CN117909978A - Analysis management method and system based on big data security - Google Patents

Analysis management method and system based on big data security

Info

Publication number
CN117909978A
Authority
CN
China
Prior art keywords
code
data
ota
protection
optimization
Legal status
Granted
Application number
CN202410289835.7A
Other languages
Chinese (zh)
Other versions
CN117909978B (en)
Inventor
彭娟
夏泽波
崔业超
Current Assignee
Fujian Yinshu Information Technology Co., Ltd.
Original Assignee
Fujian Yinshu Information Technology Co., Ltd.
Application filed by Fujian Yinshu Information Technology Co., Ltd.
Priority to CN202410289835.7A
Publication of CN117909978A
Application granted
Publication of CN117909978B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/561 Virus type analysis
    • G06F21/562 Static detection
    • G06F21/563 Static detection by source code analysis
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/13 File access structures, e.g. distributed indices
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/23 Updating

Landscapes

  • Engineering & Computer Science
  • Theoretical Computer Science
  • General Engineering & Computer Science
  • Computer Security & Cryptography
  • Physics & Mathematics
  • General Physics & Mathematics
  • Computer Hardware Design
  • Software Systems
  • Health & Medical Sciences
  • Virology
  • Databases & Information Systems
  • Data Mining & Analysis
  • General Health & Medical Sciences
  • Storage Device Security
  • Information Retrieval, Db Structures And Fs Structures Therefor

Abstract

The invention relates to an analysis management method and system based on big data security. The method includes: acquiring network protection information of a big data service channel port; adding first protection log data to a virus library; compressing first protection code data into an OTA optimization library, creating in that library an OTA optimization folder for storing the first protection code data, and associating and binding the OTA optimization folder with the virus library using OTA (over-the-air) download technology; identifying attack means codes using a matching tree mechanism, screening and matching the first protection log data against second protection log data of the same kind and purpose in the virus library, and identifying the second protection code data corresponding to that second protection log data; selecting an OTA optimization code from the second protection code data and converting it into OTA optimization data by combining virtualized data updating technology with PaaS architecture technology; and optimizing the first protection code data in the OTA optimization folder with the OTA optimization data.

Description

Analysis management method and system based on big data security
Technical Field
The invention relates to the technical field of data security, in particular to an analysis management method and system based on big data security.
Background
In the big data age, the value of data is increasingly prominent and the data security problem is becoming more serious. The big data platform is the core of data processing and storage, and its security directly determines the stability of the whole data ecosystem and the availability of the data. Traditional data security management methods, faced with massive data, complex network environments and continuously evolving attack means, are easily circumvented and breached, so they struggle to meet ever-growing security requirements.
First, conventional methods often cannot acquire and process the network protection information of the big data service channel port in real time, so the security response lags. This lag is especially damaging against rapidly propagating malicious code and zero-day attacks, and can cause immeasurable losses.
Second, when coping with complex attack means, conventional methods lack an effective code identification and matching mechanism, so accurate identification and defense are difficult. This not only reduces the accuracy of security protection but also increases the risk of data leakage and system outage.
Furthermore, conventional methods are limited in optimizing and updating data security protection. Because the latest security protection strategies and code optimization schemes cannot be obtained in time, the protection capability of the big data platform is difficult to improve continuously.
Disclosure of Invention
The invention mainly aims to provide an analysis management method and system based on big data security, which realize the security protection and optimization updating of a big data service channel port by acquiring the network protection information of the port in real time, identifying attack means codes with a matching tree mechanism, and combining OTA optimization technology with PaaS architecture technology.
In order to achieve the above object, the present invention provides an analysis management method based on big data security, which is used in a data platform and is communicatively connected with a plurality of big data service channel ports through the data platform, the method includes:
Acquiring network protection information of a big data service channel port, wherein the network protection information comprises first protection log data and first protection code data;
at the same time, adding the first protection log data to a virus library, and recording, through the virus library, the attacked information, the protection success information and the attack means code contained in the first protection log data;
at the same time, compressing the first protection code data into an OTA optimization library, creating in the OTA optimization library an OTA optimization folder for storing the first protection code data, and associating and binding the OTA optimization folder with the virus library using OTA over-the-air download technology;
identifying the attack means codes using a matching tree mechanism, screening and matching the first protection log data against second protection log data of the same kind and purpose in the virus library, and identifying the second protection code data corresponding to the second protection log data;
selecting an OTA optimization code from the second protection code data, and converting the OTA optimization code into OTA optimization data by combining virtualized data updating technology with PaaS architecture technology;
and optimizing the first protection code data in the OTA optimization folder with the OTA optimization data, then generating an OTA update request and sending it to the corresponding big data service channel port.
Further, the step of identifying the attack means code using a matching tree mechanism, screening and matching the first protection log data against second protection log data of the same kind and purpose in the virus library, and identifying the second protection code data corresponding to the second protection log data includes:
identifying the attack means code in the first protection code data, so as to determine the code type, the application field and the source code of the attack means code;
performing a first-step classification by application field using the matching tree mechanism, determining from the virus library the storage folder of the same field, and performing a second-step classification within that folder by code type, so as to mark the approximate case codes in the folder that match the code type, wherein one or more approximate case codes may match;
and forming a call instruction for the approximate case codes, so that the approximate case codes are output as the second protection code data according to the call instruction.
Further, the step of performing a first-step classification by application field using the matching tree mechanism to determine the storage folder of the same field from the virus library, and performing a second-step classification within that folder by code type to mark the approximate case codes matching the code type, includes:
using the attack means code as the first node of a matching tree;
taking the domain-specific language (DSL) of the attack means code's domain as the starting point at the first node, forming a commit query language for the first-step downward classification, and using the application field to query the virus library through the commit query for the folders of the same field, the one or more folders found being the second nodes;
rewriting the commit query language in the code language of the folder and expressing it as an ANTLR4 grammar, querying the one or more second nodes by code type, through the parser generated from that grammar, for the corresponding approximate case codes, and taking the one or more approximate case codes as the third nodes;
and forming, from the first node, the second nodes and the third nodes, a virus update query tree corresponding to the first protection code data, the virus update query tree being used for the update optimization and data calls of the virus library.
Further, the step of selecting an OTA optimization code from the second protection code data and converting it into OTA optimization data by combining virtualized data updating technology with PaaS architecture technology includes:
matching the attacked information and the protection success information against the second protection code data, so as to select from the second protection code data an OTA optimization code for optimizing the first protection code data;
editing the configuration file of the OTA optimization code using the PaaS architecture, so that the first protection code data and the second protection code data are framed in the same PaaS architecture;
and network-bridging the OTA optimization code whose configuration file has been edited through a pre-deployed KVM virtual module, so that the OTA optimization code can be deployed onto the first protection code data in the OTA optimization folder.
Further, the step of optimizing the first protection code data in the OTA optimization folder with the OTA optimization data, then generating an OTA update request and sending it to the corresponding big data service channel port includes:
deploying the OTA optimization code at the corresponding code position of the first protection code data in the OTA optimization folder;
if the first protection code data is determined to have changed, generating an OTA update request from the OTA optimization folder;
and sending the OTA update request to the big data service channel port, which, upon receiving the OTA update request, updates its code according to the change in the first protection code data.
The invention also provides an analysis management system based on big data security, which comprises:
an acquisition unit, configured to acquire network protection information of a big data service channel port, the network protection information including first protection log data and first protection code data;
a first storage unit, configured to add the first protection log data to a virus library at the same time, and to record, through the virus library, the attacked information, the protection success information and the attack means code in the first protection log data;
a second storage unit, configured to compress the first protection code data into an OTA optimization library at the same time, create in the OTA optimization library an OTA optimization folder for storing the first protection code data, and associate and bind the OTA optimization folder with the virus library using OTA over-the-air download technology;
a code matching unit, configured to identify the attack means codes using a matching tree mechanism, screen and match the first protection log data against second protection log data of the same kind and purpose in the virus library, and identify the second protection code data corresponding to the second protection log data;
a framework unit, configured to select an OTA optimization code from the second protection code data and convert it into OTA optimization data by combining virtualized data updating technology with PaaS architecture technology;
and an optimization updating unit, configured to optimize the first protection code data in the OTA optimization folder with the OTA optimization data, then generate an OTA update request and send it to the corresponding big data service channel port.
Further, the code matching unit includes:
an identification module, configured to identify the attack means code in the first protection code data, so as to determine the code type, the application field and the source code of the attack means code;
a matching tree module, configured to perform a first-step classification by application field using the matching tree mechanism, determine from the virus library the storage folder of the same field, and perform a second-step classification within that folder by code type so as to mark the approximate case codes in the folder that match the code type, wherein one or more approximate case codes may match;
and a calling module, configured to form a call instruction for the approximate case codes so that they are output as the second protection code data according to the call instruction.
Further, the matching tree module includes:
a first node submodule, configured to use the attack means code as the first node of a matching tree;
a second node submodule, configured to take the domain-specific language (DSL) of the attack means code's domain as the starting point at the first node, form a commit query language for the first-step downward classification, and use the application field to query the virus library through the commit query for the folders of the same field, the one or more folders found being the second nodes;
a third node submodule, configured to rewrite the commit query language in the code language of the folder, express it as an ANTLR4 grammar, query the one or more second nodes by code type, through the parser generated from that grammar, for the corresponding approximate case codes, and take the one or more approximate case codes as the third nodes;
and a query tree module, configured to form, from the first node, the second nodes and the third nodes, a virus update query tree corresponding to the first protection code data, the virus update query tree being used for the update optimization and data calls of the virus library.
The invention also provides a computer device, which comprises a memory and a processor, wherein the memory stores a computer program, and the processor realizes the steps of the analysis management method based on big data security when executing the computer program.
The present invention also provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the above-described big data security based analysis management method.
The analysis management method and system based on big data security provided by the invention have the following beneficial effects:
(1) By acquiring and processing the network protection information of the big data service channel port in real time, the invention can respond to security threats as they occur and effectively reduce the security risk caused by response lag.
(2) By identifying the attack means code with a matching tree mechanism, the invention can identify and defend against complex attacks more accurately, improving the precision of security protection and reducing false positive and false negative rates.
(3) By combining OTA (over-the-air) optimization technology with PaaS (Platform as a Service) architecture technology, the invention realizes dynamic optimization and updating of the security protection strategy, so that the system can flexibly cope with continuously evolving security threats and scales well.
(4) Through real-time monitoring and dynamic adjustment of the security protection strategy, the security of the big data platform is significantly improved, and the integrity, confidentiality and availability of the data are effectively protected.
(5) Automated security analysis and management reduces the need for manual intervention, lowers operation and maintenance costs, and improves the efficiency of security management.
Drawings
FIG. 1 is a flow chart of a big data security based analysis management method according to an embodiment of the invention;
FIG. 2 is a block diagram of an analysis management system based on big data security in an embodiment of the present invention;
Fig. 3 is a block diagram schematically illustrating a structure of a computer device according to an embodiment of the present invention.
The achievement of the objects, functional features and advantages of the present invention will be further described with reference to the accompanying drawings, in conjunction with the embodiments.
Detailed Description
The present invention will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present invention more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
Referring to fig. 1, a flow chart of an analysis management method based on big data security according to the present invention is provided, and the analysis management method based on big data security is used in a data platform and is communicatively connected with a plurality of big data service channel ports through the data platform, and the method includes:
S1, acquiring network protection information of a big data service channel port, the network protection information including first protection log data and first protection code data;
S2.1, at the same time, adding the first protection log data to a virus library, and recording, through the virus library, the attacked information, the protection success information and the attack means code in the first protection log data;
S2.2, at the same time, compressing the first protection code data into an OTA optimization library, creating in the OTA optimization library an OTA optimization folder for storing the first protection code data, and associating and binding the OTA optimization folder with the virus library using OTA over-the-air download technology;
S3, identifying the attack means codes using a matching tree mechanism, screening and matching the first protection log data against second protection log data of the same kind and purpose in the virus library, and identifying the second protection code data corresponding to the second protection log data;
S4, selecting an OTA optimization code from the second protection code data, and converting it into OTA optimization data by combining virtualized data updating technology with PaaS architecture technology;
and S5, optimizing the first protection code data in the OTA optimization folder with the OTA optimization data, then generating an OTA update request and sending it to the corresponding big data service channel port.
Specifically, the step of identifying the attack means code using a matching tree mechanism, screening and matching the first protection log data against second protection log data of the same kind and purpose in the virus library, and identifying the second protection code data corresponding to the second protection log data includes:
identifying the attack means code in the first protection code data, so as to determine the code type, the application field and the source code of the attack means code;
performing a first-step classification by application field using the matching tree mechanism, determining from the virus library the storage folder of the same field, and performing a second-step classification within that folder by code type, so as to mark the approximate case codes in the folder that match the code type, wherein one or more approximate case codes may match;
and forming a call instruction for the approximate case codes, so that the approximate case codes are output as the second protection code data according to the call instruction.
Further, the step of performing a first-step classification by application field using the matching tree mechanism to determine the storage folder of the same field from the virus library, and performing a second-step classification within that folder by code type to mark the approximate case codes matching the code type, includes:
using the attack means code as the first node of a matching tree;
taking the domain-specific language (DSL) of the attack means code's domain as the starting point at the first node, forming a commit query language for the first-step downward classification, and using the application field to query the virus library through the commit query for the folders of the same field, the one or more folders found being the second nodes;
rewriting the commit query language in the code language of the folder and expressing it as an ANTLR4 grammar, querying the one or more second nodes by code type, through the parser generated from that grammar, for the corresponding approximate case codes, and taking the one or more approximate case codes as the third nodes;
and forming, from the first node, the second nodes and the third nodes, a virus update query tree corresponding to the first protection code data, the virus update query tree being used for the update optimization and data calls of the virus library.
In a specific embodiment of the invention, in the process of constructing the matching tree, the known attack means code is first used as the root node, or first node, of the matching tree. The whole matching tree is therefore built around these specific attack codes, so that potential attack behaviour similar to them can later be identified quickly and accurately.
Next, the construction of the matching tree is refined using a domain-specific language (DSL) associated with the attack means code. A DSL is a computer language designed for a particular field or problem and is generally simpler and easier to understand and use than a general-purpose programming language. Here the DSL is converted into a commit query language, which is used to query the virus library for folders in the same domain as the attack means code. These folders may contain other code or information related to the attack means and are important references for building the matching tree.
The folders found by the query are taken as the second nodes of the matching tree. They may contain one or more pieces of content related to the attack means code that play a key role in the subsequent construction of the tree. Taking the folders as the second nodes extends the depth and breadth of the matching tree and improves its ability to identify potential attacks.
To query the folders more effectively for cases similar to the attack means code, the commit query language is rewritten, here as a grammar for ANTLR4. ANTLR4 is a parser generator that produces a lexer and parser from input grammar rules. By expressing the commit query language as an ANTLR4 grammar, the generated parser can be used to query cases similar to the attack means code more accurately.
Using the rewritten query, approximate case codes similar to the attack means code are queried from the second nodes (the folders) according to the code type. These approximate case codes are taken as the third nodes of the matching tree; they add detail and depth to the tree and help identify potential attack behaviour more accurately.
Finally, the first node (attack means code), the second nodes (folders) and the third nodes (approximate case codes) together form a complete virus update query tree. The query tree helps to quickly and accurately identify potential threats similar to known attack means, and it is also used for the update optimization and data calls of the virus library. By continuously updating and optimizing the virus library, the security protection capability of the big data platform is improved and the integrity and availability of the data are ensured.
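The matching tree described in the claims above and in this embodiment, as an added example that is not part of the patent: a three-level lookup over a constructed in-memory virus library. The attack means code is the first node, the folders of the same application field are the second nodes, and the approximate case codes of the same code type inside those folders, ranked by similarity to the attack code, are the third nodes; the protection codes attached to those cases are returned as the second protection code data. The patent's commit query language and its rewriting into an ANTLR4 grammar are replaced here by a tiny key=value query parsed by hand, and every name, the sample library and the sample attack string are this example's own assumptions.

```python
"""Added example (not from the patent): a three-level matching tree over a
constructed in-memory virus library. First node: the attack-means code.
Second nodes: folders of the same application field, found by a step-one
query. Third nodes: approximate case codes of the same code type inside those
folders, ranked by similarity. All names and sample data are this example's own."""
from dataclasses import dataclass
from difflib import SequenceMatcher


@dataclass(frozen=True)
class AttackCode:
    source: str      # attack-means code recorded in the first protection log data
    code_type: str   # e.g. "sql-injection"
    domain: str      # application field, e.g. "web-api"


@dataclass(frozen=True)
class CaseCode:
    folder: str
    code_type: str
    source: str
    protection_code: str   # protection code stored alongside the case


# Constructed sample library: application field -> folder -> case codes
VIRUS_LIBRARY = {
    "web-api": {
        "web-api/injection": [
            CaseCode("web-api/injection", "sql-injection",
                     "' OR 1=1 --", "reject_on_tautology_pattern"),
            CaseCode("web-api/injection", "sql-injection",
                     "' UNION SELECT username, password FROM users --",
                     "parameterize_query"),
            CaseCode("web-api/injection", "command-injection",
                     "; cat /etc/passwd", "deny_shell_metacharacters"),
        ],
        "web-api/auth": [
            CaseCode("web-api/auth", "credential-stuffing",
                     "POST /login repeated 5000 times", "rate_limit_login"),
        ],
    },
    "storage": {
        "storage/hdfs": [
            CaseCode("storage/hdfs", "sql-injection",
                     "1; DROP TABLE audit", "read_only_audit_role"),
        ],
    },
}


def compile_query(attack):
    """Step-one query in a tiny key=value DSL (this example's own syntax; the
    patent names a 'commit query language' without defining it)."""
    return f"domain={attack.domain} type={attack.code_type}"


def parse_query(query):
    return dict(part.split("=", 1) for part in query.split())


def first_step_folders(library, query):
    """Second nodes: every folder in the queried application field."""
    return sorted(library.get(parse_query(query)["domain"], {}))


def second_step_cases(library, query, attack):
    """Third nodes: cases of the queried code type inside the second-node
    folders, most similar to the attack code first. Wrong field or wrong
    code type never reaches this level."""
    q = parse_query(query)
    cases = [case
             for folder in first_step_folders(library, query)
             for case in library[q["domain"]][folder]
             if case.code_type == q["type"]]
    similarity = lambda c: SequenceMatcher(None, attack.source, c.source).ratio()
    return sorted(cases, key=similarity, reverse=True)


def build_query_tree(library, attack):
    """The virus update query tree: first node, second nodes, third nodes."""
    query = compile_query(attack)
    return {"first_node": attack.source,
            "second_nodes": first_step_folders(library, query),
            "third_nodes": second_step_cases(library, query, attack)}


def second_protection_code_data(tree):
    """Output of the call instruction: protection codes of the approximate cases."""
    return [case.protection_code for case in tree["third_nodes"]]


# Constructed sample attack: a tautology variant not literally in the library
SAMPLE_ATTACK = AttackCode("' OR '1'='1' --", "sql-injection", "web-api")

if __name__ == "__main__":
    tree = build_query_tree(VIRUS_LIBRARY, SAMPLE_ATTACK)
    print("second nodes:", tree["second_nodes"])
    print("second protection code data:", second_protection_code_data(tree))
```

The sample attack string is not in the library, yet the tree still returns the two same-field, same-type cases with the closest one first, while the `storage` field's SQL case and the command-injection case in the same folder are excluded at the first and second step respectively.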
In one embodiment, the step of selecting an OTA optimization code from the second protection code data and converting it into OTA optimization data by combining virtualized data updating technology with PaaS architecture technology includes:
matching the attacked information and the protection success information against the second protection code data, so as to select from the second protection code data an OTA optimization code for optimizing the first protection code data;
editing the configuration file of the OTA optimization code using the PaaS architecture, so that the first protection code data and the second protection code data are framed in the same PaaS architecture;
and network-bridging the OTA optimization code whose configuration file has been edited through a pre-deployed KVM virtual module, so that the OTA optimization code can be deployed onto the first protection code data in the OTA optimization folder.
In the specific implementation process:
Editing the configuration file of the OTA optimization code through the PaaS architecture: the PaaS (Platform as a Service) architecture provides an integrated environment for developing and deploying applications. In this step the system uses the PaaS architecture to edit the configuration file of the OTA optimization code, so that the first and second protection code data can be framed in the same PaaS architecture and thereby integrated seamlessly and operated together.
Network bridging through a pre-deployed KVM virtual module: KVM (Kernel-based Virtual Machine) is a virtualization technology that allows multiple virtual machines to run on the same physical server. In this step the system uses the pre-deployed KVM virtual module for network bridging, so the OTA optimization code is deployed in a virtualized environment and communicates with other system components through the bridge. This allows flexible resource allocation, isolates different security domains, and improves the overall reliability of the system.
Deploying the OTA optimization code onto the first protection code data in the OTA optimization folder: the final step deploys the OTA optimization code, after configuration file editing and network bridging, onto the first protection code data in the OTA optimization folder. In this way the first protection code data is updated and optimized in time, improving the security protection capability of the system. At the same time, by integrating the OTA optimization code with the first protection code data, the system can respond more quickly to new security threats and take corresponding protective measures.
The step of optimizing the first protection code data in the OTA optimization folder with the OTA optimization data, then generating an OTA update request and sending it to the corresponding big data service channel port includes:
deploying the OTA optimization code at the corresponding code position of the first protection code data in the OTA optimization folder;
if the first protection code data is determined to have changed, generating an OTA update request from the OTA optimization folder;
and sending the OTA update request to the big data service channel port, which, upon receiving the OTA update request, updates its code according to the change in the first protection code data.
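The selection, deployment and update-request steps above (S4 and S5), as an added example that is not part of the patent. It models the OTA optimization folder as a mapping from code position to code text, picks from the candidate second protection code data the code that matches the attacked information and improves on the recorded protection success, deploys it at its code position, and generates an OTA update request only when the folder digest actually changed. The patent does not specify a request format or say how the port checks what it receives before updating its code; this example adds an HMAC over the request and a digest of the code the port currently runs, so a forged, tampered or stale request is rejected instead of applied. The key, the candidate codes, the folder contents and all names are constructed assumptions.

```python
"""Added example (not from the patent): OTA optimization code selection,
deployment into the OTA optimization folder, and the OTA update request to
the big data service channel port. Folder, candidates, port state, key and
the HMAC/digest checks are this example's own assumptions."""
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class ProtectionCode:
    attack_type: str     # attack means the code defends against
    success_rate: float  # protection-success ratio recorded in the virus library
    position: str        # code position inside the OTA optimization folder
    source: str          # protection code text


def select_optimization_code(attacked_info, protection_success_info, candidates):
    """Match attacked information and protection success information against
    the candidates: same attack type, and a recorded success rate better than
    the port's own. Returns the best candidate or None if nothing improves."""
    better = [c for c in candidates
              if c.attack_type == attacked_info["attack_type"]
              and c.success_rate > protection_success_info["success_rate"]]
    return max(better, key=lambda c: c.success_rate, default=None)


def folder_digest(folder):
    """Stable SHA-256 over the folder's (position, source) pairs."""
    canonical = json.dumps(sorted(folder.items())).encode()
    return hashlib.sha256(canonical).hexdigest()


def apply_optimization(folder, code):
    """Deploy the code at its position; returns a new folder, old one untouched."""
    updated = dict(folder)
    updated[code.position] = code.source
    return updated


def build_update_request(port_id, old_folder, new_folder, key):
    """Generate an OTA update request only if the folder actually changed.
    The body names the digest the port is expected to be running, the digest
    it should end up with, and the changed positions; the MAC lets the port
    reject forged or tampered requests (added caveat, not in the patent)."""
    old_digest, new_digest = folder_digest(old_folder), folder_digest(new_folder)
    if old_digest == new_digest:
        return None
    changes = {p: s for p, s in new_folder.items() if old_folder.get(p) != s}
    payload = {"port": port_id, "expected_digest": old_digest,
               "new_digest": new_digest, "changes": changes}
    body = json.dumps(payload, sort_keys=True).encode()
    return {"body": body, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def port_receive(request, key, current_folder):
    """Port side: verify the MAC, check the request targets the code version
    the port actually runs, apply, and confirm the resulting digest.
    Returns (accepted, folder)."""
    expected = hmac.new(key, request["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, request["mac"]):
        return False, current_folder
    payload = json.loads(request["body"])
    if payload["expected_digest"] != folder_digest(current_folder):
        return False, current_folder   # stale: meant for a different code version
    updated = dict(current_folder)
    updated.update(payload["changes"])
    if folder_digest(updated) != payload["new_digest"]:
        return False, current_folder
    return True, updated


# Constructed sample data (not real deployments)
KEY = b"constructed-demo-key-not-for-production"
PORT_FOLDER = {
    "filters/sql.py": "def check(q): return \"'\" not in q\n",
    "filters/cmd.py": "def check(c): return ';' not in c\n",
}
ATTACKED_INFO = {"attack_type": "sql-injection", "port": "port-7"}
PROTECTION_SUCCESS = {"success_rate": 0.62}
CANDIDATES = [
    ProtectionCode("sql-injection", 0.58, "filters/sql.py",
                   "def check(q): return q.count(\"'\") < 2\n"),          # worse
    ProtectionCode("sql-injection", 0.91, "filters/sql.py",
                   "def check(q): return is_parameterized(q)\n"),          # better
    ProtectionCode("command-injection", 0.99, "filters/cmd.py",
                   "def check(c): return shlex_safe(c)\n"),                # wrong type
]


def run_demo():
    """Full S4/S5 flow: select, deploy, request, and port-side acceptance."""
    code = select_optimization_code(ATTACKED_INFO, PROTECTION_SUCCESS, CANDIDATES)
    new_folder = apply_optimization(PORT_FOLDER, code)
    request = build_update_request(ATTACKED_INFO["port"], PORT_FOLDER, new_folder, KEY)
    accepted, deployed = port_receive(request, KEY, PORT_FOLDER)
    return code, request, accepted, deployed


if __name__ == "__main__":
    chosen, req, ok, folder = run_demo()
    print("selected:", chosen.position, chosen.success_rate, "accepted:", ok)
```

Running the flow selects the 0.91 SQL-injection candidate (the 0.58 one does not improve on the port's 0.62, and the command-injection one does not match the attacked information), deploys it only at `filters/sql.py`, and the port accepts the request; the same request with its body altered, or replayed against a port running different code, is rejected and the port's folder is left unchanged.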
Referring to fig. 2, an analysis management system based on big data security according to the present invention includes:
an acquisition unit, configured to acquire network protection information of a big data service channel port, wherein the network protection information comprises first protection log data and first protection code data;
The first storage unit is used for adding the first protection log data to a virus library at the same moment, and recording the attacked information, the protection success information and the attack means code in the first protection log data through the virus library;
the second storage unit is used for compressing the first protection code data in an OTA optimizing library at the same moment, creating an OTA optimizing folder for storing the first protection code data in the OTA optimizing library, and performing association binding on the OTA optimizing folder and a virus library by using an OTA over-the-air downloading technology;
The code matching unit is used for identifying the attack means codes by utilizing a matching tree mechanism, screening and matching the first protection log data with second protection log data with the same kind of purposes in a virus library, and identifying second protection code data corresponding to the second protection log data;
The framework unit is used for selecting an OTA optimization code in the second protection code data, and converting the OTA optimization code into OTA optimization data by combining a virtualization data updating technology and a paas architecture technology;
And the optimization updating unit is used for optimizing the first protection code data in the OTA optimization folder through the OTA optimization data, and then generating an OTA updating request and sending the OTA updating request to the corresponding big data service channel port.
Specifically, the code matching unit includes:
The identification module is used for identifying the attack means code in the first protection code data so as to identify the code type, the application field and the source code of the attack means code;
The matching tree module is used for carrying out first-step classification according to the application field by utilizing a matching tree mechanism, determining a storage folder in the same field from a virus library, and carrying out second-step classification from the folder through a code type so as to mark approximate case codes matched with the code type in the folder, wherein the matched approximate case codes comprise one or more items;
and the calling module is used for forming a calling instruction for the approximate case code so as to output the approximate case code as the second protection code data according to the calling instruction.
Specifically, the matching tree module includes:
A first node sub-module, which uses the attack means code as a first node of a matching tree;
A second node submodule, configured to take the domain-specific language (DSL) of the attack means code domain as the first node and perform the first-step downward classification with a commit query language, using the application domain to query, through the commit query, the folders of the same domain in the virus library, wherein the one or more folders found serve as the second nodes;
A third node submodule, configured to rewrite the commit query language in combination with the code language of the folder, writing it in the ANTLR4 language, to query the corresponding approximate case codes from the one or more second nodes by code type through the ANTLR4 language, and to take the one or more approximate case codes of the second nodes as the third nodes;
And the query tree module is used for forming a virus update query tree corresponding to the first protection code through the first node, the second node and the third node, wherein the virus update query tree is used for updating optimization and data calling of a virus library.
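As an added example (not the patent's implementation), the following Python builds the three-level matching tree described above: the attack means code as the first node, the virus-library folders of the same application field as the second nodes, and the approximate case codes of matching code type as the third nodes, and then outputs them as second protection code data. The commit query language and the ANTLR4 rewrite are replaced by plain Python filtering; the Jaccard purpose similarity, the library layout and all names are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Virus library layout assumed by this example: application field -> folder name -> case code entries.
VirusLibrary = Dict[str, Dict[str, List["CaseCode"]]]


@dataclass(frozen=True)
class CaseCode:
    """One entry stored in a virus-library folder: a protection code sample and what it is for."""
    code_type: str      # e.g. "sql-injection"
    purpose: str        # the kind of purpose recorded with the second protection log data
    code: str


@dataclass(frozen=True)
class AttackMeansCode:
    """The attack means code identified in the first protection log data (the first node)."""
    code_type: str
    application_field: str
    source: str
    description: str    # attacked information from the log, used to rank approximate matches


def _tokens(text: str) -> set:
    return set(text.lower().split())


def purpose_similarity(a: str, b: str) -> float:
    """Jaccard overlap of word tokens; stands in for the 'same kind of purpose' matching."""
    ta, tb = _tokens(a), _tokens(b)
    return len(ta & tb) / len(ta | tb) if (ta | tb) else 0.0


@dataclass
class MatchingTree:
    first_node: AttackMeansCode
    second_nodes: Dict[str, List[CaseCode]] = field(default_factory=dict)  # folder -> stored entries
    third_nodes: Dict[str, List[CaseCode]] = field(default_factory=dict)   # folder -> approximate case codes


def build_matching_tree(attack: AttackMeansCode, library: VirusLibrary,
                        min_similarity: float = 0.1) -> MatchingTree:
    """Two-step classification: the application field selects folders, the code type selects case codes."""
    tree = MatchingTree(first_node=attack)
    # Step 1: every folder stored under the same application field becomes a second node.
    tree.second_nodes = {name: list(entries)
                         for name, entries in library.get(attack.application_field, {}).items()}
    # Step 2: inside each folder, keep entries of the same code type whose purpose resembles the attack.
    for folder, entries in tree.second_nodes.items():
        scored = [(purpose_similarity(e.purpose, attack.description), e) for e in entries
                  if e.code_type == attack.code_type]
        matched = [e for score, e in sorted(scored, key=lambda se: -se[0]) if score >= min_similarity]
        if matched:
            tree.third_nodes[folder] = matched
    return tree


def call_instruction(tree: MatchingTree) -> List[str]:
    """Output the approximate case codes as second protection code data, best match first."""
    ranked = sorted(
        (e for codes in tree.third_nodes.values() for e in codes),
        key=lambda e: -purpose_similarity(e.purpose, tree.first_node.description),
    )
    return [e.code for e in ranked]


def virus_update_query_tree(tree: MatchingTree) -> dict:
    """Flatten the three node levels into a plain structure usable for library updates and data calls."""
    return {
        "first_node": tree.first_node.source,
        "second_nodes": sorted(tree.second_nodes),
        "third_nodes": {folder: [e.code for e in codes] for folder, codes in tree.third_nodes.items()},
    }
```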
Referring to fig. 3, an embodiment of the present invention further provides a computer device, which may be a server, whose internal structure may be as shown in fig. 3. The computer device includes a processor, a memory, a display screen, an input device, a network interface and a database connected by a system bus. The processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program and a database. The internal memory provides the environment in which the operating system and the computer program in the non-volatile storage medium run. The database of the computer device is used to store the data of this embodiment. The network interface of the computer device is used to communicate with an external terminal over a network connection. The computer program, when executed by the processor, implements the above method.
It will be appreciated by those skilled in the art that the architecture shown in fig. 3 is merely a block diagram of a portion of the architecture in connection with the present inventive arrangements and is not intended to limit the computer devices to which the present inventive arrangements are applicable.
An embodiment of the present invention also provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the above method. It is understood that the computer readable storage medium in this embodiment may be a volatile readable storage medium or a nonvolatile readable storage medium.
Those skilled in the art will appreciate that all or part of the methods described above may be implemented by a computer program stored on a non-transitory computer-readable storage medium, which, when executed, may include the steps of the method embodiments described above. Any reference to memory, storage, a database or another medium provided by the present invention and used in the embodiments may include non-volatile and/or volatile memory. Non-volatile memory may include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM) or flash memory. Volatile memory may include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in many forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDRSDRAM), enhanced SDRAM (ESDRAM), synchronous link (Synchlink) DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM) and Rambus dynamic RAM.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, apparatus, article, or method that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, apparatus, article, or method. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, apparatus, article, or method that comprises the element.
The foregoing description is only of the preferred embodiments of the present invention and is not intended to limit the scope of the invention, and all equivalent structures or equivalent processes using the descriptions and drawings of the present invention or direct or indirect application in other related technical fields are included in the scope of the present invention.

Claims (10)

1. An analysis management method based on big data security, applied to a data platform that is communicatively connected with a plurality of big data service channel ports, characterized by comprising the following steps:
Acquiring network protection information of a big data service channel port, wherein the network protection information comprises first protection log data and first protection code data;
at the same moment, adding the first protection log data into a virus library, and recording the attacked information, the protection success information and the attack means code in the first protection log data through the virus library;
At the same moment, the first protection code data is compressed in an OTA optimizing library, an OTA optimizing folder for storing the first protection code data is created in the OTA optimizing library, and the OTA optimizing folder and a virus library are associated and bound by using an OTA over-the-air downloading technology;
Identifying the attack means codes by using a matching tree mechanism, screening and matching the first protection log data with second protection log data with the same kind of purpose in a virus library, and identifying second protection code data corresponding to the second protection log data;
Selecting an OTA optimization code in the second protection code data, and converting the OTA optimization code into OTA optimization data by combining a virtualization data updating technology and a paas architecture technology;
and optimizing the first protection code data in the OTA optimization folder through the OTA optimization data, and then generating an OTA update request and sending the OTA update request to the corresponding big data service channel port.
2. The analysis and management method based on big data security according to claim 1, wherein the step of identifying the attack means code by using a matching tree mechanism, screening and matching the first protection log data with second protection log data of the same kind of purpose in the virus library, and identifying the second protection code data corresponding to the second protection log data includes:
Identifying the attack means code in the first protection code data to identify the code type, the application field and the source code of the attack means code;
Performing first-step classification according to the application field by using a matching tree mechanism, determining a storage folder in the same field from a virus library, and performing second-step classification from the folder by using a code type to mark approximate case codes matched with the code type in the folder, wherein the matched approximate case codes comprise one or more items;
And forming a call instruction for the approximate case code, so that the approximate case code is output as the second protection code data according to the call instruction.
3. The analysis management method based on big data security according to claim 2, wherein the step of performing a first step of classification according to application fields by using a matching tree mechanism, determining a storage folder in the same field from a virus library, and performing a second step of classification from the folder by code types to map out approximate case codes matched with the code types in the folder, comprises:
Using the attack means code as a first node of a matching tree;
using the domain-specific language (DSL) of the attack means code domain as the first node and performing the first-step downward classification with a commit query language, using the application domain to query, through the commit query, the folders of the same domain in the virus library, wherein the one or more folders found serve as the second nodes;
rewriting the commit query language in combination with the code language of the folder, writing it in the ANTLR4 language, querying the corresponding approximate case codes from the one or more second nodes by code type through the ANTLR4 language, and taking the one or more approximate case codes as the third nodes;
And forming a virus update query tree corresponding to the first protection code through the first node, the second node and the third node, wherein the virus update query tree is used for updating optimization and data call of a virus library.
4. The analysis and management method based on big data security according to claim 1, wherein the step of selecting an OTA optimization code in the second protection code data and transforming the OTA optimization code into OTA optimization data by combining a virtualized data update technique and a paas architecture technique comprises:
Matching the attacked information, the protection success information and the second protection code data to select an OTA optimization code for optimizing the first protection code data from the second protection code data;
Editing the configuration file of the OTA optimization code by using the paas architecture, so that the first protection code data and the second protection code data are framed in the same paas architecture;
And carrying out network bridging on the OTA optimization codes edited by the configuration file by utilizing a pre-deployed KVM virtual module, so as to be used for deploying the OTA optimization codes on the first protection code data of the OTA optimization folder.
5. The big data security based analysis management method according to claim 1, wherein the step of optimizing the first protection code data in the OTA optimization folder by the OTA optimization data, and then generating an OTA update request and sending the OTA update request to the corresponding big data service channel port includes:
deploying the OTA optimization code on a corresponding code position of first protection code data of an OTA optimization folder;
If the first protection code data is judged to be changed and updated, generating an OTA update request by the OTA optimization folder;
And sending the OTA update request to a big data service channel port, and updating codes of the corresponding big data service channel port according to the change of the first protection code data if the big data service channel port receives the OTA update request.
6. An analysis management system based on big data security, comprising:
an acquisition unit, configured to acquire network protection information of a big data service channel port, wherein the network protection information comprises first protection log data and first protection code data;
The first storage unit is used for adding the first protection log data to a virus library at the same moment, and recording the attacked information, the protection success information and the attack means code in the first protection log data through the virus library;
the second storage unit is used for compressing the first protection code data in an OTA optimizing library at the same moment, creating an OTA optimizing folder for storing the first protection code data in the OTA optimizing library, and performing association binding on the OTA optimizing folder and a virus library by using an OTA over-the-air downloading technology;
The code matching unit is used for identifying the attack means codes by utilizing a matching tree mechanism, screening and matching the first protection log data with second protection log data with the same kind of purposes in a virus library, and identifying second protection code data corresponding to the second protection log data;
The framework unit is used for selecting an OTA optimization code in the second protection code data, and converting the OTA optimization code into OTA optimization data by combining a virtualization data updating technology and a paas architecture technology;
And the optimization updating unit is used for optimizing the first protection code data in the OTA optimization folder through the OTA optimization data, and then generating an OTA updating request and sending the OTA updating request to the corresponding big data service channel port.
7. The big data security based analysis management system of claim 6, wherein the code matching unit comprises:
The identification module is used for identifying the attack means code in the first protection code data so as to identify the code type, the application field and the source code of the attack means code;
The matching tree module is used for carrying out first-step classification according to the application field by utilizing a matching tree mechanism, determining a storage folder in the same field from a virus library, and carrying out second-step classification from the folder through a code type so as to mark approximate case codes matched with the code type in the folder, wherein the matched approximate case codes comprise one or more items;
and the calling module is used for forming a calling instruction for the approximate case code so as to output the approximate case code as the second protection code data according to the calling instruction.
8. The big data security based analytics management system of claim 7, wherein the matching tree module comprises:
A first node sub-module, which uses the attack means code as a first node of a matching tree;
A second node submodule, configured to take the domain-specific language (DSL) of the attack means code domain as the first node and perform the first-step downward classification with a commit query language, using the application domain to query, through the commit query, the folders of the same domain in the virus library, wherein the one or more folders found serve as the second nodes;
A third node submodule, configured to rewrite the commit query language in combination with the code language of the folder, writing it in the ANTLR4 language, to query the corresponding approximate case codes from the one or more second nodes by code type through the ANTLR4 language, and to take the one or more approximate case codes of the second nodes as the third nodes;
And the query tree module is used for forming a virus update query tree corresponding to the first protection code through the first node, the second node and the third node, wherein the virus update query tree is used for updating optimization and data calling of a virus library.
9. A computer device comprising a memory and a processor, the memory having stored therein a computer program, characterized in that the processor, when executing the computer program, implements the steps of the big data security based analysis management method of any of claims 1 to 5.
10. A computer-readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the big data security based analysis management method of any of claims 1 to 5.
CN202410289835.7A 2024-03-14 2024-03-14 Analysis management method and system based on big data security Active CN117909978B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410289835.7A CN117909978B (en) 2024-03-14 2024-03-14 Analysis management method and system based on big data security

Publications (2)

Publication Number Publication Date
CN117909978A true CN117909978A (en) 2024-04-19
CN117909978B CN117909978B (en) 2024-06-28

Family

ID=90684207

Country Status (1)

Country Link
CN (1) CN117909978B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant