CN116488948A - Machine behavior abnormality detection method, device, equipment and medium - Google Patents


Info

Publication number: CN116488948A
Authority: CN (China)
Prior art keywords: access; operation data; access operation; behavior; target
Legal status (as listed by Google Patents, an assumption rather than a legal conclusion): Granted; currently active
Application number: CN202310744948.7A
Other languages: Chinese (zh)
Other versions: CN116488948B (en)
Inventors: 宋小龙, 马振
Current assignee (as listed by Google Patents): Information and Data Security Solutions Co Ltd
Original assignee: Information and Data Security Solutions Co Ltd
Events: application filed by Information and Data Security Solutions Co Ltd; priority to CN202310744948.7A; publication of CN116488948A; application granted; publication of CN116488948B; legal status active; anticipated expiration not listed

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/10 ... for controlling access to devices or network resources > H04L 63/108 ... when the policy decisions are valid for a limited amount of time
            • H04L 63/14 ... for detecting or protecting against malicious traffic > H04L 63/1408 ... by monitoring network traffic > H04L 63/1425 Traffic logging, e.g. anomaly detection
            • H04L 63/14 ... for detecting or protecting against malicious traffic > H04L 63/1441 Countermeasures against malicious traffic > H04L 63/145 ... the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
        • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols > H04L 9/40 Network security protocols
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS > Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE > Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE > Y02D 10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The application relates to the technical field of network security, and provides a method, a device, equipment and a medium for detecting abnormal machine behaviors, wherein the method comprises the following steps: acquiring access operation data in a preset time period; detecting the access operation data according to a preset multi-dimensional identification mode to determine whether target access operation data of which the access operation behavior belongs to suspected machine access behavior operation exists in the access operation data; when determining that the access operation data has target access operation data of which the access operation behavior belongs to suspected machine access behavior operation, acquiring target access operation data; re-detecting the target access operation data to determine again whether the access operation behavior in the target access operation data belongs to the machine access behavior operation. By the technical scheme, whether the access operation behavior belongs to the suspected machine access behavior operation or not is accurately identified, so that the detection efficiency and accuracy are greatly improved.

Description

Machine behavior abnormality detection method, device, equipment and medium
Technical Field
The present disclosure relates to the field of network security technologies, and in particular, to a method, an apparatus, a device, and a medium for detecting abnormal machine behavior.
Background
From the user and account-security perspective, aggressive machine-driven authentication attempts such as credential stuffing (rendered "library collision" in the original) and brute-force cracking can introduce significant risk, and even significant loss, to user account assets. From the data-leakage perspective, data exposed on the public network and data assets circulating on it face a serious challenge when they are harvested by hard-to-notice machine behaviour such as low-speed, low-frequency collection. From the operational perspective, long-period, repeated, small-volume automated collection of data by internal personnel is also a risk point that needs attention. Deploying security equipment at each node reduces the reach of high-frequency machine behaviour to a certain extent, but as the technology and reasoning of attackers or operators improve, various combinations of methods may be used to try to evade detection by the security devices.
The machine behaviour detection methods commonly used in the prior art are the following:
1) Authentication defined at initial access. The common approach adds a verification step to the login page: outputting a verification code, clicking characters in a picture, moving a slider, two-factor authentication, and so on. These approaches can still be defeated by corresponding technical means, and they cannot detect machine-behaviour operations performed after a successful login.
2) Identification defined by rule thresholds. Here an anomaly is raised when the number of operations within a short time exceeds a preset upper threshold. This has some effect on high-frequency machine-behaviour access, but the dimension is single and too many cases are missed.
3) Machine-learning models over extracted features. Supervised detection needs a large amount of training data, the labelling workload based on expert experience is huge, and the interpretability of the anomalies a model reports is questionable. Unsupervised detection requires careful feature selection, a large amount of data and computing power, places high demands on the deployment environment, and has the same interpretability problem. Combining the two, using an unsupervised model first to find anomalies and then a supervised model to raise accuracy, also runs into the large log volume, the coarse granularity of the logs and insufficient computing power; for example, many sites and devices cannot provide fine-grained logs such as mouse operation and keyboard use.
Disclosure of Invention
The embodiment of the application provides a method, a device, equipment and a medium for detecting abnormal machine behaviour, which aim to solve the technical problems of poor practical deployability, low detection efficiency, poor interpretability of detection results and the like in the related technology.
In a first aspect, an embodiment of the present application provides a method for detecting a machine behavior abnormality, including:
acquiring access operation data in a preset time period;
detecting the access operation data according to a preset multi-dimensional identification mode to determine whether target access operation data of which the access operation behavior belongs to suspected machine access behavior operation exists in the access operation data;
when determining that the access operation data has target access operation data of which the access operation behavior belongs to suspected machine access behavior operation, acquiring the target access operation data;
re-detecting the target access operation data to determine whether the access operation behavior in the target access operation data belongs to machine access behavior operation or not again.
In one embodiment, optionally, the preset multi-dimensional recognition mode includes at least one of the following:
an operation access time array interval misalignment calculation identification mode;
a moving-step sliding window identification mode;
a time period interval average division identification mode;
an operation time and operation parameter ASCII value identification mode.
In one embodiment, optionally, the operation access time array interval misalignment calculation identification method includes:
grouping the access operation data according to the target client, and aggregating the grouped access operation data according to the operation time to obtain aggregated access operation data;
performing time interval difference calculation on the aggregated access operation data corresponding to each target client in an array mode to generate a time interval difference array;
determining the fluctuation condition of the interval time difference according to the time interval difference array;
searching and acquiring the longest constant-frequency operation access sequence with the constant-frequency time interval and the continuous length exceeding a first preset length in a time interval difference array corresponding to each target client according to the fluctuation condition of the interval time difference;
and determining the access operation data corresponding to the longest equal-frequency operation access sequence as target access operation data belonging to suspected machine access behavior operation.
In one embodiment, optionally, the identifying process of the moving step sliding window identifying mode includes:
sorting the access operation data according to the operation time of the target client to obtain sorted operation access data;
calculating the operation time difference between any two operation access sequences adjacent in time to obtain an operation time difference sequence;
calculating a variation coefficient of each operation time difference according to the operation time difference and a sliding window with a preset size;
searching and acquiring a longest operation access sequence with a variation coefficient smaller than a first preset coefficient and a continuous length exceeding a second preset length in an operation time difference sequence corresponding to each target client according to the variation coefficient of each operation time difference;
and determining the access operation data corresponding to the longest operation access sequence as target access operation data belonging to suspected machine access behavior operation.
In one embodiment, optionally, the identifying process of the time period interval average division identifying mode includes:
sorting the access operation data according to the operation time of the target client to obtain sorted operation access data;
according to a preset time interval dividing mode, data grouping is carried out on the operation access data after sequencing, and a plurality of time interval groups are obtained;
determining the total number of first target time interval groups containing access operation behaviors in all time interval groups and the number of access operation behaviors contained in each time interval group;
calculating the operation number variation coefficient of each time interval group according to the total number and the times;
searching and acquiring a time interval group sequence of which the total number exceeds a preset number and the variation coefficient of the operation number is smaller than a second preset coefficient in an operation access data group corresponding to each target client;
and determining the access operation data corresponding to the time interval group sequence as target access operation data belonging to suspected machine access behavior operation.
In one embodiment, optionally, the identifying process of the operation time and operation parameter ASCII value identifying mode includes:
calculating, from the access operation data, an ASCII code value for each parameter character string;
grouping and aggregating the ASCII code values of each parameter string by target client to obtain the overall ASCII code value corresponding to each target client;
calculating, from the overall ASCII code value of each target client, its variation coefficient, its maximum ASCII code value and the time interval in seconds;
and identifying and acquiring, according to the variation coefficient of the overall ASCII code value, the maximum ASCII code value and the time interval in seconds of each target client together with preset, tuned limit values, the target access operation data belonging to suspected machine access behaviour operation.
In one embodiment, optionally, the access operation data in the preset time period is obtained through a high-order SQL statement, and the access operation data is detected according to a preset multi-dimensional recognition mode.
In a second aspect, an embodiment of the present application provides a device for detecting abnormal behavior of a machine, including:
the first acquisition module is used for acquiring access operation data in a preset time period;
the detection module is used for detecting the access operation data according to a preset multi-dimensional identification mode so as to determine whether target access operation data of which the access operation behavior belongs to suspected machine access behavior operation exists in the access operation data;
the second acquisition module is used for acquiring target access operation data when determining that the access operation behavior belongs to target access operation data of suspected machine access behavior operation in the access operation data;
and the re-detection module is used for re-detecting the target access operation data so as to determine whether the access operation behavior in the target access operation data belongs to the machine access behavior operation or not again.
In one embodiment, optionally, the detection module includes at least one of the following units:
the first identification unit is used for detecting the access operation data through an operation access time array interval misalignment calculation identification mode;
the second identification unit is used for detecting the access operation data through a moving-step sliding window identification mode;
the third identification unit is used for detecting the access operation data through a time period interval average division identification mode;
and the fourth identification unit is used for detecting the access operation data through an operation time and operation parameter ASCII value identification mode.
In one embodiment, the first identifying unit is configured to:
grouping the access operation data according to the target client, and aggregating the grouped access operation data according to the operation time to obtain aggregated access operation data;
performing time interval difference calculation on the aggregated access operation data corresponding to each target client in an array mode to generate a time interval difference array;
determining the fluctuation condition of the interval time difference according to the time interval difference array;
searching and acquiring the longest constant-frequency operation access sequence with the constant-frequency time interval and the continuous length exceeding a first preset length in a time interval difference array corresponding to each target client according to the fluctuation condition of the interval time difference;
and determining the access operation data corresponding to the longest equal-frequency operation access sequence as target access operation data belonging to suspected machine access behavior operation.
In one embodiment, optionally, the second identifying unit is configured to:
sorting the access operation data according to the operation time of the target client to obtain sorted operation access data;
calculating the operation time difference between any two operation access sequences adjacent in time to obtain an operation time difference sequence;
calculating a variation coefficient of each operation time difference according to the operation time difference and a sliding window with a preset size;
searching and acquiring a longest operation access sequence with a variation coefficient smaller than a first preset coefficient and a continuous length exceeding a second preset length in an operation time difference sequence corresponding to each target client according to the variation coefficient of each operation time difference;
and determining the access operation data corresponding to the longest operation access sequence as target access operation data belonging to suspected machine access behavior operation.
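The moving-step sliding window mode described above (in both the method and the second identification unit) is easiest to understand as code. The following is an added example, not code from the patent or its assignee: it is written in Python rather than the big-data SQL the patent relies on, the sample access log is constructed, and the window size (5 intervals), the first preset coefficient (variation coefficient below 0.2) and the second preset length (more than 10 consecutive windows) are assumed values standing in for the patent's unspecified presets.

```python
import statistics
from collections import defaultdict

BASE = 1_700_000_000
# Constructed sample access log: (client, unix_time_seconds).
# One client fires a request every 5 s for 30 requests (scripted);
# the other has irregular, human-looking gaps.
SAMPLE_LOG = (
    [("10.0.0.5", BASE + 5 * i) for i in range(30)]
    + [("10.0.0.9", BASE + t) for t in (0, 7, 31, 45, 120, 121, 400, 530, 531, 900)]
)


def group_sorted_times(log):
    """Sort each target client's operation times (the patent's first step)."""
    by_client = defaultdict(list)
    for client, ts in log:
        by_client[client].append(ts)
    for times in by_client.values():
        times.sort()
    return by_client


def time_diffs(times):
    """Operation time difference between every two time-adjacent operations."""
    return [b - a for a, b in zip(times, times[1:])]


def window_cv(diffs, window):
    """Variation coefficient (population stdev / mean) of each sliding window of diffs."""
    cvs = []
    for i in range(len(diffs) - window + 1):
        w = diffs[i:i + window]
        mean = statistics.fmean(w)
        # identical zero gaps are perfectly regular, so treat them as CV 0
        cvs.append(statistics.pstdev(w) / mean if mean else 0.0)
    return cvs


def longest_low_cv_run(cvs, max_cv):
    """(start, length) of the longest run of consecutive windows with CV < max_cv."""
    best_start, best_len = 0, 0
    cur_start, cur_len = 0, 0
    for i, cv in enumerate(cvs):
        if cv < max_cv:
            if cur_len == 0:
                cur_start = i
            cur_len += 1
            if cur_len > best_len:
                best_start, best_len = cur_start, cur_len
        else:
            cur_len = 0
    return best_start, best_len


def detect_sliding_window(log, window=5, max_cv=0.2, min_run=10):
    """Return {client: [timestamps]} for clients whose longest low-CV run exceeds min_run.

    window, max_cv and min_run are assumed presets (the patent leaves them unspecified).
    """
    flagged = {}
    for client, times in group_sorted_times(log).items():
        cvs = window_cv(time_diffs(times), window)
        start, length = longest_low_cv_run(cvs, max_cv)
        if length > min_run:
            # windows start..start+length-1 cover diffs up to start+length+window-2,
            # and diff j spans events j and j+1, so the evidence ends at event
            # start+length+window-1
            flagged[client] = times[start:start + length + window]
    return flagged


if __name__ == "__main__":
    for client, evidence in detect_sliding_window(SAMPLE_LOG).items():
        print(f"{client}: {len(evidence)} operations at near-constant intervals")
```

The variation coefficient is scale-free, so a script polling every 5 s and one polling every 5 min both score near zero, while the human client's gaps (7 s, 24 s, 14 s, 75 s, ...) give every window a CV above 1 and produce no run. The result is a list of the exact timestamps that triggered the verdict, which is the "log evidence" the second stage of the patent re-examines.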
In one embodiment, optionally, the third identifying unit is configured to:
sorting the access operation data according to the operation time of the target client to obtain sorted operation access data;
according to a preset time interval dividing mode, data grouping is carried out on the operation access data after sequencing, and a plurality of time interval groups are obtained;
determining the total number of first target time interval groups containing access operation behaviors in all time interval groups and the number of access operation behaviors contained in each time interval group;
calculating the operation number variation coefficient of each time interval group according to the total number and the times;
searching and acquiring a time interval group sequence of which the total number exceeds a preset number and the variation coefficient of the operation number is smaller than a second preset coefficient in an operation access data group corresponding to each target client;
and determining the access operation data corresponding to the time interval group sequence as target access operation data belonging to suspected machine access behavior operation.
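The time period interval average division mode (method steps and third identification unit above) buckets a client's operations into fixed time interval groups and asks whether the per-group counts are suspiciously even. The following is an added example, not code from the patent or its assignee. It assumes 60-second groups, a preset number of more than 10 groups, a second preset coefficient of 0.25, and, as an interpretation of "time interval group sequence", that the groups examined are the longest run of consecutive non-empty groups; the sample log is constructed.

```python
import statistics
from collections import Counter, defaultdict

BASE = 1_700_000_040  # constructed; chosen as a multiple of 60 so groups align to the minute
# Constructed sample: a scraper makes 3 requests in every 60 s group for 20 minutes;
# a human user's activity is bursty and uneven.
SAMPLE_LOG = (
    [("svc-bot", BASE + m * 60 + s) for m in range(20) for s in (3, 21, 47)]
    + [("alice", BASE + t) for t in (5, 9, 12, 14, 70, 200, 205, 900, 910, 915, 920, 1150)]
)


def bucket_counts(times, bucket_seconds):
    """Assign each operation to a time interval group and count operations per group."""
    return Counter(ts // bucket_seconds for ts in times)


def longest_nonempty_run(counts):
    """Counts of the longest run of consecutive groups that each contain >= 1 operation."""
    if not counts:
        return []
    idx = sorted(counts)
    best, cur = [], [idx[0]]
    for a, b in zip(idx, idx[1:]):
        if b == a + 1:
            cur.append(b)
        else:
            if len(cur) > len(best):
                best = cur
            cur = [b]
    if len(cur) > len(best):
        best = cur
    return [counts[i] for i in best]


def coefficient_of_variation(values):
    """Population stdev divided by mean; 0 for an all-zero input."""
    mean = statistics.fmean(values)
    return statistics.pstdev(values) / mean if mean else 0.0


def detect_interval_division(log, bucket_seconds=60, min_groups=10, max_cv=0.25):
    """Return {client: {"groups": n, "cv": c}} for clients whose longest consecutive run of
    non-empty groups exceeds min_groups and whose per-group operation counts vary little.

    bucket_seconds, min_groups and max_cv are assumed presets.
    """
    by_client = defaultdict(list)
    for client, ts in log:
        by_client[client].append(ts)
    flagged = {}
    for client, times in by_client.items():
        times.sort()
        run = longest_nonempty_run(bucket_counts(times, bucket_seconds))
        if len(run) > min_groups:
            cv = coefficient_of_variation(run)
            if cv < max_cv:
                flagged[client] = {"groups": len(run), "cv": round(cv, 3)}
    return flagged


if __name__ == "__main__":
    print(detect_interval_division(SAMPLE_LOG))
```

This mode is complementary to the sliding-window mode: it does not care whether the individual gaps are regular, only that the volume per interval is. A crawler that randomises its inter-request delay but still keeps a fixed hourly quota will pass the sliding-window test yet fail this one.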
In one embodiment, optionally, the fourth identifying unit is configured to:
calculate, from the access operation data, an ASCII code value for each parameter character string;
group and aggregate the ASCII code values of each parameter string by target client to obtain the overall ASCII code value corresponding to each target client;
calculate, from the overall ASCII code value of each target client, its variation coefficient, its maximum ASCII code value and the time interval in seconds;
and identify and acquire, according to the variation coefficient of the overall ASCII code value, the maximum ASCII code value and the time interval in seconds of each target client together with preset, tuned limit values, the target access operation data belonging to suspected machine access behaviour operation.
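The operation parameter ASCII value mode (method steps and fourth identification unit above) looks at what a client sends rather than when: a script replaying a template request produces parameter strings whose code values barely vary. The following is an added example, not code from the patent or its assignee. The patent does not define how a string is reduced to one "ASCII code value" or what the limit values are, so this code assumes the sum of the string's code points, a variation-coefficient limit of 0.05, at least 20 operations, and a span of at most 600 seconds between first and last operation as the "time interval seconds"; the sample log is constructed.

```python
import statistics
from collections import defaultdict

BASE = 1_700_000_000
# Constructed sample: (client, unix_time, request parameter string).
# One client walks a paginated API with a fixed template every 2 s;
# the other submits a handful of varied, hand-typed queries.
SAMPLE_LOG = (
    [("203.0.113.7", BASE + 2 * i, f"page={i}&size=100&sort=id") for i in range(40)]
    + [("198.51.100.3", BASE + t, p) for t, p in (
        (0, "q=invoice+2023"),
        (35, "q=vendor+list&tab=open"),
        (88, "id=8812"),
        (300, "q=quarterly+report&year=2022&format=pdf"),
        (560, "id=17"),
    )]
)


def ascii_code_value(param_string):
    """Collapse a parameter string to one number (assumed: sum of its code points)."""
    return sum(ord(ch) for ch in param_string)


def client_ascii_profile(records):
    """Per-client metrics the patent names: variation coefficient, maximum code value,
    time interval in seconds (assumed: first-to-last span), plus the operation count."""
    records = sorted(records)                       # (ts, param) pairs, by time
    values = [ascii_code_value(p) for _, p in records]
    mean = statistics.fmean(values)
    return {
        "count": len(values),
        "cv": statistics.pstdev(values) / mean if mean else 0.0,
        "max_code": max(values),
        "span_seconds": records[-1][0] - records[0][0],
    }


def detect_ascii_value(log, cv_limit=0.05, min_ops=20, span_limit=600):
    """Return {client: profile} for clients whose parameter strings are near-identical
    (cv below cv_limit) over at least min_ops operations within span_limit seconds.

    cv_limit, min_ops and span_limit are assumed limit values.
    """
    by_client = defaultdict(list)
    for client, ts, param in log:
        by_client[client].append((ts, param))
    flagged = {}
    for client, recs in by_client.items():
        prof = client_ascii_profile(recs)
        if (prof["count"] >= min_ops
                and prof["cv"] < cv_limit
                and prof["span_seconds"] <= span_limit):
            flagged[client] = prof
    return flagged


if __name__ == "__main__":
    for client, prof in detect_ascii_value(SAMPLE_LOG).items():
        print(client, {k: round(v, 4) if isinstance(v, float) else v for k, v in prof.items()})
```

Summing code points is a deliberately crude fingerprint: it cannot distinguish anagrams, and a long parameter string dominates the sum. That is acceptable for this mode because it is a pre-filter whose positives are re-detected in the second stage; what matters is that a human's queries (short ids, long free-text searches, different parameter names) scatter widely while a template's values cluster within a few percent of each other.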
In one embodiment, optionally, the access operation data in the preset time period is obtained through a high-order SQL statement, and the access operation data is detected according to a preset multi-dimensional recognition mode.
In a third aspect, a computer device is provided, comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the steps of the above-described machine behaviour anomaly detection method when the computer program is executed.
In a fourth aspect, a computer-readable storage medium is provided, in which a computer program is stored, which when executed by a processor, implements the steps of the machine behavior anomaly detection method described above.
In the scheme realized by the machine behavior abnormality detection method, the device, the equipment and the medium, access operation data in a preset time period are obtained; detecting the access operation data according to a preset multi-dimensional identification mode to determine whether target access operation data of which the access operation behavior belongs to suspected machine access behavior operation exists in the access operation data; when determining that the access operation data has target access operation data of which the access operation behavior belongs to suspected machine access behavior operation, acquiring the target access operation data; re-detecting the target access operation data to determine whether the access operation behavior in the target access operation data belongs to machine access behavior operation or not again. According to the method and the device for detecting the access operation data, the access operation data can be detected in a preset multidimensional recognition mode, so that whether the access operation behavior belongs to suspected machine access behavior operation or not can be accurately recognized, and therefore detection efficiency and accuracy are greatly improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of an application environment of a method for detecting machine behavior anomalies according to an embodiment of the invention.
FIG. 2 illustrates a schematic flow diagram of a machine behavior anomaly detection method according to one embodiment of the present application.
Fig. 3 shows a schematic flow chart of a machine behaviour anomaly detection method according to another embodiment of the present application.
Fig. 4 shows a schematic flow chart of a machine behaviour anomaly detection method according to a further embodiment of the present application.
Fig. 5 shows a schematic flow chart of a machine behaviour anomaly detection method according to a further embodiment of the present application.
Fig. 6 shows a schematic flow chart of a machine behaviour anomaly detection method according to a further embodiment of the present application.
Fig. 7 shows a block diagram of a machine behavior anomaly detection device according to one embodiment of the present application.
FIG. 8 illustrates a schematic diagram of a structure of a computer device according to one embodiment of the present application.
Fig. 9 shows another structural schematic diagram of a computer device according to an embodiment of the present application.
Detailed Description
For a better understanding of the technical solutions of the present application, embodiments of the present application are described in detail below with reference to the accompanying drawings.
It should be understood that the described embodiments are merely some, but not all, of the embodiments of the present application. All other embodiments, based on the embodiments herein, which would be apparent to one of ordinary skill in the art without making any inventive effort, are intended to be within the scope of the present application.
The terminology used in the embodiments of the application is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
Some embodiments of the present application are described in detail below with reference to the accompanying drawings. The following embodiments and features of the embodiments may be combined with each other without conflict.
The machine behavior anomaly detection method provided by the embodiment of the invention can be applied to an application environment as shown in fig. 1, wherein a client communicates with a server through a network. The method comprises the steps that a server obtains access operation data of each client in a preset time period; detecting the access operation data according to a preset multi-dimensional identification mode to determine whether target access operation data of which the access operation behavior belongs to suspected machine access behavior operation exists in the access operation data; when determining that the access operation data has target access operation data of which the access operation behavior belongs to suspected machine access behavior operation, acquiring the target access operation data; re-detecting the target access operation data to determine whether the access operation behavior in the target access operation data belongs to machine access behavior operation or not again.
The clients may be, but are not limited to, various personal computers, notebook computers, smart phones, tablet computers, and portable wearable devices. The server may be implemented by a stand-alone server or a server cluster formed by a plurality of servers. The present invention will be described in detail with reference to specific examples.
Referring to fig. 2, fig. 2 shows a schematic flow chart of a machine behavior anomaly detection method according to one embodiment of the present application. The machine behavior abnormality detection method is used to solve the technical problems of poor practical deployability, low detection efficiency, poor interpretability of detection results and the like in the related technology.
As shown in fig. 2, a machine behavior anomaly detection method according to an embodiment of the present application may be used for a server, where the process includes:
step S201, access operation data of each client in a preset time period are obtained;
In the data acquisition stage, the behaviour of each analysis object entity (user or IP) within a preset time period, namely its access operation behaviour, is collected. Specifically, multiple data source formats are supported: log data of operation, access, authentication login, audit and data leakage classes are parsed, converted and collected to obtain the behaviour of each analysis object entity. Operation compliance audit logs can come from the login or operation logs of business systems such as SSO, 4A, bastion host, CRM and reporting systems; sensitive data leakage logs can come from the operation logs of DLP and database audit equipment; access-class logs can come from the logs of WAF, load balancer, middleware, Nginx and similar devices. Once the data has been collected into the data warehouse, the corresponding big-data native SQL statements are used directly for query and aggregation.
Step S202, detecting the access operation data according to a preset multi-dimensional identification mode to determine whether target access operation data of which the access operation behavior belongs to suspected machine access behavior operation exists in the access operation data;
in one embodiment, optionally, the preset multi-dimensional recognition mode includes at least one of the following:
an operation access time array interval misalignment calculation identification mode;
a moving-step sliding window identification mode;
a time period interval average division identification mode;
an operation time and operation parameter ASCII value identification mode.
Specifically, when the suspected machine access behavior operation is identified, any of the above identification methods may be used, and of course, the access operation data may be identified simultaneously in multiple identification methods, and when the access operation data is identified simultaneously in multiple identification methods, an intersection of identification results determined by multiple identification methods may be taken as a final identification result.
In one embodiment, optionally, the access operation data in the preset time period is obtained through a high-order SQL statement, and the access operation data is detected according to a preset multi-dimensional recognition mode.
Step S203, when it is determined that the access operation data has target access operation data of which the access operation behavior belongs to suspected machine access behavior operation, acquiring the target access operation data;
step S204, re-detecting the target access operation data to determine whether the access operation behavior in the target access operation data belongs to the machine access behavior operation again.
In the embodiment, the access operation data can be detected by relying on the original high-order SQL query statement of the large database in a preset multidimensional recognition mode so as to accurately recognize whether the access operation behavior belongs to the suspected machine access operation, thereby greatly improving the detection efficiency and accuracy.
As shown in fig. 3, in an embodiment, optionally, the identifying process of the operation access time array interval misalignment computing identifying mode includes:
step S301, grouping the access operation data according to the target client, and aggregating the grouped access operation data according to the operation time to obtain aggregated access operation data;
step S302, performing time interval difference calculation on the aggregated access operation data corresponding to each target client in an array mode to generate a time interval difference array;
The SQL query statement aggregates by the analysis object, namely the target client; specifically, an array aggregation function can be used to convert the operation time sequence into a 10-digit timestamp array<int>, and an array difference function is then used to generate the time interval difference array.
Step S303, determining the fluctuation condition of the interval time difference according to the time interval difference array;
the arraymap function can be used to calculate, for each target client, whether each pair of adjacent interval time differences lies within a range bounded by a left preset multiple and a right preset multiple, generating a 0-1 array;
step S304, searching and acquiring the longest equal-frequency operation access sequence with equal frequency time intervals and continuous length exceeding a first preset length in a time interval difference array corresponding to each target client according to the fluctuation condition of the interval time difference;
according to the 0-1 array of the previous step, an array segmentation function is used to split the time interval difference array into an array-of-arrays format, the length of each run of equal-frequency or approximately equal-frequency intervals in the array is calculated, the longest equal-frequency operation access sequence whose continuous length exceeds the threshold is obtained by index positioning and screening, and an array slicing function is used to map this longest sequence back to the original log evidence list segmented in step S303, thereby determining the original log evidence and the number of operations.
Step S305, determining the access operation data corresponding to the longest equal-frequency operation access sequence as target access operation data belonging to the suspected machine access behavior operation.
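The following is an added example, not code from the patent or its applicant, that re-implements steps S301 to S305 in plain Python in place of the array-aggregation SQL the text describes. The log records, the client identifiers, the left/right multiples (0.8 and 1.25) and the first preset length (5 operations) are all constructed assumptions; the patent leaves these values "preset".

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from itertools import groupby

# Constructed sample access log (not real data): (client, operation time, operation).
# Client 10.0.0.5 issues six requests exactly 30 s apart, then one much later;
# client 10.0.0.9 shows irregular, human-looking timing.
_BASE = datetime(2023, 6, 1, 9, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOGS = [
    ("10.0.0.5", _BASE + timedelta(seconds=s), "GET /api/items?page=%d" % (i + 1))
    for i, s in enumerate([0, 30, 60, 90, 120, 150, 400])
] + [
    ("10.0.0.9", _BASE + timedelta(seconds=s), "GET /home")
    for s in [0, 7, 40, 41, 130, 131]
]

# Assumed thresholds (the patent leaves them as "preset"): an interval counts as
# equal-frequency when it lies within [0.8x, 1.25x] of the preceding interval,
# and a sequence must span at least 5 operations to be reported.
LEFT_MULTIPLE = 0.8
RIGHT_MULTIPLE = 1.25
FIRST_PRESET_LENGTH = 5


def group_and_aggregate(logs):
    """S301: group by target client, order each group by operation time and
    carry the 10-digit epoch timestamp alongside the original record."""
    groups = defaultdict(list)
    for client, when, op in logs:
        groups[client].append((int(when.timestamp()), when, op))
    for ops in groups.values():
        ops.sort(key=lambda r: r[0])
    return groups


def interval_diffs(timestamps):
    """S302: the time interval difference array (what an SQL array-difference
    function returns for the aggregated timestamp array)."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def fluctuation_flags(diffs):
    """S303: 0-1 array over adjacent interval pairs; 1 where the later
    interval stays within the preset multiples of the earlier one."""
    flags = []
    for prev, cur in zip(diffs, diffs[1:]):
        steady = prev > 0 and LEFT_MULTIPLE * prev <= cur <= RIGHT_MULTIPLE * prev
        flags.append(1 if steady else 0)
    return flags


def longest_run(flags):
    """(start, length) of the longest run of 1s in a 0-1 array; (0, 0) if none."""
    best, pos = (0, 0), 0
    for key, grp in groupby(flags):
        n = len(list(grp))
        if key == 1 and n > best[1]:
            best = (pos, n)
        pos += n
    return best


def detect_equal_frequency(logs):
    """S304-S305: per client, find the longest equal-frequency run and slice
    back to the original log evidence. Returns {client: [(time, op), ...]}."""
    suspects = {}
    for client, ops in group_and_aggregate(logs).items():
        flags = fluctuation_flags(interval_diffs([r[0] for r in ops]))
        start, run = longest_run(flags)
        # a run of `run` flags certifies run+1 intervals, i.e. run+2 operations
        n_ops = run + 2 if run else 0
        if n_ops >= FIRST_PRESET_LENGTH:
            evidence = ops[start:start + n_ops]
            suspects[client] = [(when.isoformat(), op) for _, when, op in evidence]
    return suspects


if __name__ == "__main__":
    for client, evidence in detect_equal_frequency(SAMPLE_LOGS).items():
        print(client, "equal-frequency operations:", len(evidence))
        for when, op in evidence:
            print("  ", when, op)
```

The 0-1 array compares each interval with its predecessor rather than with a fixed expected period, so a bot that runs at 30 s and another at 5 min are both caught by the same rule, while the final slice returns the original records for an analyst to review rather than only a count.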
As shown in fig. 4, in an embodiment, optionally, the identifying process of the moving step sliding window identifying manner includes:
step S401, sorting the access operation data according to the operation time of the target client to obtain sorted operation access data;
the data within the time range are queried for each client, sorted by client and operation time, a next-operation-time field is added, and the 10-digit timestamp difference between the two is calculated;
step S402, calculating the operation time difference between any two operation access sequences adjacent in time to obtain an operation time difference sequence;
specifically, the collected and stored data are queried directly with the corresponding native big-data SQL statements; a new column is obtained by shifting the operation time down by one row (lag) within each analysis-object group in ascending time order, so that the previous and next operation times sit on the same row; the operation time field in datetime format is converted into the 10-digit timestamp format for convenient further calculation, and the difference between the two operation times is calculated.
Step S403, calculating a variation coefficient of each operation time difference according to the operation time difference and a sliding window with a preset size;
In this embodiment, the sliding window size, i.e. the length of the sliding window, may be set according to actual needs. For each operation time difference, a time difference set is formed from the n following time differences of the same client group (sliding downward by n), and the coefficient of variation of this set is calculated. The coefficient of variation is calculated as follows:
where the quantities in the formula are the standard deviation of the consecutive operation time differences, the mean of the consecutive operation time differences, the i-th operation time difference in the operation time difference sequence, and n, the length of the sliding window.
The coefficient of variation measures the ratio of the magnitude of the fluctuation of the data to its average; a smaller coefficient of variation represents a smaller fluctuation.
Step S404, searching and obtaining the longest operation access sequence with the variation coefficient smaller than the first preset coefficient and the continuous length exceeding the second preset length in the operation time difference sequence corresponding to each target client according to the variation coefficient of each operation time difference;
It is judged whether the coefficient of variation is smaller than the first preset coefficient; for example, positions in the array whose calculated coefficient of variation meets the condition may be set to 1 and the others to 0. The first preset coefficient y may be set as required: the smaller the coefficient of variation, the more stable the intervals, and a coefficient of variation of 0 means the intervals are exactly equal. In actual operation there may be some error due to the network or other causes; to tolerate such error, the first preset coefficient y may be set to 0.05, for example.
For each client group, the strings of consecutive time difference values p1, p2, …, pn that satisfy the condition that the coefficient of variation is smaller than the first preset coefficient are calculated, together with the maximum length among these strings. This step is executed iteratively until, for each client, the longest operation access sequence whose coefficient of variation is smaller than the first preset coefficient and whose continuous length exceeds the second preset length is obtained.
Likewise, the minimum number of consecutive operations, i.e. the continuous length, may be set; for example, if the coefficient of variation of the time intervals of 10 consecutive operations is smaller than the preset coefficient, the sequence may be regarded as continuous machine behavior.
Step S405, determining the access operation data corresponding to the longest operation access sequence as target access operation data belonging to the suspected machine access behavior operation.
In the above embodiment, the further detailed calculation steps are as follows: based on the longest operation access sequence obtained in the preceding steps, the original machine behavior operation records are located by backtracking one step through the index; these records include fields such as the operation time (datetime format), the account used by the analysis object, the IP address, and the operation content. The equal-frequency machine operation behavior can then be observed intuitively, and the operation time interval sequence can be extracted as the data source for a line chart of the fluctuation.
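The sliding-window check of steps S401 to S405, as an added example in Python that is not part of the patent. The coefficient of variation is computed as population standard deviation divided by mean, which is the ratio the text describes; y = 0.05 and the minimum of 10 consecutive operations are the values the text gives as examples, while the window length n = 4, the client names and the timestamps are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from itertools import groupby
from statistics import mean, pstdev

# Constructed sample (not real traffic): (client, operation time, operation).
# "bot-client" fires 12 requests roughly every 60 s (with 1 s jitter), then two
# stragglers; "person" browses at irregular intervals.
_BASE = datetime(2023, 6, 1, 9, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOGS = [
    ("bot-client", _BASE + timedelta(seconds=s), "POST /api/export")
    for s in [0, 60, 120, 181, 240, 300, 359, 420, 480, 540, 600, 660, 900, 1900]
] + [
    ("person", _BASE + timedelta(seconds=s), "GET /dashboard")
    for s in [0, 15, 100, 105, 400, 420, 1000]
]

FIRST_PRESET_COEFF = 0.05   # y from the text: tolerate about 5 % jitter
WINDOW = 4                  # n, the sliding window length (assumed)
SECOND_PRESET_LENGTH = 10   # minimum consecutive operations (the text's example)


def coefficient_of_variation(values):
    """Ratio of the (population) standard deviation to the mean."""
    m = mean(values)
    return pstdev(values) / m if m else float("inf")


def operation_time_diffs(times):
    """S401-S402: sort, convert to 10-digit timestamps and difference adjacent ones."""
    ts = sorted(int(t.timestamp()) for t in times)
    return [b - a for a, b in zip(ts, ts[1:])]


def window_cvs(diffs, n):
    """S403: CV of each operation time difference over the window of n
    differences starting at it; trailing positions without a full window get None."""
    return [coefficient_of_variation(diffs[i:i + n]) if i + n <= len(diffs) else None
            for i in range(len(diffs))]


def stability_flags(cvs, y):
    """1 where the CV is smaller than the first preset coefficient y, else 0."""
    return [1 if c is not None and c < y else 0 for c in cvs]


def longest_run(flags):
    """(start, length) of the longest run of 1s; (0, 0) if there is none."""
    best, pos = (0, 0), 0
    for key, grp in groupby(flags):
        n = len(list(grp))
        if key == 1 and n > best[1]:
            best = (pos, n)
        pos += n
    return best


def detect_sliding_window(logs):
    """S404-S405: per client, the longest stable operation access sequence
    and its original records. Returns {client: [(time, op), ...]}."""
    by_client = defaultdict(list)
    for client, when, op in logs:
        by_client[client].append((when, op))
    suspects = {}
    for client, ops in by_client.items():
        ops.sort(key=lambda r: r[0])
        diffs = operation_time_diffs([w for w, _ in ops])
        flags = stability_flags(window_cvs(diffs, WINDOW), FIRST_PRESET_COEFF)
        start, run = longest_run(flags)
        # `run` flagged windows certify run+WINDOW-1 intervals, i.e. run+WINDOW operations
        n_ops = run + WINDOW if run else 0
        if n_ops >= SECOND_PRESET_LENGTH:
            suspects[client] = [(w.isoformat(), op) for w, op in ops[start:start + n_ops]]
    return suspects


if __name__ == "__main__":
    for client, evidence in detect_sliding_window(SAMPLE_LOGS).items():
        print(client, "stable operations:", len(evidence), "from", evidence[0][0], "to", evidence[-1][0])
```

Because the window slides over the interval sequence, one delayed request only lowers the flags of the windows that contain it; the 1 s jitter in the sample stays well under y, while the 240 s and 1000 s gaps at the end drop out of the reported sequence.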
As shown in fig. 5, in an embodiment, optionally, the identifying process of the time period interval average division identifying manner includes:
step S501, sorting the access operation data according to the operation time of the target client to obtain sorted operation access data;
step S502, according to a preset time interval dividing mode, data grouping is carried out on the operation access data after sequencing, and a plurality of time interval groups are obtained;
the time interval dividing mode can be preset as required. For example, equal-distribution detection over one month may be grouped per day, over one day per hour, over one hour per 2-minute interval, and so on.
Step S503, determining the total number of the first target time interval groups including the access operation behaviors in all the time interval groups and the number of access operation behaviors included in each time interval group;
step S504, calculating the operation quantity variation coefficient of each time interval group according to the total quantity and the times;
specifically, the coefficient of variation of the operation number can be calculated using the following formula:
where the quantities in the formula are the standard deviation of the numbers of operations, the mean of the numbers of operations, the number of access operation behaviors in the i-th time interval group, and the total number of groups m.
Step S505, searching and obtaining a time interval group sequence with total number exceeding a preset number and operation number variation coefficient smaller than a second preset coefficient in the operation access data group corresponding to each target client;
step S506, the access operation data corresponding to the time interval group sequence is determined to be the target access operation data belonging to the suspected machine access behavior operation.
When the total number corresponding to the target client exceeds the preset number and the coefficient of variation of the operation number is smaller than the preset value, equal-distribution machine behavior operation is captured, and the data required for the operation time interval and the equal-distribution machine behavior operation time sequence diagram can then be obtained.
By means of the time period interval average division, equidistributed machine behaviors can be identified: a range of data is divided into time intervals of finer granularity, and behavior in which operation access occurs in every small time interval with little difference in the number of operations between intervals is identified as machine behavior.
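Steps S501 to S506 as an added Python example, not code from the patent. The 2-minute interval over one hour follows the text's own example; the preset number of groups (20), the second preset coefficient (0.2), the client names and the request times are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

_BASE = datetime(2023, 6, 1, 9, 0, 0, tzinfo=timezone.utc)  # one hour of constructed traffic


def _bot_offsets():
    # about 3 requests in every 2-minute slot across the hour, two slots off by one
    offsets = []
    for slot in range(30):
        per_slot = 2 if slot == 5 else 4 if slot == 17 else 3
        offsets += [slot * 120 + o for o in (10, 50, 100, 115)[:per_slot]]
    return offsets


def _person_offsets():
    # one request in each of 25 slots plus a burst of 14 more inside slot 3
    return [slot * 120 + 30 for slot in range(25)] + [3 * 120 + s for s in range(40, 110, 5)]


# Constructed sample (not real traffic): (client, operation time)
SAMPLE_LOGS = [("bot-client", _BASE + timedelta(seconds=s)) for s in _bot_offsets()] + \
              [("person", _BASE + timedelta(seconds=s)) for s in _person_offsets()]

INTERVAL_SECONDS = 120      # "one hour ... divided per 2 minute interval"
PRESET_NUMBER = 20          # minimum number of non-empty interval groups (assumed)
SECOND_PRESET_COEFF = 0.2   # CV limit on per-group operation counts (assumed)


def bucket_counts(times, interval_seconds):
    """S501-S503: sort operation times, divide them into fixed time interval
    groups and count the operations in each non-empty group."""
    ts = sorted(int(t.timestamp()) for t in times)
    return Counter(t // interval_seconds for t in ts)


def equal_distribution_score(counts):
    """S504: total number m of non-empty groups and the CV of their counts."""
    values = list(counts.values())
    if not values:
        return 0, float("inf")
    return len(values), pstdev(values) / mean(values)


def detect_equal_distribution(logs):
    """S505-S506: clients whose activity covers more than PRESET_NUMBER groups
    with nearly equal counts per group. Returns {client: (groups, cv)}."""
    by_client = defaultdict(list)
    for client, when in logs:
        by_client[client].append(when)
    suspects = {}
    for client, times in by_client.items():
        m, cv = equal_distribution_score(bucket_counts(times, INTERVAL_SECONDS))
        if m > PRESET_NUMBER and cv < SECOND_PRESET_COEFF:
            suspects[client] = (m, round(cv, 4))
    return suspects


if __name__ == "__main__":
    print(detect_equal_distribution(SAMPLE_LOGS))
```

The "person" client in the sample is active in 25 of the 30 slots, so a count-of-active-slots rule alone would flag it; it is the burst inside one slot, and the resulting high coefficient of variation, that separates it from the evenly spread bot.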
As shown in fig. 6, in an embodiment, optionally, the identifying process of the operation time and operation parameter ASCII value identifying manner includes:
step S601, calculating an ASCII code value of each parameter string according to the access operation data;
step S602, grouping and aggregating the ASCII code values of the parameter strings by target client to obtain the overall ASCII code value corresponding to each target client;
step S603, calculating, for each target client, the coefficient of variation of the overall ASCII code value, the maximum ASCII code value and the time interval in seconds according to the overall ASCII code value corresponding to that target client;
the coefficient of variation of the overall ASCII code value can be calculated by the following formula:
where the quantities in the formula are the standard deviation of the overall ASCII code value of the parameter strings, the mean of the overall ASCII code value of the parameter strings, the ASCII code value of the i-th parameter string, and the total number of parameter strings q.
Step S604, identifying and acquiring target access operation data belonging to suspected machine access behavior operation according to the coefficient of variation of the overall ASCII code value of each target client, the maximum ASCII code value, the time interval in seconds, and preset, optimized limiting values.
The application scenario of this embodiment is particularly effective for web access, where data collection, crawling and similar actions vary the parameter values under a given URL path. Detecting machine behavior through the parameter values therefore addresses the poor practical applicability and low detection efficiency of the prior art, as well as the poor interpretability of its detection results, and greatly improves detection efficiency and accuracy.
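Steps S601 to S604 as an added Python example, not code from the patent. The patent does not define how the ASCII code value of a parameter string is formed nor what the limiting values are, so this example assumes the sum of the character code points of the URL query string, and assumes the limits on the coefficient of variation (0.05), the maximum value (2000), the minimum request count (10) and the mean request interval (30 s); the request paths, client names and times are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev
from urllib.parse import urlsplit

_BASE = datetime(2023, 6, 1, 9, 0, 0, tzinfo=timezone.utc)

# Constructed sample (not real traffic): (client, operation time, request path with query).
# "crawler" walks consecutive ids two seconds apart; "person" sends varied queries.
SAMPLE_LOGS = [
    ("crawler", _BASE + timedelta(seconds=2 * i), "/api/items?id=%d" % (1001 + i))
    for i in range(15)
] + [
    ("person", _BASE + timedelta(seconds=s), path)
    for s, path in [
        (0, "/search?q=shoes"),
        (41, "/search?q=red+running+shoes&sort=price"),
        (95, "/api/items?id=42"),
        (130, "/catalog?page=2"),
        (300, "/search?q=jacket%20winter"),
        (420, "/cart?cart=add&sku=ABC-99"),
    ]
]

# Assumed limiting values (the text only says "preset and optimized")
CV_LIMIT = 0.05          # parameter strings barely vary in shape
MAX_ASCII_LIMIT = 2000   # ignore clients that send very long parameter strings
MIN_REQUESTS = 10        # too few requests give a meaningless CV
MAX_MEAN_INTERVAL = 30   # mean seconds between consecutive requests


def ascii_value(param_string):
    """S601, assumed definition: sum of the code points of the query string."""
    return sum(ord(c) for c in param_string)


def client_features(records):
    """S602-S603: per-client CV of the ASCII values, their maximum, and the
    mean interval in seconds between consecutive requests."""
    records = sorted(records, key=lambda r: r[0])
    values = [ascii_value(urlsplit(path).query) for _, path in records]
    ts = [int(when.timestamp()) for when, _ in records]
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    m = mean(values)
    return {
        "count": len(values),
        "cv": pstdev(values) / m if m else float("inf"),
        "max": max(values),
        "mean_interval": mean(gaps) if gaps else None,
    }


def detect_parameter_enumeration(logs):
    """S604: clients whose features fall inside all limiting values.
    Returns {client: features}."""
    by_client = defaultdict(list)
    for client, when, path in logs:
        by_client[client].append((when, path))
    suspects = {}
    for client, records in by_client.items():
        f = client_features(records)
        if (f["count"] >= MIN_REQUESTS
                and f["cv"] < CV_LIMIT
                and f["max"] <= MAX_ASCII_LIMIT
                and f["mean_interval"] is not None
                and f["mean_interval"] <= MAX_MEAN_INTERVAL):
            suspects[client] = f
    return suspects


if __name__ == "__main__":
    for client, f in detect_parameter_enumeration(SAMPLE_LOGS).items():
        print(client, {k: (round(v, 4) if isinstance(v, float) else v) for k, v in f.items()})
```

A code-point sum is a coarse fingerprint: consecutive ids of the same length differ by a few units, so enumeration shows up as a very low coefficient of variation, whereas free-text search terms of differing length and content spread the values widely. Reporting the features rather than a bare verdict keeps the result interpretable for whoever reviews the alert.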
It should be understood that the sequence numbers of the steps in the foregoing embodiments do not imply an order of execution; the execution order of each process should be determined by its function and internal logic, and should not limit the implementation of the embodiments of the present invention.
Fig. 7 shows a block diagram of a machine behavior anomaly detection device according to one embodiment of the present application.
As shown in fig. 7, in a second aspect, an embodiment of the present application provides a machine behavior anomaly detection apparatus 70, including:
a first obtaining module 71, configured to obtain access operation data within a preset period of time;
the detection module 72 is configured to detect the access operation data according to a preset multi-dimensional recognition manner, so as to determine whether there is target access operation data of which the access operation behavior belongs to a suspected machine access behavior operation in the access operation data;
A second obtaining module 73, configured to obtain target access operation data when it is determined that there is target access operation data in the access operation data that the access operation behavior belongs to a suspected machine access behavior operation;
the re-detection module 74 is configured to re-detect the target access operation data, so as to determine whether the access operation behavior in the target access operation data belongs to the machine access behavior operation again.
In one embodiment, optionally, the detection module includes at least one of the following units:
the first identification unit is used for detecting the access operation data through an operation access time array interval dislocation calculation identification mode;
the second identification unit is used for detecting the access operation data in a moving step sliding window identification mode;
the third identification unit is used for detecting the access operation data in a time period interval average division identification mode;
and the fourth identification unit is used for detecting the access operation data through an operation time and operation parameter ASCII value identification mode.
In one embodiment, the first identifying unit is configured to:
grouping the access operation data according to the target client, and aggregating the grouped access operation data according to the operation time to obtain aggregated access operation data;
Performing time interval difference calculation on the aggregated access operation data corresponding to each target client in an array mode to generate a time interval difference array;
determining the fluctuation condition of the interval time difference according to the time interval difference array;
searching and acquiring the longest constant-frequency operation access sequence with the constant-frequency time interval and the continuous length exceeding a first preset length in a time interval difference array corresponding to each target client according to the fluctuation condition of the interval time difference;
and determining the access operation data corresponding to the longest equal-frequency operation access sequence as target access operation data belonging to suspected machine access behavior operation.
In one embodiment, optionally, the second identifying unit is configured to:
sorting the access operation data according to the operation time of the target client to obtain sorted operation access data;
calculating the operation time difference between any two operation access sequences adjacent in time to obtain an operation time difference sequence;
calculating a variation coefficient of each operation time difference according to the operation time difference and a sliding window with a preset size;
searching and acquiring a longest operation access sequence with a variation coefficient smaller than a first preset coefficient and a continuous length exceeding a second preset length in an operation time difference sequence corresponding to each target client according to the variation coefficient of each operation time difference;
And determining the access operation data corresponding to the longest operation access sequence as target access operation data belonging to suspected machine access behavior operation.
In one embodiment, optionally, the third identifying unit is configured to:
sorting the access operation data according to the operation time of the target client to obtain sorted operation access data;
according to a preset time interval dividing mode, data grouping is carried out on the operation access data after sequencing, and a plurality of time interval groups are obtained;
determining the total number of first target time interval groups containing access operation behaviors in all time interval groups and the number of access operation behaviors contained in each time interval group;
calculating the operation number variation coefficient of each time interval group according to the total number and the times;
searching and acquiring a time interval group sequence of which the total number exceeds a preset number and the variation coefficient of the operation number is smaller than a second preset coefficient in an operation access data group corresponding to each target client;
and determining the access operation data corresponding to the time interval group sequence as target access operation data belonging to suspected machine access behavior operation.
In one embodiment, optionally, the fourth identifying unit is configured to:
according to the access operation data, calculating an ASCII code value of each parameter string;
grouping and aggregating the ASCII code values of the parameter strings by target client to obtain the overall ASCII code value corresponding to each target client;
calculating, for each target client, the coefficient of variation of the overall ASCII code value, the maximum ASCII code value and the time interval in seconds according to the overall ASCII code value corresponding to that target client;
and identifying and acquiring target access operation data belonging to suspected machine access behavior operation according to the coefficient of variation of the overall ASCII code value of each target client, the maximum ASCII code value, the time interval in seconds, and preset, optimized limiting values.
In one embodiment, optionally, the access operation data in the preset time period is obtained through a high-order SQL statement, and the access operation data is detected according to a preset multi-dimensional recognition mode.
The specific limitation regarding the machine behavior abnormality detection device may be referred to the limitation regarding the machine behavior abnormality detection method hereinabove, and will not be described herein. The above-described respective modules in the machine behavior abnormality detection device may be implemented in whole or in part by software, hardware, or a combination thereof. The above modules may be embedded in hardware or may be independent of a processor in the computer device, or may be stored in software in a memory in the computer device, so that the processor may call and execute operations corresponding to the above modules.
In one embodiment, a computer device is provided, which may be a server, and the internal structure of which may be as shown in fig. 8. The computer device includes a processor, a memory, a network interface, and a database connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes non-volatile and/or volatile storage media and internal memory. The non-volatile storage medium stores an operating system, computer programs, and a database. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The network interface of the computer device is for communicating with an external client via a network connection. The computer program, when executed by a processor, performs a function or step on the server side of a machine behavior anomaly detection method.
In one embodiment, a computer device is provided, which may be a client, the internal structure of which may be as shown in fig. 9. The computer device includes a processor, a memory, a network interface, a display screen, and an input device connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The network interface of the computer device is for communicating with an external server via a network connection. The computer program, when executed by a processor, performs a function or step of a machine behavior anomaly detection method client side.
It should be appreciated that the processor may be a central processing unit (Central Processing Unit, CPU), but may also be other general purpose processors, digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (Application Specific Integrated Circuit, ASIC), field-programmable gate arrays (Field-Programmable Gate Array, FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, or the like. Wherein the general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
The computer device of embodiments of the present application exists in a variety of forms including, but not limited to:
(1) Mobile communication devices, which are characterized by mobile communication functionality and are aimed at providing voice and data communication. Such terminals include smart phones (e.g., iPhone), multimedia phones, feature phones, and low-end phones, among others.
(2) Ultra mobile personal computer equipment, which belongs to the category of personal computers, has the functions of calculation and processing and generally has the characteristic of mobile internet surfing. Such terminals include PDA, MID and UMPC devices, etc., such as iPad.
(3) Portable entertainment devices such devices can display and play multimedia content. Such devices include audio, video players (e.g., iPod), palm game consoles, electronic books, and smart toys and portable car navigation devices.
(4) Servers, whose architecture is similar to that of a general-purpose computer but which provide highly reliable services and therefore have high requirements on processing capacity, stability, reliability, security, scalability, manageability and the like.
(5) Other electronic devices with data interaction function.
In one embodiment, a computer device is provided comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor implementing the steps of when executing the computer program:
acquiring access operation data in a preset time period;
detecting the access operation data according to a preset multi-dimensional identification mode to determine whether target access operation data of which the access operation behavior belongs to suspected machine access behavior operation exists in the access operation data;
When determining that the access operation data has target access operation data of which the access operation behavior belongs to suspected machine access behavior operation, acquiring the target access operation data;
re-detecting the target access operation data to determine whether the access operation behavior in the target access operation data belongs to machine access behavior operation or not again.
In one embodiment, optionally, the preset multi-dimensional recognition mode includes at least one of the following:
operating an access time array interval dislocation computing and identifying mode;
a step-by-step sliding window identification mode is moved;
the time interval average division identification mode;
operation time and operation parameter ASCII value identification mode.
In one embodiment, optionally, the operation access time array interval misalignment calculation identification method includes:
grouping the access operation data according to the target client, and aggregating the grouped access operation data according to the operation time to obtain aggregated access operation data;
performing time interval difference calculation on the aggregated access operation data corresponding to each target client in an array mode to generate a time interval difference array;
Determining the fluctuation condition of the interval time difference according to the time interval difference array;
searching and acquiring the longest constant-frequency operation access sequence with the constant-frequency time interval and the continuous length exceeding a first preset length in a time interval difference array corresponding to each target client according to the fluctuation condition of the interval time difference;
and determining the access operation data corresponding to the longest equal-frequency operation access sequence as target access operation data belonging to suspected machine access behavior operation.
In one embodiment, optionally, the identifying process of the moving step sliding window identifying mode includes:
sorting the access operation data according to the operation time of the target client to obtain sorted operation access data;
calculating the operation time difference between any two operation access sequences adjacent in time to obtain an operation time difference sequence;
calculating a variation coefficient of each operation time difference according to the operation time difference and a sliding window with a preset size;
searching and acquiring a longest operation access sequence with a variation coefficient smaller than a first preset coefficient and a continuous length exceeding a second preset length in an operation time difference sequence corresponding to each target client according to the variation coefficient of each operation time difference;
And determining the access operation data corresponding to the longest operation access sequence as target access operation data belonging to suspected machine access behavior operation.
In one embodiment, optionally, the identifying process of the time period interval average division identifying mode includes:
sorting the access operation data according to the operation time of the target client to obtain sorted operation access data;
according to a preset time interval dividing mode, data grouping is carried out on the operation access data after sequencing, and a plurality of time interval groups are obtained;
determining the total number of first target time interval groups containing access operation behaviors in all time interval groups and the number of access operation behaviors contained in each time interval group;
calculating the operation number variation coefficient of each time interval group according to the total number and the times;
searching and acquiring a time interval group sequence of which the total number exceeds a preset number and the variation coefficient of the operation number is smaller than a second preset coefficient in an operation access data group corresponding to each target client;
and determining the access operation data corresponding to the time interval group sequence as target access operation data belonging to suspected machine access behavior operation.
In one embodiment, optionally, the identifying process of the operation time and operation parameter ASCII value identifying manner includes:
according to the access operation data, calculating an ASCII code value of each parameter string;
grouping and aggregating the ASCII code values of the parameter strings by target client to obtain the overall ASCII code value corresponding to each target client;
calculating, for each target client, the coefficient of variation of the overall ASCII code value, the maximum ASCII code value and the time interval in seconds according to the overall ASCII code value corresponding to that target client;
and identifying and acquiring target access operation data belonging to suspected machine access behavior operation according to the coefficient of variation of the overall ASCII code value of each target client, the maximum ASCII code value, the time interval in seconds, and preset, optimized limiting values.
In one embodiment, optionally, the access operation data in the preset time period is obtained through a high-order SQL statement, and the access operation data is detected according to a preset multi-dimensional recognition mode.
It should be noted that, the functions or steps that can be implemented by the computer readable storage medium or the electronic device may correspond to the relevant descriptions in the foregoing method embodiments, and are not described herein for avoiding repetition.
It should be understood that the term "and/or" as used herein is merely one relationship describing the association of the associated objects, meaning that there may be three relationships, e.g., a and/or B, may represent: a exists alone, A and B exist together, and B exists alone. In addition, the character "/" herein generally indicates that the front and rear associated objects are an "or" relationship.
It should be understood that although the terms first, second, etc. may be used in embodiments of the present application to describe the setting units, these setting units should not be limited by these terms. These terms are only used to distinguish the setting units from each other. For example, the first setting unit may also be referred to as a second setting unit, and similarly, the second setting unit may also be referred to as a first setting unit, without departing from the scope of the embodiments of the present application.
Depending on the context, the word "if" as used herein may be interpreted as "when …" or "upon …" or "in response to a determination" or "in response to detection". Similarly, the phrase "if determined" or "if detected (stated condition or event)" may be interpreted as "when determined" or "in response to determination" or "when detected (stated condition or event)" or "in response to detection (stated condition or event)", depending on the context.
In the several embodiments provided in this application, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the elements is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple elements or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in hardware plus software functional units.
Those skilled in the art will appreciate that implementing all or part of the above described methods may be accomplished by way of a computer program stored on a non-transitory computer readable storage medium, which when executed, may comprise the steps of the embodiments of the methods described above. Any reference to memory, storage, database, or other medium used in the various embodiments provided herein may include non-volatile and/or volatile memory. The nonvolatile memory can include Read Only Memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), memory bus direct RAM (RDRAM), direct memory bus dynamic RAM (DRDRAM), and memory bus dynamic RAM (RDRAM), among others.
The above embodiments are only for illustrating the technical solution of the present invention, and not for limiting the same; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention, and are intended to be included in the scope of the present invention.

Claims (9)

1. A machine behavior anomaly detection method, characterized by comprising:
acquiring access operation data in a preset time period;
detecting the access operation data according to a preset multi-dimensional identification mode to determine whether target access operation data of which the access operation behavior belongs to suspected machine access behavior operation exists in the access operation data;
when determining that the access operation data has target access operation data of which the access operation behavior belongs to suspected machine access behavior operation, acquiring the target access operation data;
re-detecting the target access operation data to determine again whether the access operation behavior in the target access operation data belongs to machine access behavior operation;
the preset multi-dimensional identification mode comprises at least one of the following modes:
an operation access time array interval misalignment calculation identification mode;
a moving step-by-step sliding window identification mode;
a time period interval average division identification mode;
an operation time and operation parameter ASCII value identification mode.
2. The machine behavior anomaly detection method according to claim 1, wherein the identification process of the operation access time array interval misalignment calculation identification mode comprises:
grouping the access operation data according to the target client, and aggregating the grouped access operation data according to the operation time to obtain aggregated access operation data;
performing time interval difference calculation on the aggregated access operation data corresponding to each target client in an array mode to generate a time interval difference array;
determining the fluctuation condition of the interval time difference according to the time interval difference array;
searching for and acquiring, in the time interval difference array corresponding to each target client and according to the fluctuation condition of the interval time difference, the longest constant-frequency operation access sequence whose time interval is constant and whose continuous length exceeds a first preset length;
and determining the access operation data corresponding to the longest constant-frequency operation access sequence as target access operation data belonging to suspected machine access behavior operation.
3. The machine behavior anomaly detection method according to claim 1, wherein the identification process of the moving step-by-step sliding window identification mode comprises:
sorting the access operation data according to the operation time of the target client to obtain sorted operation access data;
calculating the operation time difference between any two operation access sequences adjacent in time to obtain an operation time difference sequence;
calculating a variation coefficient of each operation time difference according to the operation time difference and a sliding window with a preset size;
searching for and acquiring, in the operation time difference sequence corresponding to each target client and according to the variation coefficient of each operation time difference, the longest operation access sequence whose variation coefficient is smaller than a first preset coefficient and whose continuous length exceeds a second preset length;
and determining the access operation data corresponding to the longest operation access sequence as target access operation data belonging to suspected machine access behavior operation.
4. The machine behavior anomaly detection method according to claim 1, wherein the identification process of the time period interval average division identification mode comprises:
sorting the access operation data according to the operation time of the target client to obtain sorted operation access data;
grouping the sorted operation access data according to a preset time interval dividing mode to obtain a plurality of time interval groups;
determining the total number of first target time interval groups that contain access operation behaviors among all the time interval groups, and the number of access operation behaviors contained in each time interval group;
calculating the operation number variation coefficient of each time interval group according to the total number and the number of access operation behaviors;
searching for and acquiring, in the operation access data group corresponding to each target client, a time interval group sequence whose total number exceeds a preset number and whose operation number variation coefficient is smaller than a second preset coefficient;
and determining the access operation data corresponding to the time interval group sequence as target access operation data belonging to suspected machine access behavior operation.
5. The machine behavior anomaly detection method according to claim 1, wherein the identification process of the operation time and operation parameter ASCII value identification mode comprises:
calculating, from the access operation data, the ASCII code value of each parameter character string;
grouping and aggregating the ASCII code values of the parameter character strings according to the target clients to obtain the overall ASCII code value corresponding to each target client;
calculating, from the overall ASCII code value corresponding to each target client, the variation coefficient of the overall ASCII code value, the maximum ASCII code value and the time interval in seconds for that target client;
and identifying and acquiring target access operation data belonging to suspected machine access behavior operation according to the variation coefficient of the overall ASCII code value, the maximum ASCII code value and the time interval in seconds of each target client together with preset, tuned limit values.
6. The machine behavior anomaly detection method according to claim 1, wherein the access operation data in the preset time period is acquired through a high-order SQL statement, and the access operation data is then detected according to the preset multi-dimensional identification mode.
7. A machine behavior abnormality detection device, characterized by comprising:
the first acquisition module is used for acquiring access operation data in a preset time period;
the detection module is used for detecting the access operation data according to a preset multi-dimensional identification mode so as to determine whether target access operation data of which the access operation behavior belongs to suspected machine access behavior operation exists in the access operation data;
the second acquisition module is used for acquiring the target access operation data when it is determined that target access operation data whose access operation behavior belongs to suspected machine access behavior operation exists in the access operation data;
the re-detection module is used for re-detecting the target access operation data so as to determine again whether the access operation behavior in the target access operation data belongs to machine access behavior operation;
the preset multi-dimensional identification mode comprises at least one of the following modes:
an operation access time array interval misalignment calculation identification mode;
a moving step-by-step sliding window identification mode;
a time period interval average division identification mode;
an operation time and operation parameter ASCII value identification mode.
8. A computer device, comprising: at least one processor; and a memory communicatively coupled to the at least one processor;
wherein the memory stores instructions executable by the at least one processor, the instructions being arranged to perform the method of any of the preceding claims 1 to 6.
9. A computer readable storage medium storing computer executable instructions for performing the method of any one of claims 1 to 6.
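The per-client screens of claims 3, 4 and 5, rendered as an added Python example that is not the patent's code (the claim 2 difference-array mode is the same idea as claim 3 and is not implemented separately). The window and bucket sizes, the coefficient-of-variation thresholds, the claim 5 decision rule and the sample access log are all assumptions.

```python
from itertools import groupby
from statistics import mean, pstdev

# Constructed sample (not from the patent): a scripted client that fires every
# 3 s with one fixed query string, and an interactive client with irregular gaps.
BOT_TIMES = [t * 3.0 for t in range(20)]
BOT_PARAMS = ["page=1&sort=price"] * 20
HUMAN_TIMES = [0, 4, 11, 13, 30, 42, 45, 70, 88, 95, 110, 131, 140, 170, 177, 200]
HUMAN_PARAMS = ["q=shoes", "q=shoes&page=2", "id=8812", "q=boots", "cart=add&id=8812",
                "checkout=1", "q=socks", "q=hat", "id=17", "q=belt", "id=4421",
                "page=3", "q=jacket", "cart=view", "id=77", "q=scarf"]

def cv(xs):
    """Coefficient of variation (population std / mean); inf when undefined."""
    if len(xs) < 2 or mean(xs) == 0:
        return float("inf")
    return pstdev(xs) / mean(xs)

def longest_true_run(flags):
    """Length of the longest consecutive run of True values."""
    return max((len(list(g)) for k, g in groupby(flags) if k), default=0)

def sliding_window_screen(times, window=5, max_cv=0.1, min_run=10):
    """Claim 3: CV of inter-arrival gaps over a sliding window; a long run of
    low-CV windows means the client fires at a near-constant rate."""
    ts = sorted(times)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    cvs = [cv(gaps[i:i + window]) for i in range(len(gaps) - window + 1)]
    run = longest_true_run([c < max_cv for c in cvs])
    return run >= min_run, run

def interval_bucket_screen(times, bucket=12.0, min_buckets=5, max_cv=0.2):
    """Claim 4: count operations per fixed-width time bucket; many non-empty
    buckets with near-identical counts suggests a scheduled job."""
    counts = {}
    for t in times:
        counts[int(t // bucket)] = counts.get(int(t // bucket), 0) + 1
    per_bucket = list(counts.values())
    return len(per_bucket) >= min_buckets and cv(per_bucket) < max_cv, per_bucket

def ascii_screen(params, times, max_cv=0.05, max_span=120.0):
    """Claim 5: sum the ASCII codes of each request's parameter string. The
    rule used here (low CV of those sums inside a short span) is an assumed
    reading of the claim's 'preset limit values', not the patent's own."""
    sums = [sum(ord(ch) for ch in p) for p in params]
    span = max(times) - min(times)
    return cv(sums) < max_cv and span <= max_span, max(sums), span

def screen_client(times, params):
    """Claim 1 first stage: flag the client as suspected machine access if any
    of the modes fires; the second-stage re-detection is out of scope here."""
    hits = {"sliding_window": sliding_window_screen(times)[0],
            "interval_bucket": interval_bucket_screen(times)[0],
            "ascii": ascii_screen(params, times)[0]}
    return any(hits.values()), hits

if __name__ == "__main__":
    print("bot  ", screen_client(BOT_TIMES, BOT_PARAMS))
    print("human", screen_client(HUMAN_TIMES, HUMAN_PARAMS))
```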

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310744948.7A CN116488948B (en) 2023-06-25 2023-06-25 Machine behavior abnormality detection method, device, equipment and medium

Publications (2)

Publication Number Publication Date
CN116488948A true CN116488948A (en) 2023-07-25
CN116488948B CN116488948B (en) 2023-09-01

Family

ID=87227244

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310744948.7A Active CN116488948B (en) 2023-06-25 2023-06-25 Machine behavior abnormality detection method, device, equipment and medium

Country Status (1)

Country Link
CN (1) CN116488948B (en)

Citations (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150264068A1 (en) * 2014-03-11 2015-09-17 Vectra Networks, Inc. Method and system for detecting bot behavior
US20170149809A1 (en) * 2015-11-24 2017-05-25 Fujitsu Limited Recording medium, deciding method, and deciding apparatus
US20180359270A1 (en) * 2017-06-12 2018-12-13 International Business Machines Corporation Clustering for Detection of Anomalous Behavior and Insider Threat
US10200384B1 (en) * 2013-03-14 2019-02-05 Fireeye, Inc. Distributed systems and methods for automatically detecting unknown bots and botnets
US10270794B1 (en) * 2018-02-09 2019-04-23 Extrahop Networks, Inc. Detection of denial of service attacks
CN109981647A (en) * 2019-03-27 2019-07-05 北京百度网讯科技有限公司 Method and apparatus for detecting Brute Force
CN111818011A (en) * 2020-05-29 2020-10-23 中国平安财产保险股份有限公司 Abnormal access behavior recognition method and device, computer equipment and storage medium
CN112540904A (en) * 2020-12-15 2021-03-23 北京百度网讯科技有限公司 Machine operation behavior recognition method and device, electronic equipment and computer medium
CN112579418A (en) * 2020-12-25 2021-03-30 泰康保险集团股份有限公司 Method, device, equipment and computer readable medium for identifying access log
CN113344133A (en) * 2021-06-30 2021-09-03 上海观安信息技术股份有限公司 Method and system for detecting abnormal fluctuation of time sequence behavior
CN113360899A (en) * 2021-07-06 2021-09-07 上海观安信息技术股份有限公司 Machine behavior identification method and system
CN113420073A (en) * 2021-08-23 2021-09-21 平安科技(深圳)有限公司 Abnormal sample detection method based on improved isolated forest and related equipment
WO2022124575A1 (en) * 2020-12-07 2022-06-16 (주)디엑솜 Method for diagnosing microsatellite instability using coefficient of variation of sequence lengths in microsatellite loci
CN115499205A (en) * 2022-09-15 2022-12-20 中债金科信息技术有限公司 Method and device for detecting abnormal external connection behavior, storage medium and electronic equipment
US11568421B1 (en) * 2019-07-24 2023-01-31 Walgreen Co. Client side diagnostics for enhanced customer care

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant