CN115134164B - Uploading behavior detection method, system, equipment and computer storage medium - Google Patents

Publication number
CN115134164B
Authority
CN
China
Prior art keywords
target
uploading
file
baseline
historical
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210842849.8A
Other languages
Chinese (zh)
Other versions
CN115134164A (en)
Inventor
周运金
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Application filed by Sangfor Technologies Co Ltd
Priority to CN202210842849.8A
Publication of CN115134164A
Application granted
Publication of CN115134164B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection
    • H04L63/1425: Traffic logging, e.g. anomaly detection
    • H04L63/1433: Vulnerability analysis
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/01: Protocols
    • H04L67/06: Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00: Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The application discloses a method, a system, equipment and a computer storage medium for detecting uploading behavior. The method determines a target interface for uploading files; acquires a target uploading behavior to be detected in the target interface; acquires a baseline modeling result of the target interface, wherein the baseline modeling result comprises a modeling result obtained by performing baseline modeling on the historical uploading behavior of the target interface based on a kernel density estimation algorithm; and determines a security detection result of the target uploading behavior based on the baseline modeling result. Because the historical uploading behavior of the target interface is baseline-modeled with the kernel density estimation algorithm, the baseline modeling result reflects the uploading behavior pattern of the target interface. Determining the security detection result of the target uploading behavior from the baseline modeling result is therefore equivalent to checking the target uploading behavior against the uploading behavior pattern of the target interface, which avoids the inaccurate detection of abnormal uploading behavior that results when content detection is bypassed, so the detection accuracy is good.

Description

Uploading behavior detection method, system, equipment and computer storage medium
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a method, a system, an apparatus, and a computer storage medium for detecting an uploading behavior.
Background
Currently, a website can upload files to an electronic device such as a server, for example safe files such as documents and pictures. After the website is attacked, however, files that exploit various vulnerabilities may also be uploaded, for example dynamic scripts of open-source or non-open-source projects, jar (Java ARchive) packages, etc., so that an attacker can attack the server or other electronic device by way of the website. Therefore, to ensure the security of the electronic device, the uploading behavior of the website needs to be security-checked. For example, various file scanning (anti-malware) engines can be used to inspect the content of the files uploaded through the website, and whether the uploading behavior of the website is safe is judged from the content detection result.
However, existing content detection methods may be bypassed by an attacker, so that the detection result for the uploading behavior of the website is inaccurate.
In summary, how to accurately detect the uploading behavior is a problem to be solved by those skilled in the art.
Disclosure of Invention
The purpose of the application is to provide an uploading behavior detection method, which can solve the technical problem of how to accurately detect the uploading behavior to a certain extent. The application also provides an uploading behavior detection system, electronic equipment and a computer readable storage medium.
In order to achieve the above object, the present application provides the following technical solutions:
an upload behavior detection method, comprising:
determining a target interface for uploading files;
acquiring a target uploading behavior to be detected in the target interface;
acquiring a baseline modeling result of the target interface, wherein the baseline modeling result comprises a modeling result obtained after performing baseline modeling on the historical uploading behavior of the target interface based on a kernel density estimation algorithm;
and determining a security detection result of the target uploading behavior based on the baseline modeling result.
Preferably, the obtaining the baseline modeling result of the target interface includes:
acquiring recorded historical uploading behaviors of the target interface, wherein the historical uploading behaviors comprise historical uploading files and corresponding historical uploading moments;
determining a history file type of the history uploading file;
and carrying out baseline modeling on the type of the history file and the corresponding history uploading moment based on the kernel density estimation algorithm to obtain a baseline modeling result.
Preferably, the determining the historical file type of the historical uploading file includes:
detecting file suffixes and/or file contents of the history uploading files to obtain history uploading file detection results;
and determining the type of the history file based on the detection result of the history uploading file, wherein the type of the history file comprises a static file or a dynamic file.
Preferably, the detecting the file suffix and/or the file content of the history upload file includes:
detecting file suffixes and/or file contents of the historical uploading files based on a predetermined file analysis model;
the file analysis model comprises a malicious uploading script-like model and/or a jar packet identification model.
Preferably, the obtaining the target uploading behavior to be detected in the target interface includes:
acquiring the target uploading behaviors to be detected in the target interface, wherein the target uploading behaviors comprise target uploading files and corresponding target uploading moments;
the determining the security detection result of the target uploading file based on the baseline modeling result comprises the following steps:
determining a target file type of the target uploading file, wherein the target file type comprises the static file or the dynamic file;
determining target baseline detection time corresponding to the target uploading time based on the historical uploading time in the baseline modeling result;
judging whether the target file type belongs to the historical file type corresponding to the target baseline detection time or not;
if the target file type belongs to the historical file type corresponding to the target baseline detection time, generating the security detection result representing the security of the target uploading behavior;
and if the target file type does not belong to the historical file type corresponding to the target baseline detection time, generating the security detection result representing the abnormal uploading behavior of the target.
Preferably, in the baseline modeling result, determining, based on the historical uploading time, a target baseline detection time corresponding to the target uploading time includes:
determining a baseline detection duration interval value;
determining the historical uploading time corresponding to the target uploading time;
and in the baseline modeling result, taking the baseline detection time which comprises the historical uploading time and has the duration interval value equal to the baseline detection duration interval value as the target baseline detection time.
Preferably, after determining the target file type of the target upload file, before determining whether the target file type belongs to the historical file type corresponding to the target baseline detection time, the method further includes:
detecting the type of the target file to obtain a file type detection result;
if the file type detection result represents that the target file type is the dynamic file, executing the step of judging whether the target file type belongs to the historical file type corresponding to the target baseline detection time;
and if the file type detection result represents that the target file type is the static file, generating the security detection result representing that the target uploading behavior is secure.
An upload behavior detection system comprising:
the target interface determining module is used for determining a target interface for uploading the file;
the target uploading behavior acquisition module is used for acquiring the target uploading behavior to be detected in the target interface;
the baseline modeling result acquisition module is used for acquiring a baseline modeling result of the target interface, wherein the baseline modeling result comprises a modeling result obtained after the historical uploading behavior of the target interface is subjected to baseline modeling based on a kernel density estimation algorithm;
and the detection module is used for determining a security detection result of the target uploading behavior based on the baseline modeling result.
An electronic device, comprising:
a memory for storing a computer program;
and a processor for implementing the steps of any one of the uploading behavior detection methods described above when executing the computer program.
A computer readable storage medium having stored therein a computer program which when executed by a processor implements the steps of any of the upload behavior detection methods described above.
The uploading behavior detection method provided by the application determines a target interface for uploading files; acquires a target uploading behavior to be detected in the target interface; acquires a baseline modeling result of the target interface, wherein the baseline modeling result comprises a modeling result obtained by performing baseline modeling on the historical uploading behavior of the target interface based on a kernel density estimation algorithm; and determines a security detection result of the target uploading behavior based on the baseline modeling result. Because the historical uploading behavior of the target interface is baseline-modeled with the kernel density estimation algorithm, the baseline modeling result reflects the uploading behavior pattern of the target interface. Determining the security detection result of the target uploading behavior from the baseline modeling result is therefore equivalent to checking the target uploading behavior against the uploading behavior pattern of the target interface, which avoids the inaccurate detection of abnormal uploading behavior that results when content detection is bypassed, so the detection accuracy is good. The uploading behavior detection system, the electronic equipment and the computer readable storage medium also solve the corresponding technical problems.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present application, and that other drawings may be obtained according to the provided drawings without inventive effort to a person skilled in the art.
FIG. 1 is a system framework diagram of the uploading behavior detection scheme provided in an embodiment of the present application;
FIG. 2 is a first flowchart of an uploading behavior detection method provided in an embodiment of the present application;
FIG. 3 is a second flowchart of an uploading behavior detection method provided in an embodiment of the present application;
FIG. 4 is a third flowchart of an uploading behavior detection method provided in an embodiment of the present application;
FIG. 5 is a schematic structural diagram of an uploading behavior detection system provided in an embodiment of the present application;
FIG. 6 is a schematic diagram of a hardware composition structure of an electronic device according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all, of the embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
Currently, a website can upload files to an electronic device such as a server, for example safe files such as documents and pictures. After the website is attacked, however, files that exploit various vulnerabilities may also be uploaded, for example dynamic scripts of open-source or non-open-source projects, jar (Java ARchive) packages, etc., so that an attacker can attack the server or other electronic device by way of the website. Therefore, to ensure the security of the electronic device, the uploading behavior of the website needs to be security-checked. For example, various file scanning (anti-malware) engines can be used to inspect the content of the files uploaded through the website, and whether the uploading behavior of the website is safe is judged from the content detection result. However, existing content detection methods may be bypassed by an attacker. For example, two bypass scenarios can occur when file content is inspected. First, there are currently many heuristic (probing) attacks, which are carried out with a script or jar whose uploaded content is "white", that is, appears benign, and this can bypass detection. Second, file scanning engines are not universal and can be bypassed by some obfuscated scripts. Both scenarios make the detection of the website's uploading behavior inaccurate. The uploading behavior detection scheme provided by the application can accurately detect the uploading behavior.
In the uploading behavior detection scheme of the present application, the system framework adopted may specifically be shown in fig. 1, and may specifically include: a background server 01 and a number of clients 02 establishing a communication connection with the background server 01.
In the application, the background server 01 is used for executing the steps of the uploading behavior detection method, including determining a target interface for uploading files; acquiring a target uploading behavior to be detected in a target interface; acquiring a baseline modeling result of the target interface, wherein the baseline modeling result comprises a modeling result obtained after performing baseline modeling on the historical uploading behavior of the target interface based on a kernel density estimation algorithm; and determining a security detection result of the target uploading behavior based on the baseline modeling result.
Further, the background server 01 may be provided with an uploading behavior database, a baseline modeling result database, a security detection result database, and the like. The uploading behavior database stores the acquired uploading behaviors, such as target uploading behaviors or historical uploading behaviors; the baseline modeling result database stores baseline modeling results; and the security detection result database stores the security detection results of the various target uploading behaviors. In the present application, the background server 01 may respond to the upload behavior detection requests of one or more clients 02. It may be understood that the upload behavior detection requests initiated by different clients 02 may be requests for the same interface or requests for different interfaces.
Referring to FIG. 2, FIG. 2 is a first flowchart of an uploading behavior detection method according to an embodiment of the present application.
The method for detecting the uploading behavior provided by the embodiment of the application can comprise the following steps:
Step S101: determine a target interface for uploading files.
In practical application, the target interface for uploading the file can be determined first, and the type of the target interface can be determined according to a specific application scene, which is not particularly limited herein.
In a specific application scenario, the target interface for uploading a file may be identified from the HTTP (HyperText Transfer Protocol) log of the interface. For example, the HTTP log of the interface is obtained and the characteristics of the uploaded attachment recorded in the HTTP log are identified; if those characteristics are file characteristics, for example the log contains keywords that indicate a file, such as filename or attachment, the interface is determined to be a target interface for uploading files.
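The interface identification described above, as an added example that is not the patent's own code: requests are scanned for the file keywords (filename, attachment) in multipart part headers only, so the same words in a URL query or a text field do not mark an interface. The record layout, function names and sample log are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample records (not from the patent). Each record is one logged
# HTTP request: method, URL, Content-Type header and the start of the body.
SAMPLE_HTTP_LOG = [
    {"method": "POST", "url": "/api/avatar/upload?uid=7",
     "content_type": "multipart/form-data; boundary=XyZ",
     "body": '--XyZ\r\nContent-Disposition: form-data; name="file"; '
             'filename="me.png"\r\nContent-Type: image/png\r\n\r\n...'},
    # The keywords appear only as user text in a url-encoded field.
    {"method": "POST", "url": "/api/comment",
     "content_type": "application/x-www-form-urlencoded",
     "body": "text=see+the+attachment%2C+filename+is+a.txt"},
    # Multipart form with no file part.
    {"method": "POST", "url": "/api/profile",
     "content_type": "multipart/form-data; boundary=XyZ",
     "body": '--XyZ\r\nContent-Disposition: form-data; name="nick"\r\n\r\nbob'},
    {"method": "PUT", "url": "/files/import",
     "content_type": "multipart/form-data; boundary=Q",
     "body": "--Q\r\nContent-Disposition: attachment; filename*=UTF-8''r.csv\r\n\r\n..."},
    # A download, not an upload: the keyword is in the query string.
    {"method": "GET", "url": "/download?filename=report.pdf",
     "content_type": "", "body": ""},
]

# A part header line: disposition type, then its parameters.
PART_HEADER = re.compile(r"^content-disposition:\s*([^;\r\n]*)(.*)$", re.I | re.M)
# A real filename parameter, not a field that merely has the name "filename".
FILENAME_PARAM = re.compile(r";\s*filename\*?\s*=", re.I)


def has_file_feature(record):
    """True if a multipart part header carries a file keyword (filename/attachment)."""
    if record["method"] not in ("POST", "PUT"):
        return False
    if not record["content_type"].lower().startswith("multipart/form-data"):
        return False
    for disp_type, params in PART_HEADER.findall(record["body"]):
        if disp_type.strip().lower() == "attachment" or FILENAME_PARAM.search(params):
            return True
    return False


def identify_upload_interfaces(records):
    """Return the sorted interface paths (query string removed) that received file uploads."""
    interfaces = set()
    for rec in records:
        if has_file_feature(rec):
            interfaces.add(urlsplit(rec["url"]).path)
    return sorted(interfaces)


if __name__ == "__main__":
    print(identify_upload_interfaces(SAMPLE_HTTP_LOG))
```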
Step S102: acquire the target uploading behavior to be detected in the target interface.
In practical application, after determining the target interface for uploading the file, the target uploading behavior to be detected in the target interface can be obtained, so that the security of the target uploading behavior can be detected later.
It should be noted that, in the present application, information carried by the target uploading behavior may be determined according to a specific application scenario, for example, the target uploading behavior may carry an identifier of an uploading object, an uploading time, and the like, which are not specifically limited herein.
Step S103: acquire a baseline modeling result of the target interface, wherein the baseline modeling result comprises a modeling result obtained by performing baseline modeling on the historical uploading behavior of the target interface based on a kernel density estimation algorithm.
Step S104: determine a security detection result of the target uploading behavior based on the baseline modeling result.
In practical application, after the target uploading behavior to be detected in the target interface is obtained, security detection can be performed on it. Specifically, in the application, a baseline modeling result of the target interface is obtained first, the baseline modeling result comprising a modeling result obtained by performing baseline modeling on the historical uploading behavior of the target interface based on a kernel density estimation (KDE) algorithm. That is, the historical uploading behavior of the target interface is analyzed with the kernel density estimation algorithm to obtain a baseline modeling result that reflects the uploading behavior pattern of the target interface, and the security detection result of the target uploading behavior is then determined based on the baseline modeling result.
The kernel density estimation algorithm referred to in this application is used in probability theory to estimate an unknown density function. It is a non-parametric method, was proposed by Rosenblatt (1955) and Emanuel Parzen (1962), and is also called the Parzen window method. Ruppert and Cline proposed a revised kernel density estimation method based on a dataset density function clustering algorithm.
The uploading behavior detection method provided by the application determines a target interface for uploading files; acquires a target uploading behavior to be detected in the target interface; acquires a baseline modeling result of the target interface, wherein the baseline modeling result comprises a modeling result obtained by performing baseline modeling on the historical uploading behavior of the target interface based on a kernel density estimation algorithm; and determines a security detection result of the target uploading behavior based on the baseline modeling result. Because the historical uploading behavior of the target interface is baseline-modeled with the kernel density estimation algorithm, the baseline modeling result reflects the uploading behavior pattern of the target interface. Determining the security detection result of the target uploading behavior from the baseline modeling result is therefore equivalent to checking the target uploading behavior against the uploading behavior pattern of the target interface, which avoids the inaccurate detection of abnormal uploading behavior that results when content detection is bypassed, so the detection accuracy is good.
Referring to FIG. 3, FIG. 3 is a second flowchart of an uploading behavior detection method according to an embodiment of the present application.
The method for detecting the uploading behavior provided by the embodiment of the application can comprise the following steps:
Step S201: determine a target interface for uploading files.
Step S202: acquire the target uploading behavior to be detected in the target interface.
Step S203: acquire the recorded historical uploading behaviors of the target interface, wherein the historical uploading behaviors comprise historical uploading files and corresponding historical uploading moments.
In practical application, in the process of obtaining the baseline modeling result of the target interface, the baseline modeling result can be generated in real time from the historical uploading behavior. In this process, the recorded historical uploading behavior of the target interface is obtained first, and the historical uploading behavior comprises a historical uploading file and a corresponding historical uploading moment.
It should be noted that the number of the obtained historical uploading behaviors may be determined according to actual needs, for example, all uploading behaviors of the target interface in a previous week may be obtained as the historical uploading behaviors, which is not specifically limited herein.
Step S204: determine a history file type of the history uploading file.
In practical application, after the recorded historical uploading behavior of the target interface is obtained, the history file type of the history uploading file can be determined, so that a baseline modeling result can later be generated based on the history file type and the historical uploading moment.
In a specific application scenario, because threat files are mostly executable dynamic files while safe files are non-executable static files, the history file type can be divided into static files or dynamic files when determining the history file type of the history uploading file, so that the target uploading behavior can be detected quickly based on the history file type. Correspondingly, because the suffixes and contents of static files and dynamic files follow regular, distinct patterns, file suffix detection and/or file content detection can be performed on the history uploading file to obtain a history uploading file detection result, and the history file type is determined quickly and accurately based on that detection result.
In a specific application scenario, there are file attacks that disguise a dynamic file as a static file through operations such as forging the suffix or splicing onto a normal file; for example, a picture code can splice a malicious file into a normal picture file. To identify such attacks and accurately determine the history file type of the history uploading file, the file suffix detection and/or file content detection on the history uploading file can be performed based on a predetermined file analysis model. The type of the file analysis model can be determined according to the actual application scenario; for example, it can include a malicious uploading script-like model and/or a jar packet identification model.
Step S205: perform baseline modeling on the history file type and the corresponding historical uploading moment based on a kernel density estimation algorithm to obtain a baseline modeling result.
In practical application, after the history file type of the history uploading file is determined, the history file type and the corresponding historical uploading moment can be subjected to baseline modeling based on the kernel density estimation algorithm, so that a baseline modeling result is obtained.
Step S206: determine a security detection result of the target uploading behavior based on the baseline modeling result.
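One way to realize the baseline modeling and the decision steps listed in the Disclosure, as an added example that is not the patent's own code: a Gaussian kernel density estimate of upload times is kept per historical file type, static uploads are accepted, and a dynamic upload is accepted only if the baseline expects dynamic uploads in the window around its time. The weekly period, the 30-minute bandwidth and window, the 0.5 threshold, the suffix and marker lists (a stand-in for the file analysis model) and all names are assumptions; the history is constructed.

```python
import math

WEEK_MIN = 7 * 24 * 60                 # assumption: the baseline repeats weekly
DYNAMIC_SUFFIXES = {".jsp", ".jspx", ".php", ".asp", ".aspx", ".jar"}
DYNAMIC_MARKERS = (b"<?php", b"<%")    # assumed stand-in for the file analysis model


def file_type(name, content=b""):
    """Classify an upload as 'dynamic' (executable) or 'static' by suffix and content."""
    suffix = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if suffix in DYNAMIC_SUFFIXES or any(m in content for m in DYNAMIC_MARKERS):
        return "dynamic"
    return "static"


def minute_of_week(day, hour, minute=0):
    """Position inside the week in minutes; day 0 is the first day of the baseline."""
    return (day * 24 + hour) * 60 + minute


def _phi(z):
    """Standard normal cumulative distribution function."""
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


class UploadBaseline:
    """Gaussian KDE over historical upload times, one sample set per file type."""

    def __init__(self, history, bandwidth_min=30.0):
        # history: iterable of (minute_of_week, file_name, content_bytes)
        self.h = bandwidth_min
        self.times = {"static": [], "dynamic": []}
        for t, name, content in history:
            self.times[file_type(name, content)].append(t % WEEK_MIN)

    def expected_uploads(self, ftype, t, interval_min):
        """Kernel mass of ftype inside the window [t - interval, t + interval]."""
        total = 0.0
        for x in self.times[ftype]:
            # Signed circular distance, so the end and start of the week are close.
            d = (x - t + WEEK_MIN / 2) % WEEK_MIN - WEEK_MIN / 2
            total += (_phi((interval_min - d) / self.h)
                      - _phi((-interval_min - d) / self.h))
        return total

    def types_at(self, t, interval_min, min_expected=0.5):
        """Historical file types the baseline expects around time t."""
        return {ft for ft in self.times
                if self.expected_uploads(ft, t, interval_min) >= min_expected}


def detect(baseline, t, name, content=b"", interval_min=30.0):
    """Return 'secure' or 'abnormal' for one target uploading behavior."""
    ftype = file_type(name, content)
    if ftype == "static":              # static files are treated as secure
        return "secure"
    if ftype in baseline.types_at(t % WEEK_MIN, interval_min):
        return "secure"                # dynamic upload matches the baseline
    return "abnormal"                  # dynamic upload outside the baseline


# Constructed history: pictures on five days, jar uploads only on day 2 near 15:00.
HISTORY = (
    [(minute_of_week(d, h), "photo.png", b"\x89PNG")
     for d in range(5) for h in (9, 11, 14, 16)]
    + [(minute_of_week(2, 15, m), "plugin.jar", b"PK\x03\x04") for m in (0, 10)]
)
BASELINE = UploadBaseline(HISTORY)

if __name__ == "__main__":
    print(detect(BASELINE, minute_of_week(2, 15, 5), "plugin.jar", b"PK\x03\x04"))
    print(detect(BASELINE, minute_of_week(4, 3), "tool.jsp"))
    print(detect(BASELINE, minute_of_week(1, 9), "logo.png", b"\x89PNG <?php"))
```

The third call shows the disguised-file case: a .png suffix with a script marker in its content is classified as dynamic and then checked against the baseline.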
Referring to fig. 4, fig. 4 is a third flowchart of an uploading behavior detection method according to an embodiment of the present application.
The method for detecting the uploading behavior provided by the embodiment of the application can comprise the following steps:
step S301: and determining a target interface for uploading the file.
Step S302: and acquiring target uploading behaviors to be detected in a target interface, wherein the target uploading behaviors comprise target uploading files and corresponding target uploading moments.
In practical application, under the condition that a baseline modeling result is generated based on a historical uploading time and a historical file type, the obtained target uploading behavior needs to comprise the target uploading file and a corresponding target uploading time, so that safety detection can be carried out on the target uploading behavior based on the baseline modeling result.
Step S303: the method comprises the steps of obtaining a baseline modeling result of a target interface, wherein the baseline modeling result comprises a modeling result obtained after baseline modeling is carried out on historical uploading behaviors of the target interface based on a kernel density estimation algorithm.
Step S304: and determining the target file type of the target uploading file, wherein the target file type comprises a static file or a dynamic file.
In practical application, in the process of determining the security detection result of the target uploading behavior based on the baseline modeling result, the target file type of the target uploading file needs to be determined first, and the target file type also includes a static file or a dynamic file, and accordingly, the process of determining the target file type of the target uploading file can refer to the process of determining the history file type of the history uploading file, which is not particularly limited herein.
Step S305: and determining target baseline detection time corresponding to the target uploading time based on the historical uploading time in the baseline modeling result.
In practical application, after the target file type of the target uploading file is determined, the target baseline detection time corresponding to the target uploading time is determined based on the historical uploading time in the baseline modeling result. For example, the historical uploading time that coincides with the target uploading time can be taken as the target baseline detection time: if the target uploading time is 3 pm on the third day, then 3 pm on the third day is taken as the target baseline detection time. Alternatively, a baseline detection duration interval value can be determined together with the historical uploading time corresponding to the target uploading time; in the baseline modeling result, the baseline detection time that includes this historical uploading time and whose duration interval value equals the baseline detection duration interval value is then taken as the target baseline detection time. Taking a baseline detection duration interval value of 30 minutes and, again, a target uploading time of 3 pm on the third day as an example, all historical uploading times within 30 minutes before and after that time are taken as the target baseline detection time, for example the duration interval from 2 pm on the third day to 3 pm on the third day. In the subsequent security detection based on the target baseline detection time, the security of the target uploading behavior is then determined from the uploading pattern of historical files within the baseline detection duration interval, so that the target uploading behavior can be detected more accurately.
Step S306: judge whether the target file type belongs to the historical file type corresponding to the target baseline detection time; if it does, execute step S307; if it does not, execute step S308.
Step S307: generate a security detection result indicating that the target uploading behavior is secure.
Step S308: generate a security detection result indicating that the target uploading behavior is abnormal.
In practical application, after the target baseline detection time corresponding to the target uploading time has been determined based on the historical uploading time in the baseline modeling result, it can be judged whether the target file type belongs to the historical file type corresponding to the target baseline detection time. If it does, the target interface has uploaded files of the same type at the earlier target baseline detection time, and a security detection result indicating that the target uploading behavior is secure can be generated. If it does not, the target interface has not uploaded files of the same type at the earlier target baseline detection time, which indicates a potential security risk, and a security detection result indicating that the target uploading behavior is abnormal can be generated.
In a specific application scenario, it is the dynamic file that may make the target uploading behavior dangerous, and detecting files of every type would undoubtedly consume performance and time. To reduce this consumption, the detection process can be differentiated by the file type of the uploaded file. For example, after the target file type of the target uploading file is determined and before judging whether the target file type belongs to the historical file type corresponding to the target baseline detection time, the target file type can be checked to obtain a file type detection result. If the file type detection result indicates that the target file type is a dynamic file, the step of judging whether the target file type belongs to the historical file type corresponding to the target baseline detection time is executed; if it indicates that the target file type is a static file, a security detection result indicating that the target uploading behavior is secure can be generated directly.
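The flow of steps S301 to S308, including the static-file shortcut, can be sketched as follows. This is an added example, not code from the patent: the suffix list, the weekly minute-of-week cycle, the Gaussian kernel with a 20-minute bandwidth and the `min_count` threshold are all assumptions, while the 30-minute interval is the value used in the text.

```python
import math
from datetime import datetime

WEEK = 7 * 24 * 60  # minutes in the weekly cycle assumed for the baseline
# Assumed suffix list; the text only says suffix and/or content is inspected.
DYNAMIC_SUFFIXES = {".jsp", ".jspx", ".php", ".asp", ".aspx", ".jar", ".war"}


def file_type(filename):
    """S304: 'dynamic' if the suffix is server-executable, else 'static'."""
    _, dot, suffix = filename.lower().rpartition(".")
    return "dynamic" if dot and "." + suffix in DYNAMIC_SUFFIXES else "static"


def minute_of_week(ts):
    """Map a timestamp to its position in the weekly cycle (Monday 00:00 = 0)."""
    return ts.weekday() * 1440 + ts.hour * 60 + ts.minute


def build_baseline(history):
    """S303: group historical upload moments of one interface by file type."""
    baseline = {"static": [], "dynamic": []}
    for filename, ts in history:
        baseline[file_type(filename)].append(minute_of_week(ts))
    return baseline


def _phi(z):
    """Standard normal cumulative distribution function."""
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def smoothed_count(samples, center, half_window=30, bandwidth=20.0):
    """S305: Gaussian-kernel estimate of how many historical uploads fall in
    [center - half_window, center + half_window] on the circular week."""
    total = 0.0
    for x in samples:
        # Signed offset of the sample from the window centre, wrapped so that
        # Sunday 23:50 and Monday 00:05 are 15 minutes apart.
        d = (x - center + WEEK / 2) % WEEK - WEEK / 2
        total += _phi((half_window - d) / bandwidth) - _phi((-half_window - d) / bandwidth)
    return total


def detect(baseline, filename, ts, min_count=0.5):
    """S304 to S308 for one target upload; returns 'safe' or 'abnormal'."""
    ftype = file_type(filename)
    if ftype == "static":  # shortcut: static files skip the baseline check
        return "safe"
    count = smoothed_count(baseline[ftype], minute_of_week(ts))
    return "safe" if count >= min_count else "abnormal"


# Constructed history for one upload interface: dynamic files only arrive in a
# Wednesday-afternoon release window, static files arrive at assorted times.
HISTORY = [
    ("plugin-1.0.jar", datetime(2022, 7, 6, 15, 0)),
    ("plugin-1.1.jar", datetime(2022, 7, 13, 15, 5)),
    ("plugin-1.2.jar", datetime(2022, 7, 20, 14, 50)),
    ("avatar.png", datetime(2022, 7, 7, 9, 30)),
    ("report.pdf", datetime(2022, 7, 15, 11, 12)),
    ("logo.svg", datetime(2022, 7, 23, 2, 10)),
]
BASELINE = build_baseline(HISTORY)

if __name__ == "__main__":
    targets = [
        ("plugin-1.3.jar", datetime(2022, 7, 27, 15, 10)),  # inside the usual window
        ("shell.jsp", datetime(2022, 7, 30, 2, 0)),         # dynamic file, unseen time
        ("photo.png", datetime(2022, 7, 30, 2, 0)),         # static file
    ]
    for name, ts in targets:
        print(f"{ts:%a %H:%M}  {name:<16} {detect(BASELINE, name, ts)}")
```

The smoothed count stands in for the membership test of step S306: a dynamic upload is treated as belonging to the baseline only when roughly one or more historical dynamic uploads sit in the same interval of the week.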
Fig. 5 is a schematic structural diagram of an uploading behavior detection system according to an embodiment of the present application.
An uploading behavior detection system provided in the embodiment of the present application may include:
a target interface determining module 101, configured to determine a target interface for uploading files;
a target uploading behavior acquisition module 102, configured to acquire a target uploading behavior to be detected in the target interface;
a baseline modeling result obtaining module 103, configured to obtain a baseline modeling result of the target interface, where the baseline modeling result includes a modeling result obtained after performing baseline modeling on the historical uploading behavior of the target interface based on a kernel density estimation algorithm;
a detection module 104, configured to determine a security detection result of the target uploading behavior based on the baseline modeling result.
In the uploading behavior detection system provided by the embodiment of the application, the baseline modeling result obtaining module may include:
a historical uploading behavior acquisition unit, configured to acquire the recorded historical uploading behavior of the target interface, where the historical uploading behavior comprises a historical uploading file and the corresponding historical uploading moment;
a historical file type determining unit, configured to determine the historical file type of the historical uploading file;
a baseline modeling result generation unit, configured to perform baseline modeling on the historical file type and the corresponding historical uploading moment based on the kernel density estimation algorithm to obtain the baseline modeling result.
In the uploading behavior detection system provided in the embodiment of the present application, the historical file type determining unit may be specifically configured to: detect file suffixes and/or file contents of the historical uploading files to obtain a historical uploading file detection result; and determine the historical file type based on the historical uploading file detection result, the historical file type including a static file or a dynamic file.
In the uploading behavior detection system provided in the embodiment of the present application, the historical file type determining unit may be specifically configured to: detect file suffixes and/or file contents of the historical uploading files based on a predetermined file analysis model, where the file analysis model comprises a malicious uploading script-like model and/or a jar package identification model.
In the uploading behavior detection system provided by the embodiment of the application, the target uploading behavior acquisition module may include:
a target uploading behavior acquisition unit, configured to acquire the target uploading behavior to be detected in the target interface, where the target uploading behavior comprises a target uploading file and the corresponding target uploading moment;
and the detection module may include:
a target file type determining unit, configured to determine the target file type of the target uploading file, where the target file type comprises a static file or a dynamic file;
a target baseline detection time determining unit, configured to determine the target baseline detection time corresponding to the target uploading time based on the historical uploading time in the baseline modeling result;
a detection unit, configured to judge whether the target file type belongs to the historical file type corresponding to the target baseline detection time; if it does, generate a security detection result indicating that the target uploading behavior is secure; and if it does not, generate a security detection result indicating that the target uploading behavior is abnormal.
In the uploading behavior detection system provided in the embodiment of the present application, the target baseline detection time determining unit may be specifically configured to: determine a baseline detection duration interval value; determine the historical uploading time corresponding to the target uploading time; and, in the baseline modeling result, take the baseline detection time that includes the historical uploading time and whose duration interval value equals the baseline detection duration interval value as the target baseline detection time.
The uploading behavior detection system provided in the embodiment of the present application may further include:
a judging unit, configured to check the target file type, after the target file type determining unit determines the target file type of the target uploading file and before the detection unit judges whether the target file type belongs to the historical file type corresponding to the target baseline detection time, so as to obtain a file type detection result; if the file type detection result indicates that the target file type is a dynamic file, prompt the detection unit to execute the step of judging whether the target file type belongs to the historical file type corresponding to the target baseline detection time; and if the file type detection result indicates that the target file type is a static file, generate a security detection result indicating that the target uploading behavior is secure.
Based on the hardware implementation of the program modules, and in order to implement the method of the embodiment of the present invention, the embodiment of the present invention further provides an electronic device. Fig. 6 is a schematic diagram of the hardware composition structure of the electronic device of the embodiment of the present invention. As shown in Fig. 6, the electronic device includes:
a communication interface 1, capable of information interaction with other devices such as network devices;
a processor 2, connected with the communication interface 1 to realize information interaction with other devices, and used for executing the uploading behavior detection method provided by one or more of the above technical schemes when running the computer program. The computer program is stored in the memory 3.
Of course, in practice, the various components in the electronic device are coupled together by a bus system 4. It will be appreciated that the bus system 4 is used to enable connected communications between these components. The bus system 4 comprises, in addition to a data bus, a power bus, a control bus and a status signal bus. But for clarity of illustration the various buses are labeled as bus system 4 in fig. 6.
The memory 3 in the embodiment of the present invention is used to store various types of data to support the operation of the electronic device. Examples of such data include: any computer program for operating on an electronic device.
It will be appreciated that the memory 3 may be either volatile memory or nonvolatile memory, and may include both volatile and nonvolatile memory. The nonvolatile memory may be read-only memory (ROM, Read-Only Memory), programmable read-only memory (PROM, Programmable Read-Only Memory), erasable programmable read-only memory (EPROM, Erasable Programmable Read-Only Memory), electrically erasable programmable read-only memory (EEPROM, Electrically Erasable Programmable Read-Only Memory), magnetic random access memory (FRAM, Ferromagnetic Random Access Memory), flash memory (Flash Memory), magnetic surface memory, optical disk, or compact disc read-only memory (CD-ROM, Compact Disc Read-Only Memory); the magnetic surface memory may be a disk memory or a tape memory. The volatile memory may be random access memory (RAM, Random Access Memory), which acts as external cache memory. By way of example, and not limitation, many forms of RAM are available, such as static random access memory (SRAM, Static Random Access Memory), synchronous static random access memory (SSRAM, Synchronous Static Random Access Memory), dynamic random access memory (DRAM, Dynamic Random Access Memory), synchronous dynamic random access memory (SDRAM, Synchronous Dynamic Random Access Memory), double data rate synchronous dynamic random access memory (DDR SDRAM, Double Data Rate Synchronous Dynamic Random Access Memory), enhanced synchronous dynamic random access memory (ESDRAM, Enhanced Synchronous Dynamic Random Access Memory), synchronous link dynamic random access memory (SLDRAM, SyncLink Dynamic Random Access Memory), and direct memory bus random access memory (DRRAM, Direct Rambus Random Access Memory). The memory 2 described in the embodiments of the present invention is intended to comprise, without being limited to, these and any other suitable types of memory.
The method disclosed in the above embodiment of the present invention may be applied to the processor 2 or implemented by the processor 2. The processor 2 may be an integrated circuit chip with signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware in the processor 2 or by instructions in the form of software. The processor 2 described above may be a general purpose processor, DSP, or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, or the like. The processor 2 may implement or perform the methods, steps and logic blocks disclosed in embodiments of the present invention. The general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed in the embodiment of the invention can be directly embodied in the hardware of the decoding processor or can be implemented by combining hardware and software modules in the decoding processor. The software modules may be located in a storage medium in the memory 3 and the processor 2 reads the program in the memory 3 to perform the steps of the method described above in connection with its hardware.
The corresponding flow in each method of the embodiments of the present invention is implemented when the processor 2 executes the program, and for brevity, will not be described in detail herein.
In an exemplary embodiment, the present invention also provides a storage medium, i.e. a computer storage medium, in particular a computer readable storage medium, for example comprising a memory 3 storing a computer program executable by the processor 2 for performing the steps of the method described above. The computer readable storage medium may be FRAM, ROM, PROM, EPROM, EEPROM, flash Memory, magnetic surface Memory, optical disk, or CD-ROM.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus, terminal and method may be implemented in other manners. The device embodiments described above are only illustrative; for example, the division of the units is only a logical function division, and there may be other divisions in practice: multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the components shown or discussed may be coupled, directly coupled or communicatively connected to each other through some interface, and the indirect coupling or communication connection between devices or units may be electrical, mechanical, or in other forms.
The units described as separate units may or may not be physically separate, and units displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units; some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present invention may be integrated in one processing unit, or each unit may be separately used as one unit, or two or more units may be integrated in one unit; the integrated units may be implemented in hardware or in hardware plus software functional units.
Those of ordinary skill in the art will appreciate that: all or part of the steps for implementing the above method embodiments may be implemented by hardware associated with program instructions, where the foregoing program may be stored in a computer readable storage medium, and when executed, the program performs steps including the above method embodiments; and the aforementioned storage medium includes: a removable storage device, ROM, RAM, magnetic or optical disk, or other medium capable of storing program code.
Alternatively, the above-described integrated units of the present invention may be stored in a computer-readable storage medium if implemented in the form of software functional modules and sold or used as separate products. Based on such understanding, the technical solutions of the embodiments of the present invention may be embodied in essence or a part contributing to the prior art in the form of a software product stored in a storage medium, including several instructions for causing an electronic device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the methods described in the embodiments of the present invention. And the aforementioned storage medium includes: a removable storage device, ROM, RAM, magnetic or optical disk, or other medium capable of storing program code.
The description of the relevant parts in the uploading behavior detection system, the electronic device and the computer readable storage medium provided in the embodiments of the present application refers to the detailed description of the corresponding parts in the uploading behavior detection method provided in the embodiments of the present application, and is not repeated here. In addition, the parts of the above technical solutions provided in the embodiments of the present application, which are consistent with the implementation principles of the corresponding technical solutions in the prior art, are not described in detail, so that redundant descriptions are avoided.
It is further noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (7)

1. An uploading behavior detection method, characterized by comprising the following steps:
determining a target interface for uploading files;
acquiring a target uploading behavior to be detected in the target interface;
acquiring a baseline modeling result of the target interface, wherein the baseline modeling result comprises a modeling result obtained after performing baseline modeling on the historical uploading behavior of the target interface based on a kernel density estimation algorithm;
determining a security detection result of the target uploading behavior based on the baseline modeling result;
wherein the obtaining the baseline modeling result of the target interface includes:
acquiring recorded historical uploading behaviors of the target interface, wherein the historical uploading behaviors comprise historical uploading files and corresponding historical uploading moments;
detecting file suffixes and/or file contents of the historical uploading files based on a predetermined file analysis model to obtain historical uploading file detection results, wherein the file analysis model comprises a malicious uploading script-like model and/or a jar package identification model;
determining a historical file type based on the historical uploading file detection result, wherein the historical file type comprises a static file or a dynamic file;
and carrying out baseline modeling on the historical file type and the corresponding historical uploading moment based on the kernel density estimation algorithm to obtain the baseline modeling result.
2. The method according to claim 1, wherein the obtaining the target uploading behavior to be detected in the target interface includes:
acquiring the target uploading behaviors to be detected in the target interface, wherein the target uploading behaviors comprise target uploading files and corresponding target uploading moments;
the determining the security detection result of the target uploading file based on the baseline modeling result comprises the following steps:
determining a target file type of the target uploading file, wherein the target file type comprises the static file or the dynamic file;
determining target baseline detection time corresponding to the target uploading time based on the historical uploading time in the baseline modeling result;
judging whether the target file type belongs to the historical file type corresponding to the target baseline detection time or not;
if the target file type belongs to the historical file type corresponding to the target baseline detection time, generating the security detection result representing that the target uploading behavior is secure;
and if the target file type does not belong to the historical file type corresponding to the target baseline detection time, generating the security detection result representing that the target uploading behavior is abnormal.
3. The method according to claim 2, wherein determining, in the baseline modeling result, a target baseline detection time corresponding to the target uploading time based on the historical uploading time includes:
determining a baseline detection duration interval value;
determining the historical uploading time corresponding to the target uploading time;
and in the baseline modeling result, taking the baseline detection time which comprises the historical uploading time and has the duration interval value equal to the baseline detection duration interval value as the target baseline detection time.
4. The method according to claim 2, wherein, after determining the target file type of the target uploading file and before judging whether the target file type belongs to the historical file type corresponding to the target baseline detection time, the method further comprises:
detecting the target file type to obtain a file type detection result;
if the file type detection result represents that the target file type is the dynamic file, executing the step of judging whether the target file type belongs to the historical file type corresponding to the target baseline detection time;
and if the file type detection result represents that the target file type is the static file, generating the security detection result representing that the target uploading behavior is secure.
5. An upload behavior detection system, comprising:
the target interface determining module is used for determining a target interface for uploading the file;
the target uploading behavior acquisition module is used for acquiring the target uploading behavior to be detected in the target interface;
the baseline modeling result acquisition module is used for acquiring a baseline modeling result of the target interface, wherein the baseline modeling result comprises a modeling result obtained after the historical uploading behavior of the target interface is subjected to baseline modeling based on a kernel density estimation algorithm;
the detection module is used for determining a security detection result of the target uploading behavior based on the baseline modeling result;
wherein, the baseline modeling result acquisition module comprises:
the historical uploading behavior acquisition unit is used for acquiring the recorded historical uploading behavior of the target interface, wherein the historical uploading behavior comprises a historical uploading file and a corresponding historical uploading moment;
the historical file type determining unit is used for detecting file suffixes and/or file contents of the historical uploading files based on a predetermined file analysis model to obtain historical uploading file detection results, wherein the file analysis model comprises a malicious uploading script-like model and/or a jar package identification model; and determining a historical file type based on the historical uploading file detection result, wherein the historical file type comprises a static file or a dynamic file;
and the baseline modeling result generation unit is used for carrying out baseline modeling on the historical file type and the corresponding historical uploading moment based on the kernel density estimation algorithm to obtain the baseline modeling result.
6. An electronic device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the uploading behavior detection method according to any of claims 1 to 4 when executing the computer program.
7. A computer readable storage medium, characterized in that the computer readable storage medium has stored therein a computer program which, when executed by a processor, implements the steps of the upload behavior detection method according to any one of claims 1 to 4.
CN202210842849.8A 2022-07-18 2022-07-18 Uploading behavior detection method, system, equipment and computer storage medium Active CN115134164B (en)

Publications (2)

Publication Number Publication Date
CN115134164A CN115134164A (en) 2022-09-30
CN115134164B true CN115134164B (en) 2024-02-23

Family

ID=83384127

CN111107079A (en) * 2019-12-16 2020-05-05 北京神州绿盟信息安全科技股份有限公司 Method and device for detecting uploaded files
CN111159706A (en) * 2019-12-26 2020-05-15 深信服科技股份有限公司 Database security detection method, device, equipment and storage medium
CN111541647A (en) * 2020-03-25 2020-08-14 杭州数梦工场科技有限公司 Security detection method and device, storage medium and computer equipment
CN111625827A (en) * 2020-05-29 2020-09-04 深信服科技股份有限公司 File processing method and device, terminal equipment and computer readable storage medium
CN111800405A (en) * 2020-06-29 2020-10-20 深信服科技股份有限公司 Detection method, detection device and storage medium
CN112583801A (en) * 2020-12-02 2021-03-30 张仕文 Network abnormal behavior detection system and method based on big data
CN112926054A (en) * 2021-02-22 2021-06-08 亚信科技(成都)有限公司 Malicious file detection method, device, equipment and storage medium
CN112818307A (en) * 2021-02-25 2021-05-18 深信服科技股份有限公司 User operation processing method, system, device and computer readable storage medium
CN113032785A (en) * 2021-03-26 2021-06-25 深信服科技股份有限公司 Document detection method, device, equipment and storage medium
CN113364784A (en) * 2021-06-09 2021-09-07 深信服科技股份有限公司 Detection parameter generation method and device, electronic equipment and storage medium
CN113595997A (en) * 2021-07-14 2021-11-02 上海淇玥信息技术有限公司 File uploading safety detection method and device and electronic equipment
CN113949525A (en) * 2021-09-07 2022-01-18 中云网安科技有限公司 Method and device for detecting abnormal access behavior, storage medium and electronic equipment
CN113918376A (en) * 2021-12-14 2022-01-11 湖南天云软件技术有限公司 Fault detection method, device, equipment and computer readable storage medium
CN114218574A (en) * 2021-12-14 2022-03-22 中国平安财产保险股份有限公司 Data detection method and device, electronic equipment and storage medium
CN114297657A (en) * 2021-12-31 2022-04-08 深信服科技股份有限公司 File behavior detection baseline determination and file behavior anomaly detection method and device
CN114374686A (en) * 2022-01-05 2022-04-19 北京百度网讯科技有限公司 File processing method, device and equipment based on browser
CN114050941A (en) * 2022-01-11 2022-02-15 中孚信息股份有限公司 Defect account detection method and system based on kernel density estimation

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Research and Practice on File Upload Vulnerabilities (文件上传漏洞研究与实践); 黄志华; 王子凯; 徐玉华; 李云龙; 孙伟; 信息安全研究 (02); pp. 57-64 *

Also Published As

Publication number Publication date
CN115134164A (en) 2022-09-30

Similar Documents

Publication Publication Date Title
US9215245B1 (en) Exploration system and method for analyzing behavior of binary executable programs
US8627469B1 (en) Systems and methods for using acquisitional contexts to prevent false-positive malware classifications
US20190073483A1 (en) Identifying sensitive data writes to data stores
US8176556B1 (en) Methods and systems for tracing web-based attacks
US8474040B2 (en) Environmental imaging
KR101043299B1 (en) Method, system and computer readable recording medium for detecting exploit code
CN110417718B (en) Method, device, equipment and storage medium for processing risk data in website
US9178904B1 (en) Systems and methods for detecting malicious browser-based scripts
US8869284B1 (en) Systems and methods for evaluating application trustworthiness
WO2019144548A1 (en) Security test method, apparatus, computer device and storage medium
US11275835B2 (en) Method of speeding up a full antivirus scan of files on a mobile device
CN112769775B (en) Threat information association analysis method, system, equipment and computer medium
KR101902747B1 (en) Method and Apparatus for Analyzing Web Vulnerability for Client-side
CN112818307A (en) User operation processing method, system, device and computer readable storage medium
US10275396B1 (en) Techniques for data classification based on sensitive data
US10075456B1 (en) Systems and methods for detecting exploit-kit landing pages
US20190215333A1 (en) Persistent cross-site scripting vulnerability detection
Daghmehchi Firoozjaei et al. Memory forensics tools: a comparative analysis
CN113282921A (en) File detection method, device, equipment and storage medium
CN115134164B (en) Uploading behavior detection method, system, equipment and computer storage medium
CN115051867B (en) Illegal external connection behavior detection method and device, electronic equipment and medium
CN111241547A (en) Detection method, device and system for unauthorized vulnerability
CN116226865A (en) Security detection method, device, server, medium and product of cloud native application
CN112003824B (en) Attack detection method and device and computer readable storage medium
CN114417349A (en) Attack result determination method, device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant