CN115567274A - List dividing method and device, computer equipment, storage medium and product - Google Patents


Publication number
CN115567274A
Authority
CN
China
Prior art keywords
information
list
monitored
data
preset
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211150496.1A
Other languages
Chinese (zh)
Inventor
车向北
李曼
黄福全
黄双
康文倩
欧阳宇宏
曾诗钦
许伯阳
宋劲扬
杨国威
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Power Supply Bureau Co Ltd
Original Assignee
Shenzhen Power Supply Bureau Co Ltd
Application filed by Shenzhen Power Supply Bureau Co Ltd
Priority to CN202211150496.1A
Publication of CN115567274A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms


Abstract

The application relates to a method, an apparatus, a computer device, a storage medium and a computer program product for list division. The method comprises the following steps: acquiring information to be monitored of a terminal; adding the information to be monitored that meets a first list division standard into a first list according to the first list division standard and the information to be monitored; screening the information to be monitored in the first list according to preset data characteristics, and generating a first target list based on the information to be monitored that passes the screening. With this method, potential data attack objects in the first list can be screened out, intrusion by means of security data forged by malicious actors is prevented, the accuracy of the data in the first list is improved, and the security of data information is further improved.

Description

List dividing method and device, computer equipment, storage medium and product
Technical Field
The present application relates to the field of information security technologies, and in particular, to a method, an apparatus, a computer device, a storage medium, and a computer program product for list division.
Background
With the continuous development of computer technology, people need to perform information interaction anytime and anywhere in life or work, and therefore, information security is more and more important.
In the traditional method, a server mainly carries out active defense based on a trust list so as to ensure information security in the communication process. With the active defense method based on the trust list, information in the trust list, or information sent by a terminal in the trust list, is allowed to be received, while information in the non-trust list, or information sent by a terminal in the non-trust list, is forbidden to be received.
However, because the trust lists adopted in the conventional method are not accurate enough, untrusted entries are often mixed into them, so that malicious actors may forge secure data in order to intrude, which in turn causes information security problems.
Disclosure of Invention
In view of the above technical problems, it is necessary to provide a method, an apparatus, a computer device, a computer-readable storage medium and a computer program product for list division.
In a first aspect, the present application provides a method for list division. The method comprises the following steps:
acquiring information to be monitored of a terminal; the information to be monitored comprises at least one of equipment information and transmission data information;
adding the information to be monitored which accords with the first list division standard into a first list according to the first list division standard and the information to be monitored;
screening information to be monitored in the first list according to preset data characteristics, and generating a first target list based on the screened information to be monitored; the preset data characteristics comprise at least one of data attack characteristics and data infection characteristics.
In one embodiment, screening information to be monitored in a first list according to preset data characteristics, and generating a first target list based on the screened information to be monitored includes:
extracting data characteristics from the information to be monitored in the first list;
screening the information to be monitored according to the preset data characteristics and the data characteristics of the information to be monitored in the first list, and generating screened information to be monitored; the information to be monitored which passes the screening does not have preset data characteristics.
In one embodiment, screening the information to be monitored according to the preset data characteristics and the data characteristics of the information to be monitored in the first list, and generating the screened information to be monitored, includes:
judging whether the similarity between the data features of the information to be monitored in the first list and the data attack features is greater than or equal to a preset similarity threshold value or not;
if yes, the information to be monitored is removed from the preset list, and the information to be monitored which passes the screening is generated.
In one embodiment, the method further comprises:
if the similarity between the data characteristics of the information to be monitored and the data attack characteristics is smaller than a preset similarity threshold, infection simulation is carried out on the information to be monitored in the first list, and an infection simulation result is generated;
judging whether the infection simulation result meets a preset infection simulation standard or not;
if yes, the information to be monitored is removed from the first list, and the information to be monitored which passes the screening is generated.
In one embodiment, the method further comprises:
and adding the information to be monitored, of which the infection simulation result with the data infection characteristics accords with the preset infection simulation standard, into a third list to generate a third target list.
In one embodiment, the first list classification criterion includes that the trust level of the information to be monitored exceeds a preset trust level; adding the information to be monitored meeting the first list classification standard into a first list according to the first list classification standard and the information to be monitored, wherein the method comprises the following steps:
carrying out trust level division on information to be monitored of the terminal to generate a trust level corresponding to the information to be monitored of the terminal;
and adding the information to be monitored with the trust level exceeding the preset trust level into the first list.
In one embodiment, the method further comprises:
acquiring a training sample set and a test sample set; the training sample set and the test sample set contain a plurality of sample data; the sample data comprises information to be monitored in the first list, information to be monitored in the second list, information to be monitored in the third list and an initial list label of the sample data; the initial list label comprises any one of a first list label, a second list label and a third list label;
inputting sample data in a training sample set into an initial convolutional neural network model for training, and generating a prediction list label of the sample data; the predicted list label comprises any one of a first list label, a second list label and a third list label;
calculating a value of a loss function according to a prediction list label of sample data and an initial list label of the sample data, adjusting parameters of an initial convolutional neural network model based on the value of the loss function, and generating a preset convolutional neural network model;
and optimizing parameters of a preset convolutional neural network model through an initial list label of sample data in the test sample set to generate a target convolutional neural network model.
In a second aspect, the application further provides a list division device. The device comprises:
the information acquisition module is used for acquiring information to be monitored of the terminal; the information to be monitored comprises at least one of equipment information and transmission data information;
the information adding module is used for adding the information to be monitored which accords with the first list division standard into the first list according to the first list division standard and the information to be monitored;
the information screening module is used for screening the information to be monitored in the first list according to preset data characteristics and generating a first target list based on the screened information to be monitored; the preset data characteristics comprise at least one of data attack characteristics and data infection characteristics.
In a third aspect, the present application also provides a computer device. The computer device comprises a memory storing a computer program and a processor implementing the steps of the model contribution evaluation method as described above when executing the computer program.
In a fourth aspect, the present application further provides a computer-readable storage medium. The computer-readable storage medium, on which a computer program is stored, which computer program, when being executed by a processor, carries out the steps of the model contribution evaluation method as described above.
In a fifth aspect, the present application further provides a computer program product. The computer program product comprises a computer program which, when being executed by a processor, carries out the steps of the model contribution evaluation method as described above.
According to the list division method, the list division device, the computer equipment, the storage medium and the computer program product, the server acquires information to be monitored of the terminal, adds the information to be monitored that meets the first list division standard into the first list according to the first list division standard and the information to be monitored, screens the information to be monitored in the first list according to preset data characteristics, and generates the first target list based on the information to be monitored that passes the screening. Because the first list obtained by dividing the information to be monitored according to the first list division standard may still contain untrusted information to be monitored, the information to be monitored in the first list is further screened based on the preset data features, specifically for whether it has at least one of the data attack features and the data infection features. Therefore, potential data attack objects in the first list can be screened out, intrusion by means of security data forged by malicious actors is prevented, the accuracy of the data in the first list is improved, and the security of data information is further improved.
Drawings
FIG. 1 is a diagram of an application environment of a list division method in an embodiment;
FIG. 2 is a flowchart illustrating a list division method according to an embodiment;
FIG. 3 is a flowchart illustrating a method for generating a first target list according to an embodiment;
FIG. 4 is a schematic flow chart of a method for screening information to be monitored in one embodiment;
FIG. 5 is a schematic flow chart illustrating infection simulation of information to be monitored according to an embodiment;
FIG. 6 is a flowchart illustrating a method for adding information to the first list in one embodiment;
FIG. 7 is a schematic flow diagram of a method for generating a target convolutional neural network model in one embodiment;
FIG. 8 is a flowchart illustrating a list division method according to another embodiment;
FIG. 9 is a flowchart illustrating a list division method according to another embodiment;
FIG. 10 is a block diagram of a list division apparatus according to an embodiment;
FIG. 11 is a block diagram that illustrates the structure of the list generation module in one embodiment;
FIG. 12 is a block diagram showing the structure of an information adding module in one embodiment;
FIG. 13 is a block diagram of a list division apparatus in one embodiment;
FIG. 14 is a diagram illustrating an internal structure of a computer device according to an embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more clearly understood, the present application is further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
The list division method provided by the embodiment of the application can be applied to the application environment shown in FIG. 1. The terminal 102 communicates with the server 104 via a network. The data storage system may store data that the server 104 needs to process. The data storage system may be integrated on the server 104, or may be located on the cloud or another network server. The server 104 acquires information to be monitored of the terminal, adds the information to be monitored that meets the first list division standard into the first list according to the first list division standard and the information to be monitored, screens the information to be monitored in the first list according to preset data characteristics, and generates a first target list based on the information to be monitored that passes the screening. The terminal 102 may be, but is not limited to, various personal computers, notebook computers, smart phones, tablet computers, internet of things devices and portable wearable devices; the internet of things devices may be smart speakers, smart televisions, smart air conditioners, smart car-mounted devices, and the like. The portable wearable device can be a smart watch, a smart bracelet, a head-mounted device, and the like. The server 104 may be implemented as a stand-alone server or as a server cluster comprised of multiple servers.
In one embodiment, as shown in FIG. 2, a list division method is provided. Taking its application to the server 104 in FIG. 1 as an example, the method includes the following steps:
Step 220, obtaining information to be monitored of the terminal.
The information to be monitored comprises at least one of equipment information and transmission data information. The device information may include a terminal device brand, a terminal device model, an IP address, a terminal device serial number, software information, running code information, version information, a bug patch, and the like. The transmission data information may include file data information, video and audio data information and the like externally uploaded to the terminal device.
Specifically, the terminal sends information to be monitored to the server, and the server receives and acquires the information to be monitored of the terminal.
Optionally, the server may further obtain an IP address of the terminal device, construct an individual data record table from the user name corresponding to the terminal device, the information to be monitored, and the IP address of the terminal device collected by the server, classify the information to be monitored according to the IP addresses recorded for it in the individual data record table, and enter the information to be monitored under the different IP address classifications into a management record table which is constructed in advance. For example, suppose the individual data record table records the IP address of information to be monitored 1 as Beijing, of information to be monitored 2 as Hangzhou, of information to be monitored 3 as Beijing, and of information to be monitored 4 as Shanghai. The information to be monitored is then classified according to the IP addresses and recorded in the management record table: information to be monitored 1 and information to be monitored 3 are recorded under the classification whose IP address is Beijing; information to be monitored 2 is recorded under the classification whose IP address is Hangzhou; and information to be monitored 4 is recorded under the classification whose IP address is Shanghai.
Step 240, adding the information to be monitored that meets the first list division standard into the first list according to the first list division standard and the information to be monitored.
The first list may be a database containing data information, software application information, and the like that allow the terminal device or the server to preferentially pass through.
The first list division standard may be based on a preset trust level of the information to be monitored, that is, the trust level of the information to be monitored exceeds a preset trust level; the division standard may refer to a certain specific trust level or to a trust level exceeding the preset trust level.
Specifically, the server divides the information to be monitored by trust level according to the first list division standard, extracts the information to be monitored whose trust level exceeds the preset trust level, and adds it to the first list.
Step 260, screening the information to be monitored in the first list according to preset data characteristics, and generating a first target list based on the information to be monitored that passes the screening.
The data characteristic can be a data characteristic code which represents whether the data is trustable, aggressive or easily infected by a data attack object (such as a virus).
The preset data feature may be a data feature in a data attack library (such as a virus library), a data feature set according to a network virus definition, or a data feature of known untrusted data information, and specifically, the preset data feature includes at least one of a data attack feature and a data infection feature.
The data attack characteristic may be a data characteristic extracted from data information having an offensive property, and the data information having an offensive property may be information that can destroy or tamper with other data information. Optionally, the data attack feature may exist in a data attack library in the server, or may exist in a data attack library in a third-party information service center, and the server performs communication connection with the third-party information service center through network communication and extracts the data attack feature in the data attack library from the third-party information service center.
The data infection characteristics can refer to data characteristics extracted from data information which is easily infected by a data attack object. Optionally, the data infection characteristic may be in a data infection characteristic library in the server, or the server may be in communication connection with a third-party information service center through network communication, and upload the data information to a simulation platform of the third-party information center, perform infection simulation on the data information according to an infection standard established by the network virus definition, perform characteristic extraction on original data information corresponding to infected or damaged data information obtained by infection simulation, and summarize the extracted data characteristics to determine the data infection characteristic.
Specifically, the server extracts data features of the information to be monitored in the first list and compares them with the preset data features. If the data features and the preset data features have the same or similar parts, the information to be monitored is not allowed to pass the screening; otherwise it is allowed to pass. The server collects all the information to be monitored that passes the screening to generate a first target list.
According to the list division method, the server acquires information to be monitored of the terminal, adds the information to be monitored that meets the first list division standard into the first list according to the first list division standard and the information to be monitored, screens the information to be monitored in the first list according to preset data characteristics, and generates the first target list based on the information to be monitored that passes the screening. Because the first list obtained by dividing the information to be monitored according to the first list division standard may still contain untrusted information to be monitored, the information to be monitored in the first list is further screened based on the preset data features, specifically for whether it has at least one of the data attack features and the data infection features. Therefore, potential data attack objects in the first list can be screened out, intrusion by means of security data forged by malicious actors is prevented, the accuracy of the data in the first list is improved, and the security of data information is further improved.
Fig. 3 is a flowchart of step 260 in the foregoing embodiment, and the method for generating the first target list according to this embodiment is described by taking the server as an example. As shown in fig. 3, the method for generating the first target list includes steps 262 to 264:
Step 262, extracting data features from the information to be monitored in the first list.
Specifically, the server extracts the information to be monitored in the first list, and removes irrelevant data information features and redundant data information features through a feature weight algorithm and a subset search algorithm to obtain the data features of the information to be monitored.
Step 264, screening the information to be monitored according to the preset data characteristics and the data characteristics of the information to be monitored in the first list, and generating the screened information to be monitored.
The information to be monitored which passes the screening does not have preset data characteristics.
Specifically, the server compares and screens the data features of the extracted information to be monitored in the first list with preset data features, judges the similarity between the data features and the preset data features, if the data features and the preset data features have the same or similar parts, the data features are not allowed to pass through the screening, otherwise, the data features are allowed to pass through, and summarizes all the screened information to be monitored to generate the screened information to be monitored.
In this embodiment, data features are extracted from the information to be monitored in the first list, and the information to be monitored is screened according to preset data features and the data features of the information to be monitored in the first list, so as to generate the information to be monitored that passes the screening. Through feature comparison, the first list can be screened and untrusted data information that may be mixed into the first list can be screened out, so that forged security data is effectively prevented from intruding and the security of the data information is improved.
Fig. 4 is a flowchart of step 264 in the foregoing embodiment, and the method for screening information to be monitored in this embodiment is described by taking the server as an example. As shown in FIG. 4, the method of screening information to be monitored includes steps 420-440:
Step 420, determining whether the similarity between the data feature of the information to be monitored in the first list and the data attack feature is greater than or equal to a preset similarity threshold.
Specifically, the server and the third-party information center are in network communication connection, the server extracts a data attack library from the third-party information center, then inputs the extracted data features of the information to be monitored in the first list into the data attack library for comparison and analysis, then calculates the similarity between the data features of the information to be monitored and the data attack features in the data attack library based on preset calculation logic, and judges whether the similarity is greater than or equal to a preset similarity threshold value.
Step 440, if yes, removing the information to be monitored from the preset list to generate the screened information to be monitored.
The preset list may be a first list.
Specifically, the server determines that the similarity between the data features of the information to be monitored in the first list and the data attack features is greater than or equal to a preset similarity threshold, searches the information to be monitored from the preset list, and eliminates the information to be monitored from the preset list, so as to generate the screened information to be monitored.
In this embodiment, whether the similarity between the data characteristics of the information to be monitored in the first list and the data attack characteristics is greater than or equal to the preset similarity threshold is judged, the untrusted data information possibly mixed in the first list can be screened out, and the untrusted data information is removed from the preset list, so that forged security data is effectively prevented from becoming information security risks in the first list, and the security of the data information is improved.
In one embodiment, taking the method as running on a server for example, the method for generating the second target list includes: adding the information to be monitored with the similarity greater than or equal to a preset similarity threshold into a second list to generate a second target list.
The second list may be a list generated by summarizing the data information prohibited from passing by the server, and the second list includes information to be monitored that is not trusted by the server.
The data information in the second target list is data information which is forbidden to pass by the server, and the second target list comprises screened information to be monitored corresponding to the data attack characteristics, information to be monitored which is not trusted by the server and the like.
Specifically, the server screens out, in the first list, the information to be monitored for which the similarity between its data characteristics and the data attack characteristics is greater than or equal to a preset similarity threshold, extracts that information to be monitored, and adds it into a second list to generate the second target list.
In this embodiment, the information to be monitored, of which the similarity is greater than or equal to the preset similarity threshold, is added to the second list to generate the second target list, so that untrusted data information can be managed in a centralized manner, the data information in the second list is prohibited from passing through, and the security of the data information is improved.
It should be noted that, in the above embodiment, after adding the information to be monitored whose similarity is greater than or equal to the preset similarity threshold to the second list and generating the second target list, the following process may be further performed: the server collects the information to be monitored with the similarity larger than or equal to a preset similarity threshold, collects the classified IP addresses of the information to be monitored with the similarity larger than or equal to the preset similarity threshold, inputs the information to be monitored into a management record table, and inputs all groups of data IP addresses into an individual data record table.
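The flow of steps 240 to 260 and 420 to 440, together with the second list, can be sketched as follows; this is an added Python example, not code from the patent. The Jaccard similarity, the feature tokens, the threshold values and the `has_infection_features` check (a static stand-in for the virtual-machine infection simulation) are assumptions, since the patent only speaks of "preset calculation logic".

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, Iterable, List, NamedTuple, Optional, Sequence


@dataclass(frozen=True)
class MonitoredInfo:
    name: str                 # label for a device, software or file record
    trust_level: int          # output of the trust-level division
    features: FrozenSet[str]  # data features extracted from the record (step 262)


class Lists(NamedTuple):
    first_target: List[str]   # passed screening, stays trusted
    second_target: List[str]  # matched a data attack feature, prohibited
    third_target: List[str]   # flagged by the infection check
    not_in_first: List[str]   # never met the first list division standard


def jaccard(a: FrozenSet[str], b: FrozenSet[str]) -> float:
    """Assumed similarity measure: |a & b| / |a | b|, 0.0 for two empty sets."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def max_attack_similarity(features: FrozenSet[str],
                          attack_library: Sequence[FrozenSet[str]]) -> float:
    """Highest similarity between one record and any entry of the attack library."""
    return max((jaccard(features, sig) for sig in attack_library), default=0.0)


def divide_lists(items: Iterable[MonitoredInfo],
                 attack_library: Sequence[FrozenSet[str]],
                 trust_threshold: int,
                 similarity_threshold: float,
                 infection_check: Optional[Callable[[MonitoredInfo], bool]] = None) -> Lists:
    result = Lists([], [], [], [])
    for info in items:
        # Step 240: only a trust level that exceeds the preset level enters the first list.
        if info.trust_level <= trust_threshold:
            result.not_in_first.append(info.name)
            continue
        # Steps 420/440: similarity >= threshold removes the record from the
        # first list; the second-list embodiment then records it as prohibited.
        if max_attack_similarity(info.features, attack_library) >= similarity_threshold:
            result.second_target.append(info.name)
        # Below the threshold the record goes on to the infection check, if one is supplied.
        elif infection_check is not None and infection_check(info):
            result.third_target.append(info.name)
        else:
            result.first_target.append(info.name)
    return result


# Constructed sample data: feature tokens and values are illustrative only.
ATTACK_LIBRARY = [
    frozenset({"self_replicates", "overwrites_boot_record", "disables_logging"}),
    frozenset({"encrypts_user_files", "deletes_backups"}),
]
INFECTION_FEATURES = frozenset({"loads_unsigned_macros", "world_writable_binary"})


def has_infection_features(info: MonitoredInfo) -> bool:
    """Hypothetical stand-in for the infection simulation: static feature overlap."""
    return bool(info.features & INFECTION_FEATURES)


SAMPLE = [
    MonitoredInfo("patch-agent", 5, frozenset({"signed_binary", "reads_config"})),
    # Trusted by level, yet two of its three features match an attack entry (2/3).
    MonitoredInfo("forged-updater", 5, frozenset(
        {"signed_binary", "encrypts_user_files", "deletes_backups"})),
    # Similarity is exactly 0.5 (2 shared of 4 total): ">=" still removes it.
    MonitoredInfo("backup-tool", 4, frozenset(
        {"signed_binary", "reads_config", "encrypts_user_files", "deletes_backups"})),
    MonitoredInfo("legacy-viewer", 4, frozenset({"reads_config", "loads_unsigned_macros"})),
    # One shared feature out of six (about 0.17) stays below the threshold.
    MonitoredInfo("log-rotator", 4, frozenset(
        {"disables_logging", "reads_config", "signed_binary", "writes_archive"})),
    # Trust level equal to the preset level does not exceed it.
    MonitoredInfo("borderline", 3, frozenset({"signed_binary"})),
]


def run_demo() -> Lists:
    return divide_lists(SAMPLE, ATTACK_LIBRARY, trust_threshold=3,
                        similarity_threshold=0.5,
                        infection_check=has_infection_features)


if __name__ == "__main__":
    for list_name, members in run_demo()._asdict().items():
        print(f"{list_name}: {members}")
```
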
Fig. 5 is a flowchart of infection simulation performed on information to be monitored in the above embodiment, taking a server as an example, and as shown in fig. 5, the infection simulation method includes steps 520 to 560:
Step 520, if the similarity between the data characteristics of the information to be monitored and the data attack characteristics is smaller than the preset similarity threshold, performing infection simulation on the information to be monitored in the first list to generate an infection simulation result.
The infection simulation may be a simulated infection based on infection standards established by the definition of the network virus.
The infection simulation result may be a result generated after infection simulation is performed on the information to be monitored, and optionally, the infection simulation result may be data information after the information to be monitored is infected or damaged, or data information that is not infected or damaged.
Specifically, the server is in network communication connection with a third-party information service center. The server uploads the information to be monitored whose similarity between data characteristics and data attack characteristics is smaller than the preset similarity threshold to the third-party information service center, which receives it and inputs it into a virtual machine. The virtual machine simulates infection according to an infection standard established by the network virus definition, that is, it simulates virus infection or destruction through a certain infection mode or infection conditions, and generates an infection simulation result.
Step 540, judging whether the infection simulation result meets a preset infection simulation standard.
The preset infection simulation standard can be established according to the definition of the network virus. Optionally, the preset infection simulation standard may be a data attack characteristic, or may be a change produced in the data characteristics after infection or destruction.
Specifically, the server receives the infection simulation result fed back by the third-party information service center, extracts the data characteristics of the infection simulation result, compares the data characteristics of the infection simulation result with the data attack characteristics (namely, the preset infection simulation standard), and judges whether the infection simulation standard is met.
It should be noted that there are various ways to judge the infection simulation result. In another possible implementation, the server receives the infection simulation result fed back by the third-party information service center, extracts the data characteristics of the infection simulation result, compares them with the data characteristics of the information to be monitored, and determines whether the two are the same or similar.
Step 560, if so, removing the information to be monitored from the first list to generate the screened information to be monitored.
Specifically, if the infection simulation result meets the preset infection simulation standard, the server looks up the information to be monitored in the first list, removes it from the first list, and collects the remaining information to be monitored to generate the screened information to be monitored.
In this embodiment, if the similarity between the data characteristics of the information to be monitored and the data attack characteristics is smaller than the preset similarity threshold, infection simulation is performed on the information to be monitored in the first list to generate an infection simulation result, and whether the infection simulation result meets the preset infection simulation standard is judged. Data information that is easily infected or damaged and may have been mixed into the first list can thus be screened out and removed from the first list, which effectively prevents such data information from becoming a hidden danger to information security in the first list and improves the security of the data information.
In one embodiment, described taking operation on a server as an example, the method for generating the third target list includes: adding the information to be monitored whose infection simulation result has the data infection characteristics and meets the preset infection simulation standard to a third list to generate a third target list.
The third list may be a list generated by summarizing data information allowed to pass through by the server but still needing real-time monitoring or virus killing, and the third list includes information to be monitored that the server does not trust.
The data information in the third target list is allowed to pass through by the server but still needs real-time monitoring or virus killing, and the third target list comprises information to be monitored corresponding to the screened data infection characteristics, information to be monitored which is not trusted by the server and the like.
Specifically, the server extracts the information to be monitored, which has the infection simulation result with the data infection characteristics meeting the preset infection simulation standard, and adds the information to be monitored into a third list to generate a third target list.
In this embodiment, the information to be monitored, which has the infection simulation result with the data infection characteristics meeting the preset infection simulation standard, is added to the third list to generate the third target list, so that the data information which is easily infected or damaged can be managed in a centralized manner, and the data information in the third list can be monitored and killed in real time, thereby improving the security of the data information.
It should be noted that, in the above embodiment, after adding the information to be monitored, of which the infection simulation result with the data infection characteristic meets the preset infection simulation standard, to the third list and generating the third target list, the following process may be further performed: the server collects information to be monitored, the infection simulation result of which accords with a preset infection simulation standard, collects the IP address of the information to be monitored, simultaneously inputs the information to be monitored and the IP address corresponding to the information to be monitored into an individual record table, and inputs the information to be monitored into the management record table according to the information to be monitored classified under different IP addresses in the individual record table.
Fig. 6 is a flowchart of step 242 in fig. 2 in the above embodiment, and the method for adding the first list is described by taking the server as an example. As shown in fig. 4, the method for adding the first list includes steps 242a to 242b:
Step 242a, performing trust level classification on the information to be monitored of the terminal to generate a trust level corresponding to the information to be monitored of the terminal.
The trust level may be a level category into which the server classifies the information to be monitored according to its degree of trust; the trust level represents the degree to which the information to be monitored is trusted.
Specifically, the server acquires information to be monitored sent by the terminal, converts the information to be monitored into binary data, performs normalization processing on the converted binary data, and inputs the processed data into a specified analysis interval. The analysis interval is set by the server default or manually according to a certain rule standard, and is used for preliminarily classifying the processed data, so that errors generated when subsequently performing trust level classification on information to be monitored are reduced as much as possible, the server is enabled to perform trust level classification processing more simply and conveniently, and meanwhile, the analysis result is kept at a higher precision.
The server inputs data in each analysis interval into a pre-constructed monitoring network model, the monitoring network model is in communication connection with a preset trust level division base, the monitoring network model captures trust level division rules from the trust level division base, the monitoring network model performs trust level division on the data in each analysis interval according to the trust level division rules to generate a level rule corresponding to information to be monitored of the terminal, and meanwhile, the information to be monitored with the trust level lower than the preset trust level is forbidden.
Step 242b, adding the information to be monitored, of which the trust level exceeds the preset trust level, into the first list.
Specifically, the server sorts the information to be monitored by its assigned trust level, extracts the information to be monitored whose trust level exceeds the preset trust level, and adds it to the first list. Illustratively, the server divides the information to be monitored into trust levels 1-5, wherein trust level 1 is untrusted data information and trust level 5 is trusted data information. If the preset trust level is set to level 4, the server extracts the information to be monitored with a trust level of 5 (that is, exceeding the preset trust level of level 4) and adds it to the first list.
In this embodiment, the information to be monitored of the terminal is subjected to trust level division to generate a trust level corresponding to the information to be monitored of the terminal, and the information to be monitored, of which the trust level exceeds a preset trust level, is added to the first list. The obtained data information in the first list can be more accurate and comprehensive, guarantee is provided for screening the first list subsequently, and the safety of the data information is further improved.
It should be noted that, in the above embodiment, after adding the information to be monitored whose trust level exceeds the preset trust level to the first list, the following process may be further performed.
(I) The server sorts the information to be monitored by its assigned trust level, sets a preset trust level for the second list, extracts the information to be monitored whose trust level is lower than or equal to that preset trust level, and adds it to the second list.
(II) The server sorts the information to be monitored by its assigned trust level, sets a preset trust level range for the third list, extracts the information to be monitored whose trust level is within that preset trust level range, and adds it to the third list.
Illustratively, the server divides the information to be monitored into trust levels 1-5, wherein the trust level 1 is untrusted data information, and the trust level 5 is trusted data information. The server specifies that a first list allows information to be monitored with a trust level exceeding 4, a second list allows information to be monitored with a trust level lower than or equal to 1, and a third list allows information to be monitored with a trust level of 2-4.
In one embodiment, described as running on a server for example, as shown in fig. 7, the method of generating the target convolutional neural network model includes steps 720-780:
Step 720, obtaining a training sample set and a testing sample set.
The training sample set and the testing sample set contain a plurality of sample data.
The sample data comprises information to be monitored in the first list, information to be monitored in the second list, information to be monitored in the third list and an initial list label of the sample data.
The initial list label includes any one of a first list label, a second list label and a third list label.
The first list tag may be a tag assigned by the server, and represents that the information to be monitored is trusted data, and the information to be monitored is already added to the first list.
The second list label may be a label assigned by the server, which indicates that the information to be monitored is untrusted data, and is added to the second list.
The third list label may be a label assigned by the server, which indicates that the information to be monitored is data information that is allowed to pass through but still needs to be monitored in real time or virus killed, and that the information to be monitored has already been added to the third list.
Wherein, the training sample set can be a sample set for training the original model.
The test sample set may be a sample set for verifying and testing the accuracy of the trained model.
Specifically, the server collects all the information to be monitored in the generated first list, second list and third list. And simultaneously randomly dividing the information to be monitored into a training sample set and a testing sample set.
Step 740, inputting the sample data in the training sample set into the initial convolutional neural network model for training, and generating a prediction list label of the sample data.
The predicted list label comprises any one of a first list label, a second list label and a third list label.
The convolutional neural network model is used to verify the server's judgment of whether the information to be monitored is credible and to evaluate the performance of that judgment.
Specifically, the server inputs the data in the training sample set into the initial convolutional neural network for iterative training, and generates a prediction list label corresponding to the sample data in the training sample set.
Step 760, calculating a value of the loss function according to the predicted list label of the sample data and the initial list label of the sample data, adjusting parameters of the initial convolutional neural network model based on the value of the loss function, and generating a preset convolutional neural network model.
The loss function may be an operation function for measuring a difference degree between a predicted result and a real result of the initial convolutional neural network model.
Specifically, based on preset calculation logic, the server calculates the difference between the test result and the real result (i.e., the value of the loss function) from the prediction list label of the sample data output by the initial convolutional neural network model and the initial list label of the sample data, and adjusts the parameters of the initial convolutional neural network model based on the value of the loss function, thereby generating a better preset convolutional neural network model.
Step 780, optimizing parameters of the preset convolutional neural network model through an initial list label of the sample data in the test sample set to generate a target convolutional neural network model.
Specifically, the server inputs sample data in an obtained test sample set into a preset convolutional neural network model, outputs a prediction list label (namely a test result) corresponding to the sample data, calculates a root mean square error between the test result and a real result based on an initial list label (namely a real result) of the sample data and preset calculation logic, obtains a root mean square error corresponding to the sample data, compares the root mean square errors corresponding to the sample data, selects the sample data corresponding to the minimum root mean square error from the sample data, takes parameters of the sample data as optimal parameters, and optimizes the parameters of the preset convolutional neural network model by adopting a long-term iteration method to generate a target convolutional neural network model.
In this embodiment, a prediction list tag of sample data is generated based on the acquired training sample set and the acquired test sample set, a value of a loss function is calculated according to the prediction list tag of the sample data and an initial list tag of the sample data, a parameter of the initial convolutional neural network model is adjusted based on the value of the loss function to generate a preset convolutional neural network model, and the parameter of the preset convolutional neural network model is optimized through the initial list tag of the sample data in the test sample set to generate a target convolutional neural network model.
It should be noted that, in the above embodiment, after the server generates the target convolutional neural network model, the following process may also be performed.
The server can collect, in real time, the prediction list label that the target convolutional neural network model outputs for the information to be monitored, and compare it with the initial list label that the server assigned to that information based on the first list, the second list and the third list. When the prediction list label deviates from the initial list label, the information to be monitored is judged to be performance abnormal data. At the same time, the server calculates, based on the prediction list label, the accuracy, the detection rate and the false alarm rate with which it intercepts malicious information to be monitored, and draws three corresponding curve graphs, in which the x axis is time and the y axis is the accuracy, the detection rate or the false alarm rate at that time.
The server is in network communication connection with the third-party information service center and uploads the performance abnormal data and the three curve graphs to it. The third-party information service center can feed the performance abnormal data and the three curve graphs back to the terminal equipment of the corresponding workers, so that the workers can visually check the real-time performance indexes of the server in intercepting malicious information to be monitored. Meanwhile, the proportion of the performance abnormal data to all data in the server is calculated and a pie chart of the proportion is drawn, an interception trend chart is drawn based on the total amount of performance abnormal data uploaded by the server every day, and a histogram is drawn based on the data storage amounts in the first list, the second list and the third list uploaded by the server. The third-party service center feeds the pie chart, the interception trend chart and the histogram back to the corresponding server, and the server feeds them back to the corresponding terminal equipment.
In a specific embodiment, as shown in fig. 8, there is provided a list dividing method, applied to a server, including:
Step 801, acquiring information to be monitored of a terminal.
Step 802, performing trust level classification on the information to be monitored of the terminal, and generating a trust level corresponding to the information to be monitored of the terminal.
Step 803, adding the information to be monitored, of which the trust level exceeds the preset trust level, into the first list.
Step 804, extracting data features from the information to be monitored in the first list.
Step 805, judging whether the similarity between the data features of the information to be monitored in the first list and the data attack features is greater than or equal to a preset similarity threshold; if so, executing step 806, and if not, executing step 808.
Step 806, if so, removing the information to be monitored from the preset list to generate the screened information to be monitored; otherwise, executing step 808.
Step 807, adding the information to be monitored with the similarity greater than or equal to the preset similarity threshold into a second list to generate a second target list.
Step 808, if the similarity between the data characteristic of the information to be monitored and the data attack characteristic is smaller than a preset similarity threshold, performing infection simulation on the information to be monitored in the first list to generate an infection simulation result.
Step 809, determining whether the infection simulation result meets a preset infection simulation standard.
Step 810, if so, removing the information to be monitored from the first list to generate screened information to be monitored; if not, executing step 812.
Step 811, add the information to be monitored whose infection simulation result with data infection characteristics meets the preset infection simulation standard into the third list to generate a third target list.
Step 812, the information to be monitored whose infection simulation result does not meet the preset infection simulation standard is retained in the first list.
Step 813, generating a first target list based on the information to be monitored that passes the screening.
Step 814, a training sample set and a testing sample set are obtained.
Step 815, inputting the sample data in the training sample set into the initial convolutional neural network model for training, and generating a prediction list label of the sample data.
Step 816, calculating a value of the loss function according to the predicted list label of the sample data and the initial list label of the sample data, adjusting parameters of the initial convolutional neural network model based on the value of the loss function, and generating a preset convolutional neural network model.
Step 817, optimizing parameters of the preset convolutional neural network model through an initial list label of the sample data in the test sample set, and generating a target convolutional neural network model.
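The screening flow of steps 801 to 813 can be sketched in Python; this is an added illustration, not code from the patent. The shingle-based features, the containment similarity measure, the threshold value, the routing of simulation failures to the third list, and the `simulate` callable standing in for the virtual machine are all assumptions, and the sample items are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Set

PRESET_TRUST_LEVEL = 4      # level 5 "exceeds" it, as in the page's illustration
SIMILARITY_THRESHOLD = 0.5  # assumed value; the page only calls it "preset"


@dataclass(frozen=True)
class Item:
    """One piece of information to be monitored (constructed sample type)."""
    source_ip: str
    payload: bytes
    trust_level: int  # 1 (untrusted) .. 5 (trusted), the output of step 802


def features(data: bytes, n: int = 4) -> Set[bytes]:
    """Step 804: data features, modelled here as n-byte shingles (assumption)."""
    if len(data) <= n:
        return {data} if data else set()
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def attack_similarity(item: Set[bytes], signatures: Iterable[Set[bytes]]) -> float:
    """Step 805: highest share of any one signature's shingles found in the item."""
    return max((len(item & sig) / len(sig) for sig in signatures if sig), default=0.0)


def partition(items: Iterable[Item], signatures: Iterable[bytes],
              simulate: Callable[[bytes], bytes]) -> Dict[str, List[Item]]:
    """Route every item to the first, second or third target list."""
    sigs = [features(s) for s in signatures]
    lists: Dict[str, List[Item]] = {"first": [], "second": [], "third": []}
    for item in items:
        # Trust routing from the illustration: <=1 second list, 2-4 third list.
        if item.trust_level <= 1:
            lists["second"].append(item)
            continue
        if item.trust_level <= PRESET_TRUST_LEVEL:
            lists["third"].append(item)
            continue
        feats = features(item.payload)
        # Steps 805-807: attack-like items leave the first list for the second.
        if attack_similarity(feats, sigs) >= SIMILARITY_THRESHOLD:
            lists["second"].append(item)
            continue
        # Step 808: infection simulation; a failed run must not count as clean,
        # so the item is kept under monitoring in the third list (assumption).
        try:
            result = simulate(item.payload)
        except Exception:
            lists["third"].append(item)
            continue
        # Steps 809-812: compare the simulation result with the original item.
        if features(result) != feats:
            lists["third"].append(item)
        else:
            lists["first"].append(item)
    return lists  # step 813: lists["first"] is the first target list


def stub_simulate(payload: bytes) -> bytes:
    """Constructed stand-in for the virtual machine's infection simulation."""
    if b"TIMEOUT" in payload:
        raise TimeoutError("simulation did not finish")
    if b"MUTABLE" in payload:
        return payload + b"\x00modified-by-simulation"
    return payload


# Constructed sample data (documentation IP range, placeholder signature).
SAMPLE_SIGNATURES = [b"CONSTRUCTED-ATTACK-MARKER"]
SAMPLE_ITEMS = [
    Item("192.0.2.10", b"GET /index.html HTTP/1.1", 5),
    Item("192.0.2.11", b"xx CONSTRUCTED-ATTACK-MARKER yy", 5),
    Item("192.0.2.12", b"quarterly-report MUTABLE section", 5),
    Item("192.0.2.13", b"archive TIMEOUT blob", 5),
    Item("192.0.2.14", b"GET /status HTTP/1.1", 3),
    Item("192.0.2.15", b"GET /status HTTP/1.1", 1),
]


def demo() -> Dict[str, List[str]]:
    lists = partition(SAMPLE_ITEMS, SAMPLE_SIGNATURES, stub_simulate)
    return {name: [i.source_ip for i in members] for name, members in lists.items()}


if __name__ == "__main__":
    print(demo())
```

Only an item that clears the trust check, the signature comparison and the simulation stays in the first list; every other outcome, including a simulation that fails to complete, lands in the second or third list.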
As shown in fig. 9, the cloud service platform is a third-party information service center. The statistical recording module executes step 801, the safety monitoring module executes step 802, the list classification module executes step 803, the data screening module executes steps 804 to 812, and the analysis feedback module executes steps 814 to 817. The statistical recording module, the safety monitoring module, the list classification module, the data screening module and the analysis feedback module are all arranged in the server.
Specifically, a user logs in a related user account of the cloud service platform through the terminal device, the terminal device and the cloud service platform are in network communication connection, meanwhile, a management unit of the cloud service platform sends a monitoring instruction to the server, a statistics recording module in the server receives the monitoring instruction, meanwhile, the statistics recording module collects information to be monitored of the user, then, the authority is applied to each terminal device, and meanwhile, the position (namely, an IP address) of each terminal device is collected. The statistical recording module constructs an individual data recording list and a management recording list, records the user name, the information to be monitored and the position information of the terminal equipment into the individual data recording list, classifies the collected information to be monitored according to different IP addresses and records the information into the management recording list.
The safety monitoring module collects all information to be monitored of the terminal equipment, simultaneously converts non-binary data in the information to be monitored into binary data, normalizes all groups of data converted into the binary data, inputs the data into a specified analysis interval, simultaneously constructs a monitoring network model, introduces the information to be monitored into the monitoring network model, is in communication connection with a preset trust level division library, captures related level division rules in the trust level division library, and registers and divides the information to be monitored according to the level division rules by the monitoring network model.
The list classification module receives the information to be monitored after the trust level is divided, divides and constructs a first list, a second list and a third list according to a system default or a certain rule standard, sequentially guides the division results of the received information to be monitored after the trust level is divided into the three lists for recording and storing, and simultaneously feeds back the three lists to corresponding terminal equipment for a user to check and modify.
The data screening module extracts the feature codes of the information to be monitored in the first list. It is in network communication connection with the cloud service platform and in communication connection with a virus sharing cloud in the cloud service platform, and compares the extracted feature codes with all network virus feature codes in the virus sharing cloud. If any feature codes are the same, the information to be monitored is blocked, checked and killed through an automatic file checking and killing technology and is added to the second list. If no feature codes are the same, the data screening module establishes a communication connection with a cloud virtual machine in the cloud service platform, and the cloud virtual machine performs infection simulation on the information to be monitored in the first list according to infection standards established by network virus definitions; that is, the data in the first list is uploaded to the cloud virtual machine, and virus infection or damage is simulated through a certain infection mode or infection conditions. The data screening module receives the simulation results and compares them with the original information to be monitored to judge whether it has been infected by the virus, collects the information to be monitored that has been infected, and adds it to the third list.
The analysis feedback module receives each group of analyzed information to be monitored generated by the data screening module, randomly divides the information to be monitored into a training sample set and a testing sample set, simultaneously constructs an initial convolutional neural network model, trains the initial convolutional neural network by using the training sample set, generates a prediction list label of sample data, calculates a value of a loss function according to the prediction list label of the sample data and the initial list label of the sample data, adjusts parameters of the initial convolutional neural network model based on the value of the loss function, and generates a preset convolutional neural network model. And the analysis feedback module optimizes the parameters of the preset convolutional neural network model through the initial list label of the sample data in the test sample set to generate a target convolutional neural network model. The analysis feedback module inputs the information to be monitored, which is collected from the data screening module in real time and analyzed, into the target convolutional neural network model, and analyzes the information based on the output prediction list label and the initial list label of the information to be monitored in real time, when the prediction list label and the initial list label have deviation, the information to be monitored is judged as performance abnormal data, meanwhile, the accuracy, the detection rate and the false alarm rate of the server for intercepting the malicious information to be monitored are calculated based on the prediction list label, and corresponding three curve graphs are drawn according to the accuracy, the detection rate and the false alarm rate.
The server is in network communication connection with the cloud service platform and uploads the performance abnormal data and the three curve graphs to it. The cloud service platform can feed the performance abnormal data and the three curve graphs back to the terminal equipment of the corresponding workers, so that the workers can visually check the real-time performance indexes of the server in intercepting malicious information to be monitored. Meanwhile, the proportion of the performance abnormal data to all data in the server is calculated and a pie chart of the proportion is drawn, an interception trend chart is drawn based on the total amount of performance abnormal data uploaded by the server every day, and a histogram is drawn based on the data storage amounts in the first list, the second list and the third list uploaded by the server. The third-party service center feeds the pie chart, the interception trend chart and the histogram back to the corresponding server, and the server feeds them back to the terminal equipment of the corresponding user.
It should be understood that, although the steps in the flowcharts related to the embodiments described above are displayed sequentially as indicated by the arrows, the steps are not necessarily performed in the order indicated by the arrows. Unless explicitly stated otherwise, the steps are not strictly limited to the order shown and described, and may be performed in other orders. Moreover, at least a part of the steps in the flowcharts related to the embodiments described above may include multiple sub-steps or multiple stages, which are not necessarily performed at the same time but may be performed at different times, and the execution order of these sub-steps or stages is not necessarily sequential; they may be performed in turn or alternately with other steps or with at least a part of the sub-steps or stages of other steps.
Based on the same inventive concept, the embodiment of the present application further provides a list dividing apparatus for implementing the above related list dividing method. The implementation scheme for solving the problem provided by the device is similar to the implementation scheme described in the above method, so specific limitations in one or more embodiments of the list partitioning device provided below may refer to the above limitations on the list partitioning method, and details are not described herein again.
In one embodiment, as shown in fig. 10, there is provided a list dividing apparatus 1000 including: an information obtaining module 1010, an information adding module 1020 and a list generating module 1030, wherein:
the information acquisition module 1010 is used for acquiring information to be monitored of the terminal; the information to be monitored comprises at least one of equipment information and transmission data information.
The information adding module 1020 is configured to add, according to the first list division standard and the information to be monitored, the information to be monitored that meets the first list division standard to the first list.
The list generating module 1030 is configured to screen information to be monitored in the first list according to preset data characteristics, and generate a first target list based on the screened information to be monitored; the preset data characteristics comprise at least one of data attack characteristics and data infection characteristics.
In one embodiment, as shown in fig. 11, the list generating module 1030 further includes:
The feature extraction unit 1032 is configured to extract data features from the information to be monitored in the first list.
The information screening unit 1034 is configured to screen the information to be monitored according to the preset data characteristics and the data characteristics of the information to be monitored in the first list, and generate screened information to be monitored; the information to be monitored which passes the screening does not have preset data characteristics.
In one embodiment, the information screening unit 1034 further includes:
The similarity judging subunit is configured to judge whether the similarity between the data characteristics of the information to be monitored in the first list and the data attack characteristics is greater than or equal to a preset similarity threshold value.
The information removing subunit is configured to, if so, remove the information to be monitored from the preset list and generate the screened information to be monitored.
In one embodiment, the information screening unit 1034 further includes:
The second target list generating subunit is configured to add the information to be monitored whose similarity is greater than or equal to the preset similarity threshold into the second list to generate a second target list.
In one embodiment, the information screening unit 1034 further includes:
The simulation result generation subunit is configured to perform infection simulation on the information to be monitored in the first list and generate an infection simulation result if the similarity between the data characteristics of the information to be monitored and the data attack characteristics is smaller than the preset similarity threshold value.
The simulation result judging subunit is configured to judge whether the infection simulation result meets the preset infection simulation standard.
The screening information generating subunit is configured to, if so, remove the information to be monitored from the first list and generate the screened information to be monitored.
In one embodiment, the information screening unit 1034 further includes:
The third target list generation subunit is configured to add the information to be monitored whose infection simulation result, having the data infection characteristics, meets the preset infection simulation standard into the third list to generate a third target list.
In one embodiment, as shown in fig. 12, the information adding module 1010 further includes:
The trust level generation unit 1012 is configured to perform trust level classification on the information to be monitored of the terminal and generate a trust level corresponding to the information to be monitored of the terminal.
The information to be monitored adding unit 1014 is configured to add information to be monitored, of which the trust level exceeds the preset trust level, to the first list.
In one embodiment, as shown in fig. 13, the list dividing apparatus 1000 further includes:
The sample set obtaining module 1040 is configured to obtain a training sample set and a test sample set; the training sample set and the test sample set contain a plurality of sample data; the sample data comprises information to be monitored in the first list, information to be monitored in the second list, information to be monitored in the third list and an initial list label of the sample data; the initial list label comprises any one of a first list label, a second list label and a third list label.
The label generation module 1050 is configured to input sample data in the training sample set into the initial convolutional neural network model for training, and generate a prediction list label of the sample data; the predicted list label comprises any one of a first list label, a second list label and a third list label.
The model adjusting module 1060 is configured to calculate a value of the loss function according to the prediction list tag of the sample data and the initial list tag of the sample data, adjust a parameter of the initial convolutional neural network model based on the value of the loss function, and generate the preset convolutional neural network model.
The model generating module 1070 is configured to optimize parameters of the preset convolutional neural network model through an initial list tag of sample data in the test sample set, and generate a target convolutional neural network model.
The modules in the above list dividing apparatus may be implemented in whole or in part by software, hardware, or a combination thereof. The modules can be embedded in, or be independent of, a processor in the computer device in hardware form, or can be stored in a memory in the computer device in software form, so that the processor can call and execute the operations corresponding to the modules.
In one embodiment, a computer device is provided, which may be a server, and its internal structure diagram may be as shown in fig. 14. The computer device includes a processor, a memory, and a network interface connected by a system bus. The processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operation of the operating system and the computer program in the non-volatile storage medium. The database of the computer device is used for storing the list data. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by the processor to implement a list dividing method.
Those skilled in the art will appreciate that the architecture shown in fig. 14 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply, as particular computing devices may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.
In one embodiment, a computer device is provided, comprising a memory and a processor, the memory having a computer program stored therein, the processor implementing the following steps when executing the computer program:
Acquiring information to be monitored of a terminal; the information to be monitored comprises at least one of equipment information and transmission data information.
And adding the information to be monitored which accords with the first list division standard into the first list according to the first list division standard and the information to be monitored.
Screening information to be monitored in the first list according to preset data characteristics, and generating a first target list based on the screened information to be monitored; the preset data characteristics comprise at least one of data attack characteristics and data infection characteristics.
In one embodiment, when screening the information to be monitored in the first list according to the preset data characteristics and generating a first target list based on the screened information to be monitored, the processor further implements the following steps when executing the computer program:
Extracting data characteristics from the information to be monitored in the first list.
Screening the information to be monitored according to the preset data characteristics and the data characteristics of the information to be monitored in the first list, and generating screened information to be monitored; the information to be monitored which passes the screening does not have preset data characteristics.
In one embodiment, when screening the information to be monitored according to the preset data characteristics and the data characteristics of the information to be monitored in the first list and generating the screened information to be monitored, the processor further implements the following steps when executing the computer program:
Judging whether the similarity between the data characteristics of the information to be monitored in the first list and the data attack characteristics is greater than or equal to a preset similarity threshold value.
If so, removing the information to be monitored from the preset list to generate the screened information to be monitored.
In one embodiment, the processor, when executing the computer program, further performs the steps of:
Adding the information to be monitored whose similarity is greater than or equal to the preset similarity threshold into a second list to generate a second target list.
In one embodiment, the processor, when executing the computer program, further performs the steps of:
If the similarity between the data characteristics of the information to be monitored and the data attack characteristics is smaller than the preset similarity threshold, performing infection simulation on the information to be monitored in the first list to generate an infection simulation result.
Judging whether the infection simulation result meets the preset infection simulation standard.
If so, removing the information to be monitored from the first list, and generating the screened information to be monitored.
In one embodiment, the processor, when executing the computer program, further performs the steps of:
Adding the information to be monitored whose infection simulation result, having the data infection characteristics, meets the preset infection simulation standard into a third list to generate a third target list.
In one embodiment, the first list division standard comprises that the trust level of the information to be monitored exceeds a preset trust level; when adding the information to be monitored that meets the first list division standard into the first list according to the first list division standard and the information to be monitored, the processor implements the following steps when executing the computer program:
Performing trust level classification on the information to be monitored of the terminal to generate a trust level corresponding to the information to be monitored of the terminal.
Adding the information to be monitored whose trust level exceeds the preset trust level into the first list.
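The screening order in the steps above (trust level, then attack-feature similarity, then infection simulation) can be traced in the following added Python example, which is not code from the patent. The integer trust scale, the Jaccard similarity, the contact-graph spread model standing in for infection simulation, every threshold and all sample records are assumptions constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Info:
    """One piece of information to be monitored (constructed shape)."""
    terminal: str
    trust_level: int      # assumed integer scale
    features: frozenset   # data features extracted from the item


def jaccard(a, b):
    """Set similarity in [0, 1]; stands in for the unspecified similarity measure."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def simulate_spread(start, contacts, max_hops):
    """Assumed infection simulation: terminals reachable from `start`
    within `max_hops` over a contact graph (breadth-first search)."""
    seen, queue = {start}, deque([(start, 0)])
    while queue:
        node, hops = queue.popleft()
        if hops == max_hops:
            continue
        for peer in contacts.get(node, ()):
            if peer not in seen:
                seen.add(peer)
                queue.append((peer, hops + 1))
    return seen - {start}


def divide_lists(items, attack_features, contacts, *, preset_trust=3,
                 sim_threshold=0.5, max_hops=2, spread_limit=3):
    """Return the first, second and third target lists."""
    first, second, third = [], [], []
    for item in items:
        # First list division standard: trust level must exceed the preset level.
        if item.trust_level <= preset_trust:
            continue
        # Similarity to the closest preset data attack feature set.
        score = max((jaccard(item.features, sig) for sig in attack_features),
                    default=0.0)
        if score >= sim_threshold:   # ">=": equality also leaves the first list
            second.append(item)
            continue
        # Only items below the similarity threshold reach infection simulation.
        reached = simulate_spread(item.terminal, contacts, max_hops)
        if len(reached) >= spread_limit:   # assumed infection simulation standard
            third.append(item)
            continue
        first.append(item)           # passed both screens
    return {"first": first, "second": second, "third": third}


# Constructed sample data, not taken from the patent.
ATTACK_FEATURES = [frozenset({"syn_flood", "spoofed_src", "burst"}),
                   frozenset({"port_scan", "sequential_ports"})]
CONTACTS = {"t1": ["t2"], "t3": ["t5", "t6"], "t5": ["t7"]}
ITEMS = [
    Info("t1", 5, frozenset({"modbus_read", "periodic"})),
    Info("t2", 5, frozenset({"port_scan"})),               # similarity exactly 0.5
    Info("t3", 4, frozenset({"file_push", "periodic"})),   # spreads to 3 terminals
    Info("t4", 3, frozenset({"modbus_read"})),             # trust equals the preset
    Info("t8", 4, frozenset({"syn_flood", "burst", "keepalive", "periodic"})),
]


def run_example():
    lists = divide_lists(ITEMS, ATTACK_FEATURES, CONTACTS)
    return {name: [i.terminal for i in members] for name, members in lists.items()}


if __name__ == "__main__":
    print(run_example())
```

Terminal t4 appears in no list because its trust level equals, rather than exceeds, the preset level, and t8 stays in the first target list because its best similarity (0.4) is below the threshold and it has no contacts to spread to.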
In one embodiment, the processor, when executing the computer program, further performs the steps of:
Acquiring a training sample set and a test sample set; the training sample set and the test sample set contain a plurality of sample data; the sample data comprises information to be monitored in the first list, information to be monitored in the second list, information to be monitored in the third list and an initial list label of the sample data; the initial list label comprises any one of a first list label, a second list label and a third list label.
Inputting sample data in a training sample set into an initial convolutional neural network model for training, and generating a prediction list label of the sample data; the predicted list label comprises any one of a first list label, a second list label and a third list label.
And calculating a value of a loss function according to the prediction list label of the sample data and the initial list label of the sample data, adjusting parameters of the initial convolutional neural network model based on the value of the loss function, and generating a preset convolutional neural network model.
And optimizing parameters of a preset convolutional neural network model through an initial list label of sample data in the test sample set to generate a target convolutional neural network model.
In an embodiment, a computer-readable storage medium is provided, on which a computer program is stored which, when being executed by a processor, carries out the steps of the above-mentioned method embodiments.
In an embodiment, a computer program product is provided, comprising a computer program which, when executed by a processor, carries out the steps in the method embodiments described above.
It should be noted that, the user information (including but not limited to user device information, user personal information, etc.) and data (including but not limited to data for analysis, stored data, presented data, etc.) referred to in the present application are information and data authorized by the user or sufficiently authorized by each party.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program instructing the relevant hardware. The computer program can be stored in a non-volatile computer-readable storage medium and, when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, database, or other medium used in the embodiments provided herein may include at least one of non-volatile and volatile memory. The non-volatile memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, Resistive Random Access Memory (ReRAM), Magnetic Random Access Memory (MRAM), Ferroelectric Random Access Memory (FRAM), Phase Change Memory (PCM), graphene memory, and the like. Volatile memory can include Random Access Memory (RAM), external cache memory, and the like. By way of illustration and not limitation, RAM can take many forms, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM). The databases referred to in the various embodiments provided herein may include at least one of relational and non-relational databases. The non-relational database may include, but is not limited to, a blockchain-based distributed database, and the like. The processors referred to in the embodiments provided herein may be general purpose processors, central processing units, graphics processors, digital signal processors, programmable logic devices, quantum computing based data processing logic devices, etc., without limitation.
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the present application. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present application shall be subject to the appended claims.

Claims (12)

1. A list dividing method, the method comprising:
acquiring information to be monitored of a terminal; the information to be monitored comprises at least one of equipment information and transmission data information;
adding information to be monitored which accords with a first list dividing standard into a first list according to the first list dividing standard and the information to be monitored;
screening the information to be monitored in the first list according to preset data characteristics, and generating a first target list based on the screened information to be monitored; the preset data characteristics comprise at least one of data attack characteristics and data infection characteristics.
2. The method according to claim 1, wherein the screening the information to be monitored in the first list according to preset data characteristics, and generating a first target list based on the screened information to be monitored includes:
extracting data characteristics from the information to be monitored in the first list;
screening the information to be monitored according to the preset data characteristics and the data characteristics of the information to be monitored in the first list, and generating the screened information to be monitored; the screened information to be monitored does not have the preset data characteristics.
3. The method according to claim 2, wherein the screening the information to be monitored according to the preset data features and the data features of the information to be monitored in the first list, and generating the screened information to be monitored includes:
judging whether the similarity between the data features of the information to be monitored in the first list and the data attack features is greater than or equal to a preset similarity threshold value or not;
and if so, removing the information to be monitored from the preset list to generate the screened information to be monitored.
4. The method of claim 3, further comprising:
and adding the information to be monitored with the similarity larger than or equal to a preset similarity threshold into a second list to generate a second target list.
5. The method of claim 3, further comprising:
if the similarity between the data characteristics of the information to be monitored and the data attack characteristics is smaller than a preset similarity threshold, infection simulation is carried out on the information to be monitored in the first list, and an infection simulation result is generated;
judging whether the infection simulation result has the data infection characteristics;
if so, removing the information to be monitored from the first list to generate the screened information to be monitored.
6. The method of claim 5, further comprising:
and adding the information to be monitored corresponding to the infection simulation result with the data infection characteristics into a third list to generate a third target list.
7. The method of any of claims 1-6, wherein the first list classification criteria comprises a trust level of the information to be monitored exceeding a preset trust level; the adding the information to be monitored meeting the first list classification standard into a first list according to the first list classification standard and the information to be monitored comprises the following steps:
carrying out trust level division on the information to be monitored of the terminal to generate a trust level corresponding to the information to be monitored of the terminal;
and adding the information to be monitored with the trust level exceeding the preset trust level into a first list.
8. The method of any one of claims 1 to 6, further comprising:
acquiring a training sample set and a test sample set; the training sample set and the testing sample set comprise a plurality of sample data; the sample data comprises information to be monitored in the first list, information to be monitored in the second list, information to be monitored in the third list and an initial label of the sample data; the initial list label comprises any one of a first list label, a second list label and a third list label;
inputting the sample data in the training sample set into an initial convolutional neural network model for training, and generating a prediction list label of the sample data; the predicted list label comprises any one of a first list label, a second list label and a third list label;
calculating a value of a loss function according to the predicted list label of the sample data and the initial list label of the sample data, adjusting parameters of the initial convolutional neural network model based on the value of the loss function, and generating a preset convolutional neural network model;
and optimizing the parameters of the preset convolutional neural network model through the initial list label of the sample data in the test sample set to generate a target convolutional neural network model.
9. A list dividing apparatus, the apparatus comprising:
the information acquisition module is used for acquiring information to be monitored of the terminal; the information to be monitored comprises at least one of equipment information and transmission data information;
the information adding module is used for adding the information to be monitored which accords with the first list division standard into a first list according to the first list division standard and the information to be monitored;
the information screening module is used for screening the information to be monitored in the first list according to preset data characteristics and generating a first target list based on the screened information to be monitored; the preset data characteristics comprise data attack characteristics and data infection characteristics.
10. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor realizes the steps of the method of any one of claims 1 to 6 when executing the computer program.
11. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 6.
12. A computer program product comprising a computer program, characterized in that the computer program realizes the steps of the method of any one of claims 1 to 6 when executed by a processor.
CN202211150496.1A 2022-09-21 2022-09-21 List dividing method and device, computer equipment, storage medium and product Pending CN115567274A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211150496.1A CN115567274A (en) 2022-09-21 2022-09-21 List dividing method and device, computer equipment, storage medium and product

Publications (1)

Publication Number Publication Date
CN115567274A true CN115567274A (en) 2023-01-03

Family

ID=84742002

Country Status (1)

Country Link
CN (1) CN115567274A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination