CN115271719A - Attack protection method based on big data and storage medium - Google Patents


Info

Publication number
CN115271719A
Authority
CN
China
Prior art keywords
attack
session
session element
online payment
analyzed
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210858531.9A
Other languages
Chinese (zh)
Inventor
黄义宝
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual
Priority to CN202210858531.9A
Publication of CN115271719A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/382 Payment protocols; Details thereof insuring higher security of transaction
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic

Abstract

The invention relates to an attack protection method and a storage medium based on big data, which determine attack risk description of network attack of payment data to be analyzed according to a final analysis record; and determining an attack protection strategy aiming at the payment data network attack to be analyzed based on the attack risk description.

Description

Attack protection method based on big data and storage medium
This application is a divisional of application No. CN202111488103.3, filed on December 8, 2021, entitled "Big data anti-attack method based on online payment and storage medium".
Technical Field
The embodiment of the invention relates to the technical field of big data protection, in particular to an attack protection method and a storage medium based on big data.
Background
The continuous progress of science and technology has pushed business industries towards digitization, and online/electronic business models have gradually formed. Accordingly, payment is gradually shifting from offline payment to online payment. Online payment removes the limits of payment time and payment region, improving the convenience and flexibility of payment. As a result, the scale of online payment keeps growing and the fields it touches keep widening, and the payment security problems that come with it cannot be neglected.
The inventor has found through research that the related payment security problems are mainly concentrated in the payment session process, for example various payment big data network attack behaviors hidden in the payment session process, but the related technology has difficulty guaranteeing the accuracy of network attack analysis and therefore has difficulty providing an accurate and reliable basis for subsequent attack protection.
Disclosure of Invention
In view of this, embodiments of the present invention provide an attack protection method and a storage medium based on big data.
The embodiment of the invention provides an attack protection method based on big data, which is applied to a big data attack prevention system, and the method at least comprises the following steps: determining at least one group of online payment sessions triggering anti-attack analysis conditions and at least one session element screening index of the payment data network attack to be analyzed; enabling network attack analysis operation on the at least one group of online payment sessions triggering the anti-attack analysis condition to obtain a staged attack analysis record of the to-be-analyzed payment data network attack, and performing network attack session element mining operation on the at least one group of online payment sessions triggering the anti-attack analysis condition to obtain at least one session element of the to-be-analyzed payment data network attack; and obtaining a final analysis record of the payment data network attack to be analyzed by combining the staged attack analysis record, the at least one session element and the at least one session element screening index of the payment data network attack to be analyzed.
Under some independently implementable design ideas, obtaining the final analysis record of the to-be-analyzed payment data network attack by combining the staged attack analysis record, the at least one session element and the at least one session element screening index of the to-be-analyzed payment data network attack includes: on the basis that the staged attack analysis record is that the at least one group of online payment sessions triggering the anti-attack analysis condition carries the to-be-analyzed payment data network attack, and the at least one session element meets the at least one session element screening index, determining that the final analysis record is that the to-be-analyzed payment data network attack is in an activated state; and on the basis that the staged attack analysis record is that the at least one group of online payment sessions triggering the anti-attack analysis condition carries the to-be-analyzed payment data network attack, and the at least one session element does not meet the at least one session element screening index, determining that the final analysis record is that the to-be-analyzed payment data network attack is in a to-be-activated state.
Under some independently implementable design ideas, performing the network attack session element mining operation on the at least one group of online payment sessions triggering the anti-attack analysis condition to obtain at least one session element of the to-be-analyzed payment data network attack comprises: on the basis that the staged attack analysis record is that the at least one group of online payment sessions triggering the anti-attack analysis condition carries the to-be-analyzed payment data network attack, performing the network attack session element mining operation on the at least one group of online payment sessions triggering the anti-attack analysis condition to obtain at least one session element of the to-be-analyzed payment data network attack.
Under some independently implementable design ideas, the payment data network attack to be analyzed comprises a distributed denial of service attack; the at least one group of online payment sessions triggering the anti-attack analysis condition includes a first online payment session; the first online payment session includes distributed denial of service attack detection content; enabling the network attack analysis operation on the at least one group of online payment sessions triggering the anti-attack analysis condition to obtain the staged attack analysis record comprises: on the basis of determining that the distributed denial of service attack detection content carries an anomaly detection item, determining that the staged attack analysis record is that the first online payment session carries the distributed denial of service attack; the anomaly detection item includes one or both of: responding to the refusal request and the abnormal flow state theme; and on the basis of determining that the distributed denial of service attack detection content does not carry an anomaly detection item, determining that the staged attack analysis record is that the first online payment session does not carry the distributed denial of service attack.
Under some independently implementable design ideas, the at least one group of online payment sessions triggering the anti-attack analysis condition includes a third online payment session; the at least one session element screening index comprises a release topic key description set; the at least one session element comprises a salient semantic expression of the anomaly detection item; performing the network attack session element mining operation on the at least one group of online payment sessions triggering the anti-attack analysis condition to obtain at least one session element of the to-be-analyzed payment data network attack comprises: performing a salient semantic expression mining operation on the second online payment session to obtain the salient semantic expression content of the anomaly detection item; the at least one session element meeting the at least one session element screening index includes: the release topic key description set does not carry a semantic vector corresponding to the salient semantic expression content; the at least one session element not meeting the at least one session element screening index includes: a semantic vector corresponding to the salient semantic expression content exists in the release topic key description set.
Under some independently implementable design ideas, the at least one session element screening index further comprises a feature dimension interval; the at least one session element further comprises an item feature dimension of the anomaly detection item; performing the network attack session element mining operation on the at least one group of online payment sessions triggering the anti-attack analysis condition to obtain at least one session element of the to-be-analyzed payment data network attack further comprises: performing an item identification operation on the second online payment session to obtain the item feature dimension of the anomaly detection item; the at least one session element meeting the at least one session element screening index includes: the release topic key description set does not carry a semantic vector corresponding to the salient semantic expression, and the item feature dimension of the anomaly detection item falls into the feature dimension interval; the at least one session element not meeting the at least one session element screening index comprises at least one of: the release topic key description set does not carry a semantic vector corresponding to the salient semantic expression; and the item feature dimension of the anomaly detection item does not fall into the feature dimension interval.
Under some independently implementable design ideas, the at least one set of online payment sessions triggering the attack-prevention analysis condition includes a third online payment session and a fourth online payment session, and a set digital signature of the third online payment session is prior to a set digital signature of the fourth online payment session; the at least one session element screening index comprises a set time sequence accumulated value; the at least one session element comprises a time sequence statistical result of the payment data network attack to be analyzed; the network attack session element mining operation is carried out on the at least one group of online payment sessions triggering the anti-attack analysis condition to obtain at least one session element of the payment data to be analyzed under the network attack, and the network attack session element mining operation comprises the following steps: taking the set digital signature of the third online payment session as a starting time sequence node of the network attack of the payment data to be analyzed, and taking the set digital signature of the fourth online payment session as a termination time sequence node of the network attack of the payment data to be analyzed, so as to obtain a time sequence statistical result; the at least one session element satisfying the at least one session element screening index includes: the time sequence statistical result is greater than the set time sequence accumulated value; the at least one session element not meeting the at least one session element screening criteria includes: and the time sequence statistical result is less than or equal to the set time sequence accumulated value.
Under some independently implementable design ideas, the payment data network attack to be analyzed comprises over-authority access; the at least one session element screening index also comprises an over-authority access constraint condition; the at least one session element comprises the distribution condition of the access requests to be processed; the third online payment session and the fourth online payment session both include the access request to be processed; performing the network attack session element mining operation on the at least one group of online payment sessions triggering the anti-attack analysis condition to obtain at least one session element of the to-be-analyzed payment data network attack comprises: performing an access request identification operation on the third online payment session to obtain a first distribution condition of the access request to be processed in the third online payment session; performing an access request identification operation on the fourth online payment session to obtain a second distribution condition of the access request to be processed in the fourth online payment session; the at least one session element meeting the at least one session element screening index includes: the time sequence statistical result is greater than the set time sequence accumulated value, and the first distribution condition and the second distribution condition both match the over-authority access constraint condition; the at least one session element not meeting the at least one session element screening index comprises one or more of: the time sequence statistical result is less than or equal to the set time sequence accumulated value, the first distribution condition does not match the over-authority access constraint condition, and the second distribution condition does not match the over-authority access constraint condition.
Under some independently implementable design ideas, the at least one group of online payment sessions triggering the anti-attack analysis condition comprises a fifth online payment session; the at least one session element screening index comprises a credibility evaluation judgment value; performing the network attack session element mining operation on the at least one group of online payment sessions triggering the anti-attack analysis condition to obtain at least one session element of the to-be-analyzed payment data network attack comprises: performing an item identification operation on the fifth online payment session to obtain the credibility evaluation of the anomaly detection item in the fifth online payment session; the at least one session element meeting the at least one session element screening index includes: the credibility evaluation of the anomaly detection item is greater than the credibility evaluation judgment value; the at least one session element not meeting the at least one session element screening index includes: the credibility evaluation of the anomaly detection item is less than or equal to the credibility evaluation judgment value.
Under some design ideas which can be independently implemented, the at least one session element screening index comprises an abnormal prompt time sequence interval; the network attack session element mining operation is carried out on the at least one group of online payment sessions triggering the anti-attack analysis condition to obtain at least one session element of the to-be-analyzed payment data network attack, and the method comprises the following steps: taking the set digital signature of the sixth online payment session as the activation moment of the network attack of the payment data to be analyzed; the sixth online payment session is the online payment session with the latest digital signature set in the online payment sessions with at least one group of trigger anti-attack analysis conditions; the at least one session element satisfying the at least one session element screening index includes: the activation moment of the payment data network attack to be analyzed does not fall into the abnormal prompt time sequence interval; the at least one session element not meeting the at least one session element screening criteria includes: and the activation moment of the payment data network attack to be analyzed falls into the abnormal prompt time sequence interval.
Under some independently implementable design ideas, on the basis that the number of the session element screening indexes is greater than one, before performing network attack session element mining operation on the at least one group of online payment sessions triggering the attack prevention analysis condition to obtain at least one session element of the payment data to be analyzed for network attack, the method further includes: determining an attention queue of session elements of the payment data network attack to be analyzed corresponding to the screening index; the network attack session element mining operation is carried out on the at least one group of online payment sessions triggering the anti-attack analysis condition to obtain at least one session element of the payment data to be analyzed under the network attack, and the network attack session element mining operation comprises the following steps: carrying out first session element mining operation on the at least one group of online payment sessions triggering the anti-attack analysis conditions to obtain first session elements of the payment data to be analyzed in the network attack; the first session element is the session element with the maximum attention in the attention queue; on the basis that the first session element meets the session element screening index corresponding to the first session element, performing second session element mining operation on the at least one group of online payment sessions triggering the anti-attack analysis condition to obtain a second session element of the payment data network attack to be analyzed; the second session element is a session element with the second highest attention in the attention queue; and on the basis that the first session element does not meet the screening index corresponding to the first session element, terminating the network attack session element mining operation on the at least one group of online payment sessions triggering the anti-attack analysis condition.
Under some independently implementable design ideas, the method further comprises: issuing an attack coping strategy on the basis that the final analysis record indicates that the to-be-analyzed payment data network attack is in a to-be-activated state.
The embodiment of the invention also provides a big data anti-attack system, which comprises a processor, a network module and a memory; the processor and the memory communicate through the network module, and the processor reads the computer program from the memory and operates to perform the above-described method.
The embodiment of the invention also provides a computer storage medium, wherein the computer storage medium stores a computer program, and the computer program realizes the method when running.
Compared with the prior art, the method has the advantages that the staged attack analysis record of the payment data network attack to be analyzed is obtained by carrying out the network attack analysis operation on the online payment session, at least one session element of the payment data network attack to be analyzed is obtained by carrying out the network attack session element mining operation on the online payment session, and the final analysis record of the payment data network attack to be analyzed can be obtained by combining the staged attack analysis record, the session element and the session element screening index. Therefore, the session elements and the session element screening indexes of the payment data network attack to be analyzed are combined, the staged attack analysis records are cleaned, the analysis condition that the session elements do not meet the session element screening indexes can be cleaned, the final analysis records are obtained, the precision of the final analysis records can be ensured, and accurate and reliable data bases are provided for subsequent attack protection.
In the description that follows, additional features will be set forth, in part, in the description. These features will be in part apparent to those of ordinary skill in the art upon examination of the following and the accompanying drawings or may be learned by production or use. The features of the present application may be realized and attained by practice or use of various aspects of the methodologies, instrumentalities and combinations particularly pointed out in the detailed examples which follow.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a flowchart of an attack protection method based on big data according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. The components of embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present invention, presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The big data anti-attack system in the embodiment of the invention can be a server with data storage, transmission and processing functions, and comprises: memory 11, processor 12, network module 13 and big data based attack protection device 20.
The memory 11, the processor 12 and the network module 13 are electrically connected directly or indirectly to realize data transmission or interaction. For example, the components may be electrically connected to each other via one or more communication buses or signal lines. The memory 11 stores a big data based attack protection device 20, the big data based attack protection device 20 includes at least one software functional module that can be stored in the memory 11 in a form of software or firmware (firmware), and the processor 12 executes various functional applications and data processing by running a software program and a module stored in the memory 11, such as the big data based attack protection device 20 in the embodiment of the present invention, that is, implements the big data based attack protection method in the embodiment of the present invention.
The Memory 11 may be, but is not limited to, a Random Access Memory (RAM), a Read Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Read-Only Memory (EPROM), an electrically Erasable Read-Only Memory (EEPROM), and the like. The memory 11 is used for storing a program, and the processor 12 executes the program after receiving the execution instruction.
The processor 12 may be an integrated circuit chip having data processing capabilities. The processor 12 may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like. It may implement or perform the various methods, steps and logic blocks disclosed in embodiments of the present invention. A general-purpose processor may be a microprocessor or any conventional processor or the like.
The network module 13 is configured to establish communication connection between the big data anti-attack system and other communication terminal devices through a network, so as to implement transceiving operation of network signals and data. The network signal may include a wireless signal or a wired signal.
The embodiment of the invention also provides a computer storage medium, wherein the computer storage medium stores a computer program, and the computer program realizes the method when running.
Fig. 1 shows a flowchart of big data-based attack protection provided by an embodiment of the present invention. The method steps defined by the related procedures of the method are applied to a big data anti-attack system and can be realized by the processor 12, and the method comprises the contents described in the following steps.
Step S101, determining at least one group of online payment sessions triggering the anti-attack analysis condition and at least one session element screening index of the payment data network attack to be analyzed.
For the embodiment of the present invention, the online payment session that triggers the anti-attack analysis condition may be understood as the online payment session to be processed, and the anti-attack analysis condition may be flexibly set according to the session time period and the session object, which is not further limited in the embodiment of the present invention. The online payment session may involve an inbound payment session or a cross-inbound payment session.
For the embodiment of the invention, the payment data network attack to be analyzed can be any of various network attacks. Optionally, the payment data network attack to be analyzed is a session behavior with a data information security risk.
For the embodiment of the invention, the session element screening index of the payment data network attack to be analyzed is used for removing session behavior that has been mistaken for a network attack. The session element screening indexes of the payment data network attack to be analyzed can include various indexes; for details, refer to the following description.
Step S102, enabling the network attack analysis operation on the at least one group of online payment sessions triggering the anti-attack analysis condition to obtain a staged attack analysis record of the payment data network attack to be analyzed.
For the embodiment of the invention, the network attack analysis operation can be realized through an AI intelligent network, and the staged attack analysis records can be understood as intermediate analysis records or transitional analysis records.
For the embodiment of the present invention, the staged attack analysis record of the payment data network attack to be analyzed may include the following content: the at least one group of online payment sessions triggering the anti-attack analysis condition either carries or does not carry the payment data network attack to be analyzed. The big data anti-attack system uses the AI intelligent network to process the at least one group of online payment sessions triggering the anti-attack analysis condition, and can thereby obtain the staged attack analysis record.
For the embodiments of the present invention, the AI intelligent network may be a CNN, RNN, or LSTM network, but is not limited thereto.
Step S103, performing the network attack session element mining operation on the at least one group of online payment sessions triggering the anti-attack analysis condition to obtain at least one session element of the payment data network attack to be analyzed.
For the embodiment of the invention, the session element of the payment data network attack to be analyzed can be understood as a session attribute or session characteristic of the payment data network attack to be analyzed. In one independently implementable embodiment of the network attack session element mining operation, the at least one group of online payment sessions triggering the anti-attack analysis condition is passed to a session element mining network, which outputs the session elements of the payment data network attack to be analyzed. The session element mining network can be obtained by training and tuning a corresponding neural network model on a training set of online payment sessions annotated with session elements.
For example, not less than one set of online payment sessions that trigger the anti-attack analysis conditions includes: and triggering an online payment session _1 of the anti-attack analysis condition. The online payment session _1 triggering the anti-attack analysis condition is processed by the session element mining network, and the obtained session elements of the payment data network attack to be analyzed comprise: the operating habit features/attributes contained in the online payment session _1 that trigger the attack prevention analysis conditions.
As another example, the at least one set of online payment sessions that trigger the anti-attack analysis conditions includes: an online payment session _1 triggering the anti-attack analysis conditions and an online payment session _2 triggering the anti-attack analysis conditions. And processing the online payment session _1 triggering the anti-attack analysis condition and the online payment session _2 triggering the anti-attack analysis condition by the session element mining network to obtain the session elements of the network attack of the payment data to be analyzed.
Step S104: combine the staged attack analysis record, the at least one session element and at least one session element screening index of the payment data network attack to be analyzed to obtain a final analysis record of the payment data network attack to be analyzed.
If the staged attack analysis record indicates that the at least one group of online payment sessions that trigger the anti-attack analysis condition does not carry the payment data network attack to be analyzed, the final analysis record is that the payment data network attack to be analyzed is in a to-be-activated state. If the staged attack analysis record indicates that the payment data network attack to be analyzed exists in those sessions, but the session element of the attack does not meet the session element screening index, the attack is in a to-be-activated state, that is, the analysis record of the AI intelligent network is in error, and the final analysis record is that the payment data network attack to be analyzed is in a to-be-activated state. If the staged attack analysis record indicates that the payment data network attack to be analyzed exists in those sessions, and the session elements of the attack meet the session element screening index, the attack is in an activated state, that is, the analysis record of the AI intelligent network is accurate, and the final analysis record is that the payment data network attack to be analyzed is in an activated state.
In an independently implementable embodiment, the big data anti-attack system determines that the final analysis record is that the payment data network attack to be analyzed is in an activated state when the staged attack analysis record indicates that the attack exists in the at least one group of online payment sessions that trigger the anti-attack analysis condition and the at least one session element meets the at least one session element screening index. It determines that the final analysis record is that the payment data network attack to be analyzed is in a to-be-activated state when the staged attack analysis record indicates that the attack exists in those sessions and the at least one session element does not meet the at least one session element screening index.
For the embodiment of the invention, the big data anti-attack system uses the session elements and the session element screening indexes of the payment data network attack to be analyzed to clean the staged attack analysis record: analysis results whose session elements do not meet the session element screening indexes are filtered out, which yields the final analysis record and ensures its precision.
In an independently implementable embodiment, the big data anti-attack system may implement step S103 as follows: when the staged attack analysis record indicates that the payment data network attack to be analyzed exists in the at least one group of online payment sessions that trigger the anti-attack analysis condition, perform the network attack session element mining operation on those sessions to obtain the at least one session element of the payment data network attack to be analyzed.
The big data anti-attack system first obtains the staged attack analysis record by executing step S102. It executes step S103 once it has determined that the staged attack analysis record indicates that the payment data network attack to be analyzed exists in the at least one group of online payment sessions that trigger the anti-attack analysis condition, which saves resource overhead of the big data anti-attack system.
In an independently implementable embodiment, the big data anti-attack system may implement step S102 as follows: when the at least one session element meets the session element screening index, start the network attack analysis operation on the at least one group of online payment sessions that trigger the anti-attack analysis condition to obtain the staged attack analysis record of the payment data network attack to be analyzed.
The big data anti-attack system first obtains the at least one session element of the payment data network attack to be analyzed by executing step S103. It executes step S102 once that session element has been found to meet the session element screening index, which saves resource overhead of the big data anti-attack system.
In an independently implementable embodiment, the payment data network attack to be analyzed comprises a distributed denial of service (DDoS) attack, and the at least one group of online payment sessions that trigger the anti-attack analysis condition includes a first online payment session that contains distributed denial of service attack detection content. The big data anti-attack system may implement step S102 as follows: on determining that the distributed denial of service attack detection content carries an anomaly detection item, determine that the staged attack analysis record indicates that the distributed denial of service attack exists in the first online payment session.
For the embodiment of the invention, the distributed denial of service attack comprises at least one of the following: real-time distributed denial of service attacks, delayed distributed denial of service attacks. The anomaly detection items include at least one of: answer-rejection requests, abnormal traffic state topics.
If the big data anti-attack system starts network attack analysis operation on the first online payment session, determining that the distributed denial of service attack detection content carries abnormal detection items, and indicating that the abnormal detection items are in an activated state; if the big data anti-attack system starts network attack analysis operation on the first online payment session, the distributed denial of service attack detection content is determined to carry abnormal detection items, and the abnormal detection items are indicated to be in a to-be-activated state.
Thus, on determining that the distributed denial of service attack detection content carries an anomaly detection item, the big data anti-attack system determines that the staged attack analysis record indicates that the distributed denial of service attack exists in the first online payment session; on determining that the distributed denial of service attack detection content does not carry an anomaly detection item, the big data anti-attack system determines that the staged attack analysis record indicates that the first online payment session does not carry the distributed denial of service attack.
In an independently implementable embodiment, the at least one session element screening index comprises a released topic key description set, and the at least one session element comprises the significant semantic expression content of an anomaly detection item. The big data anti-attack system may implement step S103 as follows: perform a significant semantic expression mining operation on the second online payment session to obtain the significant semantic expression content of the anomaly detection item.
For the embodiment of the invention, the significant semantic expression content comprises at least one of the following: local semantic vectors, global semantic vectors. Wherein the global semantic vector carries verification keyword tags of session objects in the online payment session.
It can be understood that the big data anti-attack system compares the significant semantic expression content with the semantic vectors in the released topic key description set to determine whether that set contains a semantic vector corresponding to the significant semantic expression content, and thereby whether the at least one session element meets the at least one session element screening index.
For example, if the big data anti-attack system determines that the released semantic vectors (white list semantic vectors) do not include a semantic vector corresponding to the significant semantic expression content, the anomaly detection item cannot be released, and the system determines that the at least one session element meets the at least one session element screening index. If the big data anti-attack system determines that the released semantic vectors include a semantic vector corresponding to the significant semantic expression content, the anomaly detection item can be released, and the system determines that the at least one session element does not meet the at least one session element screening index.
The big data anti-attack system can reduce analysis errors and ensure the precision of final analysis records by taking the released topic key description set as a session element screening index.
In an independently implementable embodiment, the at least one session element screening index further includes a feature dimension interval, and the at least one session element further includes an item feature dimension of the anomaly detection item. The big data anti-attack system may implement step S103 as follows: perform an item identification operation on the second online payment session to obtain the item feature dimension of the anomaly detection item.
By performing the item identification operation on the second online payment session, the big data anti-attack system obtains the item feature dimension of the anomaly detection item in the second online payment session. For example, when the anomaly detection item is an answer-rejection request, the big data anti-attack system performs session object detection processing on the second online payment session to obtain a session object marking result covering the answer-rejection request, and then uses the item feature dimension of the session object marking result to obtain the item feature dimension of the answer-rejection request in the second online payment session. As another example, when the anomaly detection item is an abnormal traffic state topic, the big data anti-attack system performs an access request identification operation on the second online payment session to obtain an abnormal traffic state topic marking result containing the abnormal traffic state topic, and then uses the item feature dimension of that marking result to obtain the item feature dimension of the abnormal traffic state topic in the second online payment session.
Based on the above, the big data anti-attack system compares the significant semantic expression content with the semantic vectors in the released topic key description set to determine whether that set contains a semantic vector corresponding to the significant semantic expression content, and checks whether the item feature dimension of the anomaly detection item lies within the feature dimension interval, in order to judge whether the at least one session element meets the at least one session element screening index.
Further, if the big data anti-attack system determines that the released semantic vectors do not include a semantic vector corresponding to the significant semantic expression content and the item feature dimension of the anomaly detection item is within the feature dimension interval, the anomaly detection item cannot be released, and the system determines that the at least one session element meets the at least one session element screening index. If the big data anti-attack system determines that the released semantic vectors include a semantic vector corresponding to the significant semantic expression content and the item feature dimension of the anomaly detection item is within the feature dimension interval, the anomaly detection item can be released, and the system determines that the at least one session element does not meet the at least one session element screening index. If the big data anti-attack system determines that the released semantic vectors do not include a semantic vector corresponding to the significant semantic expression content and the item feature dimension of the anomaly detection item is outside the feature dimension interval, the anomaly detection item can be released, and the system determines that the at least one session element does not meet the at least one session element screening index.
It can be understood that the big data anti-attack system determines whether the session element of the payment data network attack to be analyzed meets the session element screening index by combining the item feature dimension and the feature dimension interval of the abnormal detection item, and can ensure the accuracy of the final analysis record.
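The release decision described above can be sketched as follows. This is an added example, not code from the patent: the cosine-similarity threshold used to decide that a released (white list) semantic vector "corresponds to" the mined one, the scalar feature dimension, and all names and sample values are assumptions.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class AnomalyItem:
    """One anomaly detection item mined from an online payment session (constructed)."""
    label: str
    semantic_vector: tuple     # significant semantic expression content
    feature_dimension: float   # item feature dimension, assumed to be a scalar


def cosine(a, b):
    """Cosine similarity; 0.0 for zero-length or mismatched vectors."""
    if len(a) != len(b):
        return 0.0
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0


def is_released(vector, release_set, threshold=0.95):
    """True when some released (white list) vector corresponds to `vector`.

    "Corresponds" is modelled as cosine similarity >= threshold (assumption).
    """
    return any(cosine(vector, released) >= threshold for released in release_set)


def meets_screening_index(item, release_set, interval, threshold=0.95):
    """The item is kept only if it is NOT released and its feature dimension
    lies inside the interval. A released item whose dimension is outside the
    interval is also treated as released (assumption)."""
    low, high = interval
    inside = low <= item.feature_dimension <= high
    return inside and not is_released(item.semantic_vector, release_set, threshold)


# Constructed sample data, not taken from the patent.
RELEASE_SET = [(1.0, 0.0, 0.0), (0.0, 1.0, 0.0)]
DIMENSION_INTERVAL = (10.0, 100.0)
SAMPLE_ITEMS = [
    AnomalyItem("answer_rejection_released", (0.99, 0.05, 0.0), 40.0),
    AnomalyItem("abnormal_traffic_unknown", (0.1, 0.1, 0.98), 40.0),
    AnomalyItem("abnormal_traffic_out_of_range", (0.1, 0.1, 0.98), 500.0),
    AnomalyItem("answer_rejection_released_small", (0.02, 0.99, 0.0), 5.0),
]


def screen(items=SAMPLE_ITEMS):
    """Map each item label to whether its session element meets the index."""
    return {
        item.label: meets_screening_index(item, RELEASE_SET, DIMENSION_INTERVAL)
        for item in items
    }


if __name__ == "__main__":
    for label, kept in screen().items():
        print(f"{label}: {'meets index' if kept else 'released'}")
```
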
In some independently implementable designs, the at least one group of online payment sessions that trigger the anti-attack analysis condition includes a third online payment session and a fourth online payment session, wherein the set digital signature of the third online payment session precedes the set digital signature of the fourth online payment session. The at least one session element screening index comprises a set time sequence accumulated value, and the at least one session element comprises a time sequence statistical result of the payment data network attack to be analyzed. The big data anti-attack system may implement step S103 as follows: take the set digital signature (timestamp) of the third online payment session as the starting time sequence node (starting time) of the payment data network attack to be analyzed, and take the set digital signature of the fourth online payment session as the ending time sequence node (ending time) of the payment data network attack to be analyzed, to obtain the time sequence statistical result (duration).
For example, assume that the payment data network attack to be analyzed is over-authorized access. By starting the network attack analysis operation on the third online payment session, the big data anti-attack system determines that abnormal traffic state topic_1 in the third online payment session is within the over-authorized access constraint condition, and by starting the network attack analysis operation on the fourth online payment session, it determines that abnormal traffic state topic_1 in the third online payment session is within the over-authorized access constraint condition. The big data anti-attack system further determines that the time sequence statistical result of the over-authorized access by abnormal traffic state topic_1 runs from the capture time of the third online payment session to the capture time of the fourth online payment session. That is, the set digital signature of the third online payment session is the starting time sequence node of the over-authorized access by abnormal traffic state topic_1, and the set digital signature of the fourth online payment session is the ending time sequence node of the over-authorized access by abnormal traffic state topic_1.
It can be understood that the third online payment session and the fourth online payment session in the embodiment of the present invention are only examples, and in practical implementation, the big data anti-attack system may obtain the time sequence statistical result of the network attack on the payment data to be analyzed in combination with not less than two sets of online payment sessions that trigger the anti-attack analysis condition.
It can be understood that, the big data anti-attack system determines whether the time sequence statistical result of the payment data network attack to be analyzed exceeds the set time sequence accumulated value by comparing and analyzing the time sequence statistical result of the payment data network attack to be analyzed with the set time sequence accumulated value, so as to judge whether at least one session element meets at least one session element screening index.
For example, if the big data anti-attack system determines that the time sequence statistical result exceeds the set time sequence accumulated value, the at least one session element meets the at least one session element screening index; if it determines that the time sequence statistical result does not exceed the set time sequence accumulated value, the at least one session element does not meet the at least one session element screening index.
It can be understood that, the big data anti-attack system may further perform item identification operation on at least one group of online payment sessions triggering the anti-attack analysis condition to obtain a distribution of abnormal detection items in the to-be-analyzed payment data network attack, and the distribution is used as at least one session element of the to-be-analyzed payment data network attack.
In some independently implementable designs, the payment data network attack to be analyzed comprises over-authorized access, the at least one session element screening index further comprises an over-authorized access constraint condition, the at least one session element comprises the distribution of a pending access request, and the third online payment session and the fourth online payment session both contain the pending access request. The big data anti-attack system may further implement step S103 as follows: perform an access request identification operation on the third online payment session to obtain a first distribution of the pending access request in the third online payment session; and perform an access request identification operation on the fourth online payment session to obtain a second distribution of the pending access request in the fourth online payment session.
For the embodiment of the present invention, the distribution of the pending access request in an online payment session may be the distribution, in the mapping space of the online payment session, of the abnormal traffic state topic marking result that contains the pending access request. For example, the distribution of the pending access request in the online payment session may be a spatial description, in the mapping space, of a two-dimensional distribution constraint of the abnormal traffic state topic marking result that contains the pending access request.
The big data anti-attack system can obtain the distribution condition of the access request to be processed in the third online payment session, namely the first distribution condition, by carrying out the access request identification operation on the third online payment session. The big data anti-attack system can obtain the distribution condition of the access request to be processed in the third online payment session, namely the second distribution condition, by performing the access request identification operation on the third online payment session.
It can be understood that the big data anti-attack system judges whether the at least one session element meets the at least one session element screening index in two ways: it compares the time sequence statistical result of the payment data network attack to be analyzed with the set time sequence accumulated value to determine whether the result exceeds that value, and it determines whether the distribution of the pending access request is within the over-authorized access constraint condition.
Illustratively, the big data anti-attack system determines that the time sequence statistical result exceeds the set time sequence accumulated value, and the first distribution condition and the second distribution condition are both matched in the over-authority access constraint condition, which indicates that not less than one session element meets not less than one session element screening index.
The big data anti-attack system determines that the at least one session element does not meet the at least one session element screening index on determining at least one of the following situations: the time sequence statistical result does not exceed the set time sequence accumulated value, the first distribution is outside the over-authorized access constraint condition, the second distribution is outside the over-authorized access constraint condition. Further, each of the following determinations indicates that the at least one session element does not meet the at least one session element screening index: the time sequence statistical result does not exceed the set time sequence accumulated value, and the first distribution and the second distribution are both within the over-authorized access constraint condition; the time sequence statistical result does not exceed the set time sequence accumulated value, the first distribution is outside the over-authorized access constraint condition, and the second distribution is within the over-authorized access constraint condition; the time sequence statistical result exceeds the set time sequence accumulated value, and the first distribution and the second distribution are both outside the over-authorized access constraint condition; the time sequence statistical result does not exceed the set time sequence accumulated value, and the first distribution and the second distribution are both outside the over-authorized access constraint condition.
In some independently implementable designs, the at least one group of online payment sessions that trigger the anti-attack analysis condition comprises a fifth online payment session, and the at least one session element screening index comprises a credible evaluation judgment value. The big data anti-attack system may further implement step S103 as follows: perform an item identification operation on the fifth online payment session to obtain the credible evaluation of the anomaly detection item in the fifth online payment session.
The credible evaluation of the anomaly detection item indicates a confidence weight for the anomaly detection item. For example, when the anomaly detection item is an answer-rejection request, the credible evaluation indicates the likelihood that the anomaly detection item in the fifth online payment session is an answer-rejection request; when the anomaly detection item is an abnormal traffic state topic, the credible evaluation indicates the likelihood that the anomaly detection item in the fifth online payment session is an abnormal traffic state topic.
Based on the above, the big data anti-attack system determines whether the abnormal detection items in the online payment session are credible or not by comparing and analyzing the credible evaluation of the abnormal detection items with the credible evaluation judgment value, so as to judge whether at least one session element meets at least one session element screening index or not.
It can be understood that the big data anti-attack system determines that the credibility evaluation of the abnormal detection item exceeds the credibility evaluation judgment value, which indicates that not less than one session element meets not less than one session element screening index; the big data anti-attack system determines that the credibility evaluation of the abnormal detection items does not exceed the credibility evaluation judgment value, and indicates that not less than one session element does not meet the screening index of not less than one session element.
In some independently implementable designs, the at least one session element screening index comprises an abnormal prompt time sequence interval. The big data anti-attack system may further implement step S103 as follows: take the set digital signature of the sixth online payment session as the activation time of the payment data network attack to be analyzed.
For the embodiment of the invention, the sixth online payment session is the online payment session with the latest digital signature set in at least one group of online payment sessions triggering the anti-attack analysis condition. The abnormal prompt time sequence interval is a time period when the big data anti-attack system prompts on the basis of determining the occurrence of the network attack of the payment data to be analyzed.
Based on the above, the big data anti-attack system determines whether at least one session element meets at least one session element screening index by judging whether the activation time of the payment data network attack to be analyzed is within the abnormal prompt time sequence interval.
Illustratively, if the big data anti-attack system determines that the activation time of the payment data network attack to be analyzed is outside the abnormal prompt time sequence interval, the at least one session element meets the at least one session element screening index; if it determines that the activation time of the payment data network attack to be analyzed is within the abnormal prompt time sequence interval, the at least one session element does not meet the at least one session element screening index.
In some independently implementable designs, when there is more than one session element screening index, the big data anti-attack system may further do the following before executing step S103: determine the attention queue of the session elements of the payment data network attack to be analyzed that correspond to the screening indexes.
In this embodiment of the invention, the higher the attention of a session element of the payment data network attack to be analyzed, the smaller the resource overhead required to mine that session element from the online payment sessions triggering the anti-attack analysis condition. For example, the resource overhead the big data anti-attack system needs to determine the set digital signature of an online payment session is smaller than the resource overhead needed to mine the distribution of the abnormal traffic state topic from that session. Therefore, for the payment data network attack to be analyzed, the attention of the time sequence statistical result is higher than the attention of the distribution of the abnormal traffic state topic.
It can be understood that, once the attention queue of the session elements of the payment data network attack to be analyzed has been determined for the screening indexes, the big data anti-attack system may execute step S103 as follows: performing a first session element mining operation on the at least one group of online payment sessions triggering the anti-attack analysis condition to obtain a first session element of the payment data network attack to be analyzed; if the first session element meets the session element screening index corresponding to it, performing a second session element mining operation on the at least one group of online payment sessions triggering the anti-attack analysis condition to obtain a second session element of the payment data network attack to be analyzed; and if the first session element does not meet the screening index corresponding to it, terminating the network attack session element mining operation on the at least one group of online payment sessions triggering the anti-attack analysis condition.
In this embodiment of the present invention, the first session element is the session element with the highest attention in the attention queue. For example, suppose the payment data network attack to be analyzed is over-authorized access. Its session elements comprise: the time sequence statistical result, the distribution of the abnormal traffic state topic, and the item feature dimension of the abnormal traffic state topic. In the attention queue of these session elements, the session element with the highest attention is assumed to be the time sequence statistical result, the session element with the second highest attention is assumed to be the item feature dimension of the abnormal traffic state topic, and the session element with the lowest attention is assumed to be the distribution of the abnormal traffic state topic.
In this embodiment of the invention, the big data anti-attack system first performs the first session element mining operation on the at least one group of online payment sessions triggering the anti-attack analysis condition to obtain the first session element of the payment data network attack to be analyzed. For example, continuing the above, the big data anti-attack system first determines the set digital signatures of the at least one group of online payment sessions triggering the anti-attack analysis condition.
In this embodiment of the present invention, the second session element is the session element with the second highest attention in the attention queue. For example, the second session element is the item feature dimension of the abnormal traffic state topic.
After obtaining the first session element, the big data anti-attack system judges whether the first session element meets its corresponding session element screening index among the at least one session element screening index. If it does, the big data anti-attack system performs the second session element mining operation on the at least one group of online payment sessions triggering the anti-attack analysis condition to obtain the second session element of the payment data network attack to be analyzed.
For example, once the time sequence statistical result of the termination of the abnormal traffic state topic is determined to exceed the set time sequence accumulated value, the big data anti-attack system performs an access request identification operation on the at least one group of online payment sessions triggering the anti-attack analysis condition to obtain the distribution of the abnormal traffic state topic in those sessions.
If the first session element does not meet its corresponding session element screening index, then the at least one session element does not meet the at least one session element screening index. The big data anti-attack system therefore does not need to continue mining session elements other than the first session element from the at least one group of online payment sessions triggering the anti-attack analysis condition, which reduces resource overhead.
In some other embodiments, if the second session element meets its corresponding session element screening index, a third session element mining operation is performed on the at least one group of online payment sessions triggering the anti-attack analysis condition to obtain a third session element of the payment data network attack to be analyzed. The big data anti-attack system then judges whether the third session element meets its corresponding session element screening index, and iterates in this way until some session element does not meet its corresponding screening index, at which point the system stops executing the session element mining operation. Alternatively, the system judges whether the third session element meets its corresponding session element screening index and iterates until all session elements of the payment data network attack to be analyzed have been mined.
In this embodiment of the invention, the big data anti-attack system mines the session element with the next highest attention from the at least one group of online payment sessions triggering the anti-attack analysis condition only when the higher-attention session element meets its session element screening index, which reduces resource overhead and improves attack protection processing efficiency.
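The attention-ordered mining with early termination described above, sketched in Python as an added example (not code from the patent). The over-privilege rule, the three thresholds, the sample sessions and the modelling of each session's "set digital signature" as a numeric timestamp are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Optional

# Assumed policy and screening indexes (hypothetical values, not from the patent).
ADMIN_PREFIX = "/admin/"        # only the "operator" role may call these paths
MIN_DURATION = 60               # "set time sequence accumulated value", seconds
DIMENSION_INTERVAL = (3, 50)    # "feature dimension interval"
MIN_SHARE = 0.5                 # "over-authority access constraint" per session


def over_privileged(req: dict) -> bool:
    return req["path"].startswith(ADMIN_PREFIX) and req["role"] != "operator"


def flagged(session: dict) -> int:
    """Number of over-privileged requests in one session."""
    return sum(over_privileged(r) for r in session["requests"])


def staged_analysis(sessions: list) -> bool:
    """Coarse first pass: does any session carry the attack at all?"""
    return any(flagged(s) for s in sessions)


def mine_timing(sessions: list) -> int:
    stamps = [s["ts"] for s in sessions]          # earliest = start node, latest = end node
    return max(stamps) - min(stamps)


def mine_dimension(sessions: list) -> int:
    return sum(flagged(s) for s in sessions)


def mine_distribution(sessions: list) -> list:
    # Share of flagged requests per session; an empty session contributes 0.0.
    return [flagged(s) / len(s["requests"]) if s["requests"] else 0.0 for s in sessions]


@dataclass(frozen=True)
class Element:
    name: str
    attention: int                      # higher attention = cheaper, mined earlier
    mine: Callable[[list], Any]
    meets_index: Callable[[Any], bool]


ATTENTION_QUEUE = [
    Element("timing_statistic", 3, mine_timing, lambda v: v > MIN_DURATION),
    Element("item_feature_dimension", 2, mine_dimension,
            lambda v: DIMENSION_INTERVAL[0] <= v <= DIMENSION_INTERVAL[1]),
    Element("topic_distribution", 1, mine_distribution,
            lambda v: all(share >= MIN_SHARE for share in v)),
]


@dataclass
class FinalRecord:
    staged_hit: bool
    confirmed: bool
    mined: dict = field(default_factory=dict)   # only elements actually computed
    failed_at: Optional[str] = None


def analyse(sessions: list, queue=ATTENTION_QUEUE) -> FinalRecord:
    # Mining only starts when the staged record reports the attack.
    if not sessions or not staged_analysis(sessions):
        return FinalRecord(staged_hit=False, confirmed=False)
    record = FinalRecord(staged_hit=True, confirmed=True)
    for element in sorted(queue, key=lambda e: e.attention, reverse=True):
        value = element.mine(sessions)
        record.mined[element.name] = value
        if not element.meets_index(value):
            # Early termination: the staged hit is cleaned and costlier miners are skipped.
            record.confirmed = False
            record.failed_at = element.name
            break
    return record


# Constructed sample sessions (not real traffic).
SUSTAINED = [
    {"ts": 1000, "requests": [{"role": "customer", "path": "/admin/refunds"},
                              {"role": "customer", "path": "/admin/users"},
                              {"role": "customer", "path": "/pay"}]},
    {"ts": 1090, "requests": [{"role": "customer", "path": "/admin/refunds"},
                              {"role": "customer", "path": "/admin/export"}]},
]
BRIEF = [
    {"ts": 2000, "requests": [{"role": "customer", "path": "/admin/refunds"},
                              {"role": "customer", "path": "/pay"}]},
    {"ts": 2005, "requests": [{"role": "customer", "path": "/pay"}]},
]
BENIGN = [{"ts": 3000, "requests": [{"role": "operator", "path": "/admin/refunds"}]}]

if __name__ == "__main__":
    for label, data in (("sustained", SUSTAINED), ("brief", BRIEF), ("benign", BENIGN)):
        print(label, analyse(data))
```

For the `BRIEF` sessions only the timing statistic is computed; the two costlier miners never run, which is the resource saving the paragraph describes.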
In other embodiments, the attack coping strategy is issued on the basis that the final analysis record indicates that the payment data network attack to be analyzed is in the state to be activated.
In addition, for some independently implementable technical solutions, after obtaining the final analysis record of the payment data network attack to be analyzed, the method may further include the following steps: determining attack risk description of the payment data network attack to be analyzed according to the final analysis record; and determining an attack protection strategy aiming at the payment data network attack to be analyzed based on the attack risk description.
The implementation in which the attack coping strategy is issued on the basis that the final analysis record indicates that the payment data network attack to be analyzed is in the to-be-activated state, and the implementation in which the attack risk description of the payment data network attack to be analyzed is determined according to the final analysis record and the attack protection strategy is determined based on that description, may be adopted as alternatives; the embodiment of the present invention is not limited in this respect.
In addition, for some independently implementable technical solutions, determining the attack risk description of the payment data network attack to be analyzed according to the final analysis record may be implemented as follows: loading the final analysis record to an attack preference extraction network layer in a first trained LSTM model to obtain a first attack preference expression and a second attack preference expression of the final analysis record, which are generated by the attack preference extraction network layer, wherein the attack preference extraction network layer comprises a plurality of preference extraction nodes with upstream and downstream relations, the first attack preference expression is generated by preference extraction nodes other than the last node in the plurality of preference extraction nodes with upstream and downstream relations, and the second attack preference expression is generated by the last preference extraction node in the plurality of preference extraction nodes with upstream and downstream relations; loading the second attack preference expression to a coarse identification network layer in the first trained LSTM model to obtain a target coarse identification result generated by the coarse identification network layer, wherein the target coarse identification result is a coarse identification result of a target attack risk description mined from the final analysis record; and loading the first attack preference expression, the second attack preference expression, a third attack preference expression and the target coarse identification result to a fine identification network layer in the first trained LSTM model to obtain a detection attack risk description label of the target attack risk description generated by the fine identification network layer and a detection distribution of the risk level of the target attack risk description in the final analysis record, wherein the third attack preference expression is an attack preference expression generated by a preference extraction node in the coarse identification network layer according to a target preference vector, and the target preference vector is a description vector obtained by adjusting the second attack preference expression.
With this design, the attack risk description label and the detection distribution of the risk level of the target attack risk description in the final analysis record can be accurately located and detected based on the coarse and fine identification network layers, so that the accuracy and integrity of the attack risk description can be guaranteed, and the attack protection strategy for the payment data network attack to be analyzed can be accurately and completely determined based on the attack risk description.
In summary, a network attack analysis operation is performed on the online payment sessions to obtain the staged attack analysis record of the payment data network attack to be analyzed, and a network attack session element mining operation is performed on the online payment sessions to obtain at least one session element of that attack; the final analysis record is then obtained by combining the staged attack analysis record, the session elements and the session element screening indexes. In other words, the session elements and their screening indexes are used to clean the staged attack analysis record: analysis results whose session elements do not meet the session element screening indexes are removed to obtain the final analysis record. This ensures the precision of the final analysis record and provides an accurate and reliable data basis for subsequent attack protection.
Based on the same inventive concept, the invention further provides an attack protection device 20 based on big data, which is applied to a big data attack prevention system, and the device comprises:
the determining module 21 is used for determining at least one group of online payment sessions triggering the anti-attack analysis conditions and at least one session element screening index of the payment data network attack to be analyzed;
an obtaining module 22, configured to enable a network attack analysis operation on the at least one group of online payment sessions triggering the anti-attack analysis condition, obtain a staged attack analysis record of the to-be-analyzed payment data network attack, and perform a network attack session element mining operation on the at least one group of online payment sessions triggering the anti-attack analysis condition, so as to obtain at least one session element of the to-be-analyzed payment data network attack;
and the analysis module 23 is configured to obtain a final analysis record of the payment data network attack to be analyzed by combining the staged attack analysis record, the at least one session element, and the at least one session element screening index of the payment data network attack to be analyzed.
In the embodiments provided in the present invention, it should be understood that the disclosed apparatus and method can be implemented in other ways. The apparatus and method embodiments described above are illustrative only, as the flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, the functional modules in the embodiments of the present invention may be integrated together to form an independent part, or each module may exist alone, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a big data anti-attack system, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes. It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional like elements in a process, method, article, or apparatus that comprises the element.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (7)

1. An attack protection method based on big data is applied to a big data attack prevention system, and the method at least comprises the following steps:
determining attack risk description of the payment data network attack to be analyzed according to the final analysis record;
and determining an attack protection strategy aiming at the payment data network attack to be analyzed based on the attack risk description.
2. The method of claim 1, wherein determining the attack risk description of the payment data network attack to be analyzed according to the final parse record comprises:
loading the final analysis record to an attack preference extraction network layer in a first trained LSTM model to obtain a first attack preference expression and a second attack preference expression of the final analysis record, wherein the first attack preference expression and the second attack preference expression are generated by the attack preference extraction network layer, the attack preference extraction network layer comprises a plurality of preference extraction nodes with upstream and downstream relations, the first attack preference expression is an attack preference expression generated by a preference extraction node except the last node in the plurality of preference extraction nodes with upstream and downstream relations, and the second attack preference expression is an attack preference expression generated by the last preference extraction node in the plurality of preference extraction nodes with upstream and downstream relations;
loading the second attack preference expression to a coarse identification network layer in the first trained LSTM model to obtain a target coarse identification result generated by the coarse identification network layer, wherein the target coarse identification result is a coarse identification result of a target attack risk description excavated in the final analysis record;
and loading the first attack preference expression, the second attack preference expression, a third attack preference expression and the target coarse identification result to a fine identification network layer in the first trained LSTM model to obtain a detection attack risk description label of the target attack risk description generated by the fine identification network layer and detection distribution of the risk level of the target attack risk description in the final analysis record, wherein the third attack preference expression is an attack preference expression generated by a preference extraction node in the coarse identification network layer according to a target preference vector, and the target preference vector is a description vector obtained by adjusting the second attack preference expression.
3. The method of claim 1, wherein prior to determining an attack risk description for the payment data network attack to be analyzed from the final parsed record, the method further comprises:
determining at least one group of online payment sessions triggering anti-attack analysis conditions and at least one session element screening index of the payment data network attack to be analyzed;
enabling network attack analysis operation on the at least one group of online payment sessions triggering the anti-attack analysis condition to obtain a staged attack analysis record of the to-be-analyzed payment data network attack, and performing network attack session element mining operation on the at least one group of online payment sessions triggering the anti-attack analysis condition to obtain at least one session element of the to-be-analyzed payment data network attack;
and combining the staged attack analysis record, the at least one session element and the at least one session element screening index of the payment data network attack to be analyzed to obtain a final analysis record of the payment data network attack to be analyzed.
4. The method of claim 3, wherein performing network attack session element mining operation on the at least one group of online payment sessions triggering the anti-attack analysis condition to obtain at least one session element of the to-be-analyzed payment data network attack comprises: on the basis that the staged attack analysis record indicates that the at least one group of online payment sessions triggering the anti-attack analysis condition carries the to-be-analyzed payment data network attack, performing network attack session element mining operation on the at least one group of online payment sessions triggering the anti-attack analysis condition to obtain at least one session element of the to-be-analyzed payment data network attack;
wherein the payment data network attack to be analyzed comprises a distributed denial of service attack; the at least one group of online payment sessions triggering the anti-attack analysis condition covers a first online payment session; the first online payment session encompasses distributed denial of service attack detection content;
the step of starting network attack analysis operation on the at least one group of online payment sessions triggering the anti-attack analysis conditions to obtain staged attack analysis records comprises the following steps: on the basis of determining that the distributed denial of service attack detection content carries abnormal detection items, determining that the staged attack analysis record carries the distributed denial of service attack in the first online payment session; the abnormality detection event includes one or both of: responding to the refusal request and the abnormal flow state theme; and on the basis of determining that the distributed denial of service attack detection content does not carry abnormal detection items, determining that the staged attack analysis record does not carry the distributed denial of service attack in the first online payment session.
5. The method of claim 4, wherein the at least one set of online payment sessions that trigger the attack analysis prevention condition includes a third online payment session; the at least one session element screening index comprises a released topic key description set; the at least one session element comprises a significant semantic representation of the anomaly detection event;
the network attack session element mining operation is carried out on the at least one group of online payment sessions triggering the anti-attack analysis condition to obtain at least one session element of the to-be-analyzed payment data network attack, and the method comprises the following steps: performing significance semantic expression mining operation on the second online payment session to obtain significance semantic expression content of the abnormal detection item;
the at least one session element satisfying the at least one session element screening index includes: the release topic key description set does not carry semantic vectors corresponding to the significant semantic expression contents;
the not less than one session element not meeting the not less than one session element screening index includes: semantic vectors corresponding to the significant semantic expression contents exist in the release subject key description set;
wherein the at least one session element screening index further comprises a characteristic dimension interval; the at least one conversation element further comprises an event characteristic dimension of an anomaly detection event;
the network attack session element mining operation is carried out on the at least one group of online payment sessions triggering the anti-attack analysis condition to obtain at least one session element of the payment data to be analyzed under the network attack, and the method further comprises the following steps: performing item identification operation on the second online payment session to obtain item feature dimensions of the abnormal detection item;
the at least one session element satisfying the at least one session element screening index includes: the release topic key description set does not carry semantic vectors which have corresponding relations with the significance semantic expressions, and item feature dimensions of the abnormal detection items fall into the feature dimension interval;
the at least one session element not meeting the at least one session element screening criteria comprises at least one of: the released subject key description set does not carry semantic vectors which have corresponding relations with the significant semantic expression; and the item feature dimension of the anomaly detection item does not fall into the feature dimension interval.
6. The method of claim 3, wherein the at least one set of online payment sessions that trigger the attack analysis prevention condition includes a third online payment session and a fourth online payment session, and a set digital signature of the third online payment session is prior to a set digital signature of the fourth online payment session; the at least one session element screening index comprises a set time sequence accumulated value; the at least one session element comprises a time sequence statistical result of the payment data network attack to be analyzed;
the network attack session element mining operation is carried out on the at least one group of online payment sessions triggering the anti-attack analysis condition to obtain at least one session element of the payment data to be analyzed under the network attack, and the network attack session element mining operation comprises the following steps: taking the set digital signature of the third online payment session as a starting time sequence node of the network attack of the payment data to be analyzed, and taking the set digital signature of the fourth online payment session as a termination time sequence node of the network attack of the payment data to be analyzed, so as to obtain a time sequence statistical result;
the at least one session element satisfying the at least one session element screening index includes: the time sequence statistical result is greater than the set time sequence accumulated value;
the at least one session element not meeting the at least one session element screening criteria includes: the time sequence statistical result is less than or equal to the set time sequence accumulated value;
wherein the payment data network attack to be analyzed comprises over-authority access; the at least one session element screening index further comprises an over-authority access constraint condition; the at least one session element comprises the distribution condition of the access requests to be processed; the third online payment session and the fourth online payment session both encompass the pending access request;
the network attack session element mining operation is carried out on the at least one group of online payment sessions triggering the anti-attack analysis condition to obtain at least one session element of the payment data to be analyzed under the network attack, and the network attack session element mining operation comprises the following steps: performing an access request identification operation on the third online payment session to obtain a first distribution condition of the access request to be processed in the third online payment session; performing an access request identification operation on the fourth online payment session, and obtaining a second distribution condition of the access request to be processed in the fourth online payment session;
the at least one session element satisfying the at least one session element screening index includes: the time sequence statistical result is greater than the set time sequence accumulated value, and the first distribution condition and the second distribution condition are both matched with the over-authority access constraint condition;
the not less than one session element not meeting the not less than one session element screening indicator comprises one or more of: and the time sequence statistical result is less than or equal to the set time sequence accumulated value, the first distribution condition does not match the over-authority access constraint condition, and the second distribution condition does not match the over-authority access constraint condition.
7. A computer storage medium, characterized in that it stores a computer program which, when executed, implements the method of any one of claims 1-6.
CN202210858531.9A 2021-12-08 2021-12-08 Attack protection method based on big data and storage medium Pending CN115271719A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210858531.9A CN115271719A (en) 2021-12-08 2021-12-08 Attack protection method based on big data and storage medium

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202111488103.3A CN114154990B (en) 2021-12-08 2021-12-08 Big data anti-attack method based on online payment and storage medium
CN202210858531.9A CN115271719A (en) 2021-12-08 2021-12-08 Attack protection method based on big data and storage medium

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN202111488103.3A Division CN114154990B (en) 2021-12-08 2021-12-08 Big data anti-attack method based on online payment and storage medium

Publications (1)

Publication Number Publication Date
CN115271719A true CN115271719A (en) 2022-11-01

Family

ID=80453293

Family Applications (2)

Application Number Title Priority Date Filing Date
CN202210858531.9A Pending CN115271719A (en) 2021-12-08 2021-12-08 Attack protection method based on big data and storage medium
CN202111488103.3A Active CN114154990B (en) 2021-12-08 2021-12-08 Big data anti-attack method based on online payment and storage medium

Family Applications After (1)

Application Number Title Priority Date Filing Date
CN202111488103.3A Active CN114154990B (en) 2021-12-08 2021-12-08 Big data anti-attack method based on online payment and storage medium

Country Status (1)

Country Link
CN (2) CN115271719A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116976960A (en) * 2023-09-22 2023-10-31 广州扬盛计算机软件有限公司 Data processing method and system for two-dimensional code payment

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114625804B (en) * 2022-03-30 2022-11-08 深圳唯爱智云科技有限公司 Big data-based user behavior data processing method and system and cloud platform
CN115510984B (en) * 2022-09-29 2024-01-02 广州合利宝支付科技有限公司 Anti-intrusion method and system for payment platform and cloud platform

Family Cites Families (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111835708A (en) * 2014-12-30 2020-10-27 华为技术有限公司 Characteristic information analysis method and device
US9715592B2 (en) * 2015-10-16 2017-07-25 Sap Se Dynamic analysis security testing of multi-party web applications via attack patterns
CN105721427B (en) * 2016-01-14 2018-10-30 湖南大学 A method of excavating attack Frequent Sequential Patterns from Web daily records
US10546302B2 (en) * 2016-06-30 2020-01-28 Square, Inc. Logical validation of devices against fraud and tampering
CN110661623B (en) * 2018-06-29 2022-10-11 高级计算发展中心(C-Dac),班加罗尔 Method and system for authenticating a user using a Personal Authentication Device (PAD)
AU2020336124A1 (en) * 2019-08-30 2022-04-07 Cornell University Decentralized techniques for verification of data in transport layer security and other contexts
IT202000006340A1 (en) * 2020-03-25 2021-09-25 Cleafy Spa Method for monitoring and protecting access to an online service
CN111553701A (en) * 2020-05-14 2020-08-18 支付宝(杭州)信息技术有限公司 Session-based risk transaction determination method and device
CN111935192B (en) * 2020-10-12 2021-03-23 腾讯科技(深圳)有限公司 Network attack event tracing processing method, device, equipment and storage medium
CN112491867B (en) * 2020-11-24 2021-11-12 北京航空航天大学 SSH man-in-the-middle attack detection system based on session similarity analysis
CN113393246A (en) * 2021-06-29 2021-09-14 山东派盟网络科技有限公司 Payment platform risk identification method and system based on data acquisition system
CN113706158A (en) * 2021-09-01 2021-11-26 杨思亭 Big data intrusion prevention analysis method and system based on cloud payment
CN113641993A (en) * 2021-09-02 2021-11-12 于静 Data security processing method based on cloud computing and data security server
CN113643033B (en) * 2021-09-02 2022-04-19 厦门蝉羽网络科技有限公司 Information processing method and server for big data wind control analysis

Also Published As

Publication number Publication date
CN114154990B (en) 2022-09-20
CN114154990A (en) 2022-03-08

Similar Documents

Publication Publication Date Title
CN114154990B (en) Big data anti-attack method based on online payment and storage medium
US11411681B2 (en) In-vehicle information processing for unauthorized data
US10911437B2 (en) Detection of anomalous authentication attempts in a client-server architecture
CN109344611B (en) Application access control method, terminal equipment and medium
CN114154995B (en) Abnormal payment data analysis method and system applied to big data wind control
CN107302547A (en) A kind of web service exceptions detection method and device
EP3108399A1 (en) Scoring for threat observables
CN103379099A (en) Hostile attack identification method and system
CN113706176B (en) Information anti-fraud processing method and service platform system combined with cloud computing
CN113111359A (en) Big data resource sharing method and resource sharing system based on information security
CN111835737B (en) WEB attack protection method based on automatic learning and related equipment thereof
CN114154147A (en) Man-machine behavior detection method, system, equipment and medium
CN113918621A (en) Big data protection processing method based on internet finance and server
CN113486343A (en) Attack behavior detection method, device, equipment and medium
CN114157501A (en) Parameter analysis method and device based on Tianri database
CN114417405A (en) Privacy service data analysis method based on artificial intelligence and server
CN113312671A (en) Digital business operation safety processing method and system applied to big data mining
CN117009832A (en) Abnormal command detection method and device, electronic equipment and storage medium
CN109214212B (en) Information leakage prevention method and device
CN115706669A (en) Network security situation prediction method and system
CN113949580A (en) Intrusion detection analysis method combined with cloud computing service and cloud computing system
CN112464218A (en) Model training method and device, electronic equipment and storage medium
JP5454166B2 (en) Access discrimination program, apparatus, and method
CN111625825A (en) Virus detection method, device, equipment and storage medium
CN110955884A (en) Method and device for determining upper limit times of password trial and error

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination