the same, and the intrusion protection interactive behavior database matches the operation behavior habit features of the local reference interactive behavior database, it can be ensured that the target intrusion protection interactive behavior data retains the corresponding operation behavior habit features, the identification error of the target intrusion protection interactive behavior data when other intrusion protection strategies run can be reduced, and the target intrusion protection interactive behavior data can be suitable for different intrusion protection strategies.
In some possible embodiments, the determining, from the local reference interaction behavior database described in step 300, a local reference interaction behavior data segment matching the service interaction requirement characteristic corresponding to the second reference interaction behavior data may include the following technical solutions described in steps 310 to 340.
Step 310, extracting a reference interactive behavior data segment from the second reference interactive behavior data; and determining the behavior event characteristics of the extracted reference interactive behavior data segments.
For example, behavioral event features focus on the business interaction events themselves.
Step 320, screening, from the local reference interactive behavior database, the subsets of local reference interactive behavior data segments whose behavior event features match the behavior event features of the extracted reference interactive behavior data segments.
Step 330, determining the service interaction requirement characteristic difference degree between each local reference interactive behavior data segment in each local reference interactive behavior data segment subset and the corresponding extracted reference interactive behavior data segment.
For example, the service interaction requirement can be understood as requirement information in the service interaction process. The service interaction requirement characteristic difference degree describes how different service interaction requirement characteristics differ from one another.
In some possible embodiments, the determining, for each local reference interactive behavior data segment in each local reference interactive behavior data segment subset described in the above step 330, a service interaction requirement characteristic difference from the corresponding extracted reference interactive behavior data segment may include the following technical solutions described in steps 331 to 334.
Step 331, determining the service interaction requirement quantized value of each local reference interactive behavior data segment in each local reference interactive behavior data segment subset.
Step 332, determining the service interaction requirement quantized value of each extracted reference interactive behavior data segment.
Step 333, calculating, for each local reference interactive behavior data segment and the corresponding extracted reference interactive behavior data segment, the difference result of the corresponding service interaction requirement quantized values.
Step 334, generating, according to the difference result, a service interaction requirement characteristic difference degree having a set relation with the difference result.
For example, the service interaction requirement characteristic difference degree having the set relationship with the difference result may be understood as the service interaction requirement characteristic difference degree having a positive correlation with the difference result.
Step 340, determining the local reference interactive behavior data segment corresponding to the minimum service interaction requirement characteristic difference degree as the local reference interactive behavior data segment matched with the service interaction requirement characteristic corresponding to the second reference interactive behavior data.
By adopting the design, the service interaction requirement characteristics can be taken into account by applying the steps 310 to 340, so that the local reference interaction behavior data segment matched with the service interaction requirement characteristics corresponding to the second reference interaction behavior data can be ensured to be matched with the actual service event and service environment in the subsequent data segment fusion process.
In some other embodiments, in order to ensure that no confusion occurs during data segment fusion and to ensure the availability of the target intrusion prevention interactive behavior data, fusing the intrusion prevention behavior data segments corresponding to the local reference interactive behavior data segment in the intrusion prevention interactive behavior database to obtain the target intrusion prevention interactive behavior data, as described in step 300 above, may include the technical solutions described in steps 300a to 300d below.
Step 300a, the determined local reference interactive behavior data segments are sorted according to the behavior event sequence in the corresponding target behavior description.
For example, the ordering may be based on the order of occurrence of the behavioral events.
Step 300b, determining the fusion position of the adjacent local reference interactive behavior data segments in the sorted local reference interactive behavior data segments.
For example, the fusion location may be a relative positional relationship between the data segments.
In some possible embodiments, determining the fusion position of the adjacent local reference interactive behavior data segments in the sorted local reference interactive behavior data segments, as described in step 300b, may include the following: acquiring the interactive behavior data content extracted from each determined local reference interactive behavior data segment; determining the number of fused repeated interactive behavior data contents of adjacent local reference interactive behavior data segments, where the degree of distinction between the interactive behavior data contents corresponding to that number in each of the adjacent local reference interactive behavior data segments is minimized; and determining the fusion position of the adjacent local reference interactive behavior data segments in the sorted local reference interactive behavior data segments according to the number of fused repeated interactive behavior data contents. In this way, the fusion position of the adjacent local reference interactive behavior data segments in the sorted local reference interactive behavior data segments can be accurately determined.
Step 300c, searching the intrusion prevention interactive behavior database for the intrusion prevention behavior data fragment corresponding to each local reference interactive behavior data fragment.
For example, intrusion prevention behavior data fragments may be understood as data fragments that apply to different intrusion prevention policies.
Step 300d, fusing the corresponding intrusion prevention behavior data fragments according to the determined fusion positions of the adjacent local reference interactive behavior data fragments to obtain the target intrusion prevention interactive behavior data.
It can be understood that by implementing the above steps 300a-300d, data fusion can be performed based on the fusion location, so as to ensure that no confusion occurs in the data segment fusion process and to ensure the availability of target intrusion prevention interactive behavior data.
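Steps 300a to 300d as an added Python sketch, not code from the patent. It assumes each segment's content is a list of numeric quantized values, that the "degree of distinction" is the mean absolute difference between the tail of one segment and the head of the next, that the overlap is capped at three items, and that each intrusion protection fragment is aligned item for item with its local segment; all names and sample values are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LocalSegment:
    """Constructed stand-in for a local reference interactive behavior segment."""
    seg_id: str        # key shared with the intrusion protection database
    event_order: int   # position of the behavior event in the target description
    content: tuple     # extracted interactive behavior data content (quantized)


def overlap_count(earlier, later, cap=3):
    """Step 300b: number of repeated content items between adjacent segments.

    Tries every overlap length k from the cap down to 1 and keeps the k whose
    tail/head pair has the smallest mean absolute difference. Ties go to the
    longer overlap because it is tried first.
    """
    limit = min(len(earlier), len(later), cap)
    best_k, best_score = 0, None
    for k in range(limit, 0, -1):
        tail, head = earlier[-k:], later[:k]
        score = sum(abs(a - b) for a, b in zip(tail, head)) / k
        if best_score is None or score < best_score:
            best_k, best_score = k, score
    return best_k


def fuse(local_segments, protection_db, cap=3):
    """Steps 300a-300d: return (overlap counts, fused protection data)."""
    if not local_segments:
        return [], []
    # 300a: order the segments by the behavior event sequence.
    ordered = sorted(local_segments, key=lambda s: s.event_order)
    # 300b: fusion position of each adjacent pair, expressed as an overlap count.
    overlaps = [
        overlap_count(a.content, b.content, cap)
        for a, b in zip(ordered, ordered[1:])
    ]
    # 300c: look up the intrusion protection fragment of every local segment.
    missing = [s.seg_id for s in ordered if s.seg_id not in protection_db]
    if missing:
        raise LookupError(f"no intrusion protection fragment for {missing}")
    # 300d: join the fragments, dropping the repeated head of each later one.
    fused = list(protection_db[ordered[0].seg_id])
    for seg, k in zip(ordered[1:], overlaps):
        fused.extend(protection_db[seg.seg_id][k:])
    return overlaps, fused


# Constructed sample data, deliberately supplied out of event order.
LOCAL_SEGMENTS = [
    LocalSegment("C", 2, (7, 8, 9)),
    LocalSegment("A", 0, (1, 2, 3, 4, 5)),
    LocalSegment("B", 1, (4, 5, 6, 7)),
]
PROTECTION_DB = {
    "A": ["A0", "A1", "A2", "A3", "A4"],
    "B": ["B0", "B1", "B2", "B3"],
    "C": ["C0", "C1", "C2"],
}

if __name__ == "__main__":
    overlaps, fused = fuse(LOCAL_SEGMENTS, PROTECTION_DB)
    print("overlap counts:", overlaps)
    print("fused data:", fused)
```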
In some other embodiments, the method further includes a technical solution of creating a local reference interactive behavior database and a cloud reference interactive behavior database, for example, before obtaining the target behavior description in step 100, the method may further include the following steps: acquiring historical interactive behavior data of intrusion protection; identifying behavior description contents corresponding to the historical intrusion protection interactive behavior data; generating a data fragment queue of the cloud reference interaction behavior according to the behavior description content obtained by identification; creating a cloud reference interactive behavior database according to the generated data fragment queue of the cloud reference interactive behavior; acquiring operation behavior habit characteristics of the acquired intrusion protection historical interaction behavior data; generating a data fragment queue of the local reference interactive behavior according to the behavior description content obtained by identification and the acquired operation behavior habit characteristics; and creating a local reference interactive behavior database according to the generated data fragment queue of the local reference interactive behavior. Therefore, a complete and reliable data base can be provided for fusion conversion of the interactive behavior data by creating the local reference interactive behavior database and the cloud reference interactive behavior database, so that the usability of the target intrusion prevention interactive behavior data is ensured.
In summary, when the technical solutions described in steps 100 to 300 are applied, after the first reference interactive behavior data corresponding to the target behavior description is obtained through compiling, a data fragment queue of the cloud reference interactive behavior whose operating behavior habit features are matched with the operating behavior habit features of the first reference interactive behavior data can be screened from the cloud reference interactive behavior database, and then the second reference interactive behavior data is constructed in combination with the local reference interactive behavior database to determine the local reference interactive behavior data fragments, so that the intrusion protection behavior data fragments corresponding to the local reference interactive behavior data fragments in the intrusion protection interactive behavior database can be fused to obtain the target intrusion protection interactive behavior data. The method can ensure that the target intrusion protection interactive behavior data retains corresponding operation behavior habit characteristics, can reduce the identification error of the target intrusion protection interactive behavior data in the operation of other intrusion protection strategies, and can ensure that the target intrusion protection interactive behavior data can be suitable for different intrusion protection strategies.
In some optional embodiments, on the basis of ensuring that the target intrusion prevention interaction behavior data can be applied to different intrusion prevention policies, the relevant intrusion prevention policies may be further optimized.
In some optional embodiments, after the intrusion prevention behavior data segments corresponding to the local reference interaction behavior data segment in the intrusion prevention interaction behavior database are fused to obtain the target intrusion prevention interaction behavior data as described in step 300, the method may further include the following step: determining an original intrusion protection strategy corresponding to the target intrusion protection interactive behavior data, and optimizing the original intrusion protection strategy to obtain a target optimized intrusion protection strategy.
For example, a corresponding original intrusion prevention policy may be determined according to a calling condition of target intrusion prevention interaction behavior data, and then the original intrusion prevention policy is optimized by combining with a prevention operation instruction to obtain a target optimized intrusion prevention policy.
In some optional embodiments, the optimizing the original intrusion prevention policy to obtain the target optimized intrusion prevention policy described in the foregoing may include the following technical solutions.
Step S11, the big data server acquires protection operation indication data to be loaded corresponding to the original intrusion protection strategy, and acquires current operation flow information corresponding to the protection operation indication data.
In the embodiment of the application, it can be understood that the big data server may determine the corresponding original intrusion prevention policy based on the calling condition of the target intrusion prevention interaction behavior data. In addition, the big data server can be in communication connection with the plurality of intelligent service processing terminals, the original intrusion protection strategy can be a previous intrusion protection strategy of the intelligent service processing terminals, the big data server can acquire the original intrusion protection strategy from the related intelligent service processing terminals on the premise of acquiring the authorization of the intelligent service processing terminals, and after the original intrusion protection strategy is acquired, the big data server can analyze the original intrusion protection strategy to determine protection operation indication data to be loaded corresponding to the original intrusion protection strategy.
Furthermore, the protection operation indication data to be loaded is added to the original intrusion protection strategy in order to guide the intrusion protection operations of the intelligent service processing end that runs the original intrusion protection strategy, so that erroneous operations do not affect the normal running of the original intrusion protection strategy. For example, the protection operation indication data "please exit the program after obtaining the authority authentication result" may instruct the user not to exit the program in advance when the original intrusion protection policy is run on the smart service processing end.
In addition, the operation flow information may be used to represent operation sequence information of different guard operations, and the current operation flow information may correspond to a set of guard operation indication data.
In some possible embodiments, the step of acquiring the current operation flow information corresponding to the protection operation indication data described in the above step S11 may be implemented by the following steps S111 to S114.
Step S111, converting the protection operation indication data into visual streaming data, detecting the visual streaming data by using a preset streaming data detection step length, and sequentially obtaining time sequence nodes corresponding to a maximum operation discrimination in the preset streaming data detection step length to form a maximum operation discrimination set.
For example, the visualized streaming data can be represented by a chart, so that the flow content corresponding to the protection operation indication data can be completely displayed. The preset streaming data detection step length can be a preset time detection step length or a preset time detection window, and the operation distinction degree is used for distinguishing different protection operations.
Step S112, sequentially calculating the time sequence differences corresponding to two consecutive time sequence nodes in the maximum operation discrimination set to form a time sequence difference set.
For example, the maximum operation discrimination set includes a plurality of timing nodes, and the guard operation corresponding to each timing node is different. Thus, the set of timing differences may be used to record the time intervals between different guard operations.
Step S113, obtaining the significant time sequence difference corresponding to the time sequence difference set as a target time sequence difference, and obtaining target time sequence nodes from the maximum operation discrimination set to form a first flow node queue, where the time sequence difference corresponding to two consecutive time sequence nodes in the first flow node queue is a set ratio of the target time sequence difference.
For example, the significant timing difference may be a median of the time intervals: if, among 100 time intervals, the time interval t8 occurs the most, then the time interval t8 may be understood as the significant timing difference, in other words, as the target timing difference.
Step S114, adding time sequence nodes in the first streaming node queue so that the time sequence difference corresponding to two consecutive time sequence nodes is the target time sequence difference to obtain a target streaming node queue, where each time sequence node in the target streaming node queue is an operation process node corresponding to the protection operation indication data.
For example, adding a timing node to the first streaming node queue may be understood as inserting a corresponding time point of a timing node into the first streaming node queue, so as to adjust the timing difference/time interval, and thus, a target streaming node queue after the timing node is optimized may be obtained. By means of the design, the protection operation instruction data are converted into the visual streaming data and are analyzed in combination with the time sequence nodes, and the current operation flow information corresponding to the protection operation instruction data can be accurately acquired from the time sequence level.
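Steps S111 to S114 as an added Python sketch, not code from the patent. It assumes the visual streaming data is a list of (time in ms, operation discrimination score) samples, takes the most frequent interval as the significant time sequence difference as in the t8 example, reads the "set ratio" as an integer multiple of the target difference, and lets a detection window without samples contribute no node; all sample values are constructed.

```python
from collections import Counter


def max_discrimination_nodes(samples, step):
    """S111: per detection window of `step` ms, keep the time of the sample
    with the highest operation discrimination score."""
    best = {}
    for t, score in samples:
        window = t // step
        if window not in best or score > best[window][1]:
            best[window] = (t, score)
    return [best[w][0] for w in sorted(best)]


def timing_differences(nodes):
    """S112: differences between consecutive time sequence nodes."""
    return [b - a for a, b in zip(nodes, nodes[1:])]


def significant_difference(diffs):
    """S113 (first half): the interval that occurs most often."""
    if not diffs:
        raise ValueError("need at least two time sequence nodes")
    return Counter(diffs).most_common(1)[0][0]


def first_flow_queue(nodes, diffs, target):
    """S113 (second half): keep the nodes that lie on the grid defined by the
    target difference, anchored at the first node that starts a target-sized
    interval. Consecutive kept nodes are then integer multiples apart."""
    anchor = nodes[diffs.index(target)]
    return [t for t in nodes if (t - anchor) % target == 0]


def target_flow_queue(first_queue, target):
    """S114: insert nodes so every consecutive difference equals the target."""
    return list(range(first_queue[0], first_queue[-1] + 1, target))


def operation_flow_nodes(samples, step):
    """Run S111-S114 and return every intermediate result for inspection."""
    nodes = max_discrimination_nodes(samples, step)
    diffs = timing_differences(nodes)
    target = significant_difference(diffs)
    first = first_flow_queue(nodes, diffs, target)
    return {
        "nodes": nodes,
        "diffs": diffs,
        "target": target,
        "first_queue": first,
        "target_queue": target_flow_queue(first, target),
    }


# Constructed samples: (time in ms, operation discrimination score).
# The 500-599 ms window is empty and the 350 ms node is off the 100 ms grid.
SAMPLES = [
    (5, 0.1), (20, 0.9), (60, 0.3),
    (120, 0.8), (170, 0.2),
    (205, 0.4), (220, 0.95),
    (310, 0.2), (350, 0.7),
    (420, 0.85), (480, 0.1),
    (620, 0.9), (660, 0.5),
    (720, 0.8), (790, 0.3),
]

if __name__ == "__main__":
    for key, value in operation_flow_nodes(SAMPLES, step=100).items():
        print(f"{key}: {value}")
```

On the constructed input the off-grid node at 350 ms is dropped in S113 and the missing nodes at 320 ms and 520 ms are inserted in S114, which is the adjustment the example above describes.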
Step S12, the big data server acquires the performance expression record of the intrusion prevention strategy.
In the embodiment of the application, the performance expression record of the intrusion protection strategy comprises performance time sequence expression information of the intrusion protection strategy, and the performance time sequence expression information of the intrusion protection strategy is expressed through operation flow characteristics.
It can be understood that after obtaining the protection operation instruction data to be loaded corresponding to the original intrusion protection policy and the current operation flow information corresponding to the protection operation instruction data, a performance expression record of the intrusion protection policy may be further obtained, where the performance expression record may include protection effect description information of the intrusion protection policy, such as "intercept abnormal data access request", "reject file modification request that fails to be verified", and the like. In addition, the time sequence expression information of the intrusion prevention policy may correspond to the operation flow characteristics, which include behavior response characteristics, performance delay characteristics, and the like.
Step S13, the big data server determines a target operation process node from the current operation process information according to the performance time sequence expression information of the intrusion protection strategy.
In the embodiment of the present application, the target operation flow node may be an operation flow node which is prone to operation errors. Based on this, the step of determining the target operation flow node from the current operation flow information according to the performance timing expression information of the intrusion prevention policy described in the above step S13 can be implemented by the following embodiments described in step S131 and step S132.
Step S131, obtaining performance initial time sequence expression information from the performance time sequence expression information of the intrusion protection strategy, and determining an initial operation process node from the current operation process information according to the performance initial time sequence expression information.
For example, the performance initial timing expression information is used to characterize the enabling time of the protection function of the intrusion protection policy.
Step S132, obtaining performance maintaining state expression information from the performance time sequence expression information of the intrusion protection strategy, and determining an end operation process node from the current operation process information according to the performance maintaining state expression information.
For example, the performance maintaining state expression information is used to represent the effective duration of the protection function of the intrusion protection policy. It can be understood that the initial operation process node and the end operation process node are operation process nodes in which operation errors easily occur; through step S131 and step S132 above, the performance initial timing sequence expression information and the performance maintaining state expression information can be analyzed, so that the initial operation process node and the end operation process node are accurately determined.
Step S14, the big data server obtains the corresponding original intrusion protection strategy item to be optimized according to the target operation process node, loads the intrusion protection strategy performance index corresponding to the performance expression record of the intrusion protection strategy to the original intrusion protection strategy item to be optimized to obtain the corresponding target intrusion protection strategy, and binds the target intrusion protection strategy and the protection operation indication data to generate the corresponding target optimized intrusion protection strategy.
It is understood that the original intrusion prevention policy items to be optimized may be part of the original intrusion prevention policy items, such as access interception items, identity verification items, data tamper prevention items, and the like. The performance index of the intrusion protection strategy is used for indicating the protection effect of the intrusion protection strategy and verifying the correctness of the protection operation, and the protection operation indication data is used for providing relevant operation guidance and prompt for the actual intrusion protection operation.
In some examples, the performance category of the intrusion protection policy corresponding to the performance expression record of the intrusion protection policy is a fusion class (for example, a performance superposition class). Based on this, the step described in step S14 of obtaining the corresponding original intrusion protection policy item to be optimized according to the target operation flow node and loading the intrusion protection policy performance index corresponding to the performance expression record of the intrusion protection policy to the original intrusion protection policy item to be optimized to obtain the corresponding target intrusion protection policy may be implemented by the technical solutions described in steps S141a to S143a below.
Step S141a, acquiring intrusion protection strategy fusion data corresponding to the performance expression record of the intrusion protection strategy.
For example, the intrusion prevention policy fusion data is used to record the fusion condition of the performance content of the intrusion prevention policy, and may also be used to represent the fusion of different operation flows.
Step S142a, obtaining operation flow node data from the intrusion protection policy fusion data, determining the fusion time of the operation flow node data as the operation flow trigger time corresponding to the target operation flow node, and obtaining the fusion operation flow node data of the original intrusion protection policy item to be optimized corresponding to the operation flow trigger time to form the intrusion protection policy item corresponding to the operation flow node.
It can be understood that after the operation flow triggering time corresponding to the target operation flow node is determined, the integrity of the intrusion protection policy item corresponding to the operation flow node can be ensured by acquiring the fusion operation flow node data of the original intrusion protection policy item to be optimized corresponding to the operation flow triggering time.
Step S143a, fusing other fusion data in the intrusion protection policy fusion data according to a time sequence order into the corresponding original intrusion protection policy items to be optimized before and/or after the operation flow triggering time to form a fused intrusion protection policy item.
It can be understood that after other fusion data in the intrusion protection policy fusion data are fused in the original intrusion protection policy items to be optimized before the operation flow triggering time and/or after the operation flow triggering time according to the time sequence, the corresponding original intrusion protection policy items to be optimized also match the intrusion protection policy performance index, thereby ensuring that the intrusion protection effect of the original intrusion protection policy items to be optimized can be detected, so as to judge the correctness of the protection operation.
In some other examples, the operation flow node data includes initial operation flow node data and end operation flow node data, and the target operation flow node includes the initial operation flow node and the end operation flow node. Based on this, the step described in step S142a of obtaining the operation flow node data from the intrusion prevention policy fusion data, determining the fusion time of the operation flow node data as the operation flow trigger time corresponding to the target operation flow node, and obtaining the fusion operation flow node data of the original intrusion prevention policy item to be optimized corresponding to the operation flow trigger time to form the intrusion prevention policy item corresponding to the operation flow node may be implemented by the following steps S1421a and S1422a.
Step S1421a, determining the fusion time of the initial operation flow node data as a first trigger time corresponding to the initial operation flow node, and acquiring an original intrusion protection policy item to be optimized corresponding to the first trigger time and fusing the initial operation flow node data to form an intrusion protection policy item corresponding to the initial operation flow node.
For example, after the fusion time of the initial operation flow node data is determined as the first trigger time corresponding to the initial operation flow node, the original intrusion protection policy item to be optimized corresponding to the first trigger time is obtained, and then the original intrusion protection policy item to be optimized corresponding to the first trigger time is fused with the initial operation flow node data, so as to obtain the intrusion protection policy item corresponding to the initial operation flow node.
Step S1422a, determining the fusion time of the end operation flow node data as a second trigger time corresponding to the end operation flow node, and obtaining the original intrusion protection policy item to be optimized corresponding to the second trigger time and fusing the end operation flow node data to form an intrusion protection policy item corresponding to the end operation flow node.
For example, after the fusion time of the end operation flow node data is determined as the second trigger time corresponding to the end operation flow node, the original intrusion prevention policy item to be optimized corresponding to the second trigger time is obtained, and then the original intrusion prevention policy item to be optimized corresponding to the second trigger time is fused with the end operation flow node data, so as to obtain the intrusion prevention policy item corresponding to the end operation flow node.
Therefore, the accurate matching between the operation flow nodes and the intrusion protection strategy items can be ensured, and the subsequent accurate binding of the protection operation indication data is facilitated.
On the basis of the above steps S1421a to S1422a, the step described in step S143a of fusing other fusion data in the intrusion prevention policy fusion data into the original intrusion prevention policy items to be optimized before and/or after the operation flow trigger time according to the time sequence order to form the fused intrusion prevention policy items may include the following technical solution: fusing other fusion data in the intrusion protection strategy fusion data into the original intrusion protection strategy item to be optimized between the first trigger time and the second trigger time according to the time sequence to form a fusion intrusion protection strategy item.
In other examples, the performance category of the intrusion protection policy corresponding to the performance expression record of the intrusion protection policy is an adjustment class, and the adjustment class further includes at least one of sensitivity adjustment (for example, adjustment of operation behavior detection sensitivity), visual information adjustment (for example, adjustment of abnormal risk display effect), and output mode adjustment (for example, adjustment of output mode of first-pass risk prompt). Based on this, the step described in step S14 of obtaining the corresponding original intrusion prevention policy item to be optimized according to the target operation flow node and loading the intrusion prevention policy performance index corresponding to the performance expression record of the intrusion prevention policy to the original intrusion prevention policy item to be optimized to obtain the corresponding target intrusion prevention policy may include the following technical solution: determining the adjustment time of the intrusion protection strategy adjustment as the target trigger time corresponding to the target operation flow node, and obtaining the corresponding original intrusion protection strategy items to be optimized according to the target trigger time and adjusting them to form the adjusted intrusion protection strategy items.
For example, the time for performing the intrusion protection policy adjustment may be determined as the target trigger time corresponding to the target operation flow node, and then the corresponding original intrusion protection policy item to be optimized is obtained and adjusted to form the adjusted intrusion protection policy item.
In some other examples, the original intrusion prevention policy may include a first waiting timing node (pause timing node) and a consecutive second waiting timing node (pause timing node). Based on this, the step described in step S14 of obtaining the corresponding original intrusion prevention policy item to be optimized according to the target operation flow node and loading the intrusion prevention policy performance index corresponding to the performance expression record of the intrusion prevention policy to the original intrusion prevention policy item to be optimized to obtain the corresponding target intrusion prevention policy may include the following steps S141b to S143b.
Step S141b, obtaining a first operation flow node closest to the first waiting timing node from the target operation flow nodes, and determining an evaluation start time of the intrusion protection policy performance as a third trigger time corresponding to the first operation flow node.
For example, the first operation flow node closest to the first waiting timing node may be understood as the operation flow node closest to the operation time of the first waiting timing node, and the evaluation start time of the intrusion protection policy performance may be understood as the detection start time of the intrusion protection policy performance.
Step S142b, obtaining a second operation flow node closest to the second waiting timing node from the target operation flow nodes, and determining the evaluation termination time of the intrusion protection policy performance as a fourth trigger time corresponding to the second operation flow node.
For example, the evaluation termination time of the intrusion prevention policy performance can be understood as the detection termination time of the intrusion prevention policy performance.
Step S143b, adjusting the first waiting timing node to the third trigger time by adjusting the original intrusion prevention policy items associated with the first waiting timing node, and adjusting the second waiting timing node to the fourth trigger time by adjusting the original intrusion prevention policy items associated with the second waiting timing node.
It can be understood that after the third trigger time and the fourth trigger time are determined, the original intrusion prevention policy items associated with the first waiting timing node may be adjusted, so that the time corresponding to the first waiting timing node is adjusted to the third trigger time, and the time corresponding to the second waiting timing node is adjusted to the fourth trigger time. This keeps the evaluation of the intrusion prevention policy performance synchronized with the starting of the relevant intrusion prevention policy items.
In some possible embodiments, the step described in step S14 of obtaining the corresponding original intrusion prevention policy item to be optimized according to the target operation flow node and loading the intrusion prevention policy performance index corresponding to the performance expression record of the intrusion prevention policy to the original intrusion prevention policy item to be optimized to obtain the corresponding target intrusion prevention policy may further include the following steps: acquiring visual text prompt information corresponding to the protection operation indication data, and acquiring target visual text prompt information corresponding to the target operation flow node; determining the initial fusion time of the target visual text prompt information as the target trigger time corresponding to the target operation flow node, and fusing the target visual text prompt information into the original intrusion protection strategy item to be optimized corresponding to the target trigger time to form a fusion intrusion protection strategy item.
For example, the visual text prompt information can be output and displayed through the intelligent service processing terminal. After the target visual text prompt information corresponding to the target operation flow node is determined, the target trigger time corresponding to the target operation flow node can be determined according to the initial fusion time of the target visual text prompt information, which ensures the time sequence consistency of the visual text prompt information and the target operation flow node.
In some optional embodiments, after the step of obtaining the performance expression record of the intrusion prevention policy described in step S12, the method may further include the following steps: analyzing the performance expression record of the intrusion protection strategy to obtain different recording units; acquiring intrusion protection strategy performance expression information corresponding to each recording unit, wherein the intrusion protection strategy performance expression information comprises corresponding intrusion protection strategy performance categories and performance time sequence expression information of intrusion protection strategies; determining target operation process nodes corresponding to all recording units according to the performance time sequence expression information of the intrusion protection strategy; and acquiring corresponding original intrusion protection strategy items to be optimized according to target operation process nodes corresponding to the recording units, loading the intrusion protection strategy performance indexes corresponding to the recording units to the corresponding original intrusion protection strategy items to be optimized to obtain corresponding target intrusion protection strategies, and binding the target intrusion protection strategies and protection operation indication data to generate corresponding target optimized intrusion protection strategies.
For example, analyzing the performance expression record of the intrusion protection policy to obtain different recording units may be understood as splitting the record into a plurality of recording units. Determining the target operation flow node corresponding to each recording unit according to the performance time sequence expression information of the intrusion protection strategy ensures a one-to-one correspondence between the recording units and the operation flow nodes. The corresponding original intrusion protection strategy items to be optimized are then obtained according to the target operation flow node of each recording unit, the intrusion protection strategy performance index corresponding to each recording unit is loaded to the corresponding original intrusion protection strategy item to be optimized to obtain the corresponding target intrusion protection strategy, and the target intrusion protection strategy and the protection operation indication data are bound to generate the corresponding target optimized intrusion protection strategy. By splitting the performance expression record in this way, the target optimized intrusion protection strategy is determined with a divide-and-conquer approach, which ensures the integrity of the protection operation indication data and the intrusion protection strategy performance indexes in the target optimized intrusion protection strategy and avoids their loss or confusion.
In some optional embodiments, after the corresponding target-optimized intrusion prevention policy is generated, it may be issued to the corresponding intelligent service processing end. After the intelligent service processing end receives the target optimized intrusion protection strategy and runs it, the intelligent service processing end can perform the corresponding protection operation by combining the intrusion protection strategy performance index and the protection operation indication data, so that the safety of important data information in the intelligent service processing end is ensured. For example, after generating the corresponding target-optimized intrusion prevention policy, the method further includes: issuing the target optimized intrusion protection strategy to a target intelligent service processing end.
In some optional embodiments, after the target optimized intrusion prevention policy is issued to the target intelligent service processing end, intrusion prevention assistance may be performed on the intelligent service processing end, so as to further ensure the data information security of the intelligent service processing end. Based on this, after the target optimized intrusion prevention policy is issued to the target intelligent service processing end, the method may further include the following technical solutions described in step S151 to step S153.
Step S151, the big data server sends an intrusion protection monitoring instruction to the intelligent service processing ends in the intrusion protection auxiliary list, wherein the intelligent service processing ends in the intrusion protection auxiliary list comprise hot intelligent service processing ends and associated intelligent service processing ends.
For example, the intrusion protection auxiliary list includes a plurality of intelligent service processing ends, each of which can be understood as having received the target optimized intrusion prevention policy issued by the big data server and having run the corresponding target optimized intrusion prevention policy. The hot intelligent service processing end can be connected to an intelligent service processing end for directly docking service handling, and the associated intelligent service processing end can be understood as an intelligent service processing end for playing a role in connection and transition.
Step S152, the big data server receives intrusion protection strategy operation information returned by the first associated intelligent service processing end, the intrusion protection strategy operation information comprises intrusion protection thread information of each intrusion protection thread of the first associated intelligent service processing end and service interaction demand information of the intelligent service processing end communicated with each intrusion protection thread, wherein the intrusion protection thread information of each intrusion protection thread corresponds to the intrusion protection thread information of each intrusion protection thread, and the first associated intelligent service processing end is any associated intelligent service processing end in the intrusion protection auxiliary list.
For example, the intrusion protection thread may correspond to an intrusion protection policy item, and the service interaction requirement information is used to represent requirement information of the intelligent service processing end in a service interaction process.
Step S153, the big data server determines and records the auxiliary protection configuration information of the intrusion protection auxiliary list according to the intrusion protection strategy operation information and the intelligent service processing end category corresponding to the acquired service interaction demand information of each intelligent service processing end.
For example, the auxiliary protection configuration information records which intelligent service processing ends in the intrusion protection auxiliary list need intrusion protection assistance. This can be determined, for example, according to the communication state between different intelligent service processing ends included in the auxiliary protection configuration information.
With this design, intrusion protection assistance can be requested based on the intrusion protection monitoring instruction, so that the intrusion protection strategy operation information returned by the first associated intelligent service processing end is obtained. The auxiliary protection configuration information of the intrusion protection auxiliary list is then determined and recorded according to the intrusion protection strategy operation information and the intelligent service processing end category corresponding to the acquired service interaction demand information of each intelligent service processing end. The intelligent service processing ends in the intrusion protection auxiliary list that need intrusion protection assistance are determined through the communication state between different intelligent service processing ends included in the auxiliary protection configuration information, so that the data information security of the intelligent service processing ends is further ensured.
For example, an additional intrusion protection policy may be issued to the intelligent service processing end that needs to perform intrusion protection assistance according to the auxiliary protection configuration information, or the intelligent service processing end that needs to perform intrusion protection assistance may be instructed to perform related protection operations according to the auxiliary protection configuration information.
In some optional embodiments, the determining and recording auxiliary protection configuration information of the auxiliary intrusion protection list according to the intrusion protection policy operation information and the class of the intelligent service processing end corresponding to the acquired service interaction demand information of each intelligent service processing end includes: judging whether intrusion protection thread information of a first intrusion protection thread in the intrusion protection strategy operation information only corresponds to service interaction demand information of one intelligent service processing end, wherein the first intrusion protection thread is any intrusion protection thread of the first associated intelligent service processing end; if not, determining the communication state of the plurality of intelligent service processing ends and the first associated intelligent service processing end according to the service interaction demand information of the plurality of intelligent service processing ends corresponding to the intrusion protection thread information of the first intrusion protection thread and the acquired intelligent service processing end type corresponding to the service interaction demand information of each intelligent service processing end in the plurality of intelligent service processing ends; and recording the communication states of the plurality of intelligent service processing ends and the first associated intelligent service processing end.
In some optional embodiments, the determining, according to the service interaction demand information of the plurality of intelligent service processing ends corresponding to the intrusion protection thread information of the first intrusion protection thread and the acquired class of the intelligent service processing end corresponding to the service interaction demand information of each of the plurality of intelligent service processing ends, a communication state between the plurality of intelligent service processing ends and the first associated intelligent service processing end includes: if the service interaction demand information of the plurality of intelligent service processing ends corresponding to the intrusion protection thread information of the first intrusion protection thread is determined to be the service interaction demand information of the hot intelligent service processing end according to the service interaction demand information of the plurality of intelligent service processing ends corresponding to the intrusion protection thread information of the first intrusion protection thread and the acquired class of the intelligent service processing end corresponding to the service interaction demand information of each intelligent service processing end in the plurality of intelligent service processing ends, determining that a candidate associated intelligent service processing end is connected between the first associated intelligent service processing end and the plurality of hot intelligent service processing ends; the recording the communication states of the plurality of intelligent service processing ends and the first associated intelligent service processing end includes: recording the communication state of the first associated intelligent service processing end connected with the candidate associated intelligent service processing end and the candidate associated intelligent service processing end connected with the hot intelligent service processing ends.
In some optional embodiments, the determining, according to the service interaction demand information of the plurality of intelligent service processing ends corresponding to the intrusion protection thread information of the first intrusion protection thread and the acquired class of the intelligent service processing end corresponding to the service interaction demand information of each of the plurality of intelligent service processing ends, a communication state between the plurality of intelligent service processing ends and the first associated intelligent service processing end includes: if it is determined, according to the service interaction demand information of the plurality of intelligent service processing ends corresponding to the intrusion protection thread information of the first intrusion protection thread and the acquired class of the intelligent service processing end corresponding to the service interaction demand information of each intelligent service processing end in the plurality of intelligent service processing ends, that the service interaction demand information of the plurality of intelligent service processing ends corresponding to the intrusion protection thread information of the first intrusion protection thread comprises the service interaction demand information of at least one associated intelligent service processing end, reading intrusion protection strategy operation information of a second associated intelligent service processing end, wherein the second associated intelligent service processing end is any associated intelligent service processing end in the at least one associated intelligent service processing end; judging whether a comparison result of service interaction demand information corresponding to intrusion protection thread information of a second intrusion protection thread in the intrusion protection strategy operation information of the second associated intelligent service processing end and service interaction demand information corresponding to the intrusion protection thread information of the first intrusion protection thread is a set result, wherein the service interaction demand information of the plurality of intelligent service processing ends corresponding to the intrusion protection thread information of the second intrusion protection thread comprises the service interaction demand information of the first associated intelligent service processing end; if the comparison result is a set result, determining that the first associated intelligent service processing end and the second associated intelligent service processing end are in a direct communication relation; the recording the communication states of the plurality of intelligent service processing ends and the first associated intelligent service processing end includes: recording the communication state of the first associated intelligent service processing end directly communicating with the second associated intelligent service processing end.
In some optional embodiments, after determining whether a comparison result between service interaction demand information corresponding to intrusion prevention thread information of a second intrusion prevention thread in intrusion prevention policy operation information of the second associated intelligent service processing end and service interaction demand information corresponding to intrusion prevention thread information of the first intrusion prevention thread is a set result, the method further includes: if the comparison result is not the set result, determining that a candidate associated intelligent service processing end is connected between the first associated intelligent service processing end and the at least one associated intelligent service processing end; the recording the communication states of the plurality of intelligent service processing ends and the first associated intelligent service processing end includes: recording the communication state of the first associated intelligent service processing end connected with the candidate associated intelligent service processing end and the candidate associated intelligent service processing end connected with the at least one associated intelligent service processing end.
In some optional embodiments, after the determining whether the intrusion protection thread information of the first intrusion protection thread in the intrusion protection policy operation information corresponds to only the service interaction requirement information of one intelligent service processing end, the method further includes: if so, determining that the intelligent service processing end and the first associated intelligent service processing end are in a direct communication relationship according to the service interaction demand information of the intelligent service processing end corresponding to the intrusion protection thread information of the first intrusion protection thread and the acquired class of the intelligent service processing end corresponding to the service interaction demand information of the intelligent service processing end; and recording the communication state of the intelligent service processing terminal directly communicating with the first associated intelligent service processing terminal.
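The branching in the optional embodiments above (one end on a thread, several hot ends on a thread, at least one associated end on a thread) can be read as one decision procedure. The following sketch is an added illustration, not code from the patent: the data layout, the names `END_CLASS`, `OPERATION_INFO`, `is_set_result` and `connectivity_records`, the "undetermined" state, and in particular the reading of the "set result" as "the two threads see no end in common" are assumptions, since the text does not define the comparison.

```python
from enum import Enum


class EndClass(Enum):
    HOT = "hot"
    ASSOCIATED = "associated"


# Constructed sample data (not from the patent).
# Class of each intelligent service processing end.
END_CLASS = {
    "assoc-A": EndClass.ASSOCIATED, "assoc-B": EndClass.ASSOCIATED,
    "assoc-C": EndClass.ASSOCIATED,
    **{f"hot-{i}": EndClass.HOT for i in range(1, 7)},
}

# Operation information returned by each associated end:
# thread id -> ends whose service interaction demand information is seen on it.
OPERATION_INFO = {
    "assoc-A": {
        "t1": {"hot-1"},
        "t2": {"hot-2", "hot-3"},
        "t3": {"assoc-B", "hot-4"},
        "t4": {"assoc-C", "hot-5", "hot-6"},
    },
    "assoc-B": {
        "u1": {"assoc-A", "assoc-C", "hot-1", "hot-2", "hot-3", "hot-5", "hot-6"},
        "u2": {"hot-4"},
    },
    "assoc-C": {
        "v1": {"assoc-A", "hot-1", "hot-5"},
        "v2": {"hot-6"},
    },
}


def is_set_result(first_peers, second_peers):
    """ASSUMPTION: the 'set result' means the two threads share no end."""
    return not (first_peers & second_peers)


def connectivity_records(first_end, operation_info, end_class):
    """Return (thread, state, first_end, peer) tuples for one associated end."""
    records = []
    for thread, peers in sorted(operation_info[first_end].items()):
        # Thread corresponds to exactly one end: direct communication.
        if len(peers) == 1:
            (peer,) = peers
            records.append((thread, "direct", first_end, peer))
            continue

        associated = sorted(
            p for p in peers if end_class[p] is EndClass.ASSOCIATED
        )

        # Several ends, none of them associated (all hot): a candidate
        # associated end sits between first_end and those hot ends.
        if not associated:
            records.extend(
                (thread, "via_candidate", first_end, hot) for hot in sorted(peers)
            )
            continue

        # At least one associated end: read its operation information and
        # compare the thread on which it sees first_end with this thread.
        for second_end in associated:
            second_peers = next(
                (p for _, p in sorted(operation_info.get(second_end, {}).items())
                 if first_end in p),
                None,
            )
            if second_peers is None:
                state = "undetermined"  # added handling: no data to compare
            elif is_set_result(peers, second_peers):
                state = "direct"
            else:
                state = "via_candidate"
            records.append((thread, state, first_end, second_end))
    return records


if __name__ == "__main__":
    for record in connectivity_records("assoc-A", OPERATION_INFO, END_CLASS):
        print(record)
```
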
It should be noted that the above description of some alternative embodiments should be understood as examples, and not as technical features essential to the implementation of the present solution.
Next, for the above intrusion prevention data processing method based on big data, an exemplary intrusion prevention data processing apparatus based on big data is further provided in the embodiments of the present invention. As shown in fig. 2, the intrusion prevention data processing apparatus 200 based on big data may include the following functional modules.
A data screening module 210, configured to obtain a target behavior description; construct first reference interactive behavior data corresponding to the target behavior description; and screen out, from a cloud reference interactive behavior database, a data fragment queue of the cloud reference interactive behavior whose operating behavior habit characteristics match the operating behavior habit characteristics of the first reference interactive behavior data.
A data construction module 220, configured to search, in a local reference interactive behavior database, a data fragment queue of a local reference interactive behavior corresponding to the data fragment queue of the cloud reference interactive behavior; and construct second reference interactive behavior data corresponding to the target behavior description according to the operation behavior habit characteristics of the data fragment queue of the local reference interactive behavior.
A data fusion module 230, configured to determine, from the local reference interactive behavior database, a local reference interactive behavior data segment that matches a service interaction requirement feature corresponding to the second reference interactive behavior data; and fuse intrusion protection behavior data segments corresponding to the local reference interaction behavior data segments in an intrusion protection interaction behavior database to obtain target intrusion protection interaction behavior data; the behavior description contents of the local reference interactive behavior database, the cloud reference interactive behavior database and the intrusion protection interactive behavior database are the same, and the intrusion protection interactive behavior database is matched with the operation behavior habit characteristics of the local reference interactive behavior database.
Then, based on the above method embodiment and apparatus embodiment, the embodiment of the present invention further provides a system embodiment, that is, an intrusion prevention data processing system based on big data, please refer to fig. 3, where the intrusion prevention data processing system 30 based on big data may include a big data server 10 and an intelligent service terminal 20. The big data server 10 and the intelligent service terminal 20 communicate to implement the above method, and further, the functionality of the big data based intrusion prevention data processing system 30 is described as follows. The big data server 10 obtains the target behavior description; constructing first reference interactive behavior data corresponding to the target behavior description; screening out a data fragment queue of the cloud reference interactive behavior of which the operating behavior habit characteristics are matched with the operating behavior habit characteristics of the first reference interactive behavior data from a cloud reference interactive behavior database; searching a data fragment queue of the local reference interactive behavior corresponding to the data fragment queue of the cloud reference interactive behavior in a local reference interactive behavior database; according to the operation behavior habit characteristics of the data fragment queue of the local reference interactive behavior, second reference interactive behavior data corresponding to the target behavior description is constructed; determining a local reference interactive behavior data segment matched with the service interactive demand characteristic corresponding to the second reference interactive behavior data from the local reference interactive behavior database; fusing intrusion protection behavior data segments corresponding to the local reference interaction behavior data segments in an intrusion protection interaction behavior database to obtain target intrusion protection interaction behavior data; the behavior description contents of the local reference interactive behavior database, the cloud reference interactive behavior database and the intrusion protection interactive behavior database are the same, and the intrusion protection interactive behavior database is matched with the operation behavior habit characteristics of the local reference interactive behavior database.
Further, referring to fig. 4 in conjunction, the big data server 10 may include a processing engine 110, a network module 120, and a memory 130, the processing engine 110 and the memory 130 communicating through the network module 120.
Processing engine 110 may process the relevant information and/or data to perform one or more of the functions described herein. For example, in some embodiments, processing engine 110 may include at least one processing engine (e.g., a single core processing engine or a multi-core processor). By way of example only, the Processing engine 110 may include a Central Processing Unit (CPU), an Application-Specific Integrated Circuit (ASIC), an Application-Specific Instruction Set Processor (ASIP), a Graphics Processing Unit (GPU), a Physical Processing Unit (PPU), a Digital Signal Processor (DSP), a Field Programmable Gate Array (FPGA), a Programmable Logic Device (PLD), a controller, a microcontroller Unit, a Reduced Instruction Set Computer (RISC), a microprocessor, or the like, or any combination thereof.
Network module 120 may facilitate the exchange of information and/or data. In some embodiments, the network module 120 may be any type of wired or wireless network or combination thereof. Merely by way of example, the Network module 120 may include a cable Network, a wired Network, a fiber optic Network, a telecommunications Network, an intranet, the internet, a Local Area Network (LAN), a Wide Area Network (WAN), a Wireless Local Area Network (WLAN), a Metropolitan Area Network (MAN), a Public Switched Telephone Network (PSTN), a bluetooth Network, a Wireless personal Area Network, a Near Field Communication (NFC) Network, and the like, or any combination thereof. In some embodiments, the network module 120 may include at least one network access point. For example, the network module 120 may include wired or wireless network access points, such as base stations and/or network access points.
The Memory 130 may be, but is not limited to, a Random Access Memory (RAM), a Read Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Read-Only Memory (EPROM), an electrically Erasable Read-Only Memory (EEPROM), and the like. The memory 130 is used for storing a program, and the processing engine 110 executes the program after receiving the execution instruction.
It will be appreciated that the configuration shown in fig. 4 is merely illustrative and that the big data server 10 may also include more or fewer components than shown in fig. 4, or have a different configuration than shown in fig. 4. The components shown in fig. 4 may be implemented in hardware, software, or a combination thereof.
It should be understood that, for the above, a person skilled in the art can deduce from the above disclosure to determine the meaning of the related technical term without doubt, for example, for some values, coefficients, weights, indexes, factors, and other terms, a person skilled in the art can deduce and determine from the logical relationship between the above and the following, and the value range of these values can be selected according to the actual situation, for example, 0 to 1, for example, 1 to 10, and for example, 50 to 100, which are not limited herein.
The skilled person can unambiguously determine some preset, reference, predetermined, set and target technical features/terms, such as threshold values, threshold intervals, threshold ranges, etc., from the above disclosure. For some technical characteristic terms which are not explained, the technical solution can be clearly and completely implemented by those skilled in the art by reasonably and unambiguously deriving the technical solution based on the logical relations in the previous and following paragraphs. Prefixes of unexplained technical feature terms, such as "first", "second", "previous", "next", "current", "history", "latest", "best", "target", "specified", and "real-time", etc., can be unambiguously derived and determined from the context. Suffixes of technical feature terms not to be explained, such as "list", "feature", "sequence", "set", "matrix", "unit", "element", "track", and "list", etc., can also be derived and determined unambiguously from the foregoing and the following.
The foregoing disclosure of embodiments of the present invention will be apparent to those skilled in the art. It should be understood that the process of deriving and analyzing technical terms, which are not explained, by those skilled in the art based on the above disclosure is based on the contents described in the present application, and thus the above contents are not an inventive judgment of the overall scheme.
It should be appreciated that the system and its modules shown above may be implemented in a variety of ways. For example, in some embodiments, the system and its modules may be implemented in hardware, software, or a combination of software and hardware. The hardware portion may be implemented using dedicated logic; the software portions may be stored in a memory for execution by a suitable instruction execution system, such as a microprocessor or specially designed hardware. Those skilled in the art will appreciate that the methods and systems described above may be implemented using computer executable instructions and/or embodied in processor control code, such code being provided, for example, on a carrier medium such as a diskette, CD- or DVD-ROM, a programmable memory such as read-only memory (firmware), or a data carrier such as an optical or electronic signal carrier. The system and its modules of the present application may be implemented not only by hardware circuits such as very large scale integrated circuits or gate arrays, semiconductors such as logic chips, transistors, or programmable hardware devices such as field programmable gate arrays, programmable logic devices, etc., but also by software executed by various types of processors, for example, or by a combination of the above hardware circuits and software (e.g., firmware).
It is to be noted that different embodiments may produce different advantages, and in different embodiments, any one or combination of the above advantages may be produced, or any other advantages may be obtained.
Having thus described the basic concept, it will be apparent to those skilled in the art that the foregoing detailed disclosure is to be considered merely illustrative and not restrictive of the broad application. Various modifications, improvements and adaptations to the present application may occur to those skilled in the art, although not explicitly described herein. Such modifications, improvements and adaptations are proposed in the present application and thus fall within the spirit and scope of the exemplary embodiments of the present application.
Also, this application uses specific language to describe embodiments of the application. Reference throughout this specification to "one embodiment," "an embodiment," and/or "some embodiments" means that a particular feature, structure, or characteristic described in connection with at least one embodiment of the present application is included in at least one embodiment of the present application. Therefore, it is emphasized and should be appreciated that two or more references to "an embodiment" or "one embodiment" or "an alternative embodiment" in various places throughout this specification are not necessarily all referring to the same embodiment. Furthermore, some features, structures, or characteristics of one or more embodiments of the present application may be combined as appropriate.
Moreover, those skilled in the art will appreciate that aspects of the present application may be illustrated and described in terms of several patentable species or situations, including any new and useful combination of processes, machines, manufacture, or materials, or any new and useful improvement thereon. Accordingly, various aspects of the present application may be embodied entirely in hardware, entirely in software (including firmware, resident software, micro-code, etc.) or in a combination of hardware and software. The above hardware or software may be referred to as "data block," "module," "engine," "unit," "component," or "system." Furthermore, aspects of the present application may be represented as a computer product, including computer readable program code, embodied in one or more computer readable media.
The computer storage medium may comprise a propagated data signal with the computer program code embodied therewith, for example, on baseband or as part of a carrier wave. The propagated signal may take any of a variety of forms, including electromagnetic, optical, etc., or any suitable combination. A computer storage medium may be any computer-readable medium that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code located on a computer storage medium may be propagated over any suitable medium, including radio, cable, fiber optic cable, RF, or the like, or any combination of the preceding.
Computer program code required for the operation of various portions of the present application may be written in any one or more programming languages, including an object oriented programming language such as Java, Scala, Smalltalk, Eiffel, JADE, Emerald, C++, C#, VB.NET, Python, and the like, a conventional programming language such as C, Visual Basic, Fortran 2003, Perl, COBOL 2002, PHP, ABAP, a dynamic programming language such as Python, Ruby, and Groovy, or other programming languages, and the like. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any network format, such as a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet), or in a cloud computing environment, or as a service, such as a software as a service (SaaS).
Additionally, the order in which elements and sequences of the processes described herein are processed, the use of alphanumeric characters, or the use of other designations, is not intended to limit the order of the processes and methods described herein, unless explicitly claimed. While various presently contemplated embodiments of the invention have been discussed in the foregoing disclosure by way of example, it is to be understood that such detail is solely for that purpose and that the appended claims are not limited to the disclosed embodiments, but, on the contrary, are intended to cover all modifications and equivalent arrangements that are within the spirit and scope of the embodiments herein. For example, although the system components described above may be implemented by hardware devices, they may also be implemented by software-only solutions, such as installing the described system on an existing server or mobile device.
Similarly, it should be noted that in the preceding description of embodiments of the application, various features are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure aiding in the understanding of one or more of the embodiments. This method of disclosure, however, is not intended to require more features than are expressly recited in the claims. Indeed, the embodiments may be characterized as having less than all of the features of a single embodiment disclosed above.
Numerals describing the number of components, attributes, etc. are used in some embodiments, it being understood that such numerals used in the description of the embodiments are modified in some instances by the use of the modifier "about", "approximately" or "substantially". Unless otherwise indicated, "about", "approximately" or "substantially" indicates that the numbers allow for adaptive variation. Accordingly, in some embodiments, the numerical parameters used in the specification and claims are approximations that may vary depending upon the desired properties of the individual embodiments. In some embodiments, the numerical parameter should take into account the specified significant digits and employ a general digit preserving approach. Notwithstanding that the numerical ranges and parameters setting forth the broad scope of the range are approximations, in the specific examples, such numerical values are set forth as precisely as possible within the scope of the application.
The entire contents of each patent, patent application publication, and other material cited in this application, such as articles, books, specifications, publications, documents, and the like, are hereby incorporated by reference into this application. Except where the application is filed in a manner inconsistent or contrary to the present disclosure, and except where the claim is filed in its broadest scope (whether present or later appended to the application) as well. It is noted that the descriptions, definitions and/or use of terms in this application shall control if they are inconsistent or contrary to the statements and/or uses of the present application in the material attached to this application.
Finally, it should be understood that the embodiments described herein are merely illustrative of the principles of the embodiments of the present application. Other variations are also possible within the scope of the present application. Thus, by way of example, and not limitation, alternative configurations of the embodiments of the present application can be viewed as being consistent with the teachings of the present application. Accordingly, the embodiments of the present application are not limited to only those embodiments explicitly described and depicted herein.

Claims (10)

1. A big data-based intrusion protection data processing method is applied to a big data server, and the method comprises the following steps:
obtaining a target behavior description; constructing first reference interactive behavior data corresponding to the target behavior description; screening out a data fragment queue of the cloud reference interactive behavior of which the operating behavior habit characteristics are matched with the operating behavior habit characteristics of the first reference interactive behavior data from a cloud reference interactive behavior database;
searching a data fragment queue of the local reference interactive behavior corresponding to the data fragment queue of the cloud reference interactive behavior in a local reference interactive behavior database; according to the operation behavior habit characteristics of the data fragment queue of the local reference interactive behavior, second reference interactive behavior data corresponding to the target behavior description is constructed;
determining a local reference interactive behavior data segment matched with the service interactive demand characteristic corresponding to the second reference interactive behavior data from the local reference interactive behavior database; fusing intrusion protection behavior data segments corresponding to the local reference interaction behavior data segments in an intrusion protection interaction behavior database to obtain target intrusion protection interaction behavior data; the behavior description contents of the local reference interactive behavior database, the cloud reference interactive behavior database and the intrusion protection interactive behavior database are the same, and the intrusion protection interactive behavior database is matched with the operation behavior habit characteristics of the local reference interactive behavior database.
2. The method of claim 1, wherein screening out, from a cloud-based reference interaction behavior database, a data fragment queue of cloud-based reference interaction behaviors whose operating behavior habit features match those of the first reference interaction behavior data comprises:
acquiring a candidate data fragment queue of the cloud reference interactive behavior from a cloud reference interactive behavior database according to the first reference interactive behavior data;
determining the characteristic difference degree of the operation behavior habit characteristics of the candidate data segment queue of the cloud reference interactive behavior and the first reference interactive behavior data;
and taking the candidate data segment queue of the cloud reference interactive behavior corresponding to the characteristic difference degree of the minimum operation behavior habit characteristics as the data segment queue of the cloud reference interactive behavior matched with the operation behavior habit characteristics of the first reference interactive behavior data.
3. The method of claim 2, wherein obtaining a candidate data segment queue of cloud-referenced interactivity from a cloud-referenced interactivity database according to the first reference interactivity data comprises:
determining a number of reference interactive behavior data segments comprised by the first reference interactive behavior data;
and acquiring a candidate data fragment queue of the cloud reference interactive behaviors, wherein the number of the cloud reference interactive behavior data fragments is equal to the determined number, from a cloud reference interactive behavior database.
4. The method of claim 3, wherein obtaining, from the cloud reference interactivity database, a candidate data segment queue of cloud reference interactivity having a number of cloud reference interactivity data segments equal to the determined number comprises:
searching a data fragment queue of the cloud reference interactive behaviors in the cloud reference interactive behavior database;
when the number of the cloud reference interactive behavior data fragments included in the searched data fragment queue of the cloud reference interactive behavior is smaller than the determined number, continuing the search;
when the number of the cloud reference interactive behavior data segments included in the searched data segment queue of the cloud reference interactive behavior is equal to the determined number, taking the searched data segment queue of the cloud reference interactive behavior as a candidate data segment queue of the cloud reference interactive behavior;
when the number of the cloud reference interactive behavior data fragments included in the searched data fragment queue of the cloud reference interactive behavior is larger than the determined number, separating the candidate data fragment queue of the cloud reference interactive behavior according to the sequence of the included cloud reference interactive behavior data fragments and the determined number.
5. The method of claim 2, wherein the determining the feature difference between the candidate data segment queue of the cloud-based reference interactive behavior and the operation behavior habit feature of the first reference interactive behavior data comprises:
extracting a reference interactive behavior data segment from the first reference interactive behavior data;
generating feature difference degrees of operation behavior habit features of the candidate data segment queue of the cloud reference interactive behaviors and the first reference interactive behavior data according to difference results of operation behavior habit quantized values between the cloud reference interactive behavior data segments included in the candidate data segment queue of the cloud reference interactive behaviors and the extracted reference interactive behavior data segments corresponding to the cloud reference interactive behaviors; the difference result of the operation behavior habit quantized value comprises at least one of a time sequence difference result, a track change degree difference result, a time sequence distribution difference of a business interaction demand quantized value and a possibility distribution difference of a track change degree.
6. The method according to claim 1, wherein the determining, from the local reference interactive behavior database, a local reference interactive behavior data segment matching the service interaction requirement characteristic corresponding to the second reference interactive behavior data comprises:
extracting a reference interactive behavior data segment from the second reference interactive behavior data; determining behavior event characteristics of the extracted reference interactive behavior data segments;
screening a local reference interactive behavior data segment subset with behavior event characteristics matched with the behavior event characteristics of the extracted reference interactive behavior data segments from the local reference interactive behavior database;
determining service interaction requirement characteristic difference degrees of each local reference interaction behavior data segment in each local reference interaction behavior data segment subset and the corresponding extracted reference interaction behavior data segment;
and determining a local reference interactive behavior data segment corresponding to the minimum service interaction requirement characteristic difference degree as a local reference interactive behavior data segment matched with the service interaction requirement characteristic corresponding to the second reference interactive behavior data.
7. The method according to claim 6, wherein the determining, for each local reference interactive behavior data segment in each local reference interactive behavior data segment subset, a service interaction requirement characteristic difference from the corresponding extracted reference interactive behavior data segment comprises:
determining a service interaction demand quantized value of each local reference interaction behavior data segment in each local reference interaction behavior data segment subset;
determining a business interaction requirement quantized value of each extracted reference interaction behavior data segment;
calculating a difference result of corresponding business interaction demand quantitative values for each local reference interaction behavior data segment and the corresponding extracted reference interaction behavior data segment;
and generating a service interaction demand characteristic difference degree having a set relation with the difference result according to the difference result.
8. The method of claim 1, wherein the fusing intrusion prevention behavior data segments corresponding to the local reference interaction behavior data segments in the intrusion prevention interaction behavior database to obtain target intrusion prevention interaction behavior data comprises:
sorting the determined local reference interactive behavior data segments according to a behavior event sequence in the corresponding target behavior description;
determining the fusion position of adjacent local reference interactive behavior data segments in the sorted local reference interactive behavior data segments;
searching an intrusion prevention behavior data fragment corresponding to the local reference interactive behavior data fragment in an intrusion prevention interactive behavior database;
fusing the corresponding intrusion prevention behavior data fragments according to the determined fusion positions of the adjacent local reference interactive behavior data fragments to obtain target intrusion prevention interactive behavior data;
wherein the determining of the fusion position of the adjacent local reference interactive behavior data segment in the sorted local reference interactive behavior data segments comprises:
acquiring interactive behavior data content extracted from each determined local reference interactive behavior data segment;
determining the number of fused repeated interactive behavior data contents of adjacent local reference interactive behavior data segments; wherein the degree of distinction between the interactive behavior data content corresponding to the number of the fused repetitive interactive behavior data content of each of the adjacent local reference interactive behavior data segments is minimized;
and determining the fusion position of the adjacent local reference interactive behavior data segment in the sorted local reference interactive behavior data segments according to the quantity of the fusion repeated interactive behavior data content.
9. The method of any of claims 1 to 8, wherein prior to obtaining the target behavior description, the method further comprises:
acquiring historical interactive behavior data of intrusion protection;
identifying behavior description contents corresponding to the historical intrusion protection interactive behavior data;
generating a data fragment queue of the cloud reference interaction behavior according to the behavior description content obtained by identification;
creating a cloud reference interactive behavior database according to the generated data fragment queue of the cloud reference interactive behavior;
acquiring operation behavior habit characteristics of the acquired intrusion protection historical interaction behavior data;
generating a data fragment queue of the local reference interactive behavior according to the behavior description content obtained by identification and the acquired operation behavior habit characteristics;
and creating a local reference interactive behavior database according to the generated data fragment queue of the local reference interactive behavior.
10. A big data server is characterized by comprising a processing engine, a network module and a memory; the processing engine and the memory communicate through the network module, the processing engine reading a computer program from the memory and operating to perform the method of any of claims 1-9.
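The candidate selection of claims 2 to 5 can be sketched as follows; this is an added illustration, not code from the patent. The `Segment` fields, the weighted absolute-difference metric, and the reading of the "separating" step in claim 4 as contiguous order-preserving windows are assumptions, and the sample queues are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Iterator, NamedTuple, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Segment:
    """One interactive behavior data segment (hypothetical layout)."""
    interval: float      # time-sequence quantized value, seconds (assumed)
    track_change: float  # trajectory change degree quantized value (assumed)


class Match(NamedTuple):
    queue_id: str
    offset: int        # index of the first segment taken from the stored queue
    difference: float  # feature difference degree; lower means closer habits


def candidate_queues(
    stored: Dict[str, Sequence[Segment]], n: int
) -> Iterator[Tuple[str, int, Tuple[Segment, ...]]]:
    """Claims 3-4: yield candidates holding exactly n segments.

    Shorter queues are skipped (the search continues), equal-length queues
    are used whole, longer queues are separated in order into n-length runs.
    """
    for queue_id, queue in stored.items():
        if len(queue) < n:
            continue
        for offset in range(len(queue) - n + 1):
            yield queue_id, offset, tuple(queue[offset:offset + n])


def feature_difference(
    candidate: Sequence[Segment],
    reference: Sequence[Segment],
    w_time: float = 1.0,
    w_track: float = 1.0,
) -> float:
    """Claim 5: combine per-segment differences of the quantized values.

    Uses two of the listed difference results (time sequence and trajectory
    change degree); the weights and the absolute-difference sum are assumed.
    """
    if len(candidate) != len(reference):
        raise ValueError("candidate and reference must have equal length")
    return sum(
        w_time * abs(c.interval - r.interval)
        + w_track * abs(c.track_change - r.track_change)
        for c, r in zip(candidate, reference)
    )


def best_match(
    stored: Dict[str, Sequence[Segment]], reference: Sequence[Segment]
) -> Optional[Match]:
    """Claim 2: return the candidate with the minimum feature difference."""
    if not reference:
        raise ValueError("reference behavior data contains no segments")
    best: Optional[Match] = None
    for queue_id, offset, cand in candidate_queues(stored, len(reference)):
        diff = feature_difference(cand, reference)
        if best is None or diff < best.difference:  # ties keep the first hit
            best = Match(queue_id, offset, diff)
    return best  # None when no stored queue is long enough


# Constructed sample data: first reference data with three segments.
REFERENCE = [Segment(0.5, 0.1), Segment(1.0, 0.3), Segment(0.7, 0.2)]

# Constructed stand-in for the cloud reference interactive behavior database.
STORED = {
    "q-short": [Segment(0.5, 0.1), Segment(1.0, 0.3)],
    "q-equal": [Segment(0.6, 0.1), Segment(1.4, 0.2), Segment(0.7, 0.5)],
    "q-long": [
        Segment(3.0, 0.9), Segment(0.5, 0.1), Segment(1.1, 0.3),
        Segment(0.7, 0.2), Segment(2.0, 0.8),
    ],
}

if __name__ == "__main__":
    print(best_match(STORED, REFERENCE))
```
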
CN202111397910.4A 2021-11-23 2021-11-23 Intrusion protection data processing method based on big data and big data server Active CN114218565B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111397910.4A CN114218565B (en) 2021-11-23 2021-11-23 Intrusion protection data processing method based on big data and big data server

Publications (2)

Publication Number Publication Date
CN114218565A true CN114218565A (en) 2022-03-22
CN114218565B CN114218565B (en) 2022-10-21

Family

ID=80698117

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111397910.4A Active CN114218565B (en) 2021-11-23 2021-11-23 Intrusion protection data processing method based on big data and big data server

Country Status (1)

Country Link
CN (1) CN114218565B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114884740A (en) * 2022-05-25 2022-08-09 天津亿立科技有限公司 AI-based intrusion protection response data processing method and server

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150039289A1 (en) * 2013-07-31 2015-02-05 Stanford University Systems and Methods for Representing, Diagnosing, and Recommending Interaction Sequences
US20160078365A1 (en) * 2014-03-21 2016-03-17 Philippe Baumard Autonomous detection of incongruous behaviors
US20170154366A1 (en) * 2010-11-29 2017-06-01 Biocatch Ltd. Device, system, and method of generating and managing behavioral biometric cookies
CN111510449A (en) * 2020-04-10 2020-08-07 吴萌萌 Attack behavior mining method based on image big data and big data platform server
CN112615865A (en) * 2020-12-21 2021-04-06 曹佳乐 Data anti-intrusion method based on big data and artificial intelligence and big data server
CN112685787A (en) * 2021-02-23 2021-04-20 张雪君 Big data information security protection method applied to artificial intelligence and cloud server
CN113468520A (en) * 2021-06-16 2021-10-01 崔恒锋 Data intrusion detection method applied to block chain service and big data server
CN113468017A (en) * 2021-06-16 2021-10-01 崔恒锋 Online service state detection method applied to block chain and service server
CN113641994A (en) * 2021-10-13 2021-11-12 杭银消费金融股份有限公司 Data processing method and system based on graph data

Patent Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170154366A1 (en) * 2010-11-29 2017-06-01 Biocatch Ltd. Device, system, and method of generating and managing behavioral biometric cookies
US20150039289A1 (en) * 2013-07-31 2015-02-05 Stanford University Systems and Methods for Representing, Diagnosing, and Recommending Interaction Sequences
US20160078365A1 (en) * 2014-03-21 2016-03-17 Philippe Baumard Autonomous detection of incongruous behaviors
CN111510449A (en) * 2020-04-10 2020-08-07 吴萌萌 Attack behavior mining method based on image big data and big data platform server
CN112291228A (en) * 2020-04-10 2021-01-29 吴萌萌 Attack behavior mining method and system based on image big data
CN112615865A (en) * 2020-12-21 2021-04-06 曹佳乐 Data anti-intrusion method based on big data and artificial intelligence and big data server
CN112685787A (en) * 2021-02-23 2021-04-20 张雪君 Big data information security protection method applied to artificial intelligence and cloud server
CN113468520A (en) * 2021-06-16 2021-10-01 崔恒锋 Data intrusion detection method applied to block chain service and big data server
CN113468017A (en) * 2021-06-16 2021-10-01 崔恒锋 Online service state detection method applied to block chain and service server
CN113641994A (en) * 2021-10-13 2021-11-12 杭银消费金融股份有限公司 Data processing method and system based on graph data

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
MOHIUDDIN AHMED ET AL: "Anomaly Detection on Big Data in Financial Markets", 《IEEE》 *
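闫伟 et al.: "Research on User Information Protection Strategies for Digital Library Microservices", 《Journal of Qingdao University (Natural Science Edition)》 *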

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114884740A (en) * 2022-05-25 2022-08-09 天津亿立科技有限公司 AI-based intrusion protection response data processing method and server
CN114884740B (en) * 2022-05-25 2023-01-20 四川厚加源科技有限公司 AI-based intrusion protection response data processing method and server

Also Published As

Publication number Publication date
CN114218565B (en) 2022-10-21

Similar Documents

Publication Publication Date Title
US11551036B2 (en) Methods and apparatuses for building data identification models
CN113553596B (en) Information protection method applied to big data service and server
US11062120B2 (en) High speed reference point independent database filtering for fingerprint identification
CN112487495B (en) Data processing method based on big data and cloud computing and big data server
CN111695903B (en) Information flow analysis method based on block chain and mobile internet and cloud computing platform
CN113468520A (en) Data intrusion detection method applied to block chain service and big data server
CN112580346B (en) Event extraction method and device, computer equipment and storage medium
CN113536323B (en) Big data security processing method and server for remote online office
CN114218034B (en) Online office security processing method under big data scene and big data server
CN113127552B (en) Food safety identification method and system based on big data
CN114218565B (en) Intrusion protection data processing method based on big data and big data server
CN111932226A (en) Data stream monitoring method based on block chain and big data and cloud computing service platform
CN113313464A (en) Cloud office big data processing method combined with artificial intelligence and cloud office server
CN114661994B (en) User interest data processing method and system based on artificial intelligence and cloud platform
CN113468017A (en) Online service state detection method applied to block chain and service server
CN114186607A (en) Big data processing method and artificial intelligence server applied to cloud office
US20210044864A1 (en) Method and apparatus for identifying video content based on biometric features of characters
CN116524873B (en) Display adjustment method and device of display screen and computer equipment
CN112686667A (en) Data processing method based on big data and block chain and cloud service platform
CN113313463A (en) Data analysis method and data analysis server applied to big data cloud office
CN112528306A (en) Data access method based on big data and artificial intelligence and cloud computing server
CN114221793B (en) Data information intrusion protection method and server in big data environment
CN116450137A (en) System abnormality detection method and device, storage medium and electronic equipment
CN112330312B (en) Data processing method based on block chain payment and facial recognition and big data platform
CN113408896A (en) User behavior detection method combining big data and cloud service and service server

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20220929

Address after: No. 1, 14th Floor, Building 2, No. 3, Yangliu Road, Middle Section of Huangshan Avenue, Dazhulin Street, Liangjiang New District, Yubei District, Chongqing 400000

Applicant after: Chongqing Zhongyuan Lvlan Energy Technology Co., Ltd.

Address before: Room 1703, Building A, High Tech Sunshine Building, No. 13 Road, High Tech Zone, Kunming, Yunnan 650101

Applicant before: Zhao Yunqi

GR01 Patent grant