WO2019075637A1 - Method and device for detecting input/output request behavior, and storage medium - Google Patents


Publication number
WO2019075637A1
Authority
WO
WIPO (PCT)
Prior art keywords
concept
input
output request
request behavior
generated
Prior art date
Application number
PCT/CN2017/106543
Other languages
French (fr)
Chinese (zh)
Inventor
谭喆
姚开方
裴卫斌
Original Assignee
深圳中兴力维技术有限公司
Priority date
Filing date
Publication date
Application filed by 深圳中兴力维技术有限公司 filed Critical 深圳中兴力维技术有限公司
Priority to CN201780030666.3A priority Critical patent/CN109716723B/en
Priority to PCT/CN2017/106543 priority patent/WO2019075637A1/en
Publication of WO2019075637A1 publication Critical patent/WO2019075637A1/en

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Definitions

  • the present invention relates to the field of network security technologies, and in particular, to a method and device for detecting input and output request behavior, and a computer readable storage medium.
  • the main object of the present invention is to provide a method and apparatus for detecting input and output request behavior, and a computer readable storage medium, aiming at solving the problems of the prior art.
  • a first aspect of the embodiments of the present invention provides a method for detecting an input/output request behavior, where the method includes the following steps:
  • concept lattice pre-construction is performed on the generated concept, and it is determined whether a sub-top-layer concept would be generated;
  • selection information about whether to pass or reject the input/output request behavior is generated, and the user's selection operation is received to perform corresponding processing.
  • the information in the input/output request behavior includes one or more of: the input/output request packet body itself, source address information, destination address information, the time at which the input/output request occurred, and whether it is an intermediate routing packet.
  • the trained concept lattice model is implemented by the following steps:
  • among the generated concepts, the concept with the largest extent and smallest intent is recorded as the top-layer concept, and the concept with the smallest extent and largest intent is recorded as the bottom-layer concept; the parent-child relationship between the top-layer concept and the bottom-layer concept is constructed and a concept lattice is formed.
  • performing extent instantiation and intent generalization from top to bottom includes:
  • the operation of intersecting extents and uniting intents is performed from top to bottom.
  • the receiving the user's selection operation to perform corresponding processing includes:
  • if the received user selection operation is to pass the input/output request behavior, the generated concept is added to the trained concept lattice model, and a new concept lattice model is formed;
  • a second aspect of the embodiments of the present invention provides a device for detecting input/output request behavior, where the device includes a filtering module, a rule recognition judgment module, and a behavior admission module; [0021] the filtering module is configured to filter the network driver and intercept the input/output request behavior in the network driver, and to mark the information in the intercepted input/output request behavior and generate a concept;
  • the rule recognition judgment module is configured to perform, according to the trained concept lattice model, concept lattice pre-construction on the concept generated by the filtering module and determine whether a sub-top-layer concept would be generated;
  • the behavior admission module is configured to, if a sub-top-layer concept is generated, generate selection information about whether to pass or reject the input/output request behavior, and receive the user's selection operation to perform corresponding processing.
  • the device further includes a concept lattice construction module;
  • the concept lattice construction module is configured to filter the network driver and intercept the input/output request behavior in the network driver, and to mark the information in the intercepted input/output request behavior and generate a concept; [0026] among the generated concepts, the concept with the largest extent and smallest intent is recorded as the top-layer concept, and the concept with the smallest extent and largest intent is recorded as the bottom-layer concept; the parent-child relationship between the top-layer concept and the bottom-layer concept is constructed and a concept lattice is formed.
  • the behavior admission module includes a model lattice self-learning unit and a blocking unit;
  • the model lattice self-learning unit is configured to, if the received user selection operation is to pass the input/output request behavior, add the generated concept to the trained concept lattice model and form a new concept lattice model;
  • the blocking unit is configured to, if the received user selection operation is to reject the input/output request behavior, block the execution thread of the input/output request behavior and report to the user interface.
  • a third aspect of the embodiments of the present invention provides a device for detecting input/output request behavior, the device including: a memory, a processor, and a detection program for input/output request behavior that is stored in the memory and can run on the processor; when the detection program is executed by the processor, the steps of the detection method for input/output request behavior described in the first aspect are implemented.
  • a fourth aspect of the embodiments of the present invention provides a computer readable storage medium storing a detection program for input/output request behavior; when the detection program is executed by a processor, the steps of the detection method for input/output request behavior described in the first aspect are implemented.
  • the method and device for detecting input/output request behavior and the computer readable storage medium provided by the embodiments of the present invention can collect statistics on the direction information, time information and the like of IO request behavior and form a binary structure, thereby constructing these binary sample structures into a concept lattice model; through the constructed concept lattice model, legitimate IO request behavior is permitted; once the concept lattice model is constructed, the tendency towards abnormal IO request behavior can be supervised, and self-learning and concept lattice structure optimization can be carried out by user decision.
  • Brief description of the drawings
  • FIG. 1 is a schematic diagram of a hierarchical structure of a network protocol stack filter driver according to an embodiment of the present invention
  • FIG. 2 is a schematic flow chart of a method for detecting an input/output request behavior according to a first embodiment of the present invention
  • FIG. 3 is a schematic flowchart of another method for detecting an input/output request behavior according to a first embodiment of the present invention.
  • FIG. 4 and FIG. 8 are schematic diagrams showing a structure of a concept lattice construction process according to an embodiment of the present invention.
  • FIG. 9 is a schematic structural diagram of an apparatus for detecting an input/output request behavior according to a second embodiment of the present invention.
  • FIG. 10 is another schematic structural diagram of an apparatus for detecting an input/output request behavior according to a second embodiment of the present invention.
  • FIG. 11 is a schematic structural diagram of the behavior admission module in an apparatus for detecting input and output request behavior according to a second embodiment of the present invention.
  • FIG. 12 is a schematic diagram showing the sequence structure of each module in the apparatus for detecting input and output request behavior according to the second embodiment of the present invention.
  • FIG. 13 is a schematic structural diagram of an apparatus for detecting an input/output request behavior according to a third embodiment of the present invention.
  • Network protocol stack filter driver technology is a very mature technology. In the Windows NT operating system, the network protocol is hierarchical. From the bottom up, it is the NIC (Network Interface Card Adapter) driver, NDIS (Network Driver Interface Specification), the TCP/IP (Transmission Control Protocol/Internet Protocol) driver, AFD (Auxiliary Function)
  • the network protocol stack filter driver hierarchy can be seen in Figure 1.
  • a layer of filter driver can be added between two layers of drivers to intercept network IO (Input and Output) request packets for monitoring purposes.
  • the intercepted content may be the source address of the IO request packet, the source port, the destination address, the destination port, whether it is uplink or downlink, and the like.
  • Concept Lattice is a discrete mathematical model commonly used in data mining and machine learning.
  • a concept lattice is a partially ordered set with concepts as its elements. It can be visualized by a Hasse diagram, where each node is a concept.
  • the concept lattice structure model is derived from FCA (Formal Concept Analysis) theory and is the core data analysis tool in FCA. It essentially describes the relationship between objects (samples) and attributes (features).
  • The lattice L induced by the formal context (O, D, R) is called a concept lattice.
  • Each node in L is an ordered pair, called a concept, denoted (X, Y), where X is called the extent of the concept (X, Y) and Y is called the intent of the concept (X, Y).
  • a first embodiment of the present invention provides a method for detecting an input/output request behavior, where the method includes the following steps:
  • the information in the input/output request behavior includes one or more of: the input/output request packet body itself, source address information, destination address information, the time at which the input/output request occurred, and whether it is an intermediate routing packet.
  • the source address is 192.168.1.101.
  • the extension attribute can be marked as 1, the extension source port.
  • the IO request packet itself can be marked as an intent.
  • the concept lattice model is imagined as an inverted tree: the bottom-layer concept is the tree root, the first-layer concept under the top-layer concept is a leaf, and the top-layer concept is actually a leaf.
  • the formation of leaves indicates that, apart from the top-layer concept, the leaf node has the largest extent and the smallest intent, which in turn can explain the latest process of request behavior.
  • the trained concept lattice model is implemented by the following steps:
  • [0061] 121: filter the network driver and intercept the input/output request behavior in the network driver; mark the information in the intercepted input/output request behavior and generate a concept;
  • in order to better understand the construction process of the trained concept lattice model, an example is described with reference to FIGS. 4-8.
  • the top-layer concept 5# ({1,2,3,4,5,6,7,8} is the concept with the largest extent and smallest intent; the bottom-layer concept 6# ({NULL}, {a, b, c, d})
  • the parent-child relationship between the top-layer concept and the bottom-layer concept is constructed and the initial concept lattice is formed, in which the top-layer concept is above and the bottom-layer concept is below; the initial concept lattice formed is shown in Figure 4.
  • the 1# concept is added to the initial concept lattice, extent instantiation and intent generalization are performed, and the parent-child relationship is updated.
  • a new concept lattice can be formed as shown in FIG. 5.
  • the 1# concept and the top-layer concept undergo the extent-intersection and intent-union operation; the generated new concept is the same as the 1# concept, but exists as a child concept of the top-layer concept;
  • the 1# concept and the bottom-layer concept undergo the extent-intersection and intent-union operation; the generated concept is also the same as the 1# concept, but exists as a parent concept of the bottom-layer concept.
  • the 3# concept is added to the concept lattice in FIG. 6, the operation is performed and the parent-child relationship is updated, and a new concept lattice is formed as shown in FIG. 7.
  • when the 3# concept is added to the concept lattice structure shown in FIG. 6, it can be seen that the 3# concept is a child concept of the 2# concept, the extent of the 3# concept being a subset of that of the 2# concept, and that its operation with the 1# concept forms a new concept ({5, 7}, {a, b, c}), which exists as a child node of the 3# concept, thus forming a concept lattice structure as shown in FIG.
  • the 4# concept is added to the concept lattice in FIG. 7, the operation is performed and the parent-child relationship is updated, and a new concept lattice is formed as shown in FIG. 8. At this point the concept lattice is fully constructed.
  • receiving the user's selection operation to perform corresponding processing includes:
  • if the received user selection operation is to pass the input/output request behavior, the generated concept is added to the trained concept lattice model, and a new concept lattice model is formed;
  • the method for detecting input/output request behavior can collect statistics on the direction information, time information and the like of IO request behavior and form a binary structure, thereby constructing these binary sample structures into a concept lattice model; through the constructed concept lattice model, legitimate IO request behavior is permitted; once the concept lattice model is constructed, the tendency towards abnormal IO request behavior can be supervised, and self-learning and concept lattice structure optimization can be carried out by user decision.
  • a second embodiment of the present invention provides a device for detecting input/output request behavior, wherein the device includes a filtering module 21, a rule recognition judgment module 22, and a behavior admission module 23;
  • the filtering module 21 is configured to filter the network driver and intercept the input/output request behavior in the network driver, and to mark the information in the intercepted input/output request behavior and generate a concept;
  • the rule recognition judgment module 22 is configured to perform, according to the trained concept lattice model, concept lattice pre-construction on the concept generated by the filtering module 21 and determine whether a sub-top-layer concept would be generated;
  • the behavior admission module 23 is configured to, if a sub-top-layer concept is generated, generate selection information about whether to pass or reject the input/output request behavior, and receive the user's selection operation to perform corresponding processing.
  • the behavior admission module 23 includes a model lattice self-learning unit.
  • the model lattice self-learning unit 231 is configured to, if the received user selection operation is to pass the input/output request behavior, add the generated concept to the trained concept lattice model and form a new concept lattice model;
  • the blocking unit 232 is configured to, if the received user selection operation is to reject the input/output request behavior, block the execution thread of the input/output request behavior and report to the user interface.
  • the device further includes a concept lattice construction module 24;
  • the concept lattice construction module 24 is configured to filter the network driver and intercept the input/output request behavior in the network driver, and to mark the information in the intercepted input/output request behavior and generate a concept;
  • among the generated concepts, the concept with the largest extent and smallest intent is recorded as the top-layer concept, and the concept with the smallest extent and largest intent is recorded as the bottom-layer concept; the parent-child relationship between the top-layer concept and the bottom-layer concept is constructed and a concept lattice is formed.
  • the filtering module filters the network driver and intercepts the IO request behavior in the network driver (the IO request packets in the figure); it marks the information in the intercepted IO request behavior and generates a concept, and the concept lattice construction module then trains the concept lattice model from the generated concepts.
  • the filtering module filters the network driver again, intercepts the IO request behavior in the network driver, marks the information in the intercepted IO request behavior, and generates a concept.
  • according to the concept lattice model trained by the concept lattice construction module, the rule recognition judgment module performs concept lattice pre-construction on the generated concept to determine whether a sub-top-layer concept would be generated.
  • if a sub-top-layer concept is generated, the behavior admission module generates selection information about whether to pass or reject the input/output request behavior, and receives the user's selection operation to perform corresponding processing.
  • if the received user selection operation is to pass the input/output request behavior, the generated concept is added to the trained concept lattice model by the model lattice self-learning unit, and a new concept lattice model is formed.
  • the apparatus for detecting input/output request behavior provided by the embodiment of the present invention can collect statistics on the direction information, time information and the like of IO request behavior and form a binary structure, thereby constructing these binary sample structures into a concept lattice model; through the constructed concept lattice model, legitimate IO request behavior is permitted; once the model is built, the tendency towards abnormal IO request behavior can be supervised, and self-learning and concept lattice structure optimization can be carried out by user decision.
  • a third embodiment of the present invention provides a device for detecting input and output request behavior, and the device for detecting input and output request behavior includes: a memory 31, a processor 32, and a memory stored in the memory.
  • concept lattice pre-construction is performed on the generated concept, and it is determined whether a sub-top-layer concept would be generated;
  • the detection program of the input/output request behavior is executed by the processor 32, and is also used to implement the steps of the detection method of the input/output request behavior described below:
  • the information in the input/output request behavior includes one or more of the input/output request packet body itself, the source address information, the destination address information, the input/output request occurrence time, and whether it is an intermediate routing packet.
  • the detection program of the input/output request behavior is executed by the processor 32, and is also used to implement the steps of the detection method of the input/output request behavior described below:
  • among the generated concepts, the concept with the largest extent and smallest intent is recorded as the top-layer concept, and the concept with the smallest extent and largest intent is recorded as the bottom-layer concept; the parent-child relationship between the top-layer concept and the bottom-layer concept is constructed and a concept lattice is formed.
  • the detection program of the input/output request behavior is executed by the processor 32, and is also used to implement the steps of the detection method of the input/output request behavior described below:
  • performing extent instantiation and intent generalization from top to bottom includes:
  • the operation of intersecting extents and uniting intents is performed from top to bottom.
  • the detection program of the input/output request behavior is executed by the processor 32, and is also used to implement the steps of the detection method of the input/output request behavior described below:
  • receiving the user's selection operation to perform corresponding processing includes:
  • if the received user selection operation is to reject the input/output request behavior, the execution thread of the input/output request behavior is blocked and reported to the user interface.
  • the apparatus for detecting input/output request behavior provided by the embodiment of the present invention can collect statistics on the direction information, time information and the like of IO request behavior and form a binary structure, thereby constructing these binary sample structures into a concept lattice model; through the constructed concept lattice model, legitimate IO request behavior is permitted; once the concept lattice model is constructed, the tendency towards abnormal IO request behavior can be supervised, and self-learning and concept lattice structure optimization can be carried out by user decision.
  • a fourth embodiment of the present invention provides a computer readable storage medium, wherein the computer readable storage medium stores a detection program for input/output request behavior; when the detection program is executed by a processor, the steps of the detection method of the input/output request behavior described in the first embodiment are implemented.
  • the computer readable storage medium can collect statistics on the direction information, time information and the like of IO request behavior and form a binary structure, thereby constructing these binary sample structures into a concept lattice model; through the constructed concept lattice model, legitimate IO request behavior is permitted; once the concept lattice model is constructed, the tendency towards abnormal IO request behavior can be supervised, and self-learning and concept lattice structure optimization can be carried out by user decision.
  • the method and device for detecting input/output request behavior and the computer readable storage medium provided by the embodiments of the present invention can collect statistics on the direction information, time information and the like of IO request behavior and form a binary structure, thereby constructing these binary sample structures into a concept lattice model; through the constructed concept lattice model, legitimate IO request behavior is permitted; once the concept lattice model is constructed, the tendency towards abnormal IO request behavior can be supervised, and self-learning and concept lattice structure optimization can be carried out by user decision.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A method and device for detecting an input/output request behavior, and a computer readable storage medium. The method comprises the steps of: filtering a network driver to intercept an input/output request behavior in the network driver; marking information in the intercepted input/output request behavior and generating a concept (11, 121); according to a trained concept lattice model, carrying out concept lattice pre-construction on the generated concept and determining whether a sub-top-layer concept can be generated (12); and if the sub-top-layer concept is generated, generating selection information about whether to pass or reject the input/output request behavior, and receiving a user's selection operation to perform corresponding processing (13). According to the method, a legitimate IO request behavior is permitted by means of a constructed concept lattice model. After a concept lattice model is constructed, the tendency towards an abnormal IO request behavior can be supervised, and self-learning and concept lattice structure optimization can be carried out by means of a user decision.

Description

Method and device for detecting input/output request behavior, and storage medium
Technical Field
[0001] The present invention relates to the field of network security technologies, and in particular to a method and device for detecting input/output request behavior, and a computer readable storage medium.
Background Art
[0002] With the development of the Internet, network security has become an increasingly serious problem. Web (World Wide Web) attacks, ARP (Address Resolution Protocol) attacks, SYN (Synchronous) attacks and many other forms of network attack emerge one after another, seriously harming the normal use of the Internet.
[0003] Therefore, how to analyze, identify and filter these constantly emerging network attacks has become a very important research topic.
Technical Problem
[0004] The main object of the present invention is to provide a method and device for detecting input/output request behavior, and a computer readable storage medium, aiming to solve the problems of the prior art.
Solution to the Problem
Technical Solution
[0005] To achieve the above object, a first aspect of the embodiments of the present invention provides a method for detecting input/output request behavior, the method comprising the steps of:
[0006] filtering the network driver and intercepting the input/output request behavior in the network driver; marking the information in the intercepted input/output request behavior and generating a concept;
[0007] according to a trained concept lattice model, performing concept lattice pre-construction on the generated concept and determining whether a sub-top-layer concept would be generated;
[0008] if a sub-top-layer concept is generated, generating selection information about whether to pass or reject the input/output request behavior, and receiving the user's selection operation to perform corresponding processing.
[0009] Optionally, the information in the input/output request behavior includes one or more of: the input/output request packet body itself, source address information, destination address information, the time at which the input/output request occurred, and whether it is an intermediate routing packet.
[0010] Optionally, the trained concept lattice model is obtained through the following steps:
[0011] filtering the network driver and intercepting the input/output request behavior in the network driver; marking the information in the intercepted input/output request behavior and generating a concept;
[0012] among the generated concepts, recording the concept with the largest extent and smallest intent as the top-layer concept and the concept with the smallest extent and largest intent as the bottom-layer concept, constructing the parent-child relationship between the top-layer concept and the bottom-layer concept, and forming a concept lattice;
[0013] selecting one generated concept and, according to the formed concept lattice, performing extent instantiation and intent generalization from top to bottom and generating new concepts; for the generated new concepts, adjusting the parent-child relationships between concepts;
[0014] repeating the previous step until all generated concepts have been processed and the final concept lattice is generated.
[0015] Optionally, performing extent instantiation and intent generalization from top to bottom includes:
[0016] performing, from top to bottom, the operation of intersecting extents and uniting intents.
[0017] Optionally, receiving the user's selection operation to perform corresponding processing includes:
[0018] if the received user selection operation is to pass the input/output request behavior, adding the generated concept to the trained concept lattice model and forming a new concept lattice model;
[0019] if the received user selection operation is to reject the input/output request behavior, blocking the execution thread of the input/output request behavior and reporting to the user interface.
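The admission check of paragraphs [0005] to [0019], as an added example that is not part of the patent text: it trains a concept lattice from marked requests, trial-inserts a new request, and asks the user only when a new concept appears directly under the top concept. Assumptions: the standard formal concept analysis reading (requests as objects, marked fields as attributes), the interpretation of "sub-top-layer concept" stated in the code, all function names, and every sample value except the address 192.168.1.101.

```python
"""Added illustration: concept-lattice admission check for intercepted IO requests.
Assumption: standard formal concept analysis, requests = objects, marked fields = attributes."""

def add_row(intents, attrs):
    """Add one request's attribute set, keeping the intents closed under intersection."""
    return intents | {attrs & y for y in intents} | {attrs}

def build_intents(rows):
    """Intents of every concept the trained requests induce (bottom concept omitted)."""
    intents = set()
    for attrs in rows:
        intents = add_row(intents, attrs)
    return intents

def concepts(rows):
    """(extent, intent) pairs, largest extent first; extent = indices of matching requests."""
    pairs = [(frozenset(i for i, r in enumerate(rows) if y <= r), y)
             for y in build_intents(rows)]
    return sorted(pairs, key=lambda c: -len(c[0]))

def preconstruct(rows, request):
    """Trial-insert a request; return (created intents, created sub-top-layer intents)."""
    before = build_intents(rows)
    after = add_row(before, request)
    top = frozenset.intersection(*after)      # intent of the top concept after insertion
    created = after - before
    # Assumed reading of "sub-top-layer": a new concept with nothing between it and the top.
    sub_top = {y for y in created
               if y != top and not any(top < j < y for j in after)}
    return created, sub_top

def admit(rows, request, ask_user):
    """Allow silently, or ask the user; a pass is learned, a reject is blocked."""
    _, sub_top = preconstruct(rows, request)
    if not sub_top:
        return "allow"
    if ask_user(request, sub_top):
        rows.append(request)                  # self-learning: extend the trained model
        return "learned"
    return "blocked"                          # caller blocks the thread and reports to the UI

def req(src, dst, dport, direction):
    """Mark the fields of one intercepted request as attributes."""
    return frozenset({f"src={src}", f"dst={dst}", f"dport={dport}", direction})

# Constructed sample traffic; only 192.168.1.101 appears in the patent text.
TRAINED = [
    req("192.168.1.101", "10.0.0.5", 443, "uplink"),
    req("192.168.1.101", "10.0.0.5", 80, "uplink"),
    req("192.168.1.101", "10.0.0.9", 443, "uplink"),
]
NEW_PORT = req("192.168.1.101", "10.0.0.5", 8080, "uplink")   # refines a known concept
UNRELATED = req("203.0.113.7", "192.168.1.101", 3389, "downlink")  # shares nothing

if __name__ == "__main__":
    for extent, intent in concepts(TRAINED):
        print(sorted(extent), sorted(intent))
    model = list(TRAINED)
    for name, r in [("repeat", TRAINED[0]), ("new port", NEW_PORT), ("unrelated", UNRELATED)]:
        print(name, "->", admit(model, r, ask_user=lambda request, sub_top: False))
```

Under this reading, a new destination port towards an already generalized source/destination pair creates a concept deeper in the lattice and is not flagged, while a request that shares no attribute with the trained traffic is.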
[0020] Secondly, to achieve the above object, a second aspect of the embodiments of the present invention provides a device for detecting input/output request behavior, the device comprising a filtering module, a rule recognition judgment module, and a behavior admission module;
[0021] the filtering module is configured to filter the network driver and intercept the input/output request behavior in the network driver, and to mark the information in the intercepted input/output request behavior and generate a concept;
[0022] the rule recognition judgment module is configured to perform, according to the trained concept lattice model, concept lattice pre-construction on the concept generated by the filtering module and determine whether a sub-top-layer concept would be generated;
[0023] the behavior admission module is configured to, if a sub-top-layer concept is generated, generate selection information about whether to pass or reject the input/output request behavior, and receive the user's selection operation to perform corresponding processing.
[0024] Optionally, the device further includes a concept lattice construction module;
[0025] the concept lattice construction module is configured to filter the network driver and intercept the input/output request behavior in the network driver, and to mark the information in the intercepted input/output request behavior and generate a concept;
[0026] among the generated concepts, recording the concept with the largest extent and smallest intent as the top-layer concept and the concept with the smallest extent and largest intent as the bottom-layer concept, constructing the parent-child relationship between the top-layer concept and the bottom-layer concept, and forming a concept lattice;
[0027] selecting one generated concept and, according to the formed concept lattice, performing extent instantiation and intent generalization from top to bottom and generating new concepts; for the generated new concepts, adjusting the parent-child relationships between concepts;
[0028] repeating the previous step until all generated concepts have been processed and the final concept lattice is generated.
[0029] Optionally, the behavior admission module comprises a model lattice self-learning unit and a blocking unit;
[0030] the model lattice self-learning unit is configured to, if the received user selection operation is to pass the input/output request behavior, add the generated concept to the trained concept lattice model and form a new concept lattice model;
[0031] the blocking unit is configured to, if the received user selection operation is to reject the input/output request behavior, block the execution thread of the input/output request behavior and report to the user interface.
[0032] Secondly, to achieve the above object, a third aspect of the embodiments of the present invention provides a device for detecting input/output request behavior, the device comprising: a memory, a processor, and a detection program for input/output request behavior that is stored in the memory and can run on the processor; when executed by the processor, the detection program implements the steps of the method for detecting input/output request behavior described in the first aspect.
[0033] Furthermore, to achieve the above object, a fourth aspect of the embodiments of the present invention provides a computer-readable storage medium storing a detection program for input/output request behavior; when executed by a processor, the detection program implements the steps of the method for detecting input/output request behavior described in the first aspect.
Advantageous effects of the invention
Beneficial effect
[0034] The method and device for detecting input/output request behavior and the computer-readable storage medium provided by the embodiments of the present invention can collect statistics on the direction information, time information, and so on of I/O request behavior and form a binary structure, so that these binary sample structures are constructed into a concept lattice model; with the constructed concept lattice model, legitimate I/O request behavior is allowed; once built, the concept lattice model can guide the course of abnormal I/O request behavior, and self-learning and optimization of the concept lattice structure can be carried out through user decisions.
Brief description of the drawings
Description of the drawings
[0035] FIG. 1 is a schematic diagram of the hierarchical structure of network protocol stack filter drivers according to an embodiment of the present invention;
[0036] FIG. 2 is a schematic flowchart of the method for detecting input/output request behavior according to the first embodiment of the present invention;
[0037] FIG. 3 is another schematic flowchart of the method for detecting input/output request behavior according to the first embodiment of the present invention;
[0038] FIG. 4 to FIG. 8 are schematic structural diagrams of the concept lattice construction process according to an embodiment of the present invention;
[0039] FIG. 9 is a schematic structural diagram of the device for detecting input/output request behavior according to the second embodiment of the present invention;
[0040] FIG. 10 is another schematic structural diagram of the device for detecting input/output request behavior according to the second embodiment of the present invention;
[0041] FIG. 11 is a schematic structural diagram of the behavior admission module in the device for detecting input/output request behavior according to the second embodiment of the present invention;
[0042] FIG. 12 is a schematic sequence diagram of the modules in the device for detecting input/output request behavior according to the second embodiment of the present invention;
[0043] FIG. 13 is a schematic structural diagram of the device for detecting input/output request behavior according to the third embodiment of the present invention.
[0044] The realization of the object, the functional features, and the advantages of the present invention will be further described with reference to the embodiments and the accompanying drawings.
Embodiments of the invention
[0045] It should be understood that the specific embodiments described here are intended only to explain the present invention and not to limit it.
[0046] Various embodiments of the present invention will now be described with reference to the accompanying drawings. In the description that follows, suffixes such as "module", "component", or "unit" used to denote elements are used only to facilitate the description of the present invention and have no specific meaning in themselves.
[0047] It should further be understood that the term "and/or" as used in the specification of the present invention and the appended claims refers to any combination, and all possible combinations, of one or more of the associated listed items, and includes these combinations.
[0048] To facilitate understanding of the embodiments of the present invention, the relevant technical terms are explained below:
[0049] 1. Network protocol stack filter driver technology
[0050] Network protocol stack filter driver technology is a very mature technology. In the Windows NT operating system, network protocols are layered. From the bottom up, the layers are roughly: the NIC (Network Interface Card) driver, NDIS (Network Driver Interface Specification), the TCP/IP (Transmission Control Protocol/Internet Protocol) driver, AFD (Auxiliary Function Drive), TDI (Transport Driver Interface), and Socket. The hierarchy of network protocol stack filter drivers is shown in FIG. 1. Within this stack of layered drivers, a filter driver can be inserted between two driver layers to intercept the network I/O (Input and Output) request packets flowing between the upper and lower layers, thereby achieving monitoring. The intercepted content may be the source address, source port, destination address, and destination port of the I/O request packet, whether it is uplink or downlink, and so on.
[0051] 2. Concept lattice
[0052] A concept lattice is a discrete mathematical model commonly used in data mining and machine learning. A concept lattice is a partially ordered set whose elements are concepts; it can be visualized with a Hasse diagram in which each node is a concept. The concept lattice model derives from FCA (Formal Concept Analysis) theory and is the core data analysis tool of FCA; in essence it describes the association between objects (samples) and attributes (features). A formal context can be expressed as a triple T = (O, D, R), where O is the set of instances (objects), D is the set of descriptors (attributes), and R is a binary relation between O and D; a unique partially ordered set then corresponds to it, and this partially ordered set produces a lattice structure. The lattice L induced by the context (O, D, R) is called a concept lattice. Each node of L is an ordered pair, called a concept and written (X, Y), where X is called the extent of the concept (X, Y) and Y is called the intent of the concept (X, Y). There are many methods for building the lattice, including top-down algorithms, bottom-up algorithms, and enumeration algorithms. When the concept lattice is very large, reduction can also be used to form a reduced concept lattice or an approximate concept lattice, effectively controlling the size and growth of the lattice.
[0053] First embodiment
[0054] As shown in FIG. 2, the first embodiment of the present invention provides a method for detecting input/output request behavior, the method comprising the steps of:
[0055] 11. Filter the network driver and intercept input/output request behavior in the network driver; mark the information in the intercepted input/output request behavior and generate a concept;
[0056] In this embodiment, the information in the input/output request behavior includes one or more of: the input/output request packet body itself, source address information, destination address information, the time at which the input/output request occurred, and whether it is an intermediate routing packet.
[0057] As an example, suppose the extent attribute "source address 192.168.1.101" is marked as 1 and the extent attribute "source port 3456" is marked as 2; the protocol family, buffer address, buffer length, and so on can also serve as extent attributes, while the I/O request packet itself, as the intent, can be marked as a.
[0058] 12. According to the trained concept lattice model, pre-construct a concept lattice for the generated concept and determine whether a sub-top concept would be generated;
[0059] In this embodiment, according to the trained concept lattice model, if the concept lattice model is pictured as an inverted tree, the bottom concept is the root, the first layer of concepts beneath the top concept are the leaves, and a sub-top concept is in fact a leaf. The formation of a leaf indicates that, apart from the top concept, this leaf node has the largest extent and the smallest intent, which in turn can explain the most recent course of the I/O request behavior.
[0060] Referring to FIG. 3, in this embodiment the trained concept lattice model is obtained through the following steps:
[0061] 121. Filter the network driver and intercept input/output request behavior in the network driver; mark the information in the intercepted input/output request behavior and generate concepts;
[0062] 122. Record, among the generated concepts, the concept with the largest extent and smallest intent as the top concept and the concept with the smallest extent and largest intent as the bottom concept, construct the parent-child relationship between the top concept and the bottom concept, and form a concept lattice;
[0063] 123. Select one generated concept and, working top-down through the concept lattice formed so far, perform extent instantiation and intent generalization to generate new concepts; for the newly generated concepts, adjust the parent-child relationships between concepts;
[0064] 124. Repeat the previous step until all generated concepts have been processed and the final concept lattice is generated.
[0065] To better understand the construction process of the trained concept lattice model, FIG. 4 to FIG. 8 are now used as an example.
[0066] Suppose there is the following formal context:
[Table image imgf000009_0001: the formal context, not reproduced in the text]
[0067] After marking, four concepts are generated, 1#({2,3,5,7},{a}), 2#({1,4,5,6,7,8},{b}), 3#({4,5,7},{c}), and 4#({1,2,3,6,8},{d}), together with the top concept 5#({1,2,3,4,5,6,7,8},{NULL}) and the bottom concept 6#({NULL},{abcd}).
[0068] The top concept 5#({1,2,3,4,5,6,7,8},{NULL}) is the concept with the largest extent and smallest intent, and the bottom concept 6#({NULL},{abcd}) is the concept with the smallest extent and largest intent. The parent-child relationship between the top concept and the bottom concept is constructed to form the initial concept lattice, with the top concept above and the bottom concept below; the resulting initial concept lattice is shown in FIG. 4.
[0069] Next, concept 1# is added to the initial concept lattice, extent instantiation and intent generalization are performed, and the parent-child relationships are updated; the resulting concept lattice is shown in FIG. 5. Specifically, concept 1# and the top concept are combined top-down by intersecting their extents and uniting their intents; the new concept generated is identical to concept 1# but exists as a child concept of the top concept. Concept 1# and the bottom concept are combined by intersecting their extents and uniting their intents; the concept generated is also identical to concept 1# but exists as a parent concept of the bottom concept.
[0070] It should be noted that extent instantiation and intent generalization follow these formulas: the intent generalization formula is intent(N3) = intent(N1) ∪ intent(N2), and the extent instantiation formula is extent(N3) = extent(N1) ∩ extent(N2), where N3 is the newly generated concept and N1 and N2 are existing concepts.
[0071] Next, concept 2# is added to the concept lattice of FIG. 5, the intersect-and-unite operation (extents intersected, intents united) is performed, and the parent-child relationships are updated; the resulting concept lattice is shown in FIG. 6. Specifically, each concept is combined with concept 2# by the intersect-and-unite operation: combining with the top concept still yields concept 2#, which exists as a child concept of the top concept; combining with concept 1# forms the concept ({5,7},{a,b}), which exists as a child concept of both concept 1# and concept 2#, giving the concept lattice structure shown in FIG. 6.
[0072] Next, concept 3# is added to the concept lattice of FIG. 6, the intersect-and-unite operation is performed, and the parent-child relationships are updated; the resulting concept lattice is shown in FIG. 7. Specifically, when concept 3# is added to the concept lattice structure of FIG. 6, it can be seen that concept 3# is a child concept of concept 2#, the extent of concept 3# being a subset of that of concept 2#; combining it with concept 1# forms the new concept ({5,7},{a,b,c}), which exists as a child node of concept 3#, giving the concept lattice structure shown in FIG. 7.
[0073] Next, concept 4# is added to the concept lattice of FIG. 7, the intersect-and-unite operation is performed, and the parent-child relationships are updated; the resulting concept lattice is shown in FIG. 8. At this point the construction of the concept lattice is complete.
[0074] 13. If a sub-top concept is generated, generate selection information asking whether to pass or reject the input/output request behavior, receive the user's selection operation, and process it accordingly.
[0075] In this embodiment, receiving the user's selection operation and processing it accordingly includes:
[0076] if the received user selection operation is to pass the input/output request behavior, adding the generated concept to the trained concept lattice model and forming a new concept lattice model;
[0077] if the received user selection operation is to reject the input/output request behavior, blocking the execution thread of the input/output request behavior and reporting to the user interface.
[0078] The method for detecting input/output request behavior provided by the embodiments of the present invention can collect statistics on the direction information, time information, and so on of I/O request behavior and form a binary structure, so that these binary sample structures are constructed into a concept lattice model; with the constructed concept lattice model, legitimate I/O request behavior is allowed; once built, the concept lattice model can guide the course of abnormal I/O request behavior, and self-learning and optimization of the concept lattice structure can be carried out through user decisions.
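The construction of [0066] to [0073] and the admission check of steps 12 and 13, as an added Python example that is not part of the patent text: it applies the formulas of [0070] to the four concepts of [0067] and then pre-constructs two constructed sample requests. Assumptions: nodes with the same extent are merged (so 3# ends with intent {b, c}), a "sub-top concept" is read as a node directly under the top concept, a request that creates none is allowed without a prompt, and all function names are hypothetical.

```python
def top_of(lattice):
    """The top concept is the node whose extent contains every other extent."""
    return max(lattice, key=len)


def insert(lattice, extent, intent):
    """Add one concept and close the lattice under the pairwise operation of [0070]:
    extent(N3) = extent(N1) ∩ extent(N2), intent(N3) = intent(N1) ∪ intent(N2)."""
    extent, intent = frozenset(extent), frozenset(intent)
    top = top_of(lattice)
    if not extent <= top:
        # Assumption: a mark never seen before widens the extent of the top concept.
        if not lattice[top]:
            del lattice[top]
        lattice[top | extent] = frozenset()
    pending = [(extent, intent)]
    while pending:
        ext, inte = pending.pop()
        merged = lattice.get(ext, frozenset()) | inte
        if lattice.get(ext) == merged:
            continue  # node already present with this intent
        lattice[ext] = merged
        # A new or changed node is combined with every node currently in the lattice.
        for other_ext, other_int in list(lattice.items()):
            pending.append((ext & other_ext, merged | other_int))


def build_lattice(concepts, universe):
    """Start from top (all marks, empty intent) and bottom (no marks), then add concepts."""
    lattice = {frozenset(universe): frozenset(), frozenset(): frozenset()}
    for extent, intent in concepts:
        insert(lattice, extent, intent)
    return lattice


def sub_top(lattice):
    """Extents of the nodes directly under the top concept."""
    top = top_of(lattice)
    nodes = [e for e in lattice if e != top]
    return {e for e in nodes if not any(e < other for other in nodes)}


def preconstruct(lattice, extent, intent):
    """Step 12: trial insertion on a copy; True if a new sub-top concept appears."""
    trial = dict(lattice)
    insert(trial, extent, intent)
    return bool(sub_top(trial) - sub_top(lattice)), trial


def admit(lattice, extent, intent, user_allows):
    """Step 13: prompt only when a sub-top concept would be generated."""
    creates, trial = preconstruct(lattice, extent, intent)
    if not creates:
        return "allow", lattice   # assumption: fits the trained model, no prompt
    if user_allows:
        return "allow", trial     # self-learning: the trial lattice becomes the model
    return "block", lattice       # blocking unit: thread blocked, reported to the UI


# The four concepts of [0067]; the marks 1..8 form the extent of the top concept.
PAGE_CONCEPTS = [
    ({2, 3, 5, 7}, {"a"}),
    ({1, 4, 5, 6, 7, 8}, {"b"}),
    ({4, 5, 7}, {"c"}),
    ({1, 2, 3, 6, 8}, {"d"}),
]

if __name__ == "__main__":
    trained = build_lattice(PAGE_CONCEPTS, range(1, 9))
    for ext, inte in sorted(trained.items(), key=lambda kv: -len(kv[0])):
        print(sorted(ext), sorted(inte))
    # Constructed sample requests: marks {5, 7} fit under existing nodes, {3, 4} do not.
    print(admit(trained, {5, 7}, {"e"}, user_allows=False)[0])
    print(admit(trained, {3, 4}, {"e"}, user_allows=False)[0])
```
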
[0079] Second embodiment
[0080] As shown in FIG. 9, the second embodiment of the present invention provides a device for detecting input/output request behavior, wherein the device comprises a filtering module 21, a rule recognition and judgment module 22, and a behavior admission module 23;
[0081] the filtering module 21 is configured to filter the network driver, intercept input/output request behavior in the network driver, mark the information in the intercepted input/output request behavior, and generate a concept;
[0082] the rule recognition and judgment module 22 is configured to pre-construct a concept lattice, according to the trained concept lattice model, for the concept generated by the filtering module 21, and to determine whether a sub-top concept would be generated;
[0083] the behavior admission module 23 is configured to, if a sub-top concept is generated, generate selection information asking whether to pass or reject the input/output request behavior, receive the user's selection operation, and process it accordingly.
[0084] Referring to FIG. 11, in this embodiment the behavior admission module 23 comprises a model lattice self-learning unit 231 and a blocking unit 232;
[0085] the model lattice self-learning unit 231 is configured to, if the received user selection operation is to pass the input/output request behavior, add the generated concept to the trained concept lattice model and form a new concept lattice model;
[0086] the blocking unit 232 is configured to, if the received user selection operation is to reject the input/output request behavior, block the execution thread of the input/output request behavior and report to the user interface.
[0087] Referring to FIG. 10, in one implementation the device further comprises a concept lattice construction module 24;
[0088] the concept lattice construction module 24 is configured to filter the network driver, intercept input/output request behavior in the network driver, mark the information in the intercepted input/output request behavior, and generate concepts;
[0089] record, among the generated concepts, the concept with the largest extent and smallest intent as the top concept and the concept with the smallest extent and largest intent as the bottom concept, construct the parent-child relationship between the top concept and the bottom concept, and form a concept lattice;
[0090] select one generated concept and, working top-down through the concept lattice formed so far, perform extent instantiation and intent generalization to generate new concepts; for the newly generated concepts, adjust the parent-child relationships between concepts;
[0091] repeat the previous step until all generated concepts have been processed and the final concept lattice is generated.
[0092] To better explain this embodiment, the sequence diagram of the modules in FIG. 12 is now described:
[0093] As shown in FIG. 12, the filtering module filters the network driver and intercepts I/O request behavior in the network driver (the I/O request packets in the figure); it marks the information in the intercepted I/O request behavior and generates concepts, after which the concept lattice construction module trains the concept lattice model from the generated concepts.
[0094] After that, the filtering module filters the network driver again, intercepts I/O request behavior in the network driver, marks the information in the intercepted I/O request behavior, and generates a concept. The rule recognition and judgment module, according to the concept lattice model trained by the concept lattice construction module, uses the concept lattice construction module to pre-construct a concept lattice for the generated concept and determines whether a sub-top concept would be generated.
[0095] If a sub-top concept is generated, the behavior admission module generates selection information asking whether to pass or reject the input/output request behavior, receives the user's selection operation, and processes it accordingly.
[0096] If the received user selection operation is to pass the input/output request behavior, the model lattice self-learning unit adds the generated concept to the trained concept lattice model and forms a new concept lattice model.
[0097] The device for detecting input/output request behavior provided by the embodiments of the present invention can collect statistics on the direction information, time information, and so on of I/O request behavior and form a binary structure, so that these binary sample structures are constructed into a concept lattice model; with the constructed concept lattice model, legitimate I/O request behavior is allowed; once built, the concept lattice model can guide the course of abnormal I/O request behavior, and self-learning and optimization of the concept lattice structure can be carried out through user decisions.
[0098] Third embodiment
[0099] As shown in FIG. 13, the third embodiment of the present invention provides a device for detecting input/output request behavior. The device 30 comprises: a memory 31, a processor 32, and a detection program for input/output request behavior that is stored in the memory 31 and can run on the processor 32; when executed by the processor 32, the detection program implements the following steps of the method for detecting input/output request behavior:
[0100] filtering the network driver and intercepting input/output request behavior in the network driver; marking the information in the intercepted input/output request behavior and generating a concept;
[0101] according to the trained concept lattice model, pre-constructing a concept lattice for the generated concept and determining whether a sub-top concept would be generated;
[0102] if a sub-top concept is generated, generating selection information asking whether to pass or reject the input/output request behavior, receiving the user's selection operation, and processing it accordingly.
[0103] When executed by the processor 32, the detection program for input/output request behavior further implements the following steps of the method for detecting input/output request behavior:
[0104] the information in the input/output request behavior includes one or more of: the input/output request packet body itself, source address information, destination address information, the time at which the input/output request occurred, and whether it is an intermediate routing packet.
[0105] When executed by the processor 32, the detection program for input/output request behavior further implements the following steps of the method for detecting input/output request behavior:
[0106] filtering the network driver and intercepting input/output request behavior in the network driver; marking the information in the intercepted input/output request behavior and generating concepts;
[0107] recording, among the generated concepts, the concept with the largest extent and smallest intent as the top concept and the concept with the smallest extent and largest intent as the bottom concept, constructing the parent-child relationship between the top concept and the bottom concept, and forming a concept lattice;
[0108] selecting one generated concept and, working top-down through the concept lattice formed so far, performing extent instantiation and intent generalization to generate new concepts; for the newly generated concepts, adjusting the parent-child relationships between concepts;
[0109] repeating the previous step until all generated concepts have been processed and the final concept lattice is generated.
[0110] When executed by the processor 32, the detection program for input/output request behavior further implements the following steps of the method for detecting input/output request behavior:
[0111] the top-down work of extent instantiation and intent generalization includes:
[0112] performing, top-down, the operation of intersecting extents and uniting intents.
[0113] 所述输入输出请求行为的检测程序被所述处理器 32执行吋, 还用于实现以下所 述的输入输出请求行为的检测方法的步骤:  [0113] The detection program of the input/output request behavior is executed by the processor 32, and is also used to implement the steps of the detection method of the input/output request behavior described below:
[0114] 所述接收用户的选择操作作出相应的处理包括: [0114] The corresponding operation of the receiving user's selection operation includes:
[0115] 若接收的用户的选择操作为通过所述输入输出请求行为, 则将生成的概念加入 到已训练的概念格模型中, 并形成新的概念格模型;  [0115] if the selected user's selection operation is to request the behavior through the input and output, the generated concept is added to the trained concept lattice model, and a new concept lattice model is formed;
[0116] 若接收的用户的选择操作为拒绝所述输入输出请求行为, 则阻止所述输入输出 请求行为的执行线程并向用户界面申报。  [0116] If the selected user's selection operation is to reject the input/output request behavior, the execution thread of the input/output request behavior is blocked and reported to the user interface.
[0117] 本发明实施例提供的输入输出请求行为的检测装置, 可以统计 10请求行为的方 向信息、 吋间信息等, 并形成一个二元结构, 从而将这些二元样本结构构造为 一个概念格模型; 通过构造的概念格模型, 合法的 10请求行为被允许; 概念格 模型建好后可以指导异常 10请求行为的走向, 并且可以通过用户决定进行自我 学习和概念格结构优化。  [0117] The apparatus for detecting input and output request behavior provided by the embodiment of the present invention may count 10 direction information of request behavior, time information, and the like, and form a binary structure, thereby constructing these binary sample structures into a concept lattice. Model; Through the constructed concept lattice model, the legal 10 request behavior is allowed; the concept lattice model can guide the orientation of the anomaly 10 request behavior, and the user can decide to self-learn and conceptual lattice structure optimization.
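The flow of paragraphs [0108] to [0116] (build a lattice from marked requests, test a new request against it, then learn or block on the user's choice), as an added example that is not code from the patent. It computes concept intents as the intersection-closure of the observed attribute sets, a standard formal-concept-analysis construction, rather than the patent's top-down procedure, and it assumes that a "sub-top-level concept" is a concept directly below the top concept that the trained lattice lacks; the attribute labels, addresses, `LatticeModel` and `ask_user` are constructed for illustration.

```python
# Added illustration; attribute labels and addresses are constructed sample data.
TRAINED = [  # marked I/O requests already accepted as legitimate
    {"dir=out", "dst=192.0.2.5", "time=work"},
    {"dir=out", "dst=192.0.2.5", "time=night"},
    {"dir=out", "dst=192.0.2.9", "time=work"},
]

def close_under_intersection(rows):
    """Every concept intent of the context: the rows plus all their intersections."""
    closed = set(rows)
    work = list(closed)
    while work:
        a = work.pop()
        for b in list(closed):
            c = a & b
            if c not in closed:
                closed.add(c)
                work.append(c)
    return closed

def sub_top(intents):
    """Intents of the concepts directly below the top concept.

    The top concept has the largest extent and therefore the smallest intent
    (the attributes shared by every request); its children are the minimal
    intents that strictly contain it.
    """
    top = frozenset.intersection(*intents)
    below = [i for i in intents if i > top]
    return {i for i in below if not any(j < i for j in below)}

class LatticeModel:
    def __init__(self, requests):
        self.intents = close_under_intersection(frozenset(r) for r in requests)

    def preconstruct(self, request):
        """Lattice intents as they would be with `request` added (model unchanged)."""
        s = frozenset(request)
        return self.intents | {s} | {s & i for i in self.intents}

    def check(self, request):
        """Sub-top intents the request would generate; an empty set means allow."""
        return sub_top(self.preconstruct(request)) - self.intents

    def handle(self, request, ask_user):
        """ask_user is a hypothetical callback returning 'pass' or 'reject'."""
        generated = self.check(request)
        if not generated:
            return "allow"
        if ask_user(request, generated) == "pass":
            self.intents = self.preconstruct(request)  # self-learning step
            return "learned"
        return "block"  # caller stops the requesting thread and reports to the UI

if __name__ == "__main__":
    model = LatticeModel(TRAINED)
    for req in ({"dir=out", "dst=192.0.2.5", "time=evening"},   # known branch
                {"dir=out", "dst=203.0.113.7", "time=evening"},  # nothing shared
                {"dir=in", "dst=192.0.2.5", "time=work"}):       # new direction
        print(sorted(req), "->", model.handle(req, lambda r, g: "reject"))
```

Under this reading, a request to a known destination at a new time falls below an existing branch and is allowed, while a request that shares only the top concept's attributes, or that changes direction, creates a new second-level concept and is referred to the user.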
[0118] Fourth Embodiment
[0119] A fourth embodiment of the present invention provides a computer-readable storage medium on which a detection program for input/output request behavior is stored; when executed by a processor, the detection program implements the steps of the method for detecting input/output request behavior described in the first embodiment.
[0120] The computer-readable storage medium provided by this embodiment of the present invention can collect statistics on the direction information, time information and the like of I/O request behavior and form a binary structure, so that these binary sample structures are constructed into a concept lattice model; with the constructed concept lattice model, legitimate I/O request behavior is allowed; once built, the concept lattice model can guide the course of abnormal I/O request behavior, and it can learn by itself and optimize the concept lattice structure according to the user's decisions.
[0121] It should be noted that, in this document, the terms "comprise", "include" and any other variants thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device comprising a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or device that comprises that element.
[0122] The above are only preferred embodiments of the present invention and do not thereby limit the patent scope of the present invention; any equivalent structure or equivalent process transformation made using the contents of the description and drawings of the present invention, or any direct or indirect application in other related technical fields, is likewise included in the scope of patent protection of the present invention.
Industrial applicability
[0123] The method and device for detecting input/output request behavior and the computer-readable storage medium provided by the embodiments of the present invention can collect statistics on the direction information, time information and the like of I/O request behavior and form a binary structure, so that these binary sample structures are constructed into a concept lattice model; with the constructed concept lattice model, legitimate I/O request behavior is allowed; once built, the concept lattice model can guide the course of abnormal I/O request behavior, and it can learn by itself and optimize the concept lattice structure according to the user's decisions.

Claims

[Claim 1] A method for detecting input/output request behavior, wherein the method comprises the steps of:
filtering a network driver and intercepting input/output request behavior in the network driver; marking the information in the intercepted input/output request behavior and generating concepts;
according to a trained concept lattice model, pre-constructing a concept lattice for the generated concepts and determining whether a sub-top-level concept would be generated;
if a sub-top-level concept is generated, generating selection information as to whether to pass or reject the input/output request behavior, and receiving the user's selection operation and performing the corresponding processing.
[Claim 2] The method for detecting input/output request behavior according to claim 1, wherein the information in the input/output request behavior comprises one or more of: the input/output request packet body itself, source address information, destination address information, the time at which the input/output request occurred, and whether it is an intermediate routing packet.
[Claim 3] The method for detecting input/output request behavior according to claim 1, wherein the trained concept lattice model is obtained by the following steps:
filtering a network driver and intercepting input/output request behavior in the network driver; marking the information in the intercepted input/output request behavior and generating concepts;
taking, among the generated concepts, the concept with the largest extent and the smallest intent as the top-level concept and the concept with the smallest extent and the largest intent as the bottom-level concept, constructing the parent-child relationship between the top-level concept and the bottom-level concept, and forming a concept lattice;
selecting one generated concept and, working top-down through the concept lattice formed so far, performing extent instantiation and intent generalization to generate new concepts; for each new concept generated, adjusting the parent-child relationships between the concepts;
repeating the previous step until every generated concept has been processed and the final concept lattice has been generated.
[Claim 4] The method for detecting input/output request behavior according to claim 3, wherein the top-down extent instantiation and intent generalization comprises:
performing extent-intersection and intent-union operations from top to bottom.
[Claim 5] The method for detecting input/output request behavior according to claim 1, wherein receiving the user's selection operation and performing the corresponding processing comprises:
if the received user selection operation is to pass the input/output request behavior, adding the generated concept to the trained concept lattice model to form a new concept lattice model;
if the received user selection operation is to reject the input/output request behavior, blocking the execution thread of the input/output request behavior and reporting it to the user interface.
[Claim 6] A device for detecting input/output request behavior, wherein the device comprises a filtering module, a rule recognition and judgment module, and a behavior admission module;
the filtering module is configured to filter a network driver and intercept input/output request behavior in the network driver, and to mark the information in the intercepted input/output request behavior and generate concepts;
the rule recognition and judgment module is configured to, according to a trained concept lattice model, pre-construct a concept lattice for the concepts generated by the filtering module and determine whether a sub-top-level concept would be generated;
the behavior admission module is configured to, if a sub-top-level concept is generated, generate selection information as to whether to pass or reject the input/output request behavior, and to receive the user's selection operation and perform the corresponding processing.
[Claim 7] The device for detecting input/output request behavior according to claim 6, wherein the device further comprises a concept lattice construction module;
the concept lattice construction module is configured to filter a network driver and intercept input/output request behavior in the network driver, and to mark the information in the intercepted input/output request behavior and generate concepts;
to take, among the generated concepts, the concept with the largest extent and the smallest intent as the top-level concept and the concept with the smallest extent and the largest intent as the bottom-level concept, construct the parent-child relationship between the top-level concept and the bottom-level concept, and form a concept lattice;
to select one generated concept and, working top-down through the concept lattice formed so far, perform extent instantiation and intent generalization to generate new concepts, and, for each new concept generated, adjust the parent-child relationships between the concepts;
and to repeat the previous step until every generated concept has been processed and the final concept lattice has been generated.
[Claim 8] The device for detecting input/output request behavior according to claim 6, wherein the behavior admission module comprises a model lattice self-learning unit and a blocking unit;
the model lattice self-learning unit is configured to, if the received user selection operation is to pass the input/output request behavior, add the generated concept to the trained concept lattice model to form a new concept lattice model;
the blocking unit is configured to, if the received user selection operation is to reject the input/output request behavior, block the execution thread of the input/output request behavior and report it to the user interface.
[Claim 9] A device for detecting input/output request behavior, wherein the device comprises: a memory, a processor, and a detection program for input/output request behavior that is stored in the memory and executable on the processor, the detection program, when executed by the processor, implementing the steps of the method for detecting input/output request behavior according to any one of claims 1 to 5.
[Claim 10] A computer-readable storage medium, wherein a detection program for input/output request behavior is stored on the computer-readable storage medium, the detection program, when executed by a processor, implementing the steps of the method for detecting input/output request behavior according to any one of claims 1 to 5.
PCT/CN2017/106543 2017-10-17 2017-10-17 Method and device for detecting input/output request behavior, and storage medium WO2019075637A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201780030666.3A CN109716723B (en) 2017-10-17 2017-10-17 Method and device for detecting input/output request behavior and storage medium
PCT/CN2017/106543 WO2019075637A1 (en) 2017-10-17 2017-10-17 Method and device for detecting input/output request behavior, and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2017/106543 WO2019075637A1 (en) 2017-10-17 2017-10-17 Method and device for detecting input/output request behavior, and storage medium

Publications (1)

Publication Number Publication Date
WO2019075637A1 (en) 2019-04-25

Family

ID=66173098

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/106543 WO2019075637A1 (en) 2017-10-17 2017-10-17 Method and device for detecting input/output request behavior, and storage medium

Country Status (2)

Country Link
CN (1) CN109716723B (en)
WO (1) WO2019075637A1 (en)

Also Published As

Publication number Publication date
CN109716723B (en) 2021-01-15
CN109716723A (en) 2019-05-03

Legal Events

Date Code Title Description
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 17929099

Country of ref document: EP

Kind code of ref document: A1