CN115632874A - Method, device, equipment and storage medium for detecting threat of entity object - Google Patents


Info

Publication number
CN115632874A
Authority
CN
China
Prior art keywords
historical
entity
entity object
current
threat
Prior art date
Legal status
Pending
Application number
CN202211412683.2A
Other languages
Chinese (zh)
Inventor
徐莉莎
陈远猷
Current Assignee
Shanghai Para Software Co ltd
Original Assignee
Shanghai Para Software Co ltd
Priority date
Filing date
Publication date
Application filed by Shanghai Para Software Co ltd
Priority to CN202211412683.2A
Publication of CN115632874A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1416 Event detection, e.g. attack signature detection (second leaf under H04L63/1408 above)
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks

Abstract

The invention discloses a threat detection method, device, equipment and storage medium for an entity object. The method includes: performing feature extraction and association calculation on historical entity logs of at least two historical entity objects collected in a historical period, and determining at least one specific group and a potential threat score of each specific group; determining threat scores of the current entity object in each specific group according to a first association degree between the current entity log acquired in the current period and the historical entity logs contained in each specific group; and determining a threat detection result of the current entity object according to the maximum value of the threat scores corresponding to the current entity object and the potential threat scores of each specific group. The method effectively reduces the cost of threat detection and improves the accuracy of threat scoring judgment.

Description

Method, device, equipment and storage medium for detecting threat of entity object
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a method, an apparatus, a device, and a storage medium for detecting a threat of an entity object.
Background
Advances in network technology and the spread of informatization have brought new development opportunities to many industries, but also network security threats. Because of vulnerabilities in internal systems or malicious attacks, a network system is exposed to information leakage, data destruction, illegal use of resources, unauthorized operations and the like, which can cause great losses to enterprises. Existing attack cases show that most normal users access network resources in a manner that carries their own characteristics, so the similarity between normal users is low, whereas a network attack is a group attack whose members are strongly similar and tightly coupled.
Existing threat detection methods fall mainly into two types. In the first, security experts define the various risk patterns to be detected from their experience, and the risks are graded with self-defined weights. This approach relies too heavily on expert experience, its labor cost is high, and the custom weights are not suited to constantly changing threats. In the second, known risks are detected with a supervised classification method from machine learning, and a score is then obtained from the predicted probability. This approach requires training data with good features and accurate labels and labeling personnel with professional network security knowledge, its labeling cost is high, and its detection and scoring results are prone to large errors when faced with unknown threats.
Disclosure of Invention
The invention provides a threat detection method, device, equipment and storage medium for an entity object, which implement unsupervised threat detection, effectively reduce the cost of threat detection, improve the accuracy of threat scoring judgment and effectively ensure the comprehensiveness of the entity object threat information available for reference.
In a first aspect, an embodiment of the present disclosure provides a method for detecting a threat of an entity object, including:
performing feature extraction and association calculation on historical entity logs of at least two historical entity objects collected in a historical period, and determining at least one specific group and a potential threat score of each specific group;
determining threat scores of the current entity object in each specific group according to a first association degree between the current entity log of the current entity object, acquired in the current period, and the historical entity logs of the historical entity objects contained in each specific group;
and determining a threat detection result of the current entity object according to the maximum value of the threat scores corresponding to the current entity object and the potential threat scores of the specific groups.
In a second aspect, an embodiment of the present disclosure provides a threat detection apparatus for an entity object, including:
the historical threat scoring module is used for performing feature extraction and association calculation on historical entity logs of at least two historical entity objects acquired in a historical period to determine at least one specific group and a potential threat score of each specific group;
the current threat scoring module is used for determining threat scores of the current entity object in each specific group according to a first association degree between the current entity log of the current entity object acquired in the current period and the historical entity logs of the historical entity objects contained in each specific group;
and the detection result determining module is used for determining the threat detection result of the current entity object according to the maximum value of the threat scores corresponding to the current entity object and the potential threat scores of the specific groups.
In a third aspect, an embodiment of the present disclosure provides an electronic device, including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores a computer program executable by the at least one processor, and the computer program, when executed by the at least one processor, enables the at least one processor to perform the method for threat detection of an entity object provided in the embodiments of the first aspect described above.
In a fourth aspect, an embodiment of the present disclosure provides a computer-readable storage medium storing computer instructions which, when executed, enable a processor to implement the method for threat detection of an entity object provided in the embodiments of the first aspect.
According to the threat detection method, device, equipment and storage medium for an entity object, feature extraction and association degree calculation are performed on the historical entity logs of at least two historical entity objects collected in a historical period to determine the specific groups and the potential threat score of each specific group; the threat scores of the current entity object in each specific group are determined according to a first association degree between the current entity log of the current entity object, acquired in the current period, and the historical entity logs of the historical entity objects contained in each specific group; and the threat detection result of the current entity object is determined according to the maximum value of the threat scores corresponding to the current entity object and the potential threat scores of the specific groups. With this technical scheme, the entity logs of the historical entity objects are collected along both the lateral dimension and the time dimension, and the habits of a specific entity across multiple stages and multiple scenarios are aggregated to construct its features, so that the entity portrait is more specific; and, following the observation that attackers are a small and mutually similar minority, the method of constructing and analyzing specific groups is closer to the characteristics of real attacks. The scheme thereby effectively reduces the cost of threat detection, improves the accuracy of threat scoring judgment and ensures the comprehensiveness of the entity object threat information available for reference.
It should be understood that the statements in this section are not intended to identify key or critical features of the embodiments of the present invention, nor are they intended to limit the scope of the invention. Other features of the present invention will become apparent from the following description.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a flowchart of a threat detection method for an entity object according to an embodiment of the present invention;
Fig. 2 is a flowchart of a threat detection method for an entity object according to a second embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a threat detection method for an entity object according to the second embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a threat detection apparatus for an entity object according to a third embodiment of the present invention;
Fig. 5 is a schematic structural diagram of an electronic device according to a fourth embodiment of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and "target" and the like in the description and claims of the invention and the above-described drawings are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example one
Fig. 1 is a flowchart of a threat detection method for an entity object according to an embodiment of the present invention. This embodiment is applicable to threat detection of network entity objects in multiple application scenarios; the method may be executed by a threat detection apparatus for an entity object, which may be implemented in the form of hardware and/or software.
As shown in fig. 1, the method includes:
S101, performing feature extraction and association calculation on historical entity logs of at least two historical entity objects collected in a historical period, and determining at least one specific group and a potential threat score of each specific group.
In this embodiment, the historical period may be understood as a fixed time interval in past time, set according to actual requirements; for example, it may be the past week, the past two weeks or the past month, which the embodiment of the present invention does not limit. A historical entity object may be understood as an element collected in the historical period that can identify a specific user, such as an account, a device or an IP address. A historical entity log may be understood as the log formed by the network operations of a historical entity object.
A specific group is understood to be a group of potentially threatening entities determined on the basis of the association degree; a specific group includes at least one potentially threatening entity object. The embodiments of the present invention do not limit the number of specific groups or the number of entity objects contained in a specific group. The potential threat score may be understood as a score of the degree of potential threat posed by the historical entity objects in the group. Specifically, the historical entity logs of at least two historical entity objects collected in a historical period are obtained and features are extracted for each historical entity object; a feature matrix is constructed from the extracted features and the association degree between historical entity objects is calculated from their feature matrices; at least one specific group is determined from the association degrees between the historical entity objects; and finally the potential threat score of each specific group is determined from the association degrees between the historical entity objects it contains.
For example, features may be extracted from a historical entity log by preprocessing the log and aggregating it along the lateral dimension and the time-series dimension to obtain multi-element heterogeneous features. The features of a historical entity log may include the proportion of logins from the environment device used at the last login, whether logins are frequent, the number of logins in a fixed period, the access duration, the number of applications accessed, the sequence of applications accessed, the number of files downloaded, the number of files modified, the time interval between operations, and so on; extracting m features from the historical entity log gives a feature matrix formed of m-dimensional feature vectors. The association degree between historical entity objects may be calculated as a similarity or a consistency, for example with comparable indexes such as cosine similarity, structural similarity or histogram similarity, which the embodiment of the present invention does not limit.
For example, at least one specific group may be determined from the association degrees between the historical entity objects by group mining with an algorithm such as an association-degree-based mining algorithm or a maximum clique algorithm.
S102, determining threat scores of the current entity object in each specific group according to a first association degree between the current entity log of the current entity object acquired in the current period and historical entity logs of historical entity objects contained in each specific group.
In this embodiment, the current period may be understood as a fixed time interval in the current time, for example one week, two weeks or one month. A current entity object may be understood as an element collected in the current period that can identify a specific user, such as an account, a device or an IP address. It should be noted that there may be one, two or more current entity objects, which the embodiment of the present invention does not limit. The current entity log may be understood as the log formed by the network operations of the current entity object. It is understood that, in the embodiment of the present invention, the current entity object is the entity object on which threat detection is to be performed. The first association degree may be understood as the association degree between the current entity log and the historical entity logs contained in each specific group, or equivalently as the association degree between the current entity object and the historical entity objects in the specific group.
Specifically, the current entity log of the current entity object is obtained in the current period and feature extraction is performed on it to obtain the feature matrix of the current entity object; the association degree between the feature matrix of the current entity object and the feature matrix of each historical entity object contained in each specific group is calculated to determine the first association degree between the current entity object and each historical entity object in each specific group; and the threat score of the current entity object in each specific group is determined from these first association degrees. A network attack is a group attack and the entity objects of the group are strongly similar and closely coupled, so the higher the association degree between entity objects, the greater the network threat that exists. In this embodiment this is embodied as follows: the higher the first association degree between the current entity object and the historical entity objects in a specific group, the higher the threat score of the current entity object in that group.
It should be noted that, as time goes on, the current entity log of the current entity object itself becomes a historical entity log of a historical entity object and takes part in learning the potential threat score of each specific group, so that the potential threat scores are continuously learned as the historical entity logs are updated; the threat entity groups thus fit the actual network system better and the accuracy of threat detection is improved.
S103, determining a threat detection result of the current entity object according to the maximum value of the threat scores corresponding to the current entity object and the potential threat scores of the specific groups.
In this embodiment, the threat detection result of the current entity object may be understood as the result of detecting whether the current entity object carries a network threat. The threat scores corresponding to the current entity object are its threat scores in each specific group.
Specifically, the maximum value of the threat scores of the current entity object across the specific groups is determined, this maximum is compared with the potential threat score of each specific group, and whether the current entity object carries a network threat is determined from the comparison result.
For example, the threat detection result may be determined from the maximum threat score corresponding to the current entity object and the potential threat scores of the specific groups as follows: judge whether the maximum threat score corresponding to the current entity object is smaller than the potential threat scores of all the specific groups; if so, determine that the current entity object carries no threat, otherwise determine that it carries a threat. Alternatively, judge whether the maximum threat score corresponding to the current entity object is larger than the potential threat scores of all the specific groups; if so, determine that the current entity object carries a threat, otherwise determine that it carries no threat.
In this embodiment, feature extraction and association calculation are performed on the historical entity logs of at least two historical entity objects collected in a historical period to determine the specific groups and the potential threat score of each specific group; the threat scores of the current entity object in each specific group are determined according to a first association degree between the current entity log of the current entity object, acquired in the current period, and the historical entity logs of the historical entity objects contained in each specific group; and the threat detection result of the current entity object is determined according to the maximum value of the threat scores corresponding to the current entity object and the potential threat scores of the specific groups. With this technical scheme, the entity logs of the historical entity objects are collected along both the lateral dimension and the time dimension, and the habits of a specific entity across multiple stages and multiple scenarios are aggregated to construct its features, so that the entity portrait is more specific; and, following the observation that attackers are a small and mutually similar minority, the method of constructing and analyzing specific groups is closer to the characteristics of real attacks. The scheme thereby effectively reduces the cost of threat detection, improves the accuracy of threat scoring judgment and ensures the comprehensiveness of the entity object threat information available for reference.
Optionally, the method further includes:
if no specific group exists according to the historical entity logs of the historical entity objects, performing feature extraction and association calculation on the current entity logs of the current entity objects acquired in the current period to determine whether a specific group exists;
if yes, determining that the current entity objects in the specific group carry a threat;
and if not, determining that the current entity objects carry no threat.
Specifically, feature extraction and association calculation are performed on the historical entity logs of at least two historical entity objects collected in the historical period to determine whether at least one specific group exists. If one exists, the threat detection result of the current entity object obtained in the current period is determined with the threat detection method of steps S101 to S103. If none exists, the threat detection result cannot be determined by the rule of step S103, "according to the maximum value of the threat scores corresponding to the current entity object and the potential threat scores of each specific group"; in that case feature extraction and association calculation are performed on the current entity logs of the current entity objects acquired in the current period to determine whether a specific group exists. If no specific group exists, the current entity objects carry no threat; if at least one specific group exists, the current entity objects in that group are considered to carry a threat, which gives the threat detection result of the current entity objects.
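Steps S101 to S103 and the optional fallback above, as an added example that is not the patent's own code. It assumes each entity is already reduced to one feature vector (for example its pooled first feature matrix flattened), that the association degree is cosine similarity, that specific groups are the maximal cliques of the graph whose edges join entities with association at or above a threshold (one of the group-mining options the description names), that a group's potential threat score is its mean pairwise association, and that a current entity's threat score in a group is its mean association with the group's members; the feature values are constructed.

```python
"""S101-S103 of the described method on already-extracted entity features.

Added example; the scoring choices below are assumptions, not the patent's.
"""
from __future__ import annotations
from itertools import combinations
from math import sqrt

THRESHOLD = 0.95   # minimum association for two entities to count as "tightly coupled"
MIN_GROUP = 2      # a specific group must contain at least two entities

Vec = list[float]


def cosine(a: Vec, b: Vec) -> float:
    """Association degree (assumed: cosine similarity)."""
    dot = sum(x * y for x, y in zip(a, b))
    na, nb = sqrt(sum(x * x for x in a)), sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


def maximal_cliques(r: set, p: set, x: set, adj: dict, out: list) -> None:
    """Bron-Kerbosch enumeration of the maximal cliques of the association graph."""
    if not p and not x:
        out.append(r)
        return
    for v in list(p):
        maximal_cliques(r | {v}, p & adj[v], x & adj[v], adj, out)
        p = p - {v}
        x = x | {v}


def mine_specific_groups(entities: dict[str, Vec]) -> list[tuple[list[str], float]]:
    """S101: return (sorted members, potential threat score) for each specific group."""
    assoc: dict[tuple[str, str], float] = {}
    adj: dict[str, set] = {name: set() for name in entities}
    for a, b in combinations(entities, 2):
        s = cosine(entities[a], entities[b])
        assoc[(a, b)] = assoc[(b, a)] = s
        if s >= THRESHOLD:
            adj[a].add(b)
            adj[b].add(a)
    cliques: list[set] = []
    maximal_cliques(set(), set(entities), set(), adj, cliques)
    groups = []
    for clique in cliques:
        if len(clique) < MIN_GROUP:
            continue
        members = sorted(clique)
        pair_scores = [assoc[pair] for pair in combinations(members, 2)]
        # Potential threat score (assumed): mean association inside the group.
        groups.append((members, sum(pair_scores) / len(pair_scores)))
    return sorted(groups)


def group_score(vec: Vec, members: list[str], historical: dict[str, Vec]) -> float:
    """S102: threat score of a current entity in one group, from its first association degrees."""
    return sum(cosine(vec, historical[m]) for m in members) / len(members)


def detect(historical: dict[str, Vec], current: dict[str, Vec]) -> dict[str, bool]:
    """Return {current entity: True if a threat is detected}."""
    groups = mine_specific_groups(historical)
    if not groups:
        # Optional branch: history yields no specific group, so mine the current
        # logs instead; members of any group found are threats, the rest are not.
        flagged = {m for members, _ in mine_specific_groups(current) for m in members}
        return {name: name in flagged for name in current}
    results = {}
    for name, vec in current.items():
        best = max(group_score(vec, members, historical) for members, _ in groups)
        # S103: no threat only when the best score is below every group's potential score.
        results[name] = not all(best < potential for _, potential in groups)
    return results


# Constructed sample features per entity: [logins in the period, access duration (min),
# distinct applications accessed, files downloaded]. h1-h3 behave alike (scripted bulk
# downloading), u1-u3 are ordinary users, c1 and c3 resemble the group, c2 does not.
HISTORICAL = {
    "h1": [50, 2, 1, 30], "h2": [45, 3, 2, 35], "h3": [55, 1, 1, 25],
    "u1": [2, 40, 6, 1], "u2": [5, 15, 12, 3], "u3": [1, 8, 9, 10],
}
CURRENT = {"c1": [48, 2, 1, 32], "c2": [3, 30, 10, 2], "c3": [50, 3, 1, 29]}

if __name__ == "__main__":
    print(mine_specific_groups(HISTORICAL))
    print(detect(HISTORICAL, CURRENT))
    # Fallback path: a history that contains no specific group at all.
    print(detect({k: HISTORICAL[k] for k in ("u1", "u2", "u3")}, CURRENT))
```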
Example two
Fig. 2 is a flowchart of a threat detection method for an entity object according to a second embodiment of the present invention, where this embodiment is further optimized from any of the foregoing embodiments, and this embodiment is applicable to a situation where threat detection is performed on a network entity object in multiple application scenarios.
As shown in fig. 2, the method includes:
S201, extracting features from the historical entity logs of at least two historical entity objects collected in a historical period to obtain a first feature matrix of each historical entity object.
In this embodiment, the first feature matrix may be understood as a feature matrix formed by the multi-dimensional feature vectors of the historical entity log of a historical entity object.
Further, step S201 may include:
(1) Acquire the historical entity logs of at least two historical entity objects collected in a historical period.
Within the historical period, the historical entity logs recording registration, login, application access and in-application operations of at least two historical entity objects are collected.
(2) For the log information of the historical entity log corresponding to each historical entity object, perform session segmentation based on the session marks to obtain at least one complete session.
In this embodiment, log information exists in the history entity log corresponding to each history entity object, and the log information may be understood as a set of session information. Wherein the historical entity log may include at least one complete session based on the time dimension. The session refers to the behavior of the entity object in accessing network resources in the network system, such as login, access, information download, information modification, and the like, and a unique session mark may exist in each complete session. If a plurality of sessions exist, the plurality of sessions can be segmented based on the unique session mark to obtain at least one complete session containing the behavior that the entity object accesses the network resource in the network system.
(3) For each complete session, extract features of the complete session on the preset dimension feature parameters to obtain the feature vector of the complete session.
In this embodiment, the preset dimension characteristic parameter may be understood as a preset number of pieces of characteristic parameter information with different dimensions.
Specifically, the data of each complete session is computed into vector features: an m-dimensional feature vector corresponding to the feature parameters is extracted from the session, and it may contain m pieces of feature information such as the proportion of logins from the environment device used at the last login, whether logins are frequent, the number of logins in a fixed period, the access duration, the number of applications accessed, the sequence of applications accessed, the number of files downloaded, the number of files modified and the time interval between operations, giving the m-dimensional vector.
(4) For each historical entity object, arrange the feature vectors of its complete sessions by session occurrence time to obtain an initial feature matrix.
In this embodiment, the initial feature matrix may be understood as an initial matrix constructed for the multi-dimensional vector features corresponding to the historical entity objects.
Specifically, all sessions of a historical entity object in the historical period are arranged into r sessions in time order; the vector features of every session are computed from its m-dimensional vector and arranged by the time at which each session occurred, giving a feature matrix of the form r × m. The feature matrices of all historical entity objects are computed in the same way: if there are n historical entity objects, their matrices are r_1 × m, r_2 × m, …, r_n × m, and these feature matrices of the n historical entity objects are taken as the initial feature matrices.
(5) Perform average pooling on each initial feature matrix to obtain the first feature matrix of each historical entity object.
In this embodiment, the first feature matrix may be understood as the feature matrix obtained by average pooling of each initial feature matrix. Average pooling is a method used in neural networks to reduce the size of a feature map, the amount of computation and the required GPU memory; here it may be understood specifically as averaging the features of feature points so as to unify the feature dimensions of every historical entity object.
Specifically, the matrix feature dimensions of different historical entity objects are unified by average pooling: the initial feature matrices r_1 × m, r_2 × m, … are average-pooled into first feature matrices of the form r_r × m, where the output dimension r_r can be adjusted according to the data of the actual scenario.
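Steps (1) to (5) of S201 carried through on a constructed log, as an added example that is not the patent's code. It assumes a simple `key=value` event format with an explicit session mark, five per-session features (duration, distinct applications, downloads, modifications, mean interval between operations) standing in for the m preset dimension parameters, and adaptive average pooling over the session axis to reach the fixed r_r rows, so that an entity with fewer than r_r sessions is still handled.

```python
"""First feature matrix of S201: session segmentation, per-session feature
vectors, time ordering into r x m, and average pooling down to r_r x m.

Added example; log format, feature set and pooling scheme are assumptions."""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime
from math import ceil, floor

# Constructed sample log (one event per line), deliberately out of order so that
# sessions are rebuilt from the session mark, not from line order.
SAMPLE_LOG = """\
ts=2023-03-01T13:00:00 entity=alice session=s2 action=login app=portal
ts=2023-03-01T09:00:00 entity=alice session=s1 action=login app=portal
ts=2023-03-01T09:05:00 entity=alice session=s1 action=access app=mail
ts=2023-03-01T13:30:00 entity=alice session=s2 action=modify app=wiki
ts=2023-03-01T09:10:00 entity=alice session=s1 action=download app=mail
ts=2023-03-01T17:00:00 entity=alice session=s3 action=login app=portal
ts=2023-03-01T09:12:00 entity=alice session=s1 action=logout app=portal
ts=2023-03-01T17:00:30 entity=alice session=s3 action=download app=files
ts=2023-03-01T13:31:00 entity=alice session=s2 action=logout app=portal
ts=2023-03-01T17:01:00 entity=alice session=s3 action=download app=files
ts=2023-03-01T17:01:30 entity=alice session=s3 action=logout app=portal
ts=2023-03-01T10:00:00 entity=bob session=s9 action=login app=portal
ts=2023-03-01T10:20:00 entity=bob session=s9 action=logout app=portal
"""

FEATURES = ["duration_s", "distinct_apps", "downloads", "modifies", "mean_interval_s"]


def parse_line(line: str) -> dict[str, str]:
    return dict(kv.split("=", 1) for kv in line.split())


def split_sessions(log_text: str) -> dict[str, list[list[dict]]]:
    """Steps (1)-(2): group events by (entity, session mark) into complete sessions,
    each with its events in time order; sessions are then ordered by start time (step 4)."""
    by_session: dict[tuple[str, str], list[dict]] = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            by_session[(ev["entity"], ev["session"])].append(ev)
    per_entity: dict[str, list[list[dict]]] = defaultdict(list)
    for (entity, _), events in by_session.items():
        events.sort(key=lambda e: e["ts"])   # ISO timestamps sort lexically
        per_entity[entity].append(events)
    for sessions in per_entity.values():
        sessions.sort(key=lambda s: s[0]["ts"])
    return dict(per_entity)


def session_features(events: list[dict]) -> list[float]:
    """Step (3): one m-dimensional feature vector per complete session (m = 5 here)."""
    times = [datetime.fromisoformat(e["ts"]) for e in events]
    duration = (times[-1] - times[0]).total_seconds()
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return [
        duration,
        float(len({e["app"] for e in events})),
        float(sum(e["action"] == "download" for e in events)),
        float(sum(e["action"] == "modify" for e in events)),
        sum(gaps) / len(gaps) if gaps else 0.0,   # single-event session: no interval
    ]


def average_pool(rows: list[list[float]], out_rows: int) -> list[list[float]]:
    """Step (5): adaptive average pooling over the session axis, r x m -> r_r x m.
    Output row i averages input rows floor(i*r/r_r) .. ceil((i+1)*r/r_r)-1, so an
    entity with fewer sessions than out_rows still yields r_r rows (rows are reused)."""
    r = len(rows)
    pooled = []
    for i in range(out_rows):
        lo, hi = floor(i * r / out_rows), ceil((i + 1) * r / out_rows)
        chunk = rows[lo:hi]
        pooled.append([sum(col) / len(chunk) for col in zip(*chunk)])
    return pooled


def first_feature_matrices(log_text: str, out_rows: int = 2) -> dict[str, list[list[float]]]:
    """Steps (1)-(5) for every entity present in the log."""
    return {
        entity: average_pool([session_features(s) for s in sessions], out_rows)
        for entity, sessions in split_sessions(log_text).items()
    }


if __name__ == "__main__":
    for entity, matrix in first_feature_matrices(SAMPLE_LOG).items():
        print(entity, matrix)
```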
S202, for each historical entity object group containing two historical entity objects, determining a second association degree of the historical entity object group according to the association degree between the first feature matrices of its two historical entity objects.
In this embodiment, the history entity object group may be understood as a set of any two history entity objects. Within the historical entity object group, each historical entity object has a corresponding first feature matrix. The second degree of association may be understood as a degree of association between the first feature matrices corresponding to two historical entity objects in the historical entity object group.
Specifically, the historical entity object group includes two different historical entity objects, the historical entity objects included in each two historical entity object groups may not be completely the same, and the degree of association between the first feature matrices of the two historical entity objects in the historical entity object group is determined as the second degree of association.
Illustratively, the historical entity object group a includes a historical entity object 1 and a historical entity object 2, the two historical entity objects correspond to the first feature matrices N1 and N2, respectively, and the association degree between N1 and N2 is determined as the association degree between the historical entity object 1 and the historical entity object 2, that is, the second association degree corresponding to the historical entity object group a; the history entity object group B includes a history entity object 3 and a history entity object 4. The historical entity object group A and the historical entity object group B can be historical entity object groups with the historical entity objects not identical. For example, the historical entity object 1 contained in the historical entity object group a and the historical entity object 3 contained in the historical entity object group B may be the same historical entity object.
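As an added example (not code from the patent), the following Python shows steps (4) and (5) of S201 and the second association degree of S202 on constructed session data: per-session vectors are ordered by time into an r_i × m initial feature matrix, average-pooled to a fixed r_r × m first feature matrix, and two first feature matrices are compared. The adaptive pooling window rule and the use of cosine similarity as the association degree are assumptions, since the patent specifies neither.

```python
"""Added example, not the patent's own code: S201 steps (4)-(5) and the S202
second association degree, run on constructed session vectors."""
import math
from typing import List, Sequence, Tuple

Matrix = List[List[float]]
Session = Tuple[float, Sequence[float]]   # (occurrence time, m-dim feature vector)


def initial_feature_matrix(sessions: Sequence[Session]) -> Matrix:
    """Step (4): arrange the per-session m-dimensional vectors by session time
    to form the r x m initial feature matrix of one historical entity object."""
    ordered = sorted(sessions, key=lambda s: s[0])
    return [list(vec) for _, vec in ordered]


def average_pool(matrix: Matrix, r_r: int) -> Matrix:
    """Step (5): average pooling along the session (time) axis down to r_r rows.

    Output row i averages input rows [floor(i*r/r_r), ceil((i+1)*r/r_r)).
    This adaptive window rule (an assumption; it is the one common deep-learning
    frameworks use) also covers r < r_r by reusing rows, so an entity with very
    few sessions still yields an r_r x m matrix comparable with the others.
    """
    r, m = len(matrix), len(matrix[0])
    pooled: Matrix = []
    for i in range(r_r):
        start = (i * r) // r_r
        end = math.ceil((i + 1) * r / r_r)
        window = matrix[start:end]
        pooled.append([sum(row[j] for row in window) / len(window) for j in range(m)])
    return pooled


def first_feature_matrix(sessions: Sequence[Session], r_r: int) -> Matrix:
    """Initial feature matrix followed by average pooling: the first feature matrix."""
    return average_pool(initial_feature_matrix(sessions), r_r)


def association_degree(a: Matrix, b: Matrix) -> float:
    """S202 second association degree between two first feature matrices, taken
    here (assumption) as the cosine similarity of the flattened matrices.
    Both inputs have the same r_r x m shape after pooling."""
    fa = [v for row in a for v in row]
    fb = [v for row in b for v in row]
    dot = sum(x * y for x, y in zip(fa, fb))
    na = math.sqrt(sum(x * x for x in fa))
    nb = math.sqrt(sum(y * y for y in fb))
    if na == 0.0 or nb == 0.0:
        return 0.0
    return dot / (na * nb)


# Constructed sample data: m = 2 scaled features per session (for instance a
# request count and a byte volume); timestamps are arbitrary offsets and are
# deliberately given out of order for entity A.
ENTITY_A: List[Session] = [(10.0, [1.0, 0.0]), (40.0, [7.0, 6.0]),
                           (20.0, [3.0, 2.0]), (30.0, [5.0, 4.0])]
ENTITY_B: List[Session] = [(5.0, [2.0, 2.0]), (15.0, [4.0, 4.0]), (25.0, [6.0, 6.0])]
ENTITY_C: List[Session] = [(1.0, [9.0, 9.0])]   # one session still pools to r_r rows


def demo(r_r: int = 2) -> dict:
    """Pool the three constructed entities to r_r rows and compare A with B and C."""
    fa = first_feature_matrix(ENTITY_A, r_r)
    fb = first_feature_matrix(ENTITY_B, r_r)
    fc = first_feature_matrix(ENTITY_C, r_r)
    return {"A": fa, "B": fb, "C": fc,
            "A-B": association_degree(fa, fb),
            "A-C": association_degree(fa, fc)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```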
S203, determining at least one specific group according to the second association degree of each historical entity object group.
In this embodiment, each historical entity object group has a corresponding second association degree; association-degree-based group mining is performed on the historical entity objects of the groups whose second association degree satisfies a preset condition, so as to determine at least one specific group.
Further, step S203 may include:
(1) Determining an entity association set formed by a first preset number of historical entity object groups with the largest second association degrees, according to the ranking of the second association degree of each historical entity object group.
In this embodiment, the first preset number may be understood as the number of elements of the preset entity association set. An entity association set may be specifically understood as a set consisting of a preset number of historical entity object groups.
Specifically, the historical entity object groups are sorted by second association degree from high to low, the groups with low association degree are discarded, the first k historical entity object groups by second association degree are selected, and the set of these k groups is determined as the entity association set; at this time t historical entity objects (t ≤ 2k) exist in the entity association set. The number t of historical entity objects in the entity association set may be set according to the actual situation, which is not limited in this embodiment. k is related to t by k_max = t(t-1)/2, the number of distinct pairs among t objects.
Illustratively, if k is 3 and there are 4 historical entity object groups A, B, C and D, with second association degrees 0.7, 0.6, 0.2 and 0.8 respectively, then sorting the second association degrees from largest to smallest places groups A, B and D in the top three, so the entity association set is determined as the set of historical entity object groups A, B and D.
(2) For each historical entity object contained in the entity association set, determining the maximum of the second association degrees of the historical entity object groups to which that historical entity object belongs as the target association degree of that historical entity object.
In this embodiment, the target association degree may be understood as the association degree attributed to the historical entity object itself; specifically, the largest second association degree among its groups is used as the target association degree of the historical entity object.
Specifically, the entity association set includes a first preset number k of historical entity object groups, which together contain t historical entity objects. For each of the t historical entity objects, the second association degrees of the groups in the entity association set to which it belongs are collected, and the largest of them is determined as its target association degree. The historical entity objects in the entity association set satisfy: for any historical entity object group P in the entity association set, at least one historical entity object group Q exists such that similarity(P, Q) ≥ min(second association degree over all historical entity object groups in the entity association set). Q can be understood as the historical entity object group corresponding to the target association degree.
Illustratively, if t = 5 and k = 7, there are 5 historical entity objects 1 to 5 and 7 historical entity object groups over them, for example (1, 2), (1, 3), (1, 4), (2, 3), (2, 5), (3, 4) and (4, 5). The historical entity object groups containing historical entity object 1 are (1, 2), (1, 3) and (1, 4), with second association degrees 0.7, 0.6 and 0.3 respectively, so the second association degree 0.7 of (1, 2) is determined as the target association degree of historical entity object 1. The groups containing historical entity object 2 include (2, 3) and (2, 5), with second association degrees 0.5 and 0.9 respectively, so the second association degree 0.9 of (2, 5) is determined as the target association degree of historical entity object 2. Similarly, since in this example historical entity object 3, historical entity object 4 and historical entity object 5 each have only one historical entity object group in the entity association set, the second association degree of that single group is directly determined as the target association degree of the corresponding historical entity object. At this time there are five target association degrees in the entity association set, the same as the number of historical entity objects.
(3) Determining a candidate specific set formed by a second preset number of historical entity objects with the largest target association degrees, according to the ranking of the target association degree of each historical entity object in the entity association set.
In this embodiment, the candidate specific set may be understood as the set of those historical entity objects in the entity association set whose target association degree satisfies a preset condition; the historical entity objects in the candidate specific set may serve as candidate members of a threat entity group. The preset condition may be: the historical entity object ranks within the top positions, up to the second preset number, when target association degrees are ordered from large to small. The number of entities in the candidate specific set is the second preset number, which may be set according to actual requirements and is not limited in the embodiment of the present invention.
Specifically, the target association degrees of the historical entity objects in the entity association set are ranked, the top target association degrees in descending order are taken up to the second preset number, the historical entity object corresponding to each of them is extracted, and the candidate specific set is constructed from these historical entity objects.
Illustratively, the target association degrees of historical entity objects 1 to 5 are 0.7, 0.9, 0.75, 0.6 and 0.8 respectively. Ranking them from high to low, historical entity object 2 has the highest target association degree and historical entity object 4 the lowest. If the second preset number is 4, historical entity objects 1, 2, 3 and 5 form the candidate specific set.
(4) Performing group mining on the historical entity objects contained in the candidate specific set based on a maximum clique algorithm to obtain at least one specific group.
In this embodiment, the maximum clique algorithm is an algorithm that constructs the largest independent set, and the largest independent set can be understood as a specific group. A specific group may be understood as a collection of a certain number of historical entity objects.
Specifically, the historical entity objects in the candidate specific set are divided into different classes according to the maximum clique algorithm, and each class can be determined as a specific group.
Illustratively, the candidate specific set contains four historical entity objects: 1, 2, 3 and 5. Group mining on these four historical entity objects according to the maximum clique algorithm yields the final specific groups; for example, group mining determines two specific groups, (1, 5) and (2, 3).
S204, calculating the potential threat score of each specific group.
In this embodiment, the potential threat score may be understood as an association score among the historical entity objects in each specific group.
Specifically, the potential threat score of a specific group is determined from the target association degrees of the historical entity objects in that specific group.
Further, the average of the target association degrees of the historical entity objects included in a specific group is determined as the potential threat score of that specific group.
Illustratively, if specific group A contains historical entity objects 1 and 5 with target association degrees 0.7 and 0.6, the potential threat score of specific group A is determined to be 0.65, the average of the two target association degrees. If specific group B contains historical entity objects 2 and 3 with target association degrees 0.9 and 0.75, the potential threat score of specific group B is determined to be 0.825.
S205, determining threat scores of the current entity object in each specific group according to a first association degree between the current entity log of the current entity object acquired in the current period and historical entity logs of historical entity objects contained in each specific group.
In this embodiment, the threat score of the current entity object in each specific group may be understood as an association score between the currently acquired entity object and the historical entity objects of that group.
Specifically, the information of each current entity object is extracted from the current log, the association degree between the current entity object and each historical entity object is determined as a first association degree, and the threat score of the current entity object in each specific group is determined based on the first association degrees between the current entity object and the historical entity objects of that group.
Further, determining the threat score of the current entity object in each specific group according to the first association degree between the current entity log of the current entity object acquired in the current period and the historical entity logs of the historical entity objects included in each specific group may specifically be understood as:
(1) Performing feature extraction on the current entity log corresponding to the current entity object acquired in the current period to obtain a second feature matrix of the current entity object, where the historical entity log and the current entity log use the same feature extraction mode.
In this embodiment, the second feature matrix may be understood as a matrix formed by multi-dimensional feature vectors of the current entity object.
Specifically, feature extraction is performed on a current entity log corresponding to a current entity object acquired in a current period, so that a second feature matrix formed by features of the current entity object is obtained. The feature extraction mode for the current entity log is the same as the feature extraction mode for the historical entity log, which is not described in detail in the embodiments of the present invention.
(2) Determining a first association degree between the current entity object and each historical entity object in each specific group according to the second feature matrix of the current entity object and the first feature matrix of that historical entity object.
In this embodiment, the association degree between the second feature matrix of the current entity object and the first feature matrix of each historical entity object in each specific group is calculated, and the first association degree between the current entity object and each historical entity object in the corresponding specific group is determined from it.
(3) Determining the maximum of the first association degrees corresponding to the current entity object as the threat score of the current entity object in each specific group.
In this embodiment, for each specific group, the first association degrees between the current entity object and the historical entity objects of that group are sorted from high to low and the maximum is taken; the maximum first association degree for each specific group is determined as the threat score of the current entity object for that specific group.
Illustratively, if the first association degrees of the current entity object with historical entity objects 1 and 5 in specific group A are 0.6 and 0.8 respectively, the threat score of the current entity object for specific group A is determined to be 0.8; if the first association degrees of the current entity object with historical entity objects 2 and 3 in specific group B are 0.5 and 0.2 respectively, the threat score for specific group B is determined to be 0.5.
S206, determining the threat detection result of the current entity object according to the maximum value of the threat scores corresponding to the current entity object and the potential threat scores of the specific groups.
In this embodiment, the threat scores of the current entity object for the different specific groups have different values. It is judged whether the maximum of the threat scores corresponding to the current entity object is smaller than the potential threat scores of all specific groups: if so, the current entity object is determined to have no threat; if not, the current entity object is determined to have a threat.
For example, if the threat score of the current entity object for specific group A is 0.8 and for specific group B is 0.5, the maximum threat score of the current entity object is 0.8. The potential threat score of specific group A is 0.65 and that of specific group B is 0.825. The maximum threat score of the current entity object is larger than the potential threat score of specific group A and smaller than that of specific group B, so it does not satisfy the condition of being smaller than the potential threat scores of all specific groups, and the current entity object is determined to have a threat.
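As an added example (not the patent's own code), the following Python runs steps S203 to S206 end to end on constructed second association degrees: top-k pair selection, target association degrees, the candidate specific set, clique-based group mining, potential threat scores, and the S205/S206 decision for two constructed current entity objects. The patent names a maximum clique algorithm without fixing one, so Bron-Kerbosch maximal clique enumeration over the kept pairs is used here as an assumption, and single-member cliques are dropped (also an assumption).

```python
"""Added example, not code from the patent: S203-S206 of CN115632874A on
constructed association values. Pair keys are (a, b) with a < b."""
from typing import Dict, Iterable, List, Tuple

Pair = Tuple[int, int]
Group = Tuple[int, ...]


def entity_association_set(second_assoc: Dict[Pair, float], k: int) -> Dict[Pair, float]:
    """S203(1): keep the k historical entity object groups (pairs) with the
    largest second association degree."""
    ranked = sorted(second_assoc.items(), key=lambda kv: kv[1], reverse=True)
    return dict(ranked[:k])


def target_associations(assoc_set: Dict[Pair, float]) -> Dict[int, float]:
    """S203(2): target association degree of an entity is the largest second
    association degree among the kept pairs it belongs to."""
    target: Dict[int, float] = {}
    for (a, b), score in assoc_set.items():
        for e in (a, b):
            target[e] = max(target.get(e, 0.0), score)
    return target


def candidate_specific_set(target: Dict[int, float], n: int) -> List[int]:
    """S203(3): the n entities with the largest target association degree."""
    ranked = sorted(target.items(), key=lambda kv: kv[1], reverse=True)
    return [e for e, _ in ranked[:n]]


def maximal_cliques(nodes: List[int], edges: Iterable[Pair]) -> List[Group]:
    """S203(4): Bron-Kerbosch enumeration of maximal cliques among the candidate
    entities, an edge being a kept pair (assumption). Each clique is one
    specific group; an entity may belong to several. Singleton cliques are
    dropped (assumption) because a one-member group carries no association."""
    adj: Dict[int, set] = {v: set() for v in nodes}
    for a, b in edges:
        if a in adj and b in adj:
            adj[a].add(b)
            adj[b].add(a)
    cliques: List[Group] = []

    def expand(r: set, p: set, x: set) -> None:
        if not p and not x:
            if len(r) > 1:
                cliques.append(tuple(sorted(r)))
            return
        for v in sorted(p):
            expand(r | {v}, p & adj[v], x & adj[v])
            p = p - {v}
            x = x | {v}

    expand(set(), set(nodes), set())
    return sorted(cliques)


def potential_threat_scores(groups: List[Group], target: Dict[int, float]) -> Dict[Group, float]:
    """S204: mean target association degree of each group's members."""
    return {g: sum(target[e] for e in g) / len(g) for g in groups}


def current_threat_scores(groups: List[Group], first_assoc: Dict[int, float]) -> Dict[Group, float]:
    """S205(3): per specific group, the largest first association degree between
    the current entity object and any member of that group."""
    return {g: max(first_assoc.get(e, 0.0) for e in g) for g in groups}


def has_threat(threat_scores: Dict[Group, float], potential: Dict[Group, float]) -> bool:
    """S206: no threat only if the largest threat score is below the potential
    threat score of every specific group; otherwise a threat is reported."""
    best = max(threat_scores.values())
    return any(best >= potential[g] for g in potential)


# Constructed second association degrees for five historical entity objects.
SECOND_ASSOC: Dict[Pair, float] = {
    (2, 5): 0.9, (1, 2): 0.7, (1, 3): 0.6, (2, 3): 0.5, (4, 5): 0.4,
    (1, 4): 0.3, (3, 4): 0.2, (2, 4): 0.15, (1, 5): 0.1, (3, 5): 0.05,
}


def mine_specific_groups(second_assoc: Dict[Pair, float] = SECOND_ASSOC,
                         k: int = 7, n: int = 4):
    """S203-S204 end to end: returns (specific groups, target degrees, potential scores)."""
    kept = entity_association_set(second_assoc, k)
    target = target_associations(kept)
    candidates = candidate_specific_set(target, n)
    groups = maximal_cliques(candidates, kept.keys())
    return groups, target, potential_threat_scores(groups, target)


def detect(first_assoc: Dict[int, float], groups: List[Group],
           potential: Dict[Group, float]) -> Tuple[bool, Dict[Group, float]]:
    """S205-S206 for one current entity object, given its first association
    degrees to the historical entity objects (constructed by the caller)."""
    scores = current_threat_scores(groups, first_assoc)
    return has_threat(scores, potential), scores


if __name__ == "__main__":
    groups, target, potential = mine_specific_groups()
    print("specific groups:", groups, "potential threat scores:", potential)
    for label, fa in (("X", {1: 0.6, 2: 0.5, 3: 0.2, 5: 0.8}),
                      ("Y", {1: 0.3, 2: 0.4, 3: 0.2, 5: 0.5})):
        flag, scores = detect(fa, groups, potential)
        print(label, scores, "threat" if flag else "no threat")
```

With the constructed values the kept pairs yield the specific groups (1, 2, 3) and (2, 5); current entity X is flagged because its score 0.8 against group (2, 5) reaches that group's potential threat score, while Y stays below both groups.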
In this embodiment, a first feature matrix of each historical entity object is obtained by feature extraction on the historical entity logs of at least two historical entity objects collected in a historical period; for each historical entity object group consisting of two historical entity objects, a second association degree of the group is determined according to the association degree between the first feature matrices of its two objects; at least one specific group is determined according to the second association degree of each historical entity object group; a potential threat score is calculated for each specific group; the threat score of the current entity object in each specific group is determined according to the first association degree between the current entity log of the current entity object, acquired in the current period, and the historical entity logs of the historical entity objects contained in each specific group; and the threat detection result of the current entity object is determined according to the maximum of the threat scores corresponding to the current entity object and the potential threat scores of the specific groups. With this technical scheme, the association degree of each historical entity object is determined, and the level of risk is determined according to the number and the differences of the potential threat entity sets. The threat scores contained in existing historical entity object data may be determined, or the threat scores of new current entity object data may be calculated. Because an unsupervised analysis method is adopted and the threat score is determined from the threat entity group, labeling cost is reduced, and the method is more flexible when dealing with unknown threats.
With this technical scheme, the cost of threat scoring is effectively reduced, the accuracy of threat scoring detection is enhanced, and the method is applicable to threat detection in various application scenarios.
As a first optional embodiment of this embodiment, on the basis of the above embodiment, the step of determining the threat detection result of the current entity object according to the maximum of the threat scores corresponding to the current entity object and the potential threat scores of each specific group is further refined to include:
judging whether the maximum value of the threat scores corresponding to the current entity object is smaller than the potential threat scores of all the specific groups or not; if yes, determining that the current entity object has no threat;
if not, determining that the current entity object has the threat.
Specifically, the maximum of the threat scores corresponding to the current entity object and the potential threat scores of all specific groups are determined. If the maximum threat score of the current entity object is smaller than the potential threat scores of all specific groups, the current entity object is determined to have no threat; if the maximum threat score of the current entity object is greater than or equal to the potential threat score of any specific group, the current entity object is determined to have a threat.
For example, if the maximum threat score of the current entity object is 0.7 and the potential threat scores of the specific groups are 0.8, 0.85 and 0.79, the maximum threat score of the current entity object is smaller than the potential threat scores of all specific groups, and the current entity object is determined to have no threat.
Illustratively, if the maximum threat score of the current entity object is 0.7 and the potential threat scores of the specific groups are 0.63, 0.7 and 0.72, the maximum threat score of the current entity object is greater than the potential threat score 0.63 and equal to the potential threat score 0.7, and the current entity object is determined to have a threat.
Fig. 3 is a schematic diagram of an architecture of a threat detection method for an entity object according to a second embodiment of the present invention, and as shown in fig. 3, first, historical data is collected, a historical entity object and a historical entity log are determined, feature aggregation calculation is performed on the collected data of the historical entity object, a feature matrix is obtained, a specific group is determined based on a degree of association between the feature matrices, potential threats are mined, and a potential threat score is determined.
Meanwhile, the current entity log of the current entity object can be collected to serve as new entity data, feature aggregation calculation is carried out on the collected data of the current entity object to obtain a feature matrix, and the feature matrix correlation degree between the current entity object feature matrix and the historical entity object is compared with the potential threat scores corresponding to the specific groups, so that the threat score of the current entity object is determined.
It is understood that, over time, the collected data of the current entity object may also be promoted to collected data of a historical entity object and continue to participate in the threat detection process of entity objects.
Example three
Fig. 4 is a schematic structural diagram of a threat detection apparatus for an entity object according to a third embodiment of the present invention. As shown in fig. 4, the apparatus includes:
a historical threat scoring module 31, configured to perform feature extraction and association calculation on the historical entity logs of at least two historical entity objects collected in a historical period, and to determine the specific groups and the potential threat score of each specific group;
a current threat scoring module 32, configured to determine the threat score of the current entity object in each specific group according to a first association degree between the current entity log of the current entity object acquired in a current period and the historical entity logs of the historical entity objects included in each specific group;
a detection result determining module 33, configured to determine the threat detection result of the current entity object according to the maximum of the threat scores corresponding to the current entity object and the potential threat scores of the specific groups.
With this technical scheme, the entity logs of a historical entity object are collected along both a horizontal dimension and a time dimension, and the habits of a given entity across multiple stages and multiple scenarios are aggregated to construct the entity's features, so that the entity profile is more specific; in line with the similarity among the minority of attacks, the method of constructing and analyzing specific groups is closer to the characteristics of real attacks. With this technical scheme, threat detection cost is effectively reduced, the accuracy of threat scoring judgment is improved, and the comprehensiveness of the entity object threats that can be referenced is ensured.
Optionally, the historical threat scoring module 31 includes:
the system comprises a characteristic extraction unit, a characteristic analysis unit and a characteristic analysis unit, wherein the characteristic extraction unit is used for extracting the characteristics of historical entity logs of at least two historical entity objects acquired in a historical period to obtain a first characteristic matrix of each historical entity object;
the relevancy determining unit is used for determining second relevancy of each historical entity object group containing two historical entity objects according to relevancy between the first feature matrixes of the historical entity object groups;
an entity group determining unit, configured to determine at least one specific group according to the second relevance of each historical entity object group;
and the threat score calculation unit is used for calculating the potential threat score of each specific group.
Optionally, the feature extraction unit is specifically configured to:
acquiring historical entity logs of at least two historical entity objects collected in a historical period;
for the log information of the historical entity log corresponding to each historical entity object, performing session segmentation based on session markers to obtain at least one complete session;
for each complete session, extracting features of the complete session on preset feature dimensions to obtain a feature vector of the complete session;
for each historical entity object, arranging the feature vectors of the complete sessions corresponding to the historical entity object according to session occurrence time to obtain an initial feature matrix;
and performing average pooling on each initial feature matrix to obtain a first feature matrix of each historical entity object.
Optionally, the entity group determining unit is specifically configured to:
determining an entity association set formed by a first preset number of historical entity object groups with the maximum second association degree according to the ranking of the second association degree of each historical entity object group;
for each historical entity object contained in the entity association set, determining the maximum value of the second association degree of the historical entity object group to which the historical entity object belongs as the target association degree of the historical entity object;
determining a candidate specific set formed by a second preset number of historical entity objects with the maximum target relevance according to the sequence of the target relevance of each historical entity object in the entity relevance set;
and performing group mining on the historical entity objects contained in the candidate specific set based on a maximum clique algorithm to obtain a specific group.
Further, calculating the potential threat score of each specific group comprises: determining the average of the target association degrees of the historical entity objects contained in the specific group as the potential threat score of the specific group.
Optionally, the current threat scoring module 32 is specifically configured to:
performing feature extraction on a current entity log corresponding to a current entity object acquired in a current period to obtain a second feature matrix of the current entity object, wherein the historical entity log and the current entity log use the same feature extraction mode;
determining a first association degree between the current entity object and the corresponding historical entity object in each specific group according to the second feature matrix of the current entity object and the first feature matrix of the historical entity object in each specific group;
and determining the maximum value of the first association degree corresponding to the current entity object as the threat score of the current entity object in each specific group.
Optionally, the detection result determining module 33 is specifically configured to:
judging whether the maximum of the threat scores corresponding to the current entity object is smaller than the potential threat scores of all specific groups; if yes, determining that the current entity object has no threat;
if not, determining that the current entity object has a threat.
Optionally, the apparatus further includes a specific group determining module, configured to, if it is determined from the historical entity logs of the historical entity objects that no specific group exists, perform feature extraction and association calculation on the current entity log of the current entity object acquired in the current period and determine whether a specific group exists;
if yes, determining that the current entity object in the specific group has a threat;
and if not, determining that the current entity object has no threat.
The threat detection device for the entity object provided by the embodiment of the invention can execute the threat detection method for the entity object provided by any embodiment of the invention, and has corresponding functional modules and beneficial effects of the execution method.
Example four
FIG. 5 illustrates a schematic diagram of an electronic device 40 that may be used to implement an embodiment of the present invention. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital assistants, cellular phones, smart phones, wearable devices (e.g., helmets, glasses, watches, etc.), and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed herein.
As shown in fig. 5, the electronic device 40 includes at least one processor 41, and a memory communicatively connected to the at least one processor 41, such as a Read Only Memory (ROM) 42, a Random Access Memory (RAM) 43, and the like, wherein the memory stores a computer program executable by the at least one processor, and the processor 41 may perform various appropriate actions and processes according to the computer program stored in the Read Only Memory (ROM) 42 or the computer program loaded from the storage unit 48 into the Random Access Memory (RAM) 43. In the RAM 43, various programs and data necessary for the operation of the electronic apparatus 40 can also be stored. The processor 41, the ROM 42, and the RAM 43 are connected to each other via a bus 44. An input/output (I/O) interface 45 is also connected to bus 44.
A number of components in the electronic device 40 are connected to the I/O interface 45, including: an input unit 46 such as a keyboard, a mouse, etc.; an output unit 47 such as various types of displays, speakers, and the like; a storage unit 48 such as a magnetic disk, an optical disk, or the like; and a communication unit 49 such as a network card, modem, wireless communication transceiver, etc. The communication unit 49 allows the electronic device 40 to exchange information/data with other devices via a computer network such as the internet and/or various telecommunication networks.
Processor 41 may be a variety of general and/or special purpose processing components with processing and computing capabilities. Some examples of processor 41 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various dedicated Artificial Intelligence (AI) computing chips, various processors running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, and so forth. Processor 41 performs the various methods and processes described above, such as the threat detection method for an entity object.
In some embodiments, the method of threat detection for an entity object may be implemented as a computer program tangibly embodied in a computer-readable storage medium, such as storage unit 48. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 40 via the ROM 42 and/or the communication unit 49. When the computer program is loaded into RAM 43 and executed by processor 41, one or more steps of the above-described method of threat detection for an entity object may be performed. Alternatively, in other embodiments, processor 41 may be configured to perform the method of threat detection for an entity object by any other suitable means (e.g., by way of firmware).
Various implementations of the systems and techniques described above may be implemented in digital electronic circuitry, integrated circuitry, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems on a Chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, receiving data and instructions from, and transmitting data and instructions to, a storage system, at least one input device, and at least one output device.
A computer program for implementing the methods of the present invention may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the computer programs, when executed by the processor, cause the functions/acts specified in the flowchart and/or block diagram block or blocks to be performed. A computer program may execute entirely on a machine, partly on a machine, as a stand-alone software package, partly on a machine and partly on a remote machine, or entirely on a remote machine or server.
In the context of the present invention, a computer-readable storage medium may be a tangible medium that can contain, or store a computer program for use by or in connection with an instruction execution system, apparatus, or device. A computer readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. Alternatively, the computer readable storage medium may be a machine readable signal medium. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on an electronic device having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) by which a user may provide input to the electronic device. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic, speech, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: Local Area Networks (LANs), Wide Area Networks (WANs), blockchain networks, and the internet.
The computing system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server may be a cloud server (also called a cloud computing server or cloud host), a host product in a cloud computing service system, which overcomes the drawbacks of high management difficulty and weak service scalability found in traditional physical hosts and VPS services.
It should be understood that various forms of the flows shown above may be used, with steps reordered, added, or deleted. For example, the steps described in the present invention may be executed in parallel, sequentially, or in different orders, and are not limited herein as long as the desired result of the technical solution of the present invention can be achieved.
The above-described embodiments should not be construed as limiting the scope of the invention. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may be made in accordance with design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (11)

1. A method for threat detection of an entity object, comprising:
performing feature extraction and association calculation on historical entity logs of at least two historical entity objects acquired in a historical period, and determining at least one specific group and a potential threat score of each specific group;
determining threat scores of the current entity object in each specific group according to a first association degree between the current entity log of the current entity object acquired in the current period and the historical entity logs of the historical entity objects contained in each specific group;
and determining a threat detection result of the current entity object according to the maximum value of the threat scores corresponding to the current entity object and the potential threat scores of the specific groups.
2. The method of claim 1, wherein performing feature extraction and association calculation on the historical entity logs of the at least two historical entity objects acquired in the historical period, and determining the at least one specific group and the potential threat score of each specific group, comprises:
performing feature extraction on historical entity logs of at least two historical entity objects acquired in a historical period to obtain a first feature matrix of each historical entity object;
for each historical entity object group consisting of two historical entity objects, determining a second association degree of the historical entity object group according to the association between the first feature matrices of its two historical entity objects;
determining at least one specific group according to the second association degree of each historical entity object group;
and calculating a potential threat score for each of the specific groups.
3. The method of claim 2, wherein performing feature extraction on the historical entity logs of the at least two historical entity objects acquired in the historical period to obtain the first feature matrix of each historical entity object comprises:
acquiring historical entity logs of at least two historical entity objects acquired in a historical period;
for the log information in the historical entity log corresponding to each historical entity object, performing session segmentation based on session markers to obtain at least one complete session;
for each complete session, extracting features of the complete session over preset feature dimensions to obtain a feature vector of the complete session;
for each historical entity object, arranging the feature vectors of the complete sessions corresponding to the historical entity object in order of session occurrence time to obtain an initial feature matrix;
and performing average pooling on each initial feature matrix to obtain the first feature matrix of each historical entity object.
4. The method of claim 2, wherein determining at least one specific group according to the second association degree of each historical entity object group comprises:
determining an entity association set formed by a first preset number of historical entity object groups having the largest second association degrees, according to the ranking of the second association degrees of the historical entity object groups;
for each historical entity object contained in the entity association set, determining the maximum second association degree among the historical entity object groups to which the historical entity object belongs as the target association degree of that historical entity object;
determining a candidate specific set formed by a second preset number of historical entity objects having the largest target association degrees, according to the ranking of the target association degrees of the historical entity objects in the entity association set;
and performing group mining on the historical entity objects contained in the candidate specific set based on a maximum clustering algorithm to obtain at least one specific group.
5. The method of claim 4, wherein calculating the potential threat score for each of the specific groups comprises:
determining the average of the target association degrees of the historical entity objects contained in the specific group as the potential threat score of the specific group.
6. The method of claim 1, wherein determining threat scores of the current entity object in each of the specific groups according to the first association degree between the current entity log of the current entity object acquired in the current period and the historical entity logs of the historical entity objects contained in each of the specific groups comprises:
performing feature extraction on the current entity log of the current entity object acquired in the current period to obtain a second feature matrix of the current entity object, wherein the historical entity logs and the current entity log use the same feature extraction method;
determining a first association degree between the current entity object and each corresponding historical entity object in each specific group according to the second feature matrix of the current entity object and the first feature matrix of that historical entity object;
and determining the maximum value of the first association degrees corresponding to the current entity object as the threat score of the current entity object in each specific group.
7. The method of claim 1, wherein determining the threat detection result of the current entity object according to the maximum value of the threat scores corresponding to the current entity object and the potential threat scores of the specific groups comprises:
judging whether the maximum value of the threat scores corresponding to the current entity object is smaller than the potential threat scores of all the specific groups;
if yes, determining that the current entity object has no threat;
if not, determining that the current entity object has a threat.
8. The method of claim 1, further comprising:
if no specific group is found from the historical entity logs of the historical entity objects, performing feature extraction and association calculation on the current entity logs of the current entity objects acquired in the current period to determine whether a specific group exists;
if yes, determining that the current entity objects in the specific group have a threat;
and if not, determining that the current entity object has no threat.
9. An apparatus for threat detection of an entity object, comprising:
a historical threat scoring module, configured to perform feature extraction and association calculation on historical entity logs of at least two historical entity objects acquired in a historical period to determine specific groups and a potential threat score of each specific group;
a current threat scoring module, configured to determine threat scores of the current entity object in each specific group according to a first association degree between the current entity log of the current entity object acquired in a current period and the historical entity logs of the historical entity objects contained in each specific group;
and a detection result determining module, configured to determine the threat detection result of the current entity object according to the maximum value of the threat scores corresponding to the current entity object and the potential threat scores of the specific groups.
10. An electronic device, characterized in that the electronic device comprises:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the method of threat detection for an entity object of any of claims 1-8.
11. A computer-readable storage medium having stored thereon computer instructions which, when executed by a processor, cause the processor to implement the method of threat detection for an entity object of any of claims 1-8.
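The claimed pipeline (claims 1 to 7) run end to end on constructed session data, as an added worked example that is not the patent's own code. It assumes session segmentation (claim 3) has already been done, takes cosine similarity as the unspecified association degree, and uses maximal-clique enumeration for the group-mining step of claim 4; the feature dimensions and entity names are constructed.

```python
"""Worked example of the claimed pipeline (added here; not the patent's own
code). Constructed data: per entity, time-ordered session vectors over three
assumed preset dimensions (KB sent, distinct destinations, failed logins)."""
import math
from itertools import combinations

# Constructed historical logs: one list of session feature vectors per entity.
HISTORY = {
    "h1": [(10, 1, 0), (12, 1, 0)],
    "h2": [(20, 2, 1)],
    "h3": [(30, 3, 0), (28, 3, 0)],
    "h4": [(0, 1, 5)],
    "h5": [(0, 0, 1), (0, 0, 3)],
}
CURRENT_BEACONER = [(11, 1, 0), (11, 1, 0)]  # matches h1's pattern
CURRENT_NORMAL = [(0, 0, 4)]                  # unlike any group member

def first_feature_matrix(sessions):
    """Claim 3: stack session vectors in time order, then average-pool."""
    return [sum(s[d] for s in sessions) / len(sessions) for d in range(len(sessions[0]))]

def association(a, b):
    """Association degree between feature vectors; cosine similarity is assumed."""
    dot = sum(x * y for x, y in zip(a, b))
    na, nb = math.sqrt(sum(x * x for x in a)), math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0

def maximal_cliques(nodes, edges):
    """Bron-Kerbosch enumeration, standing in for the claimed group-mining step."""
    adj = {n: set() for n in nodes}
    for u, v in edges:
        adj[u].add(v)
        adj[v].add(u)
    found = []
    def bk(r, p, x):
        if not p and not x:
            found.append(frozenset(r))
        for v in list(p):
            bk(r | {v}, p & adj[v], x & adj[v])
            p, x = p - {v}, x | {v}
    bk(set(), set(nodes), set())
    return found

def mine_groups(hist, top_pairs=3, top_entities=4):
    """Claims 2, 4, 5: pairwise association -> top pairs -> per-entity target
    association -> candidate set -> cliques -> potential threat score (mean)."""
    feats = {e: first_feature_matrix(s) for e, s in hist.items()}
    pairs = sorted(((association(feats[a], feats[b]), a, b)
                    for a, b in combinations(feats, 2)), reverse=True)[:top_pairs]
    target = {}
    for score, a, b in pairs:
        for e in (a, b):
            target[e] = max(target.get(e, 0.0), score)
    cand = sorted(target, key=target.get, reverse=True)[:top_entities]
    edges = [(a, b) for _, a, b in pairs if a in cand and b in cand]
    groups = [g for g in maximal_cliques(cand, edges) if len(g) >= 2]
    return feats, [(g, sum(target[e] for e in g) / len(g)) for g in groups]

def detect(current_sessions, feats, groups):
    """Claims 6, 7: best association with any group member is the group's threat
    score; flag unless that score is below every group's potential score."""
    if not groups:
        return "no threat"  # claim 8's re-mining on current logs is omitted here
    cur = first_feature_matrix(current_sessions)
    best = max(max(association(cur, feats[e]) for e in g) for g, _ in groups)
    return "no threat" if all(best < p for _, p in groups) else "threat"
```

On this data the three near-proportional entities h1, h2 and h3 form the single specific group, while the similar pair h4/h5 is excluded by the top-pairs cut; an entity whose current sessions repeat h1's pattern is flagged and a dissimilar one is not.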
Priority Applications (1)

Application Number | Publication | Priority Date | Filing Date | Title | Status
CN202211412683.2A | CN115632874A (en) | 2022-11-11 | 2022-11-11 | Method, device, equipment and storage medium for detecting threat of entity object | Pending

Publications (1)

Publication Number | Publication Date
CN115632874A (en) | 2023-01-20

Family

ID=84909926

Country Status (1)

Country Link
CN (1) CN115632874A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN116938600A (en) * | 2023-09-14 | 2023-10-24 | 北京安天网络安全技术有限公司 | Threat event analysis method, electronic device and storage medium
CN116938600B (en) * | 2023-09-14 | 2023-11-24 | 北京安天网络安全技术有限公司 | Threat event analysis method, electronic device and storage medium

Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination