CN115455409A - Method and device for detecting abnormal external connection behavior, storage medium and electronic equipment - Google Patents


Publication number
CN115455409A
Authority
CN
China
Prior art keywords
sequence
subsequence
external connection
determining
domain name
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211123243.5A
Other languages
Chinese (zh)
Inventor
范皓
马奇辰
高浩浩
焦伟
张小龙
马涛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Bond Jinke Information Technology Co ltd
Original Assignee
China Bond Jinke Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Bond Jinke Information Technology Co ltd filed Critical China Bond Jinke Information Technology Co ltd
Priority to CN202211123243.5A priority Critical patent/CN115455409A/en
Publication of CN115455409A publication Critical patent/CN115455409A/en
Pending legal-status Critical Current

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/554Detecting local intrusion or implementing counter-measures involving event detection and direct action

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention provides a method and a device for detecting abnormal external connection behaviors, a storage medium and electronic equipment, wherein the method comprises the following steps: determining an external connection time sequence corresponding to a target domain name under the condition that external connection behavior detection needs to be carried out on the target domain name, wherein the external connection time sequence comprises a plurality of external connection time points corresponding to the target domain name; determining a time interval sequence corresponding to the external connection time sequence, wherein the time interval sequence comprises a plurality of time intervals; determining a subsequence group set corresponding to the time interval sequence, wherein the subsequence group set comprises at least one subsequence group; determining a correlation coefficient corresponding to each subsequence group; judging whether the target domain name meets a preset abnormal condition or not according to each correlation coefficient; and if the target domain name meets the preset abnormal condition, determining the external connection behavior corresponding to the target domain name as the abnormal external connection behavior. By applying the method, the abnormal external connection behaviors can be detected through the time characteristics of the external connection behaviors, the abnormal external connection behaviors of various domain names can be identified, and the detection accuracy can be improved.

Description

Method and device for detecting abnormal external connection behavior, storage medium and electronic equipment
Technical Field
The invention relates to the technical field of internet security, in particular to a method and a device for detecting abnormal external connection behaviors, a storage medium and electronic equipment.
Background
The server is one of the important basic resources in the information system, and is also a common attack object in the network. When the server is attacked by malicious samples such as trojans, worms and the like, a malicious domain name external connection access request can be initiated, so that the external connection behavior of the server needs to be detected abnormally in the running process of the server to judge whether the abnormal external connection behavior exists or not so as to facilitate safety protection.
Currently, for detecting abnormal external connection behaviors of a server, an abnormal domain name address is usually set, when the external connection behaviors occur, an accessed domain name address is matched with a preset abnormal domain name address, and if the abnormal domain name address is matched, the current external connection behavior is identified as the abnormal external connection behavior.
In the existing detection process of abnormal external connection behaviors, the abnormal detection is realized depending on the matching of a preset abnormal domain name. The configuration of the abnormal domain name generally has hysteresis, so that it is difficult to configure all malicious domain names in real time, and when a malicious domain name which is not set as the abnormal domain name is subjected to external connection access, the abnormal external connection behavior cannot be accurately identified, so that the detection accuracy of the abnormal external connection behavior is low, and the security of the server is poor.
Disclosure of Invention
In view of this, the embodiment of the present invention provides a method for detecting an abnormal external connection behavior, so as to solve the problem that the existing detection of the abnormal external connection behavior depends on a preset abnormal domain name, and it is difficult to accurately identify the abnormal external connection behaviors of all malicious domain names.
The embodiment of the invention also provides a device for detecting the abnormal external connection behavior, which is used for ensuring the actual realization and application of the method.
In order to achieve the above object, the embodiments of the present invention provide the following technical solutions:
a method for detecting abnormal external connection behaviors comprises the following steps:
determining an external connection time sequence corresponding to a target domain name under the condition that external connection behavior detection needs to be carried out on the target domain name; the external connection time sequence comprises a plurality of external connection time points corresponding to the target domain name;
determining a time interval sequence corresponding to the external connection time sequence; the sequence of time intervals comprises a plurality of time intervals;
determining a subsequence group set corresponding to the time interval sequence; the set of subsequence groups comprises at least one subsequence group, each of the subsequence groups comprises two consecutive subsequences in the time interval sequence, and the sequence lengths of the two consecutive subsequences are equal;
determining a correlation coefficient corresponding to each subsequence group;
judging whether the target domain name meets a preset abnormal condition or not according to each correlation coefficient;
and if the target domain name meets the preset abnormal condition, determining the external connection behavior corresponding to the target domain name as the abnormal external connection behavior.
In the foregoing method, optionally, the determining the set of subsequence groups corresponding to the time interval sequence includes:
determining the length of a target sequence corresponding to the time interval sequence;
determining a reference value range corresponding to the target sequence length;
taking each positive integer in the reference value range as a reference value;
for each reference value, determining a first continuous subsequence and a second continuous subsequence corresponding to the reference value in the time interval sequence, and combining the first continuous subsequence and the second continuous subsequence into a subsequence group corresponding to the reference value;
and forming the subsequence groups corresponding to the reference values into the subsequence group set.
Optionally, the determining a reference value range corresponding to the target sequence length in the above method includes:
calculating the common logarithm of the length of the target sequence;
performing product operation on the common logarithm of the length of the target sequence and the length of the target sequence, and performing rounding processing on an operation result to obtain a first operation numerical value;
subtracting a first numerical value from the length of the target sequence to obtain a second operation numerical value;
taking the minimum value of the first operation numerical value and the second operation numerical value as a third operation numerical value;
and constructing a target interval, wherein the target interval is used as the reference numerical range, the minimum value of the target interval is a numerical value one, and the maximum value of the target interval is the third operation numerical value.
The above method, optionally, the determining a first continuous subsequence and a second continuous subsequence corresponding to the reference value in the time interval sequence includes:
determining the subsequence length corresponding to the reference value, wherein the subsequence length is the difference between the target sequence length and the reference value;
selecting a third continuous subsequence from the time interval sequence, and taking the third continuous subsequence as a first continuous subsequence corresponding to the reference value; the first time interval in the third consecutive subsequence is the first time interval in the sequence of time intervals, and the sequence length of the third consecutive subsequence is equal to the subsequence length;
selecting a fourth continuous subsequence from the time interval sequence, and taking the fourth continuous subsequence as a second continuous subsequence corresponding to the reference value; the last time interval in the fourth consecutive sub-sequence is the last time interval in the sequence of time intervals, and the sequence length of the fourth consecutive sub-sequence is equal to the sub-sequence length.
Optionally, the determining a correlation coefficient corresponding to each subsequence group includes:
and for each subsequence group, calculating a Pearson correlation coefficient between two continuous subsequences in the subsequence group, and taking the Pearson correlation coefficient between two continuous subsequences in the subsequence group as a corresponding correlation coefficient of the subsequence group.
Optionally, in the above method, the calculating a Pearson correlation coefficient between two consecutive subsequences in the subsequence group includes:
determining a covariance between two consecutive subsequences in the set of subsequences;
determining a standard deviation corresponding to each continuous subsequence in the subsequence group;
performing product operation on the standard deviation corresponding to each continuous subsequence to obtain a standard deviation product;
and calculating the quotient of the covariance and the standard deviation product, and taking the calculation result as the Pearson correlation coefficient between the two continuous subsequences in the subsequence group.
Optionally, the above method, wherein the determining, according to each correlation coefficient, whether the target domain name meets a preset abnormal condition includes:
and judging whether each correlation coefficient is in a preset threshold range, and if at least one correlation coefficient is not in the preset threshold range, determining that the target domain name meets the preset abnormal condition.
An apparatus for detecting abnormal external connection behavior, comprising:
the first determining unit is used for determining an external connection time sequence corresponding to a target domain name under the condition that external connection behavior detection needs to be carried out on the target domain name; the external connection time sequence comprises a plurality of external connection time points corresponding to the target domain name;
a second determining unit, configured to determine a time interval sequence corresponding to the external connection time sequence; the sequence of time intervals comprises a plurality of time intervals;
a third determining unit, configured to determine a set of subsequence groups corresponding to the time interval sequence; the set of subsequence groups comprises at least one subsequence group, each of the subsequence groups comprises two consecutive subsequences in the time interval sequence, and the sequence lengths of the two consecutive subsequences are equal;
a fourth determining unit, configured to determine a correlation coefficient corresponding to each of the subsequence groups;
the judging unit is used for judging whether the target domain name meets a preset abnormal condition or not according to each correlation coefficient;
and the fifth determining unit is used for determining the external connection behavior corresponding to the target domain name as the abnormal external connection behavior if the target domain name meets the preset abnormal condition.
A storage medium, the storage medium including stored instructions, wherein when the instructions are executed, a device on which the storage medium is located is controlled to execute the method for detecting abnormal external connection behavior as described above.
An electronic device comprising a memory, and one or more instructions, wherein the one or more instructions are stored in the memory and configured to be executed by one or more processors to perform the method for detecting abnormal behavior of an external connection as described above.
Based on the foregoing method for detecting an abnormal external connection behavior provided in an embodiment of the present invention, the method includes: determining an external connection time sequence corresponding to a target domain name under the condition that external connection behavior detection needs to be carried out on the target domain name; the external connection time sequence comprises a plurality of external connection time points corresponding to the target domain name; determining a time interval sequence corresponding to the external connection time sequence; the time interval sequence comprises a plurality of time intervals; determining a subsequence group set corresponding to the time interval sequence; the subsequence group set comprises at least one subsequence group, each subsequence group comprises two continuous subsequences in the time interval sequence, and the sequence lengths of the two continuous subsequences are equal; determining a correlation coefficient corresponding to each subsequence group; judging whether the target domain name meets a preset abnormal condition or not according to each correlation coefficient; and if the target domain name meets the preset abnormal condition, determining the external connection behavior corresponding to the target domain name as the abnormal external connection behavior. By applying the method provided by the embodiment of the invention, the external connection behavior can be subjected to abnormal detection based on the correlation presented by the time interval of the external connection access. The inventor finds that after being attacked by a malicious sample such as a trojan horse, a worm and the like, the server periodically initiates an external access request for a malicious domain name, and for example, the time interval of the external access request has the characteristics of increasing, decreasing and the like. 
The correlation coefficient can present the correlation between the variable of the time interval, and can determine whether the access time of the external connection behavior has the characteristic of periodic regular change, so that the abnormal external connection behavior of the server can be found in time, and the threat can be captured. In the method provided by the embodiment of the invention, for the detection of the abnormal external connection behaviors, the time characteristics presented by the external connection behaviors are relied on, the method is not limited by the mastering condition of the accessed domain name, and the method is suitable for the identification of the abnormal external connection behaviors of various domain names, is favorable for improving the detection accuracy rate of the abnormal external connection behaviors and ensures the operation safety of the server.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a flowchart of a method for detecting an abnormal external connection behavior according to an embodiment of the present invention;
Fig. 2 is a flowchart of another method for detecting abnormal external connection behavior according to an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a device for detecting an abnormal external connection behavior according to an embodiment of the present invention;
Fig. 4 is another schematic structural diagram of a device for detecting an abnormal external connection behavior according to an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In this application, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional like elements in a process, method, article, or apparatus that comprises the element.
The embodiment of the invention provides a method for detecting abnormal external connection behaviors, which can be applied to a safety protection platform, wherein an execution main body of the method can be a server of the platform, and a method flow chart of the method is shown in figure 1 and comprises the following steps:
S101: determining an external connection time sequence corresponding to a target domain name under the condition that external connection behavior detection needs to be carried out on the target domain name; the external connection time sequence comprises a plurality of external connection time points corresponding to the target domain name;
In the method provided by the embodiment of the invention, while the server is running, the external connection behavior initiated by the server can be monitored. When it is detected that the server initiates an external connection access request for a certain domain name through the Domain Name System (DNS), that domain name can be regarded as the target domain name, and if the server performs continuous external connection access to the target domain name, the external connection behavior of the target domain name is examined to identify whether it belongs to abnormal external connection behavior.
In the method provided by the embodiment of the invention, the time data of external connections to domain names in the domain name system can be collected; each time point at which external access to the target domain name was performed is obtained from the time data, and these time points are used as the external connection time points corresponding to the target domain name. All the external connection time points are sorted in chronological order, and the sorted external connection time points form the external connection time sequence. The data format of the resulting external connection time sequence can be written as a sequence T: T = {t1, t2, t3, t4, ..., tn}, where n equals the total number of external connection time points.
It should be noted that the specific data format and data content of the external connection time sequence provided in the embodiment of the present invention are only to better illustrate the specific embodiment provided by the method provided in the present invention, and in the specific implementation process, the specific data format may be set according to actual requirements, and the value of n is also determined by the actual data acquisition situation, and is not limited to the exemplary presentation of the embodiment of the present invention.
S102: determining a time interval sequence corresponding to the external connection time sequence; the sequence of time intervals comprises a plurality of time intervals;
In the method provided by the embodiment of the invention, a difference calculation can be carried out on the external connection time sequence to obtain each time interval. Specifically, the time interval between each pair of adjacent external connection time points in the external connection time sequence may be calculated: the time interval between the first and second external connection time points, the time interval between the second and third external connection time points, and so on, which yields a plurality of time intervals. For example, based on the external connection time sequence T in the previous example, the time intervals Δt1, Δt2, Δt3, ..., Δt(n-1) are calculated, where Δt1 represents the time interval between the first external connection time point t1 and the second external connection time point t2 and can be regarded as the time interval corresponding to the external connection time point t1. The other time intervals are interpreted in the same way. The order of the time intervals is determined by the chronological order of the external connection time points: the time interval corresponding to the first external connection time point takes the first position, the time interval corresponding to the second external connection time point takes the second position, and the order of all the time intervals is obtained similarly. The time intervals are sorted in this order, and the sorted time intervals form the time interval sequence, whose data format can be written as a time interval sequence Δt: Δt = {Δt1, Δt2, Δt3, ..., Δt(n-1)}.
It should be noted that, the specific data format and data content of the time interval sequence mentioned in the embodiment of the present invention are only to better describe the specific embodiment provided by the method provided by the present invention, in the specific implementation process, the data format of the time interval sequence may be set according to the actual requirement, and the number of the time intervals is also determined by the actual processing condition, which does not affect the implementation function of the method provided by the embodiment of the present invention.
S103: determining a subsequence group set corresponding to the time interval sequence; the set of subsequence groups comprises at least one subsequence group, each of the subsequence groups comprises two consecutive subsequences in the time interval sequence, and the sequence lengths of the two consecutive subsequences are equal;
In the method provided by the embodiment of the invention, two continuous subsequences of the same length can be extracted from the time interval sequence and combined into a subsequence group. A single subsequence group may be formed, or continuous subsequences may be selected multiple times to form a plurality of subsequence groups. The subsequence groups obtained in this way are collected into a subsequence group set. The subsequence groups are different from one another, and the two continuous subsequences in each subsequence group are different. A continuous subsequence of the time interval sequence is a sequence formed by a run of consecutive elements of the time interval sequence, kept in their original order.
It should be noted that the number of the subsequence groups may be determined by actual requirements, for example, the number may be preset, or the number may be calculated adaptively according to a preset policy during each detection, so as to determine the number of the subsequence groups that need to be currently constructed, and the like, without affecting the implementation function of the method provided by the embodiment of the present invention.
S104: determining a correlation coefficient corresponding to each subsequence group;
In the method provided by the embodiment of the present invention, for each subsequence group, a correlation coefficient may be calculated from the two consecutive subsequences in the subsequence group. The correlation coefficient represents the degree of correlation between the two consecutive subsequences and may be used to indicate whether the change of the time interval follows a certain regularity; it is used as the correlation coefficient corresponding to the subsequence group.
S105: judging whether the target domain name meets a preset abnormal condition or not according to each correlation coefficient;
In the method provided by the embodiment of the invention, the correlation coefficient between the time intervals of the external connection access can be used as a reference and an abnormal condition is preset; when the external connection behavior for a domain name meets the condition, the domain name is possibly an abnormal domain name. Whether the target domain name meets the preset abnormal condition is judged according to the correlation coefficient corresponding to each current subsequence group.
S106: and if the target domain name meets the preset abnormal condition, determining the external connection behavior corresponding to the target domain name as the abnormal external connection behavior.
In the method provided by the embodiment of the invention, if the target domain name is judged to accord with the preset abnormal condition, the corresponding external connection behavior is regarded as the abnormal external connection behavior, and the abnormal external connection prompt can be sent. If the target domain name does not meet the preset abnormal condition, no intervention can be carried out.
Based on the method provided by the embodiment of the invention, under the condition that the target domain name needs to be subjected to external connection behavior detection, an external connection time sequence corresponding to the target domain name is determined, wherein the external connection time sequence comprises a plurality of external connection time points corresponding to the target domain name; determining a time interval sequence corresponding to the external connection time sequence, wherein the time interval sequence comprises a plurality of time intervals; determining a subsequence group set corresponding to the time interval sequence, wherein the subsequence group set comprises at least one subsequence group, each subsequence group comprises two continuous subsequences in the time interval sequence, and the sequence lengths of the two continuous subsequences are equal; determining a correlation coefficient corresponding to each subsequence group; judging whether the target domain name meets a preset abnormal condition or not according to each correlation coefficient; and if the target domain name meets the preset abnormal condition, determining the external connection behavior corresponding to the target domain name as the abnormal external connection behavior. By applying the method provided by the embodiment of the invention, the external connection behavior can be subjected to abnormal detection based on the correlation presented by the time interval of the external connection access. The correlation coefficient can present the correlation between the variable of the time interval, and can determine whether the access time of the external connection behavior has the characteristic of periodic regular change, so that the abnormal external connection behavior of the server can be found in time, and the threat can be captured. 
In the method provided by the embodiment of the invention, for the detection of the abnormal external connection behaviors, the time characteristics presented by the external connection behaviors are relied on, the method is not limited by the mastering condition of the accessed domain name, and the method is suitable for the identification of the abnormal external connection behaviors of various domain names (such as the known abnormal domain name and the unknown abnormal domain name), is favorable for improving the detection accuracy rate of the abnormal external connection behaviors and ensures the operation safety of the server.
The embodiment of the present invention provides another method for detecting an abnormal external connection behavior, with reference to the flowchart shown in fig. 2, and on the basis of the method shown in fig. 1, in the method provided in the embodiment of the present invention, the process of determining the subsequence group set corresponding to the time interval sequence in step S103 includes:
S201: determining the length of a target sequence corresponding to the time interval sequence;
In the method provided by the embodiment of the present invention, the number of elements (time intervals) in the time interval sequence, that is, the sequence length of the time interval sequence, may be calculated, and the sequence length of the time interval sequence is used as the target sequence length.
S202: determining a reference value range corresponding to the target sequence length;
In the method provided by the embodiment of the present invention, the position from which the continuous subsequences are extracted, that is, which segment of elements is selected from the time interval sequence, is determined by a set value called the reference value. The reference value may be selected from a predetermined reference value range; in the method provided in the embodiment of the present invention, the range of reference values currently used for forming the subsequence groups, i.e. the reference value range, is determined according to the sequence length of the time interval sequence.
S203: taking each positive integer in the reference value range as a reference value;
In the method provided by the embodiment of the present invention, each positive integer in the reference value range is used as a reference value. For example, if the determined reference value range is [1,6], there are six reference values: 1, 2, 3, 4, 5, and 6.
S204: for each reference value, determining a first continuous subsequence and a second continuous subsequence corresponding to the reference value in the time interval sequence, and forming the first continuous subsequence and the second continuous subsequence into a subsequence group corresponding to the reference value;
In the method provided by the embodiment of the present invention, a subsequence selection policy based on a reference value may be preset, and for each reference value, according to the reference value and the preset subsequence selection policy, two consecutive subsequences corresponding to the reference value are selected from the time interval sequence to form a subsequence group corresponding to the reference value.
S205: and forming the subsequence groups corresponding to the reference values into the subsequence group set.
In the method provided by the embodiment of the invention, the subsequence groups determined based on the reference values are combined into the subsequence group set.
On the basis of the method provided in the foregoing embodiment, in the method provided in the embodiment of the present invention, the process of determining the reference value range corresponding to the target sequence length in step S202 includes:
calculating the common logarithm of the target sequence length;
multiplying the common logarithm of the target sequence length by the target sequence length, and rounding the result to obtain a first operation value;
subtracting the value one from the target sequence length to obtain a second operation value;
taking the minimum of the first operation value and the second operation value as a third operation value;
and constructing a target interval, wherein the target interval is used as the reference value range, the minimum value of the target interval is the value one, and the maximum value of the target interval is the third operation value.
In the method provided by the embodiment of the invention, the common logarithm of the target sequence length is calculated with a common-logarithm function, and the result is multiplied by the target sequence length and then rounded to obtain the first operation value. The difference between the target sequence length and the value one is the second operation value. The minimum of the first operation value and the second operation value is taken as the third operation value. A target interval is constructed with the value one as its minimum and the third operation value as its maximum, and the target interval is used as the reference value range. Specifically, with k denoting a reference value, the value range of k (i.e., the reference value range) may be expressed as [1, min(int(n × log10(n)), n-1)].
Here n represents the sequence length of the time interval sequence; log10(n) represents the base-10 logarithm of n, which is also called the common logarithm; int(n × log10(n)) represents rounding the result of n × log10(n); and min(int(n × log10(n)), n-1) represents taking the minimum of int(n × log10(n)) and (n-1).
On the basis of the method provided in the foregoing embodiment, in the method provided in the embodiment of the present invention, the process of determining the first continuous subsequence and the second continuous subsequence corresponding to the reference value in the time interval sequence, which is mentioned in step S204, includes:
determining the subsequence length corresponding to the reference value, wherein the subsequence length is the difference value between the target sequence length and the reference value;
In the method provided by the embodiment of the present invention, the difference between the target sequence length and the current reference value is taken as the subsequence length corresponding to the current reference value, that is, the sequence length of the continuous subsequences that currently need to be selected. If the target sequence length is represented by n and the current reference value by k, the subsequence length is (n-k).
Selecting a third continuous subsequence from the time interval sequence, and taking the third continuous subsequence as a first continuous subsequence corresponding to the reference value; the first time interval in the third consecutive sub-sequence is the first time interval in the sequence of time intervals, and the sequence length of the third consecutive sub-sequence is equal to the sub-sequence length;
In the method provided in the embodiment of the present invention, time intervals are selected consecutively starting from the first element of the time interval sequence, that is, the first time interval, to obtain a continuous subsequence (the third continuous subsequence). The number of selected time intervals corresponds to the subsequence length, that is, the sequence length of the selected continuous subsequence is equal to the subsequence length. The selected continuous subsequence is taken as a continuous subsequence (the first continuous subsequence) corresponding to the current reference value. The data format of the first continuous subsequence may be as shown by subsequence ΔT1: ΔT1 = {Δt1, …, Δt(n-k)}, where n denotes the target sequence length and k denotes the current reference value.
Selecting a fourth continuous subsequence from the time interval sequence, and taking the fourth continuous subsequence as a second continuous subsequence corresponding to the reference value; the last time interval in the fourth consecutive sub-sequence is the last time interval in the sequence of time intervals, and the sequence length of the fourth consecutive sub-sequence is equal to the sub-sequence length.
In the method provided in this embodiment of the present invention, time intervals are selected consecutively from the (k+1)-th time interval in the time interval sequence to the last time interval in the time interval sequence to obtain a continuous subsequence (the fourth continuous subsequence), which is also taken as a continuous subsequence (the second continuous subsequence) corresponding to the current reference value. Based on the example in the previous step, the data format of the second continuous subsequence may be as shown by subsequence ΔT2: ΔT2 = {Δt(k+1), …, Δtn}.
In summary, in the method provided by the embodiment of the present invention, a plurality of subsequence groups may be constructed, that is, a plurality of correlation coefficients may be calculated. Each value in the value range of the reference value k is traversed; for each value of k, the time interval sequence is divided into two continuous subsequences and their correlation coefficient is calculated. For example, if k has a value range of [1,6], k may take 6 values, i.e., 1, 2, 3, 4, 5, and 6.
When k takes 1, the two consecutive subsequences are ΔT1 = {Δt1, …, Δt(n-1)} and ΔT2 = {Δt2, …, Δtn}, respectively.
When k takes 2, the two consecutive subsequences are ΔT1 = {Δt1, …, Δt(n-2)} and ΔT2 = {Δt3, …, Δtn}, respectively.
By analogy, every two continuous subsequences obtained according to different values of k are a subsequence group.
On the basis of the method shown in fig. 1, in the method provided in the embodiment of the present invention, the process of determining the correlation coefficient corresponding to each subsequence group in step S104 includes:
and for each subsequence group, calculating a Pearson correlation coefficient between two continuous subsequences in the subsequence group, and taking the Pearson correlation coefficient between two continuous subsequences in the subsequence group as a corresponding correlation coefficient of the subsequence group.
In the method provided by the embodiment of the invention, the correlation between two continuous subsequences is presented through the Pearson correlation coefficient, so that whether the external connection requests of the server have regularity is judged. The Pearson correlation coefficient is a linear correlation coefficient and one of the most commonly used correlation coefficients. It reflects the degree of linear correlation between two variables and takes a value between -1 and 1; the larger the absolute value, the stronger the correlation.
In the method provided by the embodiment of the invention, a calculation strategy of the pearson correlation coefficient can be preset, and the pearson correlation coefficient between two continuous subsequences in each subsequence group is calculated based on the preset calculation strategy and is used as the corresponding correlation coefficient of each subsequence group.
On the basis of the method provided by the foregoing embodiment, in the method provided by the embodiment of the present invention, the calculating a pearson correlation coefficient between two consecutive subsequences in the subsequence group includes:
determining a covariance between two consecutive subsequences in the set of subsequences;
determining a standard deviation corresponding to each continuous subsequence in the subsequence group;
performing product operation on the standard deviation corresponding to each continuous subsequence to obtain a standard deviation product;
and calculating the quotient of the product of the covariance and the standard deviation, and taking the calculation result as a Pearson correlation coefficient between two continuous subsequences in the subsequence group.
In the method provided by the embodiment of the present invention, for the currently processed subsequence group, the covariance between the two consecutive subsequences in the subsequence group can be calculated according to a preset covariance calculation strategy, the standard deviation of each consecutive subsequence is calculated to obtain two standard deviations, and the calculated covariance is divided by the product of the two standard deviations to obtain the Pearson correlation coefficient between the two consecutive subsequences. Specifically, the Pearson correlation coefficient between two consecutive subsequences can be calculated by the following formula:
$$P_{\Delta T1,\Delta T2} = \frac{\mathrm{cov}(\Delta T1, \Delta T2)}{\sigma_{\Delta T1}\,\sigma_{\Delta T2}}$$
wherein $P_{\Delta T1,\Delta T2}$ represents the Pearson correlation coefficient between the continuous subsequence ΔT1 and the continuous subsequence ΔT2, $\mathrm{cov}(\Delta T1, \Delta T2)$ represents the covariance of ΔT1 and ΔT2, $\sigma_{\Delta T1}$ represents the standard deviation of ΔT1, and $\sigma_{\Delta T2}$ represents the standard deviation of ΔT2.
According to the method provided by the embodiment of the invention, the abnormal behavior of the DNS external connection is judged according to the Pearson correlation coefficient of two continuous subsequences in the time interval sequence.
On the basis of the method shown in fig. 1, in the method provided in the embodiment of the present invention, the step of determining whether the target domain name meets the preset abnormal condition according to each of the correlation coefficients in step S106 includes:
and judging whether each correlation coefficient is in a preset threshold range, and if at least one correlation coefficient is not in the preset threshold range, determining that the target domain name meets the preset abnormal condition.
In the method provided by the embodiment of the invention, the threshold range of the correlation coefficient can be preset according to actual requirements. In a scenario where a larger value indicates stronger correlation, when the correlation coefficient is within the threshold range, the correlation of the changes in the time intervals of the external connection accesses is considered low, that is, no regularity is exhibited, and the behavior is less likely to be malicious external connection behavior. When the correlation coefficient exceeds the threshold range, the correlation of the time interval changes is considered strong, a certain regularity is exhibited, and the behavior is more likely to be malicious external connection behavior. For example, when the correlation coefficient is a non-negative number, 0.5 may be used as the upper limit of the threshold range and the value range 0 to 0.5 as the preset threshold range; if the correlation coefficient is greater than 0.5, it is determined to exceed the threshold range.
In the method provided by the embodiment of the invention, during detection, each calculated correlation coefficient can be compared with the upper limit of the preset threshold range to determine whether it is within the preset threshold range. If one or more correlation coefficients are not within the threshold range, the target domain name is considered to meet the preset abnormal condition, that is, an external connection abnormality exists. For example, if a total of 6 correlation coefficients are calculated and one of them is greater than the upper limit of the threshold range, the external connection is considered abnormal.
In the method provided by the embodiment of the invention, if each correlation coefficient is within the preset threshold range, the target domain name is determined not to meet the preset abnormal condition.
It should be noted that the specific threshold range given in the method provided in the embodiment of the present invention serves only to better explain the specific embodiment. In a specific implementation, the threshold range may be set according to actual requirements without affecting the function of the method provided in the embodiment of the present invention.
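The procedure described above (intervals, reference values k, the two equal-length subsequences, Pearson coefficient, upper limit 0.5), as an added Python example that is not code from the patent. All function and variable names, the constructed timestamps, the `min_overlap` parameter and the reporting of undefined coefficients are assumptions of this example.

```python
import math
from dataclasses import dataclass

EPS = 1e-12  # standard deviations below this are treated as zero


def time_intervals(timestamps):
    """Time interval sequence: gaps between consecutive external connection times."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def reference_range(n):
    """Reference values k in [1, min(int(n*log10(n)), n-1)] for sequence length n."""
    if n < 2:
        return range(0)
    return range(1, min(int(n * math.log10(n)), n - 1) + 1)


def subsequence_group(dt, k):
    """First n-k intervals and last n-k intervals of dt (the subsequence group for k)."""
    return dt[:len(dt) - k], dt[k:]


def pearson(x, y):
    """cov(x, y) / (sigma_x * sigma_y); None when a standard deviation is zero."""
    m = len(x)
    mx, my = sum(x) / m, sum(y) / m
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y)) / m
    sx = math.sqrt(sum((a - mx) ** 2 for a in x) / m)
    sy = math.sqrt(sum((b - my) ** 2 for b in y) / m)
    if sx < EPS or sy < EPS:
        return None  # the page's formula would divide by zero here
    return cov / (sx * sy)


@dataclass
class Verdict:
    anomalous: bool      # at least one coefficient above the upper limit
    coefficients: dict   # reference value k -> Pearson coefficient
    undefined: list      # reference values k whose coefficient is undefined


def detect(timestamps, upper=0.5, min_overlap=1):
    """Flag a domain if any coefficient exceeds `upper` (0.5 is the page's example).

    min_overlap is this example's addition: subsequence groups shorter than it
    are skipped. min_overlap=1 keeps the page's reference value range unchanged.
    """
    dt = time_intervals(timestamps)
    n = len(dt)
    coefficients, undefined = {}, []
    for k in reference_range(n):
        if n - k < min_overlap:
            continue
        first, second = subsequence_group(dt, k)
        r = pearson(first, second)
        if r is None:
            # Zero variance (fixed interval or one-element subsequence): the page
            # does not cover this case, so it is reported rather than decided.
            undefined.append(k)
        else:
            coefficients[k] = r
    return Verdict(any(r > upper for r in coefficients.values()),
                   coefficients, undefined)


# Constructed sample data (seconds since first connection), not real traffic.
BEACON = [0, 60, 180, 240, 360, 420, 540, 600, 720, 780, 900]  # gaps 60,120,60,...
FIXED = [0, 30, 60, 90, 120, 150]                              # gaps all 30
IRREGULAR = [0, 40, 340, 355, 1255, 1325, 1525]                # gaps 40,300,15,900,70,200

if __name__ == "__main__":
    for name, ts in (("beacon", BEACON), ("fixed", FIXED), ("irregular", IRREGULAR)):
        v = detect(ts)
        print(name, v.anomalous, {k: round(r, 3) for k, r in v.coefficients.items()},
              "undefined:", v.undefined)
    print("irregular, min_overlap=4:", detect(IRREGULAR, min_overlap=4).anomalous)
```

On the constructed irregular sample, the only coefficient above 0.5 comes from the two-element subsequences at k=4, where a Pearson coefficient can only be +1, -1 or undefined; the fixed-interval sample yields no coefficient at all because every subsequence has zero standard deviation.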
Corresponding to the method for detecting an abnormal external connection behavior shown in fig. 1, an embodiment of the present invention further provides a device for detecting an abnormal external connection behavior, which is used to implement the method shown in fig. 1 specifically, and a schematic structural diagram of the device is shown in fig. 3, and includes:
a first determining unit 301, configured to determine an external connection time sequence corresponding to a target domain name when external connection behavior detection needs to be performed on the target domain name; the external connection time sequence comprises a plurality of external connection time points corresponding to the target domain name;
a second determining unit 302, configured to determine a time interval sequence corresponding to the external connection time sequence; the sequence of time intervals comprises a plurality of time intervals;
a third determining unit 303, configured to determine a set of subsequence groups corresponding to the time interval sequence; the set of subsequence groups comprises at least one subsequence group, each of the subsequence groups comprises two consecutive subsequences in the time interval sequence, and the sequence lengths of the two consecutive subsequences are equal;
a fourth determining unit 304, configured to determine a correlation coefficient corresponding to each subsequence group;
a determining unit 305, configured to determine whether the target domain name meets a preset abnormal condition according to each of the correlation coefficients;
a fifth determining unit 306, configured to determine, if the target domain name meets the preset abnormal condition, an external connection behavior corresponding to the target domain name as an abnormal external connection behavior.
With the device provided by the embodiment of the invention, when external connection behavior detection is required for a target domain name, an external connection time sequence corresponding to the target domain name is determined, wherein the external connection time sequence comprises a plurality of external connection time points corresponding to the target domain name; a time interval sequence corresponding to the external connection time sequence is determined, wherein the time interval sequence comprises a plurality of time intervals; a subsequence group set corresponding to the time interval sequence is determined, wherein the subsequence group set comprises at least one subsequence group, each subsequence group comprises two continuous subsequences in the time interval sequence, and the sequence lengths of the two continuous subsequences are equal; a correlation coefficient corresponding to each subsequence group is determined; whether the target domain name meets a preset abnormal condition is judged according to each correlation coefficient; and if the target domain name meets the preset abnormal condition, the external connection behavior corresponding to the target domain name is determined to be abnormal external connection behavior. By applying the device provided by the embodiment of the invention, anomaly detection can be performed on external connection behavior based on the correlation exhibited by the time intervals between external connection accesses. The correlation coefficient expresses the correlation between the time interval variables and can show whether the access times of the external connection behavior change in a periodic, regular way, so that abnormal external connection behavior of the server can be found in time and the threat can be captured.
In the device provided by the embodiment of the invention, the detection of abnormal external connection behavior relies on the temporal characteristics of the external connection behavior and does not depend on what is known about the accessed domain name. The device is therefore suitable for identifying abnormal external connection behavior for various domain names (such as known abnormal domain names and unknown abnormal domain names), which helps improve the detection accuracy for abnormal external connection behavior and ensures the operational security of the server.
The embodiment of the present invention provides another apparatus for detecting an abnormal external connection behavior, a schematic structural diagram of which is shown in fig. 4, and on the basis of the apparatus shown in fig. 3, in the apparatus provided in the embodiment of the present invention, the third determining unit 303 includes:
a first determining subunit 307, configured to determine a target sequence length corresponding to the time interval sequence;
a second determining subunit 308, configured to determine a reference value range corresponding to the target sequence length;
a third determining subunit 309, configured to take each positive integer in the reference value range as a reference value;
a fourth determining subunit 310, configured to determine, for each reference value, a first consecutive subsequence and a second consecutive subsequence corresponding to the reference value in the time interval sequence, and combine the first consecutive subsequence and the second consecutive subsequence into a subsequence group corresponding to the reference value;
a fifth determining subunit 311, configured to form the subsequence groups corresponding to the reference values into the set of subsequence groups.
On the basis of the apparatus provided in the foregoing embodiment, in the apparatus provided in the embodiment of the present invention, the second determining subunit 308 includes:
the first calculating subunit is used for calculating the common logarithm of the length of the target sequence;
the second calculating subunit is used for multiplying the common logarithm of the target sequence length by the target sequence length, and rounding the result to obtain a first operation value;
the third calculating subunit is used for subtracting the value one from the target sequence length to obtain a second operation value;
a construction subunit, configured to take the minimum of the first operation value and the second operation value as a third operation value, and to construct a target interval, wherein the target interval is used as the reference value range, the minimum value of the target interval is the value one, and the maximum value of the target interval is the third operation value.
On the basis of the apparatus provided in the foregoing embodiment, in the apparatus provided in the embodiment of the present invention, the fourth determining subunit 310 includes:
a sixth determining subunit, configured to determine a subsequence length corresponding to the reference value, where the subsequence length is a difference between the target sequence length and the reference value;
a first selecting sub-unit, configured to select a third consecutive sub-sequence from the time interval sequence, and use the third consecutive sub-sequence as a first consecutive sub-sequence corresponding to the reference value; the first time interval in the third consecutive subsequence is the first time interval in the sequence of time intervals, and the sequence length of the third consecutive subsequence is equal to the subsequence length;
a second selecting sub-unit, configured to select a fourth consecutive sub-sequence from the time interval sequence, and use the fourth consecutive sub-sequence as a second consecutive sub-sequence corresponding to the reference value; the last time interval in the fourth consecutive sub-sequence is the last time interval in the sequence of time intervals, and the sequence length of the fourth consecutive sub-sequence is equal to the sub-sequence length.
On the basis of the apparatus provided in the foregoing embodiment, in the apparatus provided in the embodiment of the present invention, the fourth determining unit 304 includes:
and the fourth calculating sub-unit is used for calculating the Pearson correlation coefficient between two continuous subsequences in the subsequence group for each subsequence group, and taking the Pearson correlation coefficient between two continuous subsequences in the subsequence group as the corresponding correlation coefficient of the subsequence group.
On the basis of the apparatus provided in the foregoing embodiment, in the apparatus provided in an embodiment of the present invention, the fourth calculating subunit includes:
a seventh determining sub-unit configured to determine a covariance between two consecutive subsequences in the set of subsequences;
an eighth determining subunit, configured to determine a standard deviation corresponding to each consecutive subsequence in the subsequence group;
a fifth calculating subunit, configured to perform a product operation on the standard deviation corresponding to each of the consecutive sub-sequences to obtain a standard deviation product;
and the sixth calculating subunit is used for calculating the quotient of the product of the covariance and the standard deviation, and taking the calculation result as the Pearson correlation coefficient between two continuous subsequences in the subsequence group.
On the basis of the apparatus provided in the foregoing embodiment, in the apparatus provided in the embodiment of the present invention, the determining unit 305 includes:
and the judging subunit is used for judging whether each correlation coefficient is within a preset threshold range, and if at least one correlation coefficient is not within the preset threshold range, determining that the target domain name meets the preset abnormal condition.
The embodiment of the invention also provides a storage medium, which comprises a stored instruction, wherein when the instruction runs, the device where the storage medium is located is controlled to execute the detection method for the abnormal external connection behavior.
An embodiment of the present invention further provides an electronic device, whose structural diagram is shown in fig. 5. The electronic device specifically includes a memory 401 and one or more instructions 402, where the one or more instructions 402 are stored in the memory 401 and configured to be executed by one or more processors 403 to perform the following operations:
determining an external connection time sequence corresponding to a target domain name under the condition that external connection behavior detection needs to be carried out on the target domain name; the external connection time sequence comprises a plurality of external connection time points corresponding to the target domain name;
determining a time interval sequence corresponding to the external connection time sequence; the sequence of time intervals comprises a plurality of time intervals;
determining a subsequence group set corresponding to the time interval sequence; the set of subsequence groups comprises at least one subsequence group, each of the subsequence groups comprises two consecutive subsequences in the time interval sequence, and the sequence lengths of the two consecutive subsequences are equal;
determining a correlation coefficient corresponding to each subsequence group;
judging whether the target domain name meets a preset abnormal condition or not according to each correlation coefficient;
and if the target domain name meets the preset abnormal condition, determining the external connection behavior corresponding to the target domain name as the abnormal external connection behavior.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, the system or system embodiments are substantially similar to the method embodiments and therefore are described in a relatively simple manner, and reference may be made to some of the descriptions of the method embodiments for related points. The above-described system and system embodiments are only illustrative, wherein the units described as separate parts may or may not be physically separate, and the parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement without inventive effort.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A method for detecting abnormal external connection behaviors is characterized by comprising the following steps:
determining an external connection time sequence corresponding to a target domain name under the condition that external connection behavior detection needs to be carried out on the target domain name; the external connection time sequence comprises a plurality of external connection time points corresponding to the target domain name;
determining a time interval sequence corresponding to the external connection time sequence; the sequence of time intervals comprises a plurality of time intervals;
determining a subsequence group set corresponding to the time interval sequence; the set of subsequence groups comprises at least one subsequence group, each of the subsequence groups comprises two consecutive subsequences in the time interval sequence, and the sequence lengths of the two consecutive subsequences are equal;
determining a correlation coefficient corresponding to each subsequence group;
judging whether the target domain name meets a preset abnormal condition or not according to each correlation coefficient;
and if the target domain name meets the preset abnormal condition, determining the external connection behavior corresponding to the target domain name as the abnormal external connection behavior.
2. The method of claim 1, wherein the determining the set of subsequence groups to which the time interval sequence corresponds comprises:
determining the length of a target sequence corresponding to the time interval sequence;
determining a reference value range corresponding to the target sequence length;
taking each positive integer in the reference value range as a reference value;
for each reference value, determining a first continuous subsequence and a second continuous subsequence corresponding to the reference value in the time interval sequence, and forming the first continuous subsequence and the second continuous subsequence into a subsequence group corresponding to the reference value;
and forming the subsequence groups corresponding to the reference values into the subsequence group set.
3. The method of claim 2, wherein the determining the reference range of values corresponding to the target sequence length comprises:
calculating the common logarithm of the length of the target sequence;
multiplying the common logarithm of the target sequence length by the target sequence length, and rounding the result to obtain a first operation value;
subtracting a first value from the length of the target sequence to obtain a second operation value;
taking the minimum of the first operation value and the second operation value as a third operation value;
and constructing a target interval and using the target interval as the reference value range, wherein the minimum value of the target interval is the value one and the maximum value of the target interval is the third operation value.
4. The method of claim 2, wherein determining the first and second consecutive subsequences for the reference value in the sequence of time intervals comprises:
determining the subsequence length corresponding to the reference value, wherein the subsequence length is the difference between the target sequence length and the reference value;
selecting a third consecutive subsequence from the time interval sequence, and taking the third consecutive subsequence as the first consecutive subsequence corresponding to the reference value; the first time interval in the third consecutive subsequence is the first time interval in the time interval sequence, and the sequence length of the third consecutive subsequence is equal to the subsequence length;
selecting a fourth consecutive subsequence from the time interval sequence, and taking the fourth consecutive subsequence as the second consecutive subsequence corresponding to the reference value; the last time interval in the fourth consecutive subsequence is the last time interval in the time interval sequence, and the sequence length of the fourth consecutive subsequence is equal to the subsequence length.
5. The method of claim 1, wherein determining the correlation coefficient corresponding to each subsequence group comprises:
for each subsequence group, calculating a Pearson correlation coefficient between the two consecutive subsequences in the subsequence group, and taking that Pearson correlation coefficient as the correlation coefficient corresponding to the subsequence group.
6. The method of claim 5, wherein calculating the Pearson correlation coefficient between the two consecutive subsequences in the subsequence group comprises:
determining a covariance between the two consecutive subsequences in the subsequence group;
determining a standard deviation corresponding to each consecutive subsequence in the subsequence group;
multiplying the standard deviations corresponding to the consecutive subsequences to obtain a standard deviation product;
and calculating the quotient of the covariance and the standard deviation product, and taking the result as the Pearson correlation coefficient between the two consecutive subsequences in the subsequence group.
7. The method according to claim 1, wherein the determining whether the target domain name meets a preset abnormal condition according to each of the correlation coefficients comprises:
judging whether each correlation coefficient is within a preset threshold range, and if at least one correlation coefficient is not within the preset threshold range, determining that the target domain name meets the preset abnormal condition.
8. A device for detecting abnormal external connection behavior, characterized by comprising:
a first determining unit, configured to determine an external connection time sequence corresponding to a target domain name when external connection behavior detection needs to be carried out on the target domain name; the external connection time sequence comprises a plurality of external connection time points corresponding to the target domain name;
a second determining unit, configured to determine a time interval sequence corresponding to the external connection time sequence; the sequence of time intervals comprises a plurality of time intervals;
a third determining unit, configured to determine a set of subsequence groups corresponding to the time interval sequence; the set of subsequence groups comprises at least one subsequence group, each of the subsequence groups comprises two consecutive subsequences in the time interval sequence, and the sequence lengths of the two consecutive subsequences are equal;
a fourth determining unit, configured to determine a correlation coefficient corresponding to each of the subsequence groups;
a judging unit, configured to judge whether the target domain name meets a preset abnormal condition according to each correlation coefficient;
and a fifth determining unit, configured to determine the external connection behavior corresponding to the target domain name as the abnormal external connection behavior if the target domain name meets the preset abnormal condition.
9. A storage medium comprising stored instructions, wherein the instructions, when executed, control a device to perform the method for detecting abnormal external connection behavior according to any one of claims 1 to 7.
10. An electronic device comprising a memory and one or more instructions stored in the memory and configured to be executed by one or more processors to perform the method of detecting abnormal external connection behavior of any one of claims 1-7.
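The following Python example is an added illustration of the method of claims 1 to 7, not code from the patent or the applicant. It reads "a first value" in claim 3 as the value one and uses Python's round() for the rounding step; the threshold range [-0.8, 0.8], the min_len cut-off, the treatment of zero-variance subsequences and the sample timestamps are assumptions constructed for the example.

```python
import math
from itertools import accumulate

def interval_sequence(times):
    """Claim 1: gaps between consecutive external-connection time points."""
    ts = sorted(times)
    return [b - a for a, b in zip(ts, ts[1:])]

def reference_values(n):
    """Claims 2-3: every integer lag k in [1, min(round(n * log10(n)), n - 1)]."""
    if n < 2:
        return []
    return list(range(1, min(round(n * math.log10(n)), n - 1) + 1))

def pearson(x, y):
    """Claim 6: covariance divided by the product of the standard deviations."""
    m = len(x)
    mx, my = sum(x) / m, sum(y) / m
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y)) / m
    sx = math.sqrt(sum((a - mx) ** 2 for a in x) / m)
    sy = math.sqrt(sum((b - my) ** 2 for b in y) / m)
    if sx == 0 or sy == 0:
        # Assumption (not in the claims): two constant subsequences, i.e. a
        # fixed-period beacon, count as perfectly correlated; otherwise undefined.
        return 1.0 if sx == sy else None
    return cov / (sx * sy)

def lag_correlations(intervals, min_len=8):
    """Claims 4-5: correlate the first n-k intervals with the last n-k intervals."""
    n, out = len(intervals), {}
    for k in reference_values(n):
        m = n - k                      # subsequence length for reference value k
        if m < min_len:                # assumption: skip pairs too short to be meaningful
            break
        r = pearson(intervals[:m], intervals[k:])
        if r is not None:
            out[k] = r
    return out

def is_abnormal(times, lo=-0.8, hi=0.8, min_len=8):
    """Claim 7: abnormal if any coefficient falls outside the preset range [lo, hi]."""
    coeffs = lag_correlations(interval_sequence(times), min_len)
    return any(not lo <= r <= hi for r in coeffs.values())

# Constructed sample data (not from the patent): a 60/60/300-second sleep cycle
# and an irregular sequence standing in for user-driven traffic.
BEACON_TIMES = [0] + list(accumulate([60, 60, 300] * 6))
BENIGN_TIMES = [0] + list(accumulate([4, 1, 7, 7, 2, 9, 3, 3, 8, 5]))
```

With min_len=2 the constructed benign sequence is flagged as well, because any pair of two-point subsequences with distinct values correlates at exactly +1 or -1; the claims themselves set no minimum subsequence length.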
CN202211123243.5A 2022-09-15 2022-09-15 Method and device for detecting abnormal external connection behavior, storage medium and electronic equipment Pending CN115455409A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211123243.5A CN115455409A (en) 2022-09-15 2022-09-15 Method and device for detecting abnormal external connection behavior, storage medium and electronic equipment

Publications (1)

Publication Number Publication Date
CN115455409A (en) 2022-12-09

Family

ID=84304376

Country Status (1)

Country Link
CN (1) CN115455409A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination