CN117201090A - Abnormal behavior detection processing method and system - Google Patents
Abnormal behavior detection processing method and system Download PDFInfo
- Publication number
- CN117201090A CN117201090A CN202311086338.9A CN202311086338A CN117201090A CN 117201090 A CN117201090 A CN 117201090A CN 202311086338 A CN202311086338 A CN 202311086338A CN 117201090 A CN117201090 A CN 117201090A
- Authority
- CN
- China
- Prior art keywords
- abnormal
- behavior
- preset threshold
- abnormal behavior
- data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 206010000117 Abnormal behaviour Diseases 0.000 title claims abstract description 109
- 238000001514 detection method Methods 0.000 title claims abstract description 42
- 238000003672 processing method Methods 0.000 title claims abstract description 19
- 230000006399 behavior Effects 0.000 claims abstract description 73
- 230000002159 abnormal effect Effects 0.000 claims abstract description 41
- 238000012545 processing Methods 0.000 claims abstract description 34
- 238000004458 analytical method Methods 0.000 claims abstract description 33
- 238000000034 method Methods 0.000 claims abstract description 32
- 238000002955 isolation Methods 0.000 claims description 8
- 238000011084 recovery Methods 0.000 claims description 8
- 238000000605 extraction Methods 0.000 claims description 3
- 238000012544 monitoring process Methods 0.000 abstract description 11
- 238000004891 communication Methods 0.000 description 13
- 230000006870 function Effects 0.000 description 6
- 230000005540 biological transmission Effects 0.000 description 4
- 230000008878 coupling Effects 0.000 description 4
- 238000010168 coupling process Methods 0.000 description 4
- 238000005859 coupling reaction Methods 0.000 description 4
- 238000005516 engineering process Methods 0.000 description 4
- 230000005236 sound signal Effects 0.000 description 4
- 238000010586 diagram Methods 0.000 description 3
- 230000008569 process Effects 0.000 description 3
- 230000003993 interaction Effects 0.000 description 2
- 238000007619 statistical method Methods 0.000 description 2
- 230000009471 action Effects 0.000 description 1
- 230000006978 adaptation Effects 0.000 description 1
- 238000004590 computer program Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 238000003780 insertion Methods 0.000 description 1
- 230000037431 insertion Effects 0.000 description 1
- 239000004973 liquid crystal related substance Substances 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 230000002093 peripheral effect Effects 0.000 description 1
Landscapes
- Debugging And Monitoring (AREA)
Abstract
The application discloses a method and a system for detecting and processing abnormal behaviors. Wherein the method comprises the following steps: acquiring behavior statistical data and rule policy data; extracting access statistical information in the behavior statistical data; comparing the access statistical information with a preset threshold value to obtain a comparison result; generating abnormal behavior target information according to the comparison result; extracting a behavior record of the abnormal behavior target information, and matching the behavior record with the rule policy data to obtain a matching result, wherein the matching result comprises: abnormal, non-abnormal. The application solves the technical problems that the abnormal behavior detection and processing method in the prior art only analyzes the access flow according to the flow monitoring means, but the single analysis method often brings inaccurate analysis results on one side to the analysis work, and reduces the efficiency and accuracy of abnormal behavior detection processing.
Description
Technical Field
The application relates to the field of exception handling, in particular to an exception behavior detection processing method and system.
Background
Along with the continuous development of intelligent science and technology, intelligent equipment is increasingly used in life, work and study of people, and the quality of life of people is improved and the learning and working efficiency of people is increased by using intelligent science and technology means.
At present, in the abnormal behavior detection process in the internet surfing behavior management, the abnormal behavior is usually analyzed by monitoring access flow, and the behavior analysis result is processed and treated to obtain an emergency treatment result. However, the method for detecting and processing the abnormal behavior in the prior art only analyzes the access flow according to the flow monitoring method, however, the single analysis method often brings inaccurate analysis results on one side to the analysis work, and reduces the efficiency and accuracy of the abnormal behavior detection processing.
In view of the above problems, no effective solution has been proposed at present.
Disclosure of Invention
The embodiment of the application provides an abnormal behavior detection processing method and system, which at least solve the technical problems that the abnormal behavior detection and processing method in the prior art only analyzes access flow according to a flow monitoring means, but the single analysis method often brings inaccurate one-sided analysis results to analysis work, and reduces the efficiency and accuracy of abnormal behavior detection processing.
According to an aspect of an embodiment of the present application, there is provided an abnormal behavior detection processing method, including: acquiring behavior statistical data and rule policy data; extracting access statistical information in the behavior statistical data; comparing the access statistical information with a preset threshold value to obtain a comparison result; generating abnormal behavior target information according to the comparison result; extracting a behavior record of the abnormal behavior target information, and matching the behavior record with the rule policy data to obtain a matching result, wherein the matching result comprises: abnormal, non-abnormal.
Optionally, the comparing the access statistical information with a preset threshold value to obtain a comparison result includes: acquiring the preset threshold, wherein the preset threshold characterizes an abnormal limit statistics; comparing each data element in the access statistical information with the preset threshold value to obtain a comparison result, wherein the comparison result comprises: and data elements exceeding the preset threshold.
Optionally, the generating the abnormal behavior target information according to the comparison result includes: and summarizing the data elements exceeding the preset threshold value to generate the abnormal behavior target information.
Optionally, after the extracting the behavior record of the abnormal behavior target information and matching the behavior record with the rule policy data to obtain a matching result, the method further includes: executing an exception handler according to the matching result, wherein the exception handler comprises: abnormal region recovery, abnormal behavior isolation, and abnormal behavior analysis.
According to another aspect of the embodiment of the present application, there is also provided an abnormal behavior detection processing system, including: the acquisition module is used for acquiring the behavior statistical data and the rule policy data; the extraction module is used for extracting access statistical information in the behavior statistical data; the comparison module is used for comparing the access statistical information with a preset threshold value to obtain a comparison result; the generation module is used for generating abnormal behavior target information according to the comparison result; the matching module is used for extracting the behavior record of the abnormal behavior target information, and matching the behavior record with the rule policy data to obtain a matching result, wherein the matching result comprises the following steps: abnormal, non-abnormal.
Optionally, the comparison module includes: the acquisition unit is used for acquiring the preset threshold, wherein the preset threshold represents an abnormal limit statistics; the comparison unit is used for comparing each data element in the access statistical information with the preset threshold value to obtain a comparison result, wherein the comparison result comprises the following steps: and data elements exceeding the preset threshold.
Optionally, the generating module includes: and the summarizing unit is used for summarizing the data elements exceeding the preset threshold value and generating the abnormal behavior target information.
Optionally, the system further comprises: the processing module is used for executing an exception handling program according to the matching result, wherein the exception handling program comprises: abnormal region recovery, abnormal behavior isolation, and abnormal behavior analysis.
According to another aspect of the embodiment of the present application, there is also provided a nonvolatile storage medium, where the nonvolatile storage medium includes a stored program, and when the program runs, the device in which the nonvolatile storage medium is controlled to execute an abnormal behavior detection processing method.
According to another aspect of an embodiment of the present application, there is also provided an electronic system including a processor and a memory; the memory stores computer readable instructions, and the processor is configured to execute the computer readable instructions, where the computer readable instructions execute an abnormal behavior detection processing method when executed.
In the embodiment of the application, the behavior statistical data and the rule policy data are acquired; extracting access statistical information in the behavior statistical data; comparing the access statistical information with a preset threshold value to obtain a comparison result; generating abnormal behavior target information according to the comparison result; extracting a behavior record of the abnormal behavior target information, and matching the behavior record with the rule policy data to obtain a matching result, wherein the matching result comprises: the abnormal and non-abnormal modes solve the technical problems that the abnormal behavior detection and processing method in the prior art only analyzes the access flow according to the flow monitoring means, but the single analysis method often brings one-sided inaccurate analysis results to analysis work, and reduces the efficiency and accuracy of abnormal behavior detection processing.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute a limitation on the application. In the drawings:
FIG. 1 is a flow chart of an abnormal behavior detection processing method according to an embodiment of the present application;
FIG. 2 is a block diagram of an abnormal behavior detection processing system according to an embodiment of the present application;
fig. 3 is a block diagram of a terminal device for performing the method according to the application according to an embodiment of the application;
fig. 4 is a memory unit for holding or carrying program code for implementing a method according to the application, according to an embodiment of the application.
Detailed Description
In order that those skilled in the art will better understand the present application, a technical solution in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present application without making any inventive effort, shall fall within the scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present application and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the application described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
According to an embodiment of the present application, there is provided a method embodiment of an abnormal behavior detection processing method, it should be noted that the steps shown in the flowchart of the drawings may be performed in a computer system such as a set of computer executable instructions, and that although a logical order is shown in the flowchart, in some cases, the steps shown or described may be performed in an order different from that shown or described herein.
Example 1
FIG. 1 is a flowchart of a method for processing abnormal behavior detection according to an embodiment of the present application, as shown in FIG. 1, the method includes the steps of:
step S102, behavior statistical data and rule policy data are obtained.
Specifically, in order to solve the technical problems that in the prior art, the abnormal behavior detection and processing method only analyzes the access traffic according to the traffic monitoring means, however, the single analysis method often brings inaccurate analysis results to analysis work on one side, and reduces the efficiency and accuracy of abnormal behavior detection processing, when the abnormal behavior detection is performed, behavior statistics data and rule policy data are obtained according to a behavior traffic controller, wherein the behavior statistics data can be access logs obtained through surfing the internet or access traffic monitoring, all surfing behaviors of each terminal through the server are included, so that a behavior summarized behavior statistics data set is obtained, and in addition, the rule policy data are used for judging whether the rule data files belong to the category of the abnormal behaviors according to different surfing behavior data.
Step S104, extracting access statistical information in the behavior statistical data.
Specifically, in order to perform the first step of detection operation of abnormal behavior detection according to the behavior statistical data, the embodiment of the application needs to extract the access statistical information in the behavior statistical data, wherein the access statistical information includes the IP access conditions of all terminals, and the technical purpose of statistical analysis is achieved by using a mode of combining flow statistics and IP.
And S106, comparing the access statistical information with a preset threshold value to obtain a comparison result.
Optionally, the comparing the access statistical information with a preset threshold value to obtain a comparison result includes: acquiring the preset threshold, wherein the preset threshold characterizes an abnormal limit statistics; comparing each data element in the access statistical information with the preset threshold value to obtain a comparison result, wherein the comparison result comprises: and data elements exceeding the preset threshold.
Specifically, after the access statistical information is obtained, in order to extract the protruding access terminal therein, the embodiment of the application needs to obtain the preset threshold, wherein the preset threshold characterizes the abnormal limit statistics; comparing each data element in the access statistical information with the preset threshold value to obtain a comparison result, wherein the comparison result comprises: and data elements exceeding the preset threshold.
It should be noted that, the method for accessing the interface may include two ways: (1) Public login is performed by publishing a token, the token can be updated at any time, and the original token is invalid after each update. (2) The application program links the gitlab server to adopt Linux commands, for example, java, and encapsulates git commands, typically embedded Linux script commands, when run by runtimes in Java, which are not referred to herein. The application program and the gitlab server carry out interface call, taking Java as an example, API call is carried out in Java, interface call is carried out through HTTP client or Restful style, and returned data are all in JSON format.
Optionally, the preset threshold is obtained through a user configuration client.
Specifically, the preset threshold value is configured by a user to configure the client, the threshold value setting in the threshold value configuration ui interface in the client is adjusted to a threshold value range determined according to the security level or the job guidance file or the rule, the threshold value is output as an important standard of access control, and abnormal access flow data can be generated by using the threshold value configured by the user in the subsequent access control, so that detection processing operation is performed.
And S108, generating abnormal behavior target information according to the comparison result.
Optionally, the generating the abnormal behavior target information according to the comparison result includes: and summarizing the data elements exceeding the preset threshold value to generate the abnormal behavior target information.
Specifically, as the access summary exceeding the threshold value is the detection result of the abnormal behavior, the data elements exceeding the preset threshold value are summarized and sorted, and the sorted data set is used as the target information of the abnormal behavior for transmission and storage, so that the abnormal behavior can be further matched later.
Step S110, extracting a behavior record of the abnormal behavior target information, and matching the behavior record with the rule policy data to obtain a matching result, wherein the matching result comprises: abnormal, non-abnormal.
Specifically, after some target units of the abnormal behavior are obtained through the statistical access information, the embodiment of the application cannot completely judge that the abnormal units are the terminal units with the abnormal behavior, so that rule matching is required to be carried out on the target information of the abnormal behavior, and a preset rule strategy is utilized to generate a matching result, so that the situation that the behaviors belong to real and error-free abnormal behaviors is further determined.
Optionally, after the extracting the behavior record of the abnormal behavior target information and matching the behavior record with the rule policy data to obtain a matching result, the method further includes: executing an exception handler according to the matching result, wherein the exception handler comprises: abnormal region recovery, abnormal behavior isolation, and abnormal behavior analysis.
Through the embodiment, the technical problems that the detection and processing method of the abnormal behavior in the prior art only analyzes the access flow according to the flow monitoring means, but the single analysis method often brings one-sided inaccurate analysis results to analysis work and reduces the efficiency and accuracy of the detection and processing of the abnormal behavior are solved.
Example two
FIG. 2 is a block diagram of an abnormal behavior detection processing system according to an embodiment of the present application, as shown in FIG. 2, the system includes:
and the acquisition module is used for acquiring the behavior statistical data and the rule policy data.
Specifically, in order to solve the technical problems that in the prior art, the abnormal behavior detection and processing method only analyzes the access traffic according to the traffic monitoring means, however, the single analysis method often brings inaccurate analysis results to analysis work on one side, and reduces the efficiency and accuracy of abnormal behavior detection processing, when the abnormal behavior detection is performed, behavior statistics data and rule policy data are obtained according to a behavior traffic controller, wherein the behavior statistics data can be access logs obtained through surfing the internet or access traffic monitoring, all surfing behaviors of each terminal through the server are included, so that a behavior summarized behavior statistics data set is obtained, and in addition, the rule policy data are used for judging whether the rule data files belong to the category of the abnormal behaviors according to different surfing behavior data.
And the extraction module is used for extracting the access statistical information in the behavior statistical data.
Specifically, in order to perform the first step of detection operation of abnormal behavior detection according to the behavior statistical data, the embodiment of the application needs to extract the access statistical information in the behavior statistical data, wherein the access statistical information includes the IP access conditions of all terminals, and the technical purpose of statistical analysis is achieved by using a mode of combining flow statistics and IP.
And the comparison module is used for comparing the access statistical information with a preset threshold value to obtain a comparison result.
Optionally, the comparison module includes: the acquisition unit is used for acquiring the preset threshold, wherein the preset threshold represents an abnormal limit statistics; the comparison unit is used for comparing each data element in the access statistical information with the preset threshold value to obtain a comparison result, wherein the comparison result comprises the following steps: and data elements exceeding the preset threshold.
Specifically, after the access statistical information is obtained, in order to extract the protruding access terminal therein, the embodiment of the application needs to obtain the preset threshold, wherein the preset threshold characterizes the abnormal limit statistics; comparing each data element in the access statistical information with the preset threshold value to obtain a comparison result, wherein the comparison result comprises: and data elements exceeding the preset threshold.
Optionally, the preset threshold is obtained through a user configuration client.
And the generation module is used for generating abnormal behavior target information according to the comparison result.
Optionally, the generating module includes: and the summarizing unit is used for summarizing the data elements exceeding the preset threshold value and generating the abnormal behavior target information.
Specifically, as the access summary exceeding the threshold value is the detection result of the abnormal behavior, the data elements exceeding the preset threshold value are summarized and sorted, and the sorted data set is used as the target information of the abnormal behavior for transmission and storage, so that the abnormal behavior can be further matched later.
The matching module is used for extracting the behavior record of the abnormal behavior target information, and matching the behavior record with the rule policy data to obtain a matching result, wherein the matching result comprises the following steps: abnormal, non-abnormal.
Specifically, after some target units of the abnormal behavior are obtained through the statistical access information, the embodiment of the application cannot completely judge that the abnormal units are the terminal units with the abnormal behavior, so that rule matching is required to be carried out on the target information of the abnormal behavior, and a preset rule strategy is utilized to generate a matching result, so that the situation that the behaviors belong to real and error-free abnormal behaviors is further determined.
Optionally, the system further comprises: the processing module is used for executing an exception handling program according to the matching result, wherein the exception handling program comprises: abnormal region recovery, abnormal behavior isolation, and abnormal behavior analysis.
Through the embodiment, the technical problems that the detection and processing method of the abnormal behavior in the prior art only analyzes the access flow according to the flow monitoring means, but the single analysis method often brings one-sided inaccurate analysis results to analysis work and reduces the efficiency and accuracy of the detection and processing of the abnormal behavior are solved.
According to another aspect of the embodiment of the present application, there is also provided a nonvolatile storage medium, where the nonvolatile storage medium includes a stored program, and when the program runs, the device in which the nonvolatile storage medium is controlled to execute an abnormal behavior detection processing method.
Specifically, the method comprises the following steps: acquiring behavior statistical data and rule policy data; extracting access statistical information in the behavior statistical data; comparing the access statistical information with a preset threshold value to obtain a comparison result; generating abnormal behavior target information according to the comparison result; extracting a behavior record of the abnormal behavior target information, and matching the behavior record with the rule policy data to obtain a matching result, wherein the matching result comprises: abnormal, non-abnormal. Optionally, the comparing the access statistical information with a preset threshold value to obtain a comparison result includes: acquiring the preset threshold, wherein the preset threshold characterizes an abnormal limit statistics; comparing each data element in the access statistical information with the preset threshold value to obtain a comparison result, wherein the comparison result comprises: and data elements exceeding the preset threshold. Optionally, the generating the abnormal behavior target information according to the comparison result includes: and summarizing the data elements exceeding the preset threshold value to generate the abnormal behavior target information. Optionally, after the extracting the behavior record of the abnormal behavior target information and matching the behavior record with the rule policy data to obtain a matching result, the method further includes: executing an exception handler according to the matching result, wherein the exception handler comprises: abnormal region recovery, abnormal behavior isolation, and abnormal behavior analysis.
According to another aspect of an embodiment of the present application, there is also provided an electronic system including a processor and a memory; the memory stores computer readable instructions, and the processor is configured to execute the computer readable instructions, where the computer readable instructions execute an abnormal behavior detection processing method when executed.
Specifically, the method comprises the following steps: acquiring behavior statistical data and rule policy data; extracting access statistical information in the behavior statistical data; comparing the access statistical information with a preset threshold value to obtain a comparison result; generating abnormal behavior target information according to the comparison result; extracting a behavior record of the abnormal behavior target information, and matching the behavior record with the rule policy data to obtain a matching result, wherein the matching result comprises: abnormal, non-abnormal. Optionally, the comparing the access statistical information with a preset threshold value to obtain a comparison result includes: acquiring the preset threshold, wherein the preset threshold characterizes an abnormal limit statistics; comparing each data element in the access statistical information with the preset threshold value to obtain a comparison result, wherein the comparison result comprises: and data elements exceeding the preset threshold. Optionally, the generating the abnormal behavior target information according to the comparison result includes: and summarizing the data elements exceeding the preset threshold value to generate the abnormal behavior target information. Optionally, after the extracting the behavior record of the abnormal behavior target information and matching the behavior record with the rule policy data to obtain a matching result, the method further includes: executing an exception handler according to the matching result, wherein the exception handler comprises: abnormal region recovery, abnormal behavior isolation, and abnormal behavior analysis.
The foregoing embodiment numbers of the present application are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
In the foregoing embodiments of the present application, the descriptions of the embodiments are emphasized, and for a portion of this disclosure that is not described in detail in this embodiment, reference is made to the related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed technology may be implemented in other manners. The system embodiments described above are merely exemplary, and for example, the division of the units may be a logic function division, and there may be another division manner when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some interfaces, units or modules, or may be in electrical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, fig. 3 is a schematic hardware structure of a terminal device according to an embodiment of the present application. As shown in fig. 3, the terminal device may include an input device 30, a processor 31, an output device 32, a memory 33, and at least one communication bus 34. The communication bus 34 is used to enable communication connections between the elements. The memory 33 may comprise a high-speed RAM memory or may further comprise a non-volatile memory NVM, such as at least one magnetic disk memory, in which various programs may be stored for performing various processing functions and implementing the method steps of the present embodiment.
Alternatively, the processor 31 may be implemented as, for example, a central processing unit (Central Processing Unit, abbreviated as CPU), an Application Specific Integrated Circuit (ASIC), a Digital Signal Processor (DSP), a Digital Signal Processing Device (DSPD), a Programmable Logic Device (PLD), a Field Programmable Gate Array (FPGA), a controller, a microcontroller, a microprocessor, or other electronic components, and the processor 31 is coupled to the input device 30 and the output device 32 through wired or wireless connections.
Alternatively, the input device 30 may include a variety of input devices, for example, may include at least one of a user-oriented user interface, a device-oriented device interface, a programmable interface of software, a camera, and a sensor. Optionally, the device interface facing the device may be a wired interface for data transmission between devices, or may be a hardware insertion interface (such as a USB interface, a serial port, etc.) for data transmission between devices; alternatively, the user-oriented user interface may be, for example, a user-oriented control key, a voice input device for receiving voice input, and a touch-sensitive device (e.g., a touch screen, a touch pad, etc. having touch-sensitive functionality) for receiving user touch input by a user; optionally, the programmable interface of the software may be, for example, an entry for a user to edit or modify a program, for example, an input pin interface or an input interface of a chip, etc.; optionally, the transceiver may be a radio frequency transceiver chip, a baseband processing chip, a transceiver antenna, etc. with a communication function. An audio input device such as a microphone may receive voice data. The output device 32 may include a display, audio, or the like.
In this embodiment, the processor of the terminal device may include functions for executing each module of the data processing system in each device, and specific functions and technical effects may be referred to the above embodiments and are not described herein again.
Fig. 4 is a schematic hardware structure of a terminal device according to another embodiment of the present application. Fig. 4 is a specific embodiment of the implementation of fig. 3. As shown in fig. 4, the terminal device of the present embodiment includes a processor 41 and a memory 42.
The processor 41 executes the computer program code stored in the memory 42 to implement the methods of the above-described embodiments.
The memory 42 is configured to store various types of data to support operation at the terminal device. Examples of such data include instructions for any application or method operating on the terminal device, such as messages, pictures, video, etc. The memory 42 may include a random access memory (random access memory, simply referred to as RAM) and may also include a non-volatile memory (non-volatile memory), such as at least one disk memory.
Optionally, a processor 41 is provided in the processing assembly 40. The terminal device may further include: a communication component 43, a power supply component 44, a multimedia component 45, an audio component 46, an input/output interface 47 and/or a sensor component 48. The components and the like specifically included in the terminal device are set according to actual requirements, which are not limited in this embodiment.
The processing component 40 generally controls the overall operation of the terminal device. The processing component 40 may include one or more processors 41 to execute instructions to perform all or part of the steps of the methods described above. Further, the processing component 40 may include one or more modules that facilitate interactions between the processing component 40 and other components. For example, processing component 40 may include a multimedia module to facilitate interaction between multimedia component 45 and processing component 40.
The power supply assembly 44 provides power to the various components of the terminal device. Power supply components 44 may include a power management system, one or more power supplies, and other components associated with generating, managing, and distributing power for terminal devices.
The multimedia component 45 comprises a display screen between the terminal device and the user providing an output interface. In some embodiments, the display screen may include a Liquid Crystal Display (LCD) and a Touch Panel (TP). If the display screen includes a touch panel, the display screen may be implemented as a touch screen to receive input signals from a user. The touch panel includes one or more touch sensors to sense touches, swipes, and gestures on the touch panel. The touch sensor may sense not only the boundary of a touch or slide action, but also the duration and pressure associated with the touch or slide operation.
The audio component 46 is configured to output and/or input audio signals. For example, the audio component 46 includes a Microphone (MIC) configured to receive external audio signals when the terminal device is in an operational mode, such as a speech recognition mode. The received audio signals may be further stored in the memory 42 or transmitted via the communication component 43. In some embodiments, audio assembly 46 further includes a speaker for outputting audio signals.
The input/output interface 47 provides an interface between the processing assembly 40 and peripheral interface modules, which may be click wheels, buttons, etc. These buttons may include, but are not limited to: volume button, start button and lock button.
The sensor assembly 48 includes one or more sensors for providing status assessment of various aspects for the terminal device. For example, the sensor assembly 48 may detect the open/closed state of the terminal device, the relative positioning of the assembly, the presence or absence of user contact with the terminal device. The sensor assembly 48 may include a proximity sensor configured to detect the presence of nearby objects in the absence of any physical contact, including detecting the distance between the user and the terminal device. In some embodiments, the sensor assembly 48 may also include a camera or the like.
The communication component 43 is configured to facilitate communication between the terminal device and other devices in a wired or wireless manner. The terminal device may access a wireless network based on a communication standard, such as WiFi,2G or 3G, or a combination thereof. In one embodiment, the terminal device may include a SIM card slot, where the SIM card slot is used to insert a SIM card, so that the terminal device may log into a GPRS network, and establish communication with a server through the internet.
From the above, it will be appreciated that the communication component 43, the audio component 46, and the input/output interface 47, the sensor component 48 referred to in the embodiment of fig. 4 may be implemented as an input device in the embodiment of fig. 3.
In the several embodiments provided in the present application, it should be understood that the disclosed technology may be implemented in other manners. The system embodiments described above are merely exemplary, and for example, the division of the units may be a logic function division, and there may be another division manner when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some interfaces, units or modules, or may be in electrical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application may be embodied essentially or in part or all of the technical solution or in part in the form of a software product stored in a storage medium, including instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a removable hard disk, a magnetic disk, or an optical disk, or other various media capable of storing program codes.
The foregoing is merely a preferred embodiment of the present application and it should be noted that modifications and adaptations to those skilled in the art may be made without departing from the principles of the present application, which are intended to be comprehended within the scope of the present application.
Claims (10)
1. An abnormal behavior detection processing method is characterized by comprising the following steps:
acquiring behavior statistical data and rule policy data;
extracting access statistical information in the behavior statistical data;
comparing the access statistical information with a preset threshold value to obtain a comparison result;
generating abnormal behavior target information according to the comparison result;
extracting a behavior record of the abnormal behavior target information, and matching the behavior record with the rule policy data to obtain a matching result, wherein the matching result comprises: abnormal, non-abnormal.
2. The method of claim 1, wherein comparing the access statistics with a preset threshold value comprises:
acquiring the preset threshold, wherein the preset threshold characterizes an abnormal limit statistics;
comparing each data element in the access statistical information with the preset threshold value to obtain a comparison result, wherein the comparison result comprises: and data elements exceeding the preset threshold.
3. The method of claim 1, wherein generating the abnormal behavior target information from the comparison result comprises:
and summarizing the data elements exceeding the preset threshold value to generate the abnormal behavior target information.
4. The method according to claim 1, wherein after the extracting the behavior record of the abnormal behavior target information and matching the behavior record with the rule policy data, the method further comprises:
executing an exception handler according to the matching result, wherein the exception handler comprises: abnormal region recovery, abnormal behavior isolation, and abnormal behavior analysis.
5. An abnormal behavior detection processing system, comprising:
the acquisition module is used for acquiring the behavior statistical data and the rule policy data;
the extraction module is used for extracting access statistical information in the behavior statistical data;
the comparison module is used for comparing the access statistical information with a preset threshold value to obtain a comparison result;
the generation module is used for generating abnormal behavior target information according to the comparison result;
the matching module is used for extracting the behavior record of the abnormal behavior target information, and matching the behavior record with the rule policy data to obtain a matching result, wherein the matching result comprises the following steps: abnormal, non-abnormal.
6. The system of claim 5, wherein the comparison module comprises:
the acquisition unit is used for acquiring the preset threshold, wherein the preset threshold represents an abnormal limit statistics;
the comparison unit is used for comparing each data element in the access statistical information with the preset threshold value to obtain a comparison result, wherein the comparison result comprises the following steps: and data elements exceeding the preset threshold.
7. The system of claim 5, wherein the generating module comprises:
and the summarizing unit is used for summarizing the data elements exceeding the preset threshold value and generating the abnormal behavior target information.
8. The system of claim 5, wherein the system further comprises:
the processing module is used for executing an exception handling program according to the matching result, wherein the exception handling program comprises: abnormal region recovery, abnormal behavior isolation, and abnormal behavior analysis.
9. A non-volatile storage medium, characterized in that the non-volatile storage medium comprises a stored program, wherein the program, when run, controls a device in which the non-volatile storage medium is located to perform the method of any one of claims 1 to 4.
10. An electronic system comprising a processor and a memory; the memory has stored therein computer readable instructions for executing the processor, wherein the computer readable instructions when executed perform the method of any of claims 1 to 4.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311086338.9A CN117201090A (en) | 2023-08-28 | 2023-08-28 | Abnormal behavior detection processing method and system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311086338.9A CN117201090A (en) | 2023-08-28 | 2023-08-28 | Abnormal behavior detection processing method and system |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117201090A true CN117201090A (en) | 2023-12-08 |
Family
ID=89000856
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311086338.9A Pending CN117201090A (en) | 2023-08-28 | 2023-08-28 | Abnormal behavior detection processing method and system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117201090A (en) |
Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104915455A (en) * | 2015-07-02 | 2015-09-16 | 焦点科技股份有限公司 | Website exception access identification method and system based on user behaviors |
| CN106650433A (en) * | 2016-12-15 | 2017-05-10 | 咪咕数字传媒有限公司 | Detecting method and system for abnormal behavior |
| KR20170056045A (en) * | 2015-11-12 | 2017-05-23 | 주식회사 엔젠소프트 | Method and apparatus of fraud detection for analyzing behavior pattern |
| KR101743269B1 (en) * | 2016-01-13 | 2017-06-05 | 주식회사 엔젠소프트 | Method and apparatus of fraud detection by analysis of PC information and modeling of behavior pattern |
| CN108377241A (en) * | 2018-02-12 | 2018-08-07 | 平安普惠企业管理有限公司 | Monitoring method, device, equipment based on access frequency and computer storage media |
| CN110086649A (en) * | 2019-03-19 | 2019-08-02 | 深圳壹账通智能科技有限公司 | Detection method, device, computer equipment and the storage medium of abnormal flow |
| CN116015842A (en) * | 2022-12-23 | 2023-04-25 | 中能融合智慧科技有限公司 | Network attack detection method based on user access behaviors |
-
2023
- 2023-08-28 CN CN202311086338.9A patent/CN117201090A/en active Pending
Patent Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104915455A (en) * | 2015-07-02 | 2015-09-16 | 焦点科技股份有限公司 | Website exception access identification method and system based on user behaviors |
| KR20170056045A (en) * | 2015-11-12 | 2017-05-23 | 주식회사 엔젠소프트 | Method and apparatus of fraud detection for analyzing behavior pattern |
| KR101743269B1 (en) * | 2016-01-13 | 2017-06-05 | 주식회사 엔젠소프트 | Method and apparatus of fraud detection by analysis of PC information and modeling of behavior pattern |
| CN106650433A (en) * | 2016-12-15 | 2017-05-10 | 咪咕数字传媒有限公司 | Detecting method and system for abnormal behavior |
| CN108377241A (en) * | 2018-02-12 | 2018-08-07 | 平安普惠企业管理有限公司 | Monitoring method, device, equipment based on access frequency and computer storage media |
| CN110086649A (en) * | 2019-03-19 | 2019-08-02 | 深圳壹账通智能科技有限公司 | Detection method, device, computer equipment and the storage medium of abnormal flow |
| CN116015842A (en) * | 2022-12-23 | 2023-04-25 | 中能融合智慧科技有限公司 | Network attack detection method based on user access behaviors |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN115426525B (en) | High-speed dynamic frame linkage image splitting method and device | |
| CN117201090A (en) | Abnormal behavior detection processing method and system | |
| CN116302041B (en) | Optimization method and device for light field camera interface module | |
| CN116723419B (en) | Acquisition speed optimization method and device for billion-level high-precision camera | |
| CN116723298B (en) | Method and device for improving transmission efficiency of camera end | |
| CN116506423A (en) | Information security data reporting method and device | |
| CN115695267B (en) | Data interface-oriented testing and verifying method and device | |
| CN116389915B (en) | Method and device for reducing flicker of light field camera | |
| CN116431392A (en) | Important data separation method and device | |
| CN116260963B (en) | Emergency handling method and device for camera fault | |
| CN118415596A (en) | Sleep monitoring method and device | |
| CN115511735B (en) | Snow field gray scale picture optimization method and device | |
| CN117871419A (en) | Air quality detection method and device based on optical camera holder control | |
| CN116468883B (en) | High-precision image data volume fog recognition method and device | |
| CN116030501B (en) | Method and device for extracting bird detection data | |
| CN115984333B (en) | Smooth tracking method and device for airplane target | |
| CN115576989A (en) | Big data flow monitoring method and device | |
| CN116700037A (en) | Remote home control method and system based on cloud platform | |
| CN117118822A (en) | Network diagnosis processing method and system | |
| CN116228593B (en) | Image perfecting method and device based on hierarchical antialiasing | |
| CN116774929A (en) | Data storage method and system based on big data | |
| CN117911870A (en) | Emergency safety prediction method based on hundred million-level image acquisition means | |
| CN116663886A (en) | Information security event combing method and device | |
| CN116389887A (en) | Dynamic optimization-based light field camera configuration method and device | |
| CN116466905A (en) | OpenHarmony-based window split-screen operation interaction method and device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |