CN115941265B - Big data attack processing method and system applied to cloud service - Google Patents

Publication number
CN115941265B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202211354644.1A
Other languages
Chinese (zh)
Other versions
CN115941265A (en)
Inventor
褚琰
周江锋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing Dingshan Information Technology Co ltd
Original Assignee
Nanjing Dingshan Information Technology Co ltd
Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00: Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The invention relates to the technical field of cloud computing security, in particular to a big data attack processing method and system applied to cloud services. The method comprises the following steps: continuously supervising a transaction interaction log generated by a cloud service process, and comparing according to a preset abnormal transaction model to generate an abnormal transaction interaction log; scanning and comparing the abnormal transaction interaction logs according to a preset user abnormal behavior model and a preset system abnormal log model to generate user abnormal behavior information; mining and identifying big data attack intentions of the abnormal behavior information of the user, and generating a cloud session attack intention characteristic set; and integrating the cloud session attack intention characteristics of the cloud session attack intention characteristic set and corresponding cloud session process information to generate abnormal cloud session attack intention full characteristics. The transaction interaction log is generated by monitoring the cloud service in real time, so that the attack intention of the user behavior is analyzed and judged, and the big data attack processing is realized.

Description

Big data attack processing method and system applied to cloud service
Technical Field
The invention relates to the technical field of cloud computing security, in particular to a big data attack processing method and system applied to cloud services.
Background
Big data and cloud computing are increasingly applied in fields such as industrial development, government administration and improving people's livelihoods, greatly raising production efficiency and living standards. At the same time, big data is large in volume and highly interrelated, so a single successful big data attack can acquire massive amounts of data and capture valuable information, particularly sensitive personal information. On the other hand, big data technology cannot provide accurate and reliable identification and handling of big data attacks during its application.
Disclosure of Invention
The invention provides a big data attack processing method and a big data attack processing system applied to cloud service for solving at least one technical problem.
In one embodiment of the present disclosure, a big data attack processing method applied to a cloud service is provided, including the following steps:
step S1: continuously supervising a transaction interaction log generated by a cloud service process, and comparing according to a preset abnormal transaction model to generate an abnormal transaction interaction log;
step S2: scanning and comparing the abnormal transaction interaction logs according to a preset user abnormal behavior model and a preset system abnormal log model to generate user abnormal behavior information;
step S3: carrying out big data attack intention mining and recognition on the abnormal behavior information of the user, and generating a cloud session attack intention characteristic set;
step S4: integrating cloud session attack intention characteristics of the cloud session attack intention characteristic set and corresponding cloud session process information to generate abnormal cloud session attack intention full characteristics for the cloud computing security protection system to perform cloud computing security protection operation.
In this embodiment, the transaction interaction log generated by the cloud service process is supervised and analyzed to generate user abnormal behavior information; the user's attack intention is then identified and mined from the user abnormal behavior information to generate the abnormal cloud session attack intention full characteristics, which the big data security system uses to make big data security decisions. This provides an accurate and reliable big data attack processing method applied to cloud services.
In one embodiment of the present specification, step S1 is specifically:
acquiring user operation data and checking according to a local historical security detailed log to judge whether the user operation data is security user operation data or not;
when the user operation data are determined to be safe user operation data, a user cloud service process is established;
Generating a transaction interaction log according to the user cloud service process;
performing field scanning on the transaction interaction log to generate transaction field log information;
extracting parameters of the transaction interaction log to generate transaction parameter log information;
feedback extraction is carried out on the transaction interaction log, and transaction feedback log information is generated;
comparing the transaction field log information according to a preset safety field to generate abnormal transaction field log information;
comparing the transaction parameter log information according to preset safety parameters to generate abnormal transaction parameter log information;
comparing the transaction feedback log information according to preset safety feedback to generate abnormal transaction feedback log information, wherein the abnormal transaction interaction log comprises abnormal transaction field log information, abnormal transaction parameter log information and abnormal transaction feedback log information.
In this embodiment, the user operation data is compared with the user's historical operation data to judge whether it is abnormal operation data. When the user operation data is judged to be safe operation data, fields, parameters and feedback are extracted from the transaction interaction log and compared with the preset safe transaction interaction log to generate the abnormal transaction interaction log, preparing for the next step.
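The field, parameter and feedback comparison of step S1 can be sketched as follows. This is an added example, not code from the patent: the JSON-lines log format, the sample entries and the preset safe fields, parameters and feedback values are all constructed for illustration.

```python
import json

# Constructed sample transaction interaction log, one JSON object per line.
SAMPLE_LOG = """\
{"id": 1, "session": "s-100", "op": "query", "params": {"table": "orders", "limit": 50}, "feedback": {"status": 200, "rows": 50}}
{"id": 2, "session": "s-101", "op": "query", "params": {"table": "orders", "limit": 500000}, "feedback": {"status": 200, "rows": 500000}}
{"id": 3, "session": "s-102", "op": "query", "extra_flag": "1", "params": {"table": "orders", "limit": 10}, "feedback": {"status": 200, "rows": 10}}
{"id": 4, "session": "s-103", "op": "export", "params": {"table": "users_pii", "limit": 10}, "feedback": {"status": 403, "rows": 0}}
not-json garbage line
"""


def _int_between(lo, hi):
    """Rule factory: value must be a real int (not bool) within [lo, hi]."""
    return lambda v: type(v) is int and lo <= v <= hi


# Preset safety baselines (assumed values, not taken from the patent).
SAFE_FIELDS = {"id", "session", "op", "params", "feedback"}
SAFE_PARAMS = {
    "table": lambda v: v in ("orders", "inventory"),
    "limit": _int_between(1, 1000),
}
SAFE_FEEDBACK = {
    "status": lambda v: v in (200, 204),
    "rows": _int_between(0, 1000),
}


def scan_fields(entry):
    """Field scan: return (unexpected, missing) field names for one entry."""
    names = set(entry)
    return sorted(names - SAFE_FIELDS), sorted(SAFE_FIELDS - names)


def check_values(values, rules):
    """Compare extracted values with preset rules; return offending keys."""
    if not isinstance(values, dict):
        return ["<not-an-object>"]
    bad = [k for k, v in values.items() if k not in rules or not rules[k](v)]
    bad += [k for k in rules if k not in values]
    return sorted(bad)


def triage(log_text):
    """Build the abnormal transaction interaction log from raw log text.

    The result has the three parts named in step S1 (field, parameter and
    feedback anomalies) plus the lines that could not be parsed at all.
    """
    abnormal = {"field": [], "parameter": [], "feedback": [], "unparsed": []}
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
            if not isinstance(entry, dict):
                raise ValueError("log entry is not an object")
        except ValueError:
            # An unparseable line is itself worth keeping for review.
            abnormal["unparsed"].append({"line": lineno})
            continue
        unexpected, missing = scan_fields(entry)
        if unexpected or missing:
            abnormal["field"].append(
                {"id": entry.get("id"), "unexpected": unexpected, "missing": missing}
            )
        bad_params = check_values(entry.get("params"), SAFE_PARAMS)
        if bad_params:
            abnormal["parameter"].append({"id": entry.get("id"), "bad": bad_params})
        bad_feedback = check_values(entry.get("feedback"), SAFE_FEEDBACK)
        if bad_feedback:
            abnormal["feedback"].append({"id": entry.get("id"), "bad": bad_feedback})
    return abnormal


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```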
In one embodiment of the present specification, step S2 is specifically:
generating a user transaction interaction log according to the abnormal transaction interaction log and the system log;
generating user behavior characteristic information and user characteristic information according to the user transaction interaction log;
generating historical user behavior information and historical user subject information according to a local historical transaction interaction log;
comparing the historical user subject information according to the user characteristic information to generate user characteristic abnormal subject information;
and comparing the historical user behavior information according to the user behavior characteristic information to generate user characteristic abnormal behavior information, wherein the user abnormal behavior information comprises the user characteristic abnormal subject information and the user characteristic abnormal behavior information.
In this embodiment, the user abnormal behavior information is generated through deep analysis of the abnormal transaction interaction log, which provides accurate and reliable user abnormal behavior information. The deep analysis comprises analyzing user subject anomalies and user behavior anomalies, finding the abnormal feature points in the user subject anomalies, and correlating those feature points to generate the user abnormal behavior information.
In one embodiment of the present specification, step S2 further comprises the steps of:
Scanning the abnormal transaction interaction log according to the user abnormal behavior model to generate user abnormal behavior information;
the construction steps of the abnormal behavior model of the user are as follows:
acquiring user abnormal behavior information and user abnormal behavior cloud service log information;
performing cluster analysis on the abnormal behavior information of the user to generate characteristic information of the abnormal behavior of the user;
marking the user abnormal behavior cloud service log information according to the user abnormal behavior characteristic information to generate user abnormal behavior characteristic log information;
calculating the user abnormal behavior feature log through an abnormal weight generation calculation formula to generate an abnormal weight feature sequence, wherein the user abnormal behavior model comprises the abnormal weight feature sequence:
the anomaly weight generation calculation formula is specifically as follows:
$P_n$ is the weighting information of the $n$-th character in the user abnormal behavior feature log information, $x_n$ is the $n$-th character in the user abnormal behavior feature log information, $x_i$ is a character from the first to the $n$-th character in the user abnormal behavior feature log information, $N$ is the total number of characters of the user abnormal behavior feature log information, k is a constant adjustment term, and delta is an adjustment term.
In this embodiment, the anomaly weight generation calculation formula is used to analyze the user abnormal behavior feature log and generate the abnormal weight feature sequence, so as to construct a user abnormal behavior model that can analyze and deconstruct logs to generate the user abnormal behavior information.
This embodiment provides an anomaly weight generation calculation formula that takes into account the character information $x_n$ in the user abnormal behavior feature log information, the character information $x_i$ from the first to the $n$-th character in the user abnormal behavior feature log information, the total number of characters $N$ of the user abnormal behavior feature log information and the adjustment term k, as well as the deep relationships among them, such as that between $x_i$ and $x_n$. Scanning calculation with the formula yields the character segment information that best matches the meaning of abnormal information, so that log information indicating abnormal behavior is accurately captured.
In one embodiment of the present specification, step S3 is specifically:
mining attack intention of the abnormal behavior information of the user to obtain a first user attack intention;
calculating based on a user abnormal behavior tree or a user abnormal behavior diagram according to the user abnormal behavior information to generate a first abnormal attack intention;
optimizing the attack intention graph of the first abnormal attack intention to generate an optimized abnormal attack intention graph corresponding to the cloud service process;
correcting and calculating the first abnormal attack intention according to the first user attack intention and the first user behavior result information to generate a second user attack intention;
Generating a second abnormal attack intention for a second user attack intention according to a preset attack intention identification sequence;
generating a cloud session attack intention feature set according to the optimized abnormal attack intention graph and the second abnormal attack intention;
the construction of the user abnormal behavior tree or the user abnormal behavior diagram comprises the following steps:
acquiring abnormal behavior information of a general user;
and generating a user abnormal behavior tree or a user abnormal behavior diagram through a deep learning algorithm according to the general user abnormal behavior information.
In this embodiment, attack intention mining on the user abnormal behavior information yields the first user attack intention, from which the optimized abnormal attack intention graph is generated, and a second abnormal attack intention is generated according to the first user attack intention and a preset attack intention recognition sequence, so that attack intention recognition for the user's abnormal behavior is analyzed at multiple levels. The first attack intention is trained on historical experience of user abnormal behavior and generated through optimization, while the second attack intention is generated according to the preset attack intention recognition sequence. The optimized abnormal attack intention graph and the second abnormal attack intention are spliced to generate the cloud session attack intention feature set, which is the precondition for the next step: inferring the attacker's identity, attack speed, intrusion behavior and attack intention, performing threat analysis, and thereby sensing the network space security situation.
In one embodiment of the present disclosure, the first user attack intention includes a user history attack target, a user intention attack target curve, a determined attack target of other users' similar intention attack targets, and a pre-trained conventional attack target curve, where the correction deviation calculation formula for performing correction calculation on the first abnormal attack intention is specifically:
delta E is the correction calculation result, tau is the user history attack target, sigma is the user intention attack target curve, rho is the determined attack target of other users' similar intention attack targets, mu is the pre-trained conventional attack target curve, $P_n$ is the weighting information of the $n$-th character in the user abnormal behavior feature log information, together with a constant.
This embodiment provides a correction deviation calculation formula for correcting the first abnormal attack intention. The formula takes into account the user history attack target tau, the user intention attack target curve sigma, the determined attack target rho of other users' similar intention attack targets, the pre-trained conventional attack target curve mu, and the weighting information $P_n$ of the character information in the user abnormal behavior feature log information. The user history attack target is generated from the cloud session history and is used to estimate the category of the user's attack target. The estimate is corrected with the user intention attack target curve and the determined attack targets of other users' similar intention attack targets, and is weighted with the pre-trained conventional attack target curve and with the weighting information $P_n$ of the $n$-th character of the user abnormal behavior feature log information. A double integration then completes the correction calculation, which strengthens the function and produces more accurate numerical information.
In one embodiment of the present specification, step S4 is specifically:
performing cluster analysis according to the cloud session attack intention feature set to generate a cloud session attack intention cluster feature set, wherein the cloud session attack intention cluster feature set comprises cloud session attack intention cluster features;
performing cluster analysis according to the cloud session process information to generate cloud session cluster process information;
and generating abnormal cloud session attack intention full features according to the cloud session attack intention clustering features of the cloud session attack intention clustering feature set and the corresponding cloud session process information.
In this embodiment, cluster analysis performs deep feature analysis on the cloud session attack intention feature set and the cloud session process information to generate the cloud session attack intention cluster feature set and the cloud session cluster process information. The cloud session attack intention cluster feature set comprises the attacker identity, attack speed and attack intention, and the cloud session cluster process information comprises the intrusion behavior and attack intention. The cloud session attack intention feature set and the cloud session process information are deeply linked and subjected to threat analysis, so that the security risks caused by big data attacks during cloud computing are perceived, a response to big data attacks is implemented, and the network space security situation of cloud computing is safeguarded.
In one embodiment of the present specification, step S1 is preceded by:
acquiring user data and user operation data;
generating user main body information according to the user data;
judging whether the user main body information is operation and maintenance user information or not;
when the user main body information is determined to be operation and maintenance user information, generating an operation and maintenance application control;
acquiring operation and maintenance application information through operation and maintenance application control information, wherein the operation and maintenance application information comprises operation and maintenance time, a target database, an operation object and operation contents;
processing the operation and maintenance application information according to the autonomous approval model or the obtained approval opinion to generate operation and maintenance application feedback information;
generating large database opening authority information according to the operation and maintenance application feedback information, wherein the large database opening authority information comprises legal access authority, warning access authority and forbidden access authority;
carrying out big data operation and maintenance operation according to the big database opening authority information and the user operation data;
the construction steps of the autonomous approval model are as follows:
acquiring operation and maintenance information, and performing security marking operation to generate the operation and maintenance marking information, wherein the security marking operation comprises security marking, warning marking and high-risk marking;
Generating an operation and maintenance judgment tree model by using the operation and maintenance labeling information through a spanning tree algorithm, wherein the autonomous approval model is the operation and maintenance judgment tree model;
the approval opinion is obtained through the following steps:
generating a large database approval white list form control, wherein the large database approval white list form comprises an operation and maintenance time white list control, a target database white list control, an operation object white list control and an operation content white list control;
acquiring large database approval white list data according to the large database approval white list form control;
comparing and matching the operation and maintenance application information according to the approval white list data of the large database to generate a first approval opinion, wherein the first approval opinion comprises approval warning information, and the approval warning information comprises safety warning information, warning information and high-risk warning information;
judging whether the approval warning information in the first approval opinion contains high-risk warning information or not;
when the approval warning information in the first approval opinion does not contain the high-risk warning information, generating a second approval opinion acquisition control;
acquiring a second approval opinion according to the second approval opinion acquisition control;
the matching comparison method specifically comprises the following steps:
Generating a first contrast ratio and a second contrast ratio according to the big data approval white list data and the operation and maintenance application information;
generating a safety contrast according to the first contrast and the second contrast through a safety contrast calculation formula;
judging whether the safety contrast is within a first safety contrast threshold value range or not;
when the safety contrast is determined to be within the first safety contrast threshold value range, generating safety warning information;
when the safety contrast is not in the first safety contrast threshold range, judging whether the safety contrast is in the second safety contrast threshold range or not;
when the safety contrast is determined to be within the second threshold range, generating warning information;
when the safety contrast is not in the second threshold range, judging whether the safety contrast is in the third safety contrast threshold range or not;
when the safety contrast is determined to be within the third safety contrast threshold range, generating high-risk warning information;
and when the safety contrast is determined not to be within the third safety contrast threshold range, judging whether the safety contrast is within the first safety contrast threshold range.
In this embodiment, autonomous approval or intelligent approval provides deep analysis of the operation and maintenance applications submitted by operation and maintenance personnel, producing feedback information that conforms to the safe operation and maintenance principles of the large database. This ensures safe operation and maintenance of the large database, reduces data leakage or data loss caused by internal personnel through accident or other reasons, and avoids the big data asset losses that operation and maintenance work might otherwise cause.
In one embodiment of the present specification, the security contrast calculation formula is specifically:
s is a safety contrast, x is a first contrast, y is a second contrast, alpha is weight information of the first contrast, beta is weight information of the second contrast, delta is a constant adjustment term, and theta is a calculation correction term.
This embodiment provides a safety contrast calculation formula that takes into account the first contrast x and its weight information alpha, and the second contrast y and its weight information beta, forms a functional relationship among the first contrast, the second contrast and the amount of information contained, and corrects the result through the calculation correction term theta so as to provide a more effective basis for calculation.
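The whitelist matching, three threshold ranges and second approval opinion described above can be sketched as follows. This is an added example, not code from the patent: the safety contrast formula is not reproduced on this page, so a plain weighted sum alpha·x + beta·y stands in for it. The whitelist values, the definitions of the two contrasts, the threshold ranges, the mapping of warning levels to access rights and the choice to treat a score outside every range as high-risk (instead of re-checking the first range) are assumptions.

```python
from datetime import datetime

# Constructed whitelist covering the four attributes of an application:
# operation and maintenance time, target database, operation object, content.
WHITELIST = {
    "hours": range(1, 5),  # assumed maintenance window 01:00-04:59
    "target_database": ("orders_replica", "metrics"),
    "operation_object": ("index", "partition", "statistics"),
    "operation_content": ("rebuild", "analyze"),
}
ALPHA, BETA = 0.5, 0.5  # assumed weights of the first and second contrast

# Constructed operation and maintenance applications.
APPS = [
    {"time": "2024-03-02T02:30:00", "target_database": "orders_replica",
     "operation_object": "index", "operation_content": "rebuild"},
    {"time": "2024-03-02T14:00:00", "target_database": "orders_replica",
     "operation_object": "index", "operation_content": "rebuild"},
    {"time": "2024-03-02T14:00:00", "target_database": "customers_pii",
     "operation_object": "table", "operation_content": "export"},
    {"target_database": "metrics", "operation_object": "index",
     "operation_content": "analyze"},  # malformed: no time given
]


def contrasts(app):
    """Assumed contrasts: x = when/where match, y = what match, each in [0, 1]."""
    when = datetime.fromisoformat(app["time"])
    x = ((when.hour in WHITELIST["hours"])
         + (app["target_database"] in WHITELIST["target_database"])) / 2
    y = ((app["operation_object"] in WHITELIST["operation_object"])
         + (app["operation_content"] in WHITELIST["operation_content"])) / 2
    return x, y


def safety_contrast(x, y):
    """Stand-in for the patent's formula, which is absent from this page."""
    return ALPHA * x + BETA * y


def classify(score):
    """Map a safety contrast to a warning level using assumed ranges."""
    if 0.9 <= score <= 1.0:   # first range
        return "safety"
    if 0.5 <= score < 0.9:    # second range
        return "warning"
    # Third range [0, 0.5) and anything outside all ranges (NaN, negative,
    # above 1) both end here, so an unclassifiable score is never approved.
    return "high-risk"


def first_opinion(app):
    """First approval opinion: (warning level, safety contrast or None)."""
    try:
        score = safety_contrast(*contrasts(app))
    except (KeyError, TypeError, ValueError):
        return "high-risk", None  # malformed application
    return classify(score), score


def decide(app, second_opinion=None):
    """Combine the first opinion with a reviewer's second opinion.

    second_opinion: True (approve), False (reject) or None (not yet given).
    """
    level, _ = first_opinion(app)
    if level == "high-risk":
        return "forbidden access"  # no second opinion is requested
    if second_opinion is None:
        return "pending second opinion"
    if not second_opinion:
        return "forbidden access"
    return "legal access" if level == "safety" else "warning access"


if __name__ == "__main__":
    for app in APPS:
        print(first_opinion(app), decide(app, second_opinion=True))
```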
In one embodiment of the present specification, a big data attack processing system applied to a cloud service, the system includes:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the big data attack processing method applied to the cloud service as set forth in any one of the above.
This embodiment provides a big data attack processing system applied to cloud services that can implement any of the big data attack processing methods applied to cloud services described above, so as to mine the attack intention of an attack object and to review the operation and maintenance work of operation and maintenance personnel reliably. On the one hand, generating the abnormal cloud session attack intention full features through optimized attack intention mining identifies the attack intention accurately and provides effective and accurate data support for subsequent cloud service security protection. On the other hand, supervising operation and maintenance personnel through autonomous approval avoids data leakage and data loss caused by improper operation by internal personnel.
According to the invention, big data attack intention recognition on the transaction interaction log generates the cloud session attack intention feature set, which is then deeply mined through a deep learning algorithm to find deep associations in the data, so that the identity information, attack speed, intrusion behavior and attack intention of a big data attacker are inferred and identified. Threat analysis on this basis provides accurate and effective big data attack security data for cloud service security protection and thereby safeguards the network space security situation of the cloud service. In addition, the invention provides autonomous approval or intelligent approval of the operation and maintenance application information of operation and maintenance personnel, which avoids data leakage and data loss caused by potentially improper operation during operation and maintenance work and ensures that big data security operation and maintenance work is carried out effectively.
Drawings
Other features, objects and advantages of the application will become more apparent upon reading of the detailed description of a non-limiting implementation, made with reference to the accompanying drawings in which:
FIG. 1 is a flow chart showing the steps of a big data attack processing method applied to cloud services according to an embodiment;
FIG. 2 is a flow diagram that illustrates steps of a method for generating an abnormal transaction interaction log, in accordance with one embodiment;
FIG. 3 is a flow chart illustrating steps of a method for generating user abnormal behavior information in accordance with one embodiment;
FIG. 4 is a flow chart illustrating steps of a method for modeling abnormal behavior of a user in accordance with one embodiment;
FIG. 5 is a flow diagram that illustrates steps of a method for generating a set of cloud session attack intent characteristics in accordance with one embodiment;
FIG. 6 is a flow diagram that illustrates the steps of a method for generating full features of an abnormal cloud session attack intent in accordance with one embodiment;
FIG. 7 is a flow diagram that illustrates the steps of a large database operation and maintenance approval method of an embodiment;
FIG. 8 is a flow chart illustrating steps of a method for approval opinion generation according to one embodiment;
figures 9a-9b illustrate a flow chart of steps of a match comparison method in an approval opinion of an embodiment.
Detailed Description
The following is a clear and complete description of the technical method of the present patent in conjunction with the accompanying drawings, and it is evident that the described embodiments are some, but not all, embodiments of the present application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present application without making any inventive effort, are intended to fall within the scope of the present application.
Furthermore, the drawings are merely schematic illustrations of the present invention and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and thus a repetitive description thereof will be omitted. Some of the block diagrams shown in the figures are functional entities and do not necessarily correspond to physically or logically separate entities. The functional entities may be implemented in software or in one or more hardware modules or integrated circuits or in different networks and/or processor methods and/or microcontroller methods.
It will be understood that, although the terms "first," "second," etc. may be used herein to describe various elements, these elements should not be limited by these terms. These terms are only used to distinguish one element from another element. For example, a first element could be termed a second element, and, similarly, a second element could be termed a first element, without departing from the scope of example embodiments. The term "and/or" as used herein includes any and all combinations of one or more of the associated listed items.
In one embodiment of the present disclosure, as shown in fig. 1, a big data attack processing method applied to a cloud service is provided, including the following steps:
step S1: continuously supervising a transaction interaction log generated by a cloud service process, and comparing according to a preset abnormal transaction model to generate an abnormal transaction interaction log;
specifically, for example, a transaction interaction log generated by a cloud service process is obtained, and the cloud service process generating the abnormality is captured through a custom cloud service abnormality capture statement, and the corresponding transaction interaction log is marked as an abnormal transaction interaction log.
Specifically, for example, when the transaction interaction log is refreshed, the updated transaction interaction log information is continuously acquired and compared against a preset abnormal transaction model to generate an abnormal transaction interaction log. The preset abnormal transaction model is constructed as follows: a conventional abnormal transaction log is obtained, and a conventional transaction log model is generated from it through a deep learning algorithm, wherein the deep learning algorithm comprises a linear model algorithm, a decision tree generation algorithm, a neural network, a support vector machine, Bayesian classification and an ensemble learning algorithm.
Step S2: scanning and comparing the abnormal transaction interaction logs according to a preset user abnormal behavior model and a preset system abnormal log model to generate user abnormal behavior information;
specifically, for example, the preset user abnormal behavior model and the preset system abnormal log model are abnormal examination modes of preset conditions, such as field examination, parameter examination and feedback examination, wherein the abnormal examination modes of the preset conditions are generated by analyzing according to the transaction interaction log of the abnormal behavior, and the analysis can be generated by adopting a deep learning algorithm.
Step S3: carrying out big data attack intention mining and recognition on the user abnormal behavior information to generate a cloud session attack intention feature set;
specifically, for example, the abnormal behavior information of the user is analyzed through a rule template to generate a cloud session attack intention characteristic set.
Specifically, a cloud session attack intention feature set is generated, for example, using an interpretation-based intention recognition method.
Specifically, a cloud session attack intention feature set is generated, for example, by adopting an intention recognition method based on a decision theory.
Specifically, a cloud session attack intention feature set is generated, for example, by adopting an intention recognition method based on a layout diagram analysis.
Specifically, a cloud session attack intention feature set is generated, for example, by adopting an intention recognition method based on probabilistic reasoning.
Specifically, the cloud session attack intention feature set is generated, for example, by statistical means such as a chi-square test.
Step S4: integrating the cloud session attack intention features of the cloud session attack intention feature set with the corresponding cloud session process information to generate abnormal cloud session attack intention full features for the cloud computing security protection system to perform cloud computing security protection operations.
Specifically, for example, according to cloud session attack intention characteristics in the cloud session attack intention characteristic set and corresponding cloud session process information, identifying and splicing through a deep learning algorithm model, and generating abnormal cloud session attack intention full characteristics so as to provide data support for a big data security protection system.
Specifically, for example, mining attack intents according to user behavior information, and generating user attack intents, wherein the user attack intents comprise attack targets, attack bias targets, attack paths and attack frequencies;
vectorizing is carried out according to the attack intention of the user, and an attack intention characteristic vector is generated;
performing visual calculation on the attack intention feature vector to generate attack intention feature image information;
Correcting the attack intention characteristic image information to generate corrected attack intention characteristic image information;
carrying out Gaussian distribution calculation on the corrected attack intention characteristic image information to generate an attack intention Gaussian distribution characteristic set;
matching the attack intention Gaussian distribution feature set with a pre-stored accurate attack intention Gaussian distribution feature set to generate a matched attack intention distribution feature set;
performing saliency processing according to the match attack intention distribution feature set to generate attack intention salient features;
and generating user attack intention salient information according to the attack intention salient features so as to give data support to the cloud service security protection system.
According to the embodiment, the transaction interaction log generated by the cloud service process is supervised and analyzed, the user abnormal behavior information is generated, the user attack intention is identified and mined on the user abnormal behavior information, the full characteristic of the abnormal cloud session attack intention is generated, and the big data security system is used for making big data security decisions, so that an accurate and reliable big data attack processing method applied to the cloud service is provided.
In one embodiment of the present disclosure, as shown in fig. 2, step S1 specifically includes:
step S11: acquiring user operation data and checking according to a local historical security detailed log to judge whether the user operation data is security user operation data or not;
Specifically, for example, user operation data is obtained, the user operation data includes user data and operation data, and the user data is compared according to a historical user data set to determine whether the user is a legal user; and when the user is determined to be a legal user, screening the operation data according to the primary operation screening operation so as to judge whether the operation data is legal operation, wherein the examination is a process of judging whether the user data is legal user and judging whether the operation data is legal operation according to the historical user data and the primary screening rule.
Step S12: when the user operation data are determined to be safe user operation data, a user cloud service process is established;
specifically, for example, the user cloud service process is constructed through a cloud service construction tool; for instance, it can be constructed using a cloud service construction tool currently available on the internet, or the cloud service process is generated using an internet compiling technology.
Step S13: generating a transaction interaction log according to the user cloud service process;
specifically, for example, a process of autonomously generating a transaction interaction log is provided in a user cloud service process, and the transaction interaction log is automatically generated in an operation process of the user cloud service process.
Step S14: performing field scanning on the transaction interaction log to generate transaction field log information;
specifically, for example, a data retrieval statement in a transaction interaction log performs field scanning, and field information of the data retrieval statement is extracted.
Step S15: extracting parameters of the transaction interaction log to generate transaction parameter log information;
specifically, for example, parameter extraction is performed on the data retrieval statement in the transaction interaction log, and field information of the data retrieval statement is extracted.
Step S16: feedback extraction is carried out on the transaction interaction log, and transaction feedback log information is generated;
specifically, feedback information is generated according to transaction interaction in a transaction interaction log, feedback extraction is performed, and transaction feedback log information is generated.
Step S17: comparing the transaction field log information according to a preset safety field to generate abnormal transaction field log information;
specifically, for example, the preset security field is data sensitive field information, where the data sensitive field information includes high data sensitive field information, data sensitive field information and low data sensitive field information, and the comparison is performed according to authority information in the user information, and if it is determined that the authority in the user information cannot use the field information of the data sensitive level, abnormal transaction field log information is generated.
Step S18: comparing the transaction parameter log information according to preset safety parameters to generate abnormal transaction parameter log information;
specifically, for example, the preset security parameters are data sensitive parameter information, wherein the data sensitive parameter information includes high data sensitive parameter information, data sensitive parameter information and low data sensitive parameter information, and the comparison is performed according to authority information in the user information, and if it is determined that the authority in the user information cannot use the parameter information of the data sensitive level, abnormal transaction parameter log information is generated.
Step S19: comparing the transaction feedback log information according to preset safety feedback to generate abnormal transaction feedback log information, wherein the abnormal transaction interaction log comprises abnormal transaction field log information, abnormal transaction parameter log information and abnormal transaction feedback log information.
Specifically, for example, the preset security feedback is data-sensitive feedback information, where the data-sensitive feedback information includes high data-sensitive feedback information, and low data-sensitive feedback information, and the comparison is performed according to authority information in the user information, and if it is determined that the authority in the user information cannot use the feedback information of the data-sensitive level, abnormal transaction feedback log information is generated.
In this embodiment, the user operation data are compared with the user historical operation data to judge whether abnormal operation data are present; when the user operation data are judged to be safe operation data, field, parameter and feedback information are extracted from the transaction interaction log and compared with the preset safe transaction interaction log to generate the abnormal transaction interaction log, which prepares for the next step.
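As an added illustration of steps S14 to S19 (example code, not part of the patent text), the following sketch scans the fields of each data retrieval statement, extracts its parameter and feedback, and compares each against the user's permission level. The log format, the sensitivity catalogues, the reading of "parameter" as the target table and of "feedback" as the returned row count are all assumptions made for the example.

```python
import re

# Constructed sensitivity catalogues (assumptions): 1 = low, 2 = sensitive, 3 = high.
FIELD_SENSITIVITY = {"name": 1, "email": 2, "id_card": 3, "card_no": 3}
TABLE_SENSITIVITY = {"customers": 1, "payments": 3}
MAX_ROWS_BY_CLEARANCE = {1: 100, 2: 1000, 3: 10000}
HIGH = 3

# Constructed log, format assumed: timestamp|user|clearance|statement|rows_returned
SAMPLE_LOG = """\
2022-11-01T09:00:01|alice|3|SELECT name, id_card FROM customers WHERE id = 7|1
2022-11-01T09:00:05|bob|1|SELECT name FROM customers WHERE id = 9|1
2022-11-01T09:00:09|bob|1|SELECT name, card_no FROM payments WHERE 1 = 1|5000
2022-11-01T09:00:12|carol|2|SELECT * FROM customers|20
"""

SELECT_RE = re.compile(r"select\s+(?P<fields>.+?)\s+from\s+(?P<table>\w+)", re.I | re.S)


def parse_entry(line):
    """Split one log line; the statement itself may contain '|' characters."""
    ts, user, clearance, rest = line.split("|", 3)
    statement, rows = rest.rsplit("|", 1)
    return {"ts": ts, "user": user, "clearance": int(clearance),
            "statement": statement, "rows": int(rows)}


def scan_fields(statement):
    """S14: field scan of the data retrieval statement."""
    m = SELECT_RE.search(statement)
    if not m:
        # A statement the scanner cannot parse is reported, not silently passed.
        return ["<unparsed>"]
    return [f.strip().lower() for f in m.group("fields").split(",")]


def extract_params(statement):
    """S15: parameter extraction; the parameter is taken to be the target table."""
    m = SELECT_RE.search(statement)
    return [m.group("table").lower()] if m else []


def over_clearance(items, catalogue, clearance):
    """S17/S18: items whose sensitivity level exceeds the user's permission.

    Items missing from the catalogue (for example '*') count as HIGH, so a
    new or wildcard column fails closed.
    """
    return sorted(i for i in items if catalogue.get(i, HIGH) > clearance)


def abnormal_transaction_log(log_text):
    """Return the entries that are abnormal by field, parameter or feedback."""
    abnormal = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_entry(line)
        fields = over_clearance(scan_fields(e["statement"]),
                                FIELD_SENSITIVITY, e["clearance"])
        params = over_clearance(extract_params(e["statement"]),
                                TABLE_SENSITIVITY, e["clearance"])
        # S16/S19: feedback is abnormal when more rows come back than the
        # permission level allows; an unknown level allows none.
        feedback = e["rows"] > MAX_ROWS_BY_CLEARANCE.get(e["clearance"], 0)
        if fields or params or feedback:
            abnormal.append({"ts": e["ts"], "user": e["user"], "fields": fields,
                             "params": params, "feedback": feedback})
    return abnormal


if __name__ == "__main__":
    for entry in abnormal_transaction_log(SAMPLE_LOG):
        print(entry)
```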
In one embodiment of the present disclosure, as shown in fig. 3, step S2 specifically includes:
step S21: generating a user transaction interaction log according to the abnormal transaction interaction log and the system log;
specifically, for example, the abnormal transaction interaction log and the cloud service system log are spliced to generate a user transaction interaction log, wherein the splicing integrates the two logs according to the corresponding time sequence.
Step S22: generating user behavior characteristic information and user characteristic information according to the user transaction interaction log;
specifically, for example, a regular expression of the user behavior is generated according to the structure of the characteristic of the user behavior, and the user behavior characteristic information acquisition operation is performed through the regular expression of the user behavior, so as to generate the characteristic information of the user behavior; generating a regular expression of the user characteristic information according to the structure of the user characteristic information, and performing user characteristic information acquisition operation through the regular expression of the user characteristic information to generate the user characteristic information.
Step S23: generating historical user behavior information and historical user subject information according to a local historical transaction interaction log;
specifically, for example, a historical user behavior regular expression is generated according to the structure of the historical user behavior information, and the historical user behavior information acquisition operation is performed through the historical user behavior regular expression to generate the historical user behavior information; generating a regular expression of the historical user subject information according to the structure of the historical user subject information, and performing a historical user subject information acquisition job through the regular expression of the historical user subject information to generate the historical user subject information.
Step S24: comparing the historical user subject information according to the user characteristic information to generate user characteristic abnormal subject information;
specifically, for example, the user characteristic information includes an IP address, user account information and machine code information, and the user characteristic information and the historical user main body information are subjected to a comparison operation to generate misaligned user characteristic information, and marked as user characteristic abnormal main body information.
Step S25: comparing the historical user behavior information according to the user behavior characteristic information to generate user characteristic abnormal behavior information, wherein the user characteristic abnormal behavior information comprises user characteristic abnormal main body information and user characteristic abnormal behavior information.
Specifically, for example, the historical user behavior information is vectorized, the historical user behavior characteristic information is generated, the user characteristic information is compared with the historical user behavior characteristic information, and the part which is unsuccessful in comparison is the user characteristic abnormal behavior information.
The user abnormal behavior information is generated through deep analysis of the abnormal transaction interaction log, so that accurate and reliable user abnormal behavior information is provided, wherein the step of deep analysis comprises the steps of analyzing user main body abnormality and user behavior abnormality, searching abnormal characteristic points in the user main body abnormality and correlating the abnormal characteristic points to generate the user abnormal behavior information.
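As an added illustration of steps S21 to S25 (example code, not part of the patent text), the following sketch splices two logs by time, extracts subject and behavior features with regular expressions, and reports whatever does not match the history. The log line formats, the history tables and all sample values are constructed for the example.

```python
import re
from heapq import merge

# Constructed logs (assumed format: ISO timestamp first, then key=value pairs).
ABNORMAL_TX_LOG = [
    "2022-11-01T09:00:09 tx user=bob op=export table=payments",
    "2022-11-01T09:03:40 tx user=alice op=query table=customers",
]
SYSTEM_LOG = [
    "2022-11-01T09:00:02 sys login user=bob ip=203.0.113.7 machine=MC-77F0",
    "2022-11-01T09:03:31 sys login user=alice ip=198.51.100.4 machine=MC-11A2",
]

# Constructed history derived from the local historical transaction log (S23).
HISTORY_SUBJECTS = {
    "alice": {"ips": {"198.51.100.4"}, "machines": {"MC-11A2"}},
    "bob": {"ips": {"192.0.2.10"}, "machines": {"MC-77F0"}},
}
HISTORY_BEHAVIOR = {
    "alice": {("query", "customers")},
    "bob": {("query", "customers"), ("query", "payments")},
}

SUBJECT_RE = re.compile(r"user=(?P<user>\S+) ip=(?P<ip>\S+) machine=(?P<machine>\S+)")
BEHAVIOR_RE = re.compile(r"user=(?P<user>\S+) op=(?P<op>\S+) table=(?P<table>\S+)")


def splice(tx_log, sys_log):
    """S21: splice both logs into one user transaction interaction log by time.

    Lines start with a same-format ISO timestamp, so text order is time order.
    """
    return list(merge(sorted(tx_log), sorted(sys_log)))


def extract(user_log):
    """S22: collect subject features and behavior features with regexes."""
    subjects, behaviors = [], []
    for line in user_log:
        m = SUBJECT_RE.search(line)
        if m:
            subjects.append((m["user"], m["ip"], m["machine"]))
        m = BEHAVIOR_RE.search(line)
        if m:
            behaviors.append((m["user"], m["op"], m["table"]))
    return subjects, behaviors


def abnormal_user_info(tx_log, sys_log):
    """S24/S25: report subject and behavior features absent from the history.

    A user with no history at all has every feature reported.
    """
    subjects, behaviors = extract(splice(tx_log, sys_log))
    abnormal_subject = []
    for user, ip, machine in subjects:
        known = HISTORY_SUBJECTS.get(user, {"ips": set(), "machines": set()})
        if ip not in known["ips"]:
            abnormal_subject.append((user, "ip", ip))
        if machine not in known["machines"]:
            abnormal_subject.append((user, "machine", machine))
    abnormal_behavior = [
        (user, op, table) for user, op, table in behaviors
        if (op, table) not in HISTORY_BEHAVIOR.get(user, set())
    ]
    return {"subject": abnormal_subject, "behavior": abnormal_behavior}


if __name__ == "__main__":
    print(abnormal_user_info(ABNORMAL_TX_LOG, SYSTEM_LOG))
```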
In one embodiment of the present disclosure, as shown in fig. 3 and 4, step S2 further includes the following steps:
scanning the abnormal transaction interaction log according to the user abnormal behavior model to generate user abnormal behavior information;
specifically, for example, the user abnormal behavior model is generated according to general user abnormal behavior information through a deep learning algorithm, wherein the deep learning algorithm comprises a linear model, a decision tree generation algorithm, a neural network algorithm, a support vector machine algorithm, a Bayesian classification algorithm and an ensemble learning algorithm.
The construction steps of the abnormal behavior model of the user are as follows:
Step S201: acquiring user abnormal behavior information and user abnormal behavior cloud service log information;
specifically, the user abnormal behavior information and the user abnormal behavior cloud service log information are generated according to a cloud service process, for example.
Specifically, generating an abnormal cloud service process, for example, by a custom mode and a random generation mode; and generating user abnormal behavior information and user abnormal behavior cloud service log information according to the abnormal cloud service process.
Step S202: performing cluster analysis on the abnormal behavior information of the user to generate characteristic information of the abnormal behavior of the user;
specifically, for example, the labels are calculated through a K-MEANS algorithm to generate the user abnormal behavior feature information.
Step S203: marking the user abnormal behavior cloud service log information according to the user abnormal behavior characteristic information to generate user abnormal behavior characteristic log information;
specifically, for example, the user abnormal behavior feature information is marked according to corresponding cloud service log information of the user abnormal behavior, and the user behavior feature log information is generated.
Step S204: calculating the user abnormal behavior feature log through an abnormal weight generation calculation formula to generate an abnormal weight feature sequence, wherein the user abnormal behavior model comprises the abnormal weight feature sequence.
Specifically, for example, the calculation is performed by the anomaly weight generation calculation formula in the summary.
The anomaly weight generation calculation formula is specifically as follows:
P_n is the weighting information of the nth character in the user abnormal behavior feature log information, x_n is the nth character in the user abnormal behavior feature log information, x_i is the character information from the first to the nth character in the user abnormal behavior feature log information, N is the sum of the numbers of characters of the user abnormal behavior feature log information, k is a constant adjustment item, and delta is an adjustment item.
In the embodiment, the abnormal weight generation calculation formula is used for analyzing and generating the abnormal weight feature sequence for the abnormal behavior feature log of the user so as to construct a user abnormal behavior model which can be analyzed and deconstructed to generate the abnormal behavior information of the user.
The embodiment provides an anomaly weight generation calculation formula that fully considers the character information x_n in the user abnormal behavior feature log information, the character information x_i from the first to the nth character in the user abnormal behavior feature log information, the sum of the numbers of characters N of the user abnormal behavior feature log information, and the adjustment item k, together with the deep linkage relation among them, such as the overall influence of x_i changing with x_n and with the sum of the numbers of characters N. Character segment information that better matches the meaning of abnormal information is generated through scanning calculation, so that log information with the meaning of abnormal behavior is accurately captured.
In one embodiment of the present disclosure, as shown in fig. 5, step S3 specifically includes:
step S31: mining attack intention of the abnormal behavior information of the user to obtain a first user attack intention;
specifically, for example, attack node analysis calculation and attack bias variable calculation are performed on the abnormal behavior information of the user, and a first user attack intention is generated.
Step S32: calculating based on a user abnormal behavior tree or a user abnormal behavior diagram according to the user abnormal behavior information to generate a first abnormal attack intention;
specifically, for example, the user abnormal behavior tree is generated through a decision tree generation algorithm according to the user abnormal historical behavior information.
Specifically, the step of generating the user abnormal behavior map includes, for example, performing coincidence association on the user abnormal behavior information and splicing the user abnormal behavior information to generate the user abnormal behavior map.
Step S33: optimizing the attack intention graph of the first abnormal attack intention to generate an optimized abnormal attack intention graph corresponding to the cloud service process;
Specifically, for example, an attack objective, attack objective bias and attack plan of a first abnormal attack intention are generated to optimize the attack intention, and the attack intention is optimized according to the attack intention optimizing plan to generate an optimized abnormal attack intention graph corresponding to the cloud service process.
Step S34: correcting and calculating the first abnormal attack intention according to the first user attack intention and the first user behavior result information to generate a second user attack intention;
specifically, for example, the first abnormal attack intention is corrected by referring to the correction calculation formula in the present invention.
Step S35: generating a second abnormal attack intention for a second user attack intention according to a preset attack intention identification sequence;
specifically, for example, the preset attack intention recognition sequence is an attack intention recognition sequence conforming to the conventional attack intention recognition meaning, obtained in a custom or randomly generated manner, and is used to recognize the second user attack intention and generate the second abnormal attack intention.
Step S36: generating a cloud session attack intention feature set according to the optimized abnormal attack intention graph and the second abnormal attack intention;
specifically, for example, the optimization anomaly attack intent graph and the second anomaly attack intent are integrated to generate a cloud session attack intent feature set.
The construction of the user abnormal behavior tree or the user abnormal behavior diagram comprises the following steps:
acquiring abnormal behavior information of a general user;
specifically, general user abnormal behavior information is generated, for example, by a user abnormal behavior autonomous generation rule and a random generation algorithm.
generating a user abnormal behavior tree or a user abnormal behavior diagram through a deep learning algorithm according to the general user abnormal behavior information.
Specifically, a user abnormal behavior tree is generated, for example, by a decision tree generation algorithm.
According to the embodiment, the first user attack intention is obtained by carrying out attack intention mining on the user abnormal behavior information, so that an optimized abnormal attack intention graph is generated in an optimized mode, and a second abnormal attack intention is generated according to the first user attack intention and a preset attack intention recognition sequence, so that multi-level analysis on attack intention recognition of the user abnormal behavior is realized, wherein the first attack intention is trained based on user abnormal behavior history experience and is generated in an optimized mode, the second attack intention is generated according to the preset attack intention recognition sequence, and the optimized abnormal attack intention graph and the second abnormal attack intention are spliced to generate a cloud session attack intention feature set, so that preconditions are provided for next step to realize inference of the identity of an attacker, attack speed, intrusion behavior, attack intention and threat analysis, and further sense network space security situation.
In one embodiment of the present disclosure, the first user attack intention includes a user history attack target, a user intention attack target curve, a determined attack target of other user similar intention attack targets, and a pre-training conventional attack target curve, where a correction deviation calculation formula for performing correction calculation on the first abnormal attack intention specifically includes:
delta E is the correction calculation result, tau is the user history attack target, sigma is the user intention attack target curve, rho is the determined attack target of other user similar intention attack targets, mu is the pre-training conventional attack target curve, P_n is the weighting information for the nth character in the user abnormal behavior feature log information, a constant.
The embodiment provides a correction deviation calculation formula for performing correction calculation on the first abnormal attack intention. The formula fully considers the user history attack target tau, the user intention attack target curve sigma, the determined attack target rho of other user similar intention attack targets, the pre-training conventional attack target curve mu, and the weighting information P_n of the character information in the user abnormal behavior feature log information. The user history attack target is generated according to the cloud session history record and predicts the user attack target category; the user intention attack target curve and the other user similar intention attack targets are used for correction, so as to generate intention attack target attack vectors that may be generated close to the cloud service; and the pre-training conventional attack target curve performs prediction weighting and is weighted and integrated with the weighting information P_n of the nth character of the user abnormal behavior feature log information, so that the correction calculation result is fully computed, enhancing the function and facilitating the generation of more accurate numerical information.
In one embodiment of the present disclosure, as shown in fig. 6, step S4 specifically includes:
step S41: performing cluster analysis according to the cloud session attack intention feature set to generate a cloud session attack intention cluster feature set, wherein the cloud session attack intention cluster feature set comprises cloud session attack intention cluster features;
specifically, the cluster analysis calculation is performed, for example, using a K-MEANS algorithm.
Specifically, for example, a hierarchical clustering algorithm is used for cluster analysis calculation.
Specifically, for example, other cluster analysis algorithms are adopted for calculation, such as mixed Gaussian cluster analysis calculation, and in the actual analysis process, if the data volume is excessively large, the iteration can be performed in a mode of data dimension reduction and hierarchical calculation.
Step S42: performing cluster analysis according to the cloud session process information to generate cloud session cluster process information;
specifically, the cluster analysis calculation is performed, for example, using a K-MEANS algorithm.
Specifically, for example, a hierarchical clustering algorithm is used for cluster analysis calculation.
Specifically, for example, other cluster analysis algorithms are adopted for calculation, such as mixed Gaussian cluster analysis calculation, and in the actual analysis process, if the data volume is excessively large, the iteration can be performed in a mode of data dimension reduction and hierarchical calculation.
Step S43: generating abnormal cloud session attack intention full features according to the cloud session attack intention clustering features of the cloud session attack intention clustering feature set and the corresponding cloud session process information.
Specifically, for example, the cloud session attack intention clustering feature is compared with a pre-stored abnormal cloud session attack intention clustering feature set, wherein the cloud session attack intention clustering feature comprises an attacker speed and an attack target, and cloud session process information is monitored in real time so as to generate abnormal cloud session attack intention full features according to whether system parameters are in a safety index range or not, such as whether data leakage, machine macro and insufficient memory occur, so that data support is provided for a cloud service safety protection system.
According to the embodiment, the cloud session attack intention characteristic set and the cloud session process information are subjected to deep characteristic analysis through the cluster analysis to generate the cloud session attack intention clustering characteristic set and the cloud session clustering process information, wherein the cloud session attack intention clustering characteristic set comprises an attacker identity, an attack speed and attack intention, the cloud session clustering process information comprises an invasion behavior and an attack intention, the cloud session attack intention characteristic set and the cloud session process information are subjected to deep connection and threat analysis, so that potential safety hazards caused by big data attack in a cloud computing process are perceived, implementation response to big data attack is achieved, and network space security situation of cloud computing is guaranteed.
In one embodiment of the present specification, as shown in fig. 7, 8 and 9a to 9b, step S1 further includes, before:
step S01: acquiring user data and user operation data;
specifically, for example, a user data acquisition control is generated for performing a user data acquisition job, and a user operation data acquisition control is generated for performing a user operation data acquisition job.
Step S02: generating user main body information according to the user data;
specifically, the user principal information is generated by comparing user principal data stored in the local server, for example, according to account data in the user data, wherein the user principal information includes whether or not it is operation and maintenance user information.
Step S03: judging whether the user main body information is operation and maintenance user information or not;
specifically, for example, the operation and maintenance user information is given corresponding numbers, such as 01, YW and other custom labels, in the corresponding column of the data table, so as to perform a comparison operation to determine whether the user main body information is the operation and maintenance user information.
Step S04: when the user main body information is determined to be operation and maintenance user information, generating an operation and maintenance application control;
specifically, the operation and maintenance application control is generated through a system interface programming technology, for example.
Step S05: acquiring operation and maintenance application information through operation and maintenance application control information, wherein the operation and maintenance application information comprises operation and maintenance time, a target database, an operation object and operation contents;
Specifically, for example, the form control generation technique includes a form column generation technique, and the form column generation technique is internally adjusted.
Step S06: according to the autonomous approval model or the obtained approval opinion, the operation and maintenance application information is generated, and operation and maintenance application feedback information is generated;
specifically, for example, the autonomous approval model is generated according to a large database security opening rule, such as a security operation and maintenance time period, a security operation and maintenance large database table and a security operation and maintenance large data personnel audit.
Specifically, for example, the acquired approval opinions may perform an approval opinion acquisition operation through an approval opinion form control.
Step S07: generating large database opening authority information according to the operation and maintenance application feedback information, wherein the large database opening authority information comprises legal access authority, warning access authority and forbidden access authority;
specifically, for example, the operation and maintenance application feedback information includes legal access right grant, warning access right grant and prohibition of access right grant.
Step S08: carrying out big data operation and maintenance operation according to the big database opening authority information and the user operation data;
specifically, for example, the corresponding user operation data is constrained according to the big data open authority information, such as whether a query or modification of different tables, or of different items of the same table, is passed or not.
The construction steps of the autonomous approval model are as follows:
acquiring operation and maintenance information, and performing security marking operation to generate the operation and maintenance marking information, wherein the security marking operation comprises security marking, warning marking and high-risk marking;
specifically, for example, the security marking operation may be performed automatically by keyword search: keywords are captured through regular expressions, the operation and maintenance information is sorted into different levels according to preset keyword matching, and the corresponding marking is applied to the operation and maintenance information of each level.
Generating an operation and maintenance judgment tree model by using the operation and maintenance labeling information through a spanning tree algorithm, wherein the autonomous approval model is the operation and maintenance judgment tree model;
specifically, for example, the spanning tree algorithm may be a decision tree generation algorithm, which calculates according to an information entropy formula and generates the leaves of the decision tree in order of relative information entropy from high to low.
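One reading of the two construction steps above, as an added example rather than code from the patent: operation and maintenance statements are marked by regular-expression keyword match, and an ID3-style tree is then grown by taking the attribute with the highest information gain at each node. The keyword lists, the record attributes and the sample records are constructed, and returning high-risk for an attribute value the tree has never seen is a choice made for this example.

```python
import math
import re
from collections import Counter

SEVERITY = ["security", "warning", "high-risk"]  # the three markings named on the page

# Constructed keyword presets, checked from most to least severe.
LEVEL_PATTERNS = [
    ("high-risk", re.compile(r"\b(DROP|TRUNCATE|GRANT)\b", re.IGNORECASE)),
    ("warning", re.compile(r"\b(UPDATE|DELETE|ALTER)\b", re.IGNORECASE)),
]


def label(statement):
    """Security marking by keyword match; no match gives the lowest level."""
    for level, pattern in LEVEL_PATTERNS:
        if pattern.search(statement):
            return level
    return "security"


# Constructed operation and maintenance records: (window, table, role, statement).
RAW = [
    ("night", "report", "dba", "SELECT count(*) FROM report"),
    ("night", "report", "dba", "SELECT * FROM report WHERE day = 1"),
    ("night", "customer", "dba", "UPDATE customer SET tier = 2"),
    ("night", "customer", "intern", "DELETE FROM customer WHERE id = 7"),
    ("day", "report", "intern", "SELECT * FROM report"),
    ("day", "customer", "intern", "DROP TABLE customer"),
    ("day", "customer", "dba", "TRUNCATE TABLE customer"),
    ("day", "report", "dba", "ALTER TABLE report ADD COLUMN note text"),
]
ATTRS = ["window", "table", "role"]
RECORDS = [dict(zip(ATTRS, r[:3]), label=label(r[3])) for r in RAW]


def entropy(records):
    """Shannon entropy (bits) of the marking distribution."""
    counts = Counter(r["label"] for r in records)
    n = len(records)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def gain(records, attr):
    """Information gain obtained by splitting the records on one attribute."""
    n = len(records)
    remainder = 0.0
    for value in sorted({r[attr] for r in records}):
        subset = [r for r in records if r[attr] == value]
        remainder += len(subset) / n * entropy(subset)
    return entropy(records) - remainder


def majority(records):
    """Most frequent marking; ties go to the more severe one."""
    counts = Counter(r["label"] for r in records)
    return max(counts, key=lambda l: (counts[l], SEVERITY.index(l)))


def build_tree(records, attrs):
    """Return a marking (leaf) or a tuple (attribute, {value: subtree})."""
    labels = {r["label"] for r in records}
    if len(labels) == 1:
        return labels.pop()
    if not attrs:
        return majority(records)
    best = max(attrs, key=lambda a: gain(records, a))
    rest = [a for a in attrs if a != best]
    branches = {}
    for value in sorted({r[best] for r in records}):
        branches[value] = build_tree([r for r in records if r[best] == value], rest)
    return (best, branches)


def predict(tree, record):
    """Walk the tree; an attribute value never seen in training fails closed."""
    while isinstance(tree, tuple):
        attr, branches = tree
        if record.get(attr) not in branches:
            return "high-risk"
        tree = branches[record[attr]]
    return tree


TREE = build_tree(RECORDS, ATTRS)
```

On these records the root split is the target table, because it separates the read-only report traffic from the customer table where every statement was marked warning or high-risk.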
The approval opinion is obtained through the following steps:
step S61: generating a large database approval white list form control, wherein the large database approval white list form comprises an operation and maintenance time white list control, a target database white list control, an operation object white list control and an operation content white list control;
Specifically, the control may be generated, for example, according to a system interface programming technique, and may be generated by a web page compilation technique.
Specifically, the control generation job is performed by control generation software, for example.
Step S62: acquiring large database approval white list data according to the large database approval white list form control;
specifically, the control is generated, for example, in accordance with a system interface programming technique.
Step S63: comparing and matching the operation and maintenance application information according to the approval white list data of the large database to generate a first approval opinion, wherein the first approval opinion comprises approval warning information, and the approval warning information comprises safety warning information, warning information and high-risk warning information;
specifically, for example, the big data approval white list is a preset big data white list.
Step S64: judging whether the approval warning information in the first approval opinion contains high-risk warning information or not;
specifically, for example, whether the approval warning information in the first approval opinion contains high-risk warning information is judged using a comparison function symbol.
Step S65: when the approval warning information in the first approval opinion does not contain the high-risk warning information, generating a second approval opinion acquisition control;
Specifically, the control is generated, for example, by a system interface programming technique.
Step S66: acquiring a second approval opinion according to the second approval opinion acquisition control;
specifically, for example, the second approval opinion acquisition control is a form control, and the approval opinion form information entered in it is acquired to generate the second approval opinion.
The matching comparison method specifically comprises the following steps:
step S631: generating a first contrast and a second contrast according to the big data approval white list data and the operation and maintenance application information;
specifically, for example, the operation and maintenance application information is compared against the big data approval white list data; the conforming portion is digitized and recorded as the first contrast, the non-conforming portion is digitized and recorded as the second contrast, and the digitizing operation includes a weighted calculation according to the fitting degree and the importance degree.
Step S632: generating a safety contrast according to the first contrast and the second contrast through a safety contrast calculation formula;
specifically, for example, a safety contrast of 0.5 is generated;
step S633: judging whether the safety contrast is within a first safety contrast threshold value range or not;
specifically, for example, the first safety contrast threshold is 0-0.3.
Step S634: when the safety contrast is determined to be within the first safety contrast threshold value range, generating safety warning information;
specifically, for example, the generated safety contrast is 0.2 and the preset first safety contrast threshold range is 0-0.3, so safety warning information is generated.
Step S635: when the safety contrast is not in the first safety contrast threshold range, judging whether the safety contrast is in the second safety contrast threshold range or not;
specifically, for example, the generated safety contrast is 0.5, which is not within the first safety contrast threshold range, such as 0-0.3, so it is judged whether the safety contrast is within the second safety contrast threshold range, such as 0.3-0.6.
Step S636: when the safety contrast is determined to be within the second safety contrast threshold range, generating warning information;
specifically, for example, the safety contrast of 0.5 is determined to be within the second safety contrast threshold range, such as 0.3-0.6, and the warning information is generated.
Step S637: when the safety contrast is not in the second safety contrast threshold range, judging whether the safety contrast is in the third safety contrast threshold range or not;
specifically, for example, when the safety contrast, such as 0.7, is determined not to be within the second safety contrast threshold range, such as 0.3-0.6, it is judged whether the safety contrast is within the third safety contrast threshold range.
Step S638: when the safety contrast is determined to be within the third safety contrast threshold range, generating high-risk warning information;
specifically, for example, the safety contrast, such as 0.7, is determined to be within the third safety contrast threshold range, such as 0.6-1.0, and high-risk warning information is generated.
Step S639: when the safety contrast is determined not to be within the third safety contrast threshold range, judging whether the safety contrast is within the first safety contrast threshold range or not.
Specifically, for example, when the safety contrast, such as 0.1, is determined not to be within the third safety contrast threshold range, such as 0.6-1.0, it is judged whether the safety contrast, such as 0.1, is within the first safety contrast threshold range, such as 0-0.3.
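The comparison and threshold steps S631 to S638, together with the high-risk gate of steps S64 and S65, as an added example that is not code from the patent. The white list, the importance weights and the applications are constructed, and because the safety contrast formula itself is not reproduced on this page, the non-conforming share of the total weight stands in for it.

```python
from dataclasses import dataclass

# Constructed white list, one entry per control named in step S61.
# Times are minutes since midnight.
WHITELIST = {
    "time": (60, 300),                        # 01:00-05:00 maintenance window
    "database": {"orders_dw", "metrics_dw"},
    "object": {"daily_sales", "node_health"},
    "content": {"SELECT", "ANALYZE"},
}

# Constructed importance weights; the page only says the digitizing step
# weights by fitting degree and importance degree.
IMPORTANCE = {"time": 2, "database": 3, "object": 2, "content": 3}

# Ranges from steps S633-S638, tested in step order. The page does not say
# which range owns a shared bound; inclusive bounds in step order put 0.3 in
# the first range and 0.6 in the second (an assumption).
RANGES = [(0.0, 0.3, "safety"), (0.3, 0.6, "warning"), (0.6, 1.0, "high-risk")]


@dataclass
class Application:
    start: int      # requested operation and maintenance time, minutes
    end: int
    database: str   # target database
    obj: str        # operation object
    content: str    # operation content


def fit_degrees(app):
    """Fitting degree in [0, 1] of each application field against the white list."""
    if app.end <= app.start:
        raise ValueError("empty or reversed time window")
    lo, hi = WHITELIST["time"]
    overlap = max(0, min(app.end, hi) - max(app.start, lo))
    return {
        "time": overlap / (app.end - app.start),
        "database": float(app.database in WHITELIST["database"]),
        "object": float(app.obj in WHITELIST["object"]),
        "content": float(app.content.upper() in WHITELIST["content"]),
    }


def contrasts(app):
    """Step S631: weighted conforming part (first) and non-conforming part (second)."""
    fit = fit_degrees(app)
    first = sum(IMPORTANCE[k] * fit[k] for k in fit)
    second = sum(IMPORTANCE[k] * (1.0 - fit[k]) for k in fit)
    return first, second


def safety_contrast(first, second):
    """Stand-in for step S632 (assumption): non-conforming share of the total weight."""
    return second / (first + second)


def warning_level(s):
    """Steps S633-S638: walk the three ranges in the order the steps give."""
    for low, high, level in RANGES:
        if low <= s <= high:
            return level
    raise ValueError(f"safety contrast {s} is outside 0-1.0")


def first_approval_opinion(app):
    """Steps S63-S65: warning level, and whether a second opinion is requested."""
    s = safety_contrast(*contrasts(app))
    level = warning_level(s)
    return {"safety_contrast": s, "warning": level,
            "second_opinion_requested": level != "high-risk"}
```

With these weights, an application that misses only the time window scores 0.2, one that also uses non-white-listed content scores 0.5, and one that misses the time window, target database and operation object scores 0.7, which reproduces the three worked values in the steps above.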
According to this embodiment, the operation and maintenance applications of operation and maintenance personnel are analyzed in depth through autonomous approval or intelligent approval, so that feedback information conforming to the safe operation and maintenance principles of the large database is formed. This ensures safe operation and maintenance of the large database, reduces data leakage or data loss caused by internal personnel through accidents or other reasons, and avoids the big data asset loss that operation and maintenance work may otherwise produce.
In one embodiment of the present specification, the security contrast calculation formula is specifically:
S is a safety contrast, x is a first contrast, y is a second contrast, alpha is weight information of the first contrast, beta is weight information of the second contrast, delta is a constant adjustment term, and theta is a calculation correction term.
The embodiment provides a safety contrast calculation formula that fully considers the first contrast x with its weight information alpha and the second contrast y with its weight information beta. Considering only the first contrast x or only the second contrast y easily leaves the result insufficiently supported. Considering both the first contrast x and the second contrast y, with the weight information correcting the deviation while the amount of implied information is taken into account, forms a functional relation in the calculation process, and the result is corrected by the calculation correction term so as to provide a more effective calculation basis.
In one embodiment of the present specification, a big data attack processing system applied to a cloud service is provided, the system including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the big data attack processing method applied to the cloud service as set forth in any one of the above.
The embodiment provides a big data attack processing system applied to a cloud service, which can implement any of the big data attack processing methods applied to a cloud service described above, so as to mine the attack intention of an attack object, review the operation and maintenance work of operation and maintenance personnel and guarantee reliability. On the one hand, optimized attack intention mining generates the abnormal cloud session attack intention full features, which achieves accurate identification of the attack intention and provides effective and accurate data support for subsequent cloud service security protection; on the other hand, supervising operation and maintenance personnel through autonomous approval avoids data leakage and data loss caused by improper operation by internal personnel.
According to the method, the cloud session attack intention characteristic set is generated by carrying out large data attack intention recognition on the transaction interaction log, and the cloud session attack intention characteristic set is deeply mined through a deep learning algorithm to find out the deep association of data, so that the attack identity, the attack target and the attack intention of a large data attacker are inferred and identified, threat analysis is carried out to provide accurate and effective large data attack safety data for cloud service safety protection, safety protection work is carried out, and further the cloud service network space safety situation is guaranteed.
The present embodiments are, therefore, to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference signs in the claims shall not be construed as limiting the claim concerned.
The foregoing is only a specific embodiment of the invention to enable those skilled in the art to understand or practice the invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (8)

1. The big data attack processing method applied to the cloud service is characterized by comprising the following steps of:
step S1: continuously supervising a transaction interaction log generated by a cloud service process, and comparing according to a preset abnormal transaction model to generate an abnormal transaction interaction log;
Step S2, including:
scanning the abnormal transaction interaction log according to the user abnormal behavior model to generate user abnormal behavior information;
the construction steps of the abnormal behavior model of the user are as follows:
acquiring user abnormal behavior information and user abnormal behavior cloud service log information;
performing cluster analysis on the abnormal behavior information of the user to generate characteristic information of the abnormal behavior of the user;
marking the user abnormal behavior cloud service log information according to the user abnormal behavior characteristic information to generate user abnormal behavior characteristic log information;
calculating an abnormal behavior feature log of the user through an abnormal weight generation calculation formula to generate an abnormal weight feature sequence, wherein the abnormal behavior model of the user comprises the abnormal weight feature sequence;
the abnormal weight generation calculation formula specifically comprises the following steps:
for the +.>Weighting information of individual characters, ">For the +.>Characters->For user abnormal behavior feature from first to +.>Characters->Sum of character numbers of log information for abnormal behavior characteristics of user, +.>For constant adjustment item, ++>To adjust items;
step S3: carrying out big data attack intention mining and recognition on the abnormal behavior information of the user, and generating a cloud session attack intention characteristic set;
step S4: and integrating cloud session attack intention characteristics of the cloud session attack intention characteristic set and corresponding cloud session process information to generate abnormal cloud session attack intention full characteristics for the cloud computing security protection system to perform cloud computing security protection operation.
2. The method according to claim 1, wherein step S1 is specifically:
acquiring user operation data and checking according to a local historical security detailed log to judge whether the user operation data is security user operation data or not;
when the user operation data are determined to be safe user operation data, a user cloud service process is established;
generating a transaction interaction log according to the user cloud service process;
performing field scanning on the transaction interaction log to generate transaction field log information;
extracting parameters of the transaction interaction log to generate transaction parameter log information;
feedback extraction is carried out on the transaction interaction log, and transaction feedback log information is generated;
comparing the transaction field log information according to a preset safety field to generate abnormal transaction field log information;
Comparing the transaction parameter log information according to preset safety parameters to generate abnormal transaction parameter log information;
comparing the transaction feedback log information according to preset safety feedback to generate abnormal transaction feedback log information, wherein the abnormal transaction interaction log comprises abnormal transaction field log information, abnormal transaction parameter log information and abnormal transaction feedback log information.
3. The method according to claim 1, wherein step S3 is specifically:
mining attack intention of the abnormal behavior information of the user to obtain a first user attack intention;
calculating based on a user abnormal behavior tree or a user abnormal behavior diagram according to the user abnormal behavior information to generate a first abnormal attack intention;
optimizing the attack intention graph of the first abnormal attack intention to generate an optimized abnormal attack intention graph corresponding to the cloud service process;
correcting and calculating the first abnormal attack intention according to the first user attack intention and the first user behavior result information to generate a second user attack intention;
generating a second abnormal attack intention for a second user attack intention according to a preset attack intention identification sequence;
Generating a cloud session attack intention feature set according to the optimized abnormal attack intention graph and the second abnormal attack intention;
the construction of the user abnormal behavior tree or the user abnormal behavior diagram comprises the following steps:
acquiring abnormal behavior information of a general user;
and generating a user abnormal behavior tree or a user abnormal behavior diagram through a deep learning algorithm according to the general user abnormal behavior information.
4. The method of claim 1, wherein the first user attack intent comprises a user history attack goal, a user intent attack goal curve, a determination attack goal of other user similar intent attack goals, and a pre-training regular attack goal curve, wherein a correction deviation calculation formula for performing correction calculation on the first abnormal attack intent is specifically:
for correcting the calculation result->For user history attack goal->Attack target curve for user intent +.>Determining an attack target for other users to attack the target with similar intent,/->For pre-training the normal attack target curve, +.>For the +.>Weighting information of individual characters, ">Is constant.
5. The method according to claim 1, wherein step S4 is specifically:
Performing cluster analysis according to the cloud session attack intention feature set to generate a cloud session attack intention cluster feature set, wherein the cloud session attack intention cluster feature set comprises cloud session attack intention cluster features;
performing cluster analysis according to the cloud session process information to generate cloud session cluster process information;
and generating abnormal cloud session attack intention full features according to the cloud session attack intention clustering features of the cloud session attack intention clustering feature set and the corresponding cloud session process information.
6. The method according to claim 1, characterized in that before step S1 further comprises:
acquiring user data and user operation data;
generating user main body information according to the user data;
judging whether the user main body information is operation and maintenance user information or not;
when the user main body information is determined to be operation and maintenance user information, generating an operation and maintenance application control;
acquiring operation and maintenance application information through operation and maintenance application control information, wherein the operation and maintenance application information comprises operation and maintenance time, a target database, an operation object and operation contents;
processing the operation and maintenance application information according to the autonomous approval model or the obtained approval opinion, and generating operation and maintenance application feedback information;
generating large database opening authority information according to the operation and maintenance application feedback information, wherein the large database opening authority information comprises legal access authority, warning access authority and forbidden access authority;
Carrying out big data operation and maintenance operation according to the big database opening authority information and the user operation data;
the construction steps of the autonomous approval model are as follows:
acquiring operation and maintenance information, and performing security marking operation to generate the operation and maintenance marking information, wherein the security marking operation comprises security marking, warning marking and high-risk marking;
generating an operation and maintenance judgment tree model by using the operation and maintenance labeling information through a spanning tree algorithm, wherein the autonomous approval model is the operation and maintenance judgment tree model;
the approval opinion is obtained through the following steps:
generating a large database approval white list form control, wherein the large database approval white list form comprises an operation and maintenance time white list control, a target database white list control, an operation object white list control and an operation content white list control;
acquiring large database approval white list data according to the large database approval white list form control;
comparing and matching the operation and maintenance application information according to the approval white list data of the large database to generate a first approval opinion, wherein the first approval opinion comprises approval warning information, and the approval warning information comprises safety warning information, warning information and high-risk warning information;
Judging whether the approval warning information in the first approval opinion contains high-risk warning information or not;
when the approval warning information in the first approval opinion does not contain the high-risk warning information, generating a second approval opinion acquisition control;
acquiring a second approval opinion according to the second approval opinion acquisition control;
the matching comparison method specifically comprises the following steps:
generating a first contrast and a second contrast according to the big data approval white list data and the operation and maintenance application information;
generating a safety contrast according to the first contrast and the second contrast through a safety contrast calculation formula;
judging whether the safety contrast is within a first safety contrast threshold value range or not;
when the safety contrast is determined to be within the first safety contrast threshold value range, generating safety warning information;
when the safety contrast is not in the first safety contrast threshold range, judging whether the safety contrast is in the second safety contrast threshold range or not;
when the safety contrast is determined to be within the second threshold range, generating warning information;
when the safety contrast is not in the second threshold range, judging whether the safety contrast is in the third safety contrast threshold range or not;
Determining that the safety contrast is within a third safety contrast threshold range, and generating high-risk warning information;
and determining that the safety contrast is not in the third safety contrast threshold range, and judging whether the safety contrast is in the first safety contrast threshold range or not.
7. The method according to claim 1, wherein the security contrast calculation formula is specifically:
S is the safety contrast, x is the first contrast, y is the second contrast, alpha is the weight information of the first contrast, beta is the weight information of the second contrast, delta is the constant adjustment term, and theta is the calculation correction term.
8. A big data attack handling system for cloud services, the system comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the big data attack processing method applied to cloud services according to any of claims 1 to 7.
CN202211354644.1A 2022-11-01 2022-11-01 Big data attack processing method and system applied to cloud service Active CN115941265B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211354644.1A CN115941265B (en) 2022-11-01 2022-11-01 Big data attack processing method and system applied to cloud service

Publications (2)

Publication Number Publication Date
CN115941265A CN115941265A (en) 2023-04-07
CN115941265B CN115941265B (en) 2023-10-03

Family

ID=86651704

Country Status (1)

Country Link
CN (1) CN115941265B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant