WO2020034756A1 - Method and apparatus for predicting a target device, electronic device, and storage medium

Info

Publication number: WO2020034756A1
Authority: WO (WIPO, PCT)
Application number: PCT/CN2019/092369
Prior art keywords: preset, devices, log, remote login, logs
Other languages: English (en), Chinese (zh)
Inventor: 徐子腾
Original Assignee: 阿里巴巴集团控股有限公司
Application filed by: 阿里巴巴集团控股有限公司

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00: Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/12: Discovery or management of network topologies
    • H04L41/14: Network analysis or design
    • H04L41/147: Network analysis or design for predicting network behaviour

Definitions

  • the present disclosure relates to the field of computer technology, and in particular, to a method, an apparatus, an electronic device, and a storage medium for predicting a target device.
  • In a network, some devices are application devices and some are operation and maintenance (O&M) management and control devices. Managers or developers can log in to other application devices through certain specific devices to perform operation and maintenance management operations. These specific devices usually have the ability to log in to a large number of other devices, and can be called operation and maintenance management and control devices. Once an operation and maintenance management and control device is compromised by hackers, a large number of application devices are directly compromised as well. Therefore, how to identify and inventory these operation and maintenance management and control devices is a common problem in the industry.
  • Embodiments of the present disclosure provide a method, an apparatus, an electronic device, and a computer-readable storage medium for predicting a target device and training a device prediction model.
  • An embodiment of the present disclosure provides a method for predicting a target device, including: obtaining a remote login log generated by a preset device in a predetermined time period under a network topology; extracting preset feature attributes from the remote login log; and using a pre-trained device prediction model to process the preset feature attributes and predict whether the preset device is a target device under the network topology, wherein the target device is used to manage and control multiple devices in the network topology.
  • The preset characteristic attribute includes the number of times the preset device remotely logs in to other devices in the network topology within the predetermined period of time and/or the number of other devices it logs in to.
  • The preset characteristic attribute further includes at least one of the following: whether the preset device uses a key to log in when remotely logging in to other devices; under which user identity the preset device remotely logs in to other devices; and whether the preset device logs in successfully.
  • The method further comprises: obtaining a plurality of training samples, wherein the training samples include a feature portion and a result labeling portion, the feature portion includes the preset feature attributes, and the result labeling portion is used to label whether the training sample is a positive training sample or a negative training sample; and using the plurality of training samples to train an artificial intelligence model to obtain the device prediction model.
  • Acquiring the multiple training samples includes: acquiring remote login logs generated by multiple devices in a historical time period under the network topology; determining, from the remote login logs, the number of times the multiple devices log in to other devices and/or the number of other devices they log in to; and generating a positive training sample from the remote login log corresponding to a first device whose number of times and/or number of devices satisfies a preset condition, and a negative training sample from the remote login log corresponding to a second device whose number of times and/or number of devices does not satisfy the preset condition.
  • An embodiment of the present disclosure provides a method for training a device prediction model, including: acquiring remote login logs generated by multiple devices in a historical time period under a network topology; determining, from the remote login logs, the number of times the multiple devices log in to other devices and/or the number of other devices they log in to; generating a positive training sample from the remote login log corresponding to a first device whose number of times and/or number of devices satisfies a preset condition, and a negative training sample from the remote login log corresponding to a second device whose number of times and/or number of devices does not satisfy the preset condition; and using the positive training sample and the negative training sample to train an artificial intelligence model to obtain a device prediction model.
  • Generating a positive training sample from the remote login log corresponding to the first device whose number of times and/or number of devices satisfies the preset condition, and a negative training sample from the remote login log corresponding to the second device whose number of times and/or number of devices does not satisfy the preset condition, includes: extracting a first preset feature attribute from the remote login log corresponding to the first device and generating the positive training sample according to the first preset feature attribute; and extracting a second preset feature attribute from the remote login log corresponding to the second device and generating the negative training sample according to the second preset feature attribute.
  • The first preset characteristic attribute includes at least the number of times the first device remotely logs in to other devices and/or the number of other devices it logs in to; and/or the second preset characteristic attribute includes at least the number of times the second device remotely logs in to other devices and/or the number of other devices it logs in to.
  • For each of the remote login logs corresponding to the first device, the first preset characteristic attribute further includes at least one of the following: whether the first device uses a key to log in when remotely logging in to other devices; under which user identity the first device remotely logs in to other devices; and whether the first device logs in successfully; and/or, for each of the remote login logs corresponding to the second device, the second preset characteristic attribute further includes at least one of the following: whether the second device uses a key to log in when remotely logging in to other devices; under which user identity the second device remotely logs in to other devices; and whether the second device logs in successfully.
  • An embodiment of the present disclosure provides a device for predicting a target device, including: a first acquisition module configured to acquire a remote login log generated by a preset device in a network topology within a predetermined period of time; an extraction module configured to extract preset feature attributes from the remote login log; and a prediction module configured to process the preset feature attributes using a pre-trained device prediction model and predict whether the preset device is the target device under the network topology, wherein the target device is used to manage and control multiple devices under the network topology.
  • The preset characteristic attribute includes the number of times the preset device remotely logs in to other devices in the network topology within the predetermined period of time and/or the number of other devices it logs in to.
  • The preset characteristic attribute further includes at least one of the following: whether the preset device uses a key to log in when remotely logging in to other devices; under which user identity the preset device remotely logs in to other devices; and whether the preset device logs in successfully.
  • The device further includes: a second acquisition module configured to acquire a plurality of training samples, wherein the training samples include a feature portion and a result labeling portion, the feature portion includes the preset feature attributes, and the result labeling portion is used to label whether the training sample is a positive training sample or a negative training sample.
  • The first training module is configured to use the plurality of training samples to train an artificial intelligence model to obtain the device prediction model.
  • The second acquisition module includes: a first acquisition sub-module configured to acquire remote login logs generated by a plurality of devices in the network topology in a historical time period; a first determination sub-module configured to determine, from the remote login logs, the number of times the multiple devices log in to other devices and/or the number of other devices they log in to; and a generating sub-module configured to generate a positive training sample from the remote login log corresponding to a first device whose number of times and/or number of devices meets a preset condition, and a negative training sample from the remote login log corresponding to a second device whose number of times and/or number of devices does not meet the preset condition.
  • the functions may be implemented by hardware, and may also be implemented by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the functions described above.
  • the structure of the prediction device of the target device includes a memory and a processor.
  • The memory is configured to store one or more computer instructions that support the prediction device of the target device in executing the prediction method of the target device in the first aspect.
  • the processor is configured to execute computer instructions stored in the memory.
  • The prediction device of the target device may further include a communication interface, through which the prediction device of the target device communicates with other devices or a communication network.
  • An embodiment of the present disclosure provides a device for training a device prediction model, including: a third acquisition module configured to acquire remote login logs generated by multiple devices in a historical time period under a network topology; a first determining module configured to determine, from the remote login logs, the number of times the multiple devices log in to other devices and/or the number of other devices they log in to; a generating module configured to generate a positive training sample from the remote login log corresponding to a first device whose number of times and/or number of devices meets a preset condition, and a negative training sample from the remote login log corresponding to a second device whose number of times and/or number of devices does not meet the preset condition; and a second training module configured to train an artificial intelligence model by using the positive training samples and the negative training samples to obtain a device prediction model.
  • The generating module includes: a first extraction sub-module configured to extract a first preset characteristic attribute from the remote login log corresponding to the first device and generate the positive training sample according to the first preset characteristic attribute; and a second extraction sub-module configured to extract a second preset feature attribute from the remote login log corresponding to the second device and generate the negative training sample according to the second preset feature attribute.
  • The first preset characteristic attribute includes at least the number of times the first device remotely logs in to other devices and/or the number of other devices it logs in to; and/or the second preset characteristic attribute includes at least the number of times the second device remotely logs in to other devices and/or the number of other devices it logs in to.
  • For each of the remote login logs corresponding to the first device, the first preset characteristic attribute further includes at least one of the following: whether the first device uses a key to log in when remotely logging in to other devices; under which user identity the first device remotely logs in to other devices; and whether the first device logs in successfully; and/or, for each of the remote login logs corresponding to the second device, the second preset characteristic attribute further includes at least one of the following: whether the second device uses a key to log in when remotely logging in to other devices; under which user identity the second device remotely logs in to other devices; and whether the second device logs in successfully.
  • the functions may be implemented by hardware, and may also be implemented by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the functions described above.
  • the structure of the training device for the device prediction model includes a memory and a processor.
  • The memory is used to store one or more computer instructions that support the training device for the device prediction model in performing the method for training the device prediction model in the first aspect, and the processor is configured to execute the computer instructions stored in the memory.
  • The device for training the device prediction model may further include a communication interface, through which the device for training the device prediction model communicates with other devices or a communication network.
  • An embodiment of the present disclosure provides an electronic device including a memory and a processor, wherein the memory is used to store one or more computer instructions, and the one or more computer instructions are executed by the processor to implement the method steps described in the first aspect or the second aspect.
  • an embodiment of the present disclosure provides a computer-readable storage medium for storing computer instructions used by a prediction device of a target device or a training device of a device prediction model, which includes instructions for executing the target device in the first aspect.
  • the preset feature attributes are analyzed and processed according to a pre-trained device prediction model to predict whether the device is a target device.
  • related features can be extracted from massive remote login logs, and related features can be analyzed and processed through a pre-trained device prediction model to locate target devices with mass control capabilities from other devices.
  • the present disclosure greatly improves the accuracy of locating a target device from a remote login log by using device training technology, and solves the problem that it is difficult to locate a device with management and control capabilities in a large network topology.
  • FIG. 1 shows a flowchart of a method for predicting a target device according to an embodiment of the present disclosure
  • FIG. 2 shows a flowchart of a device prediction model training part in a method for predicting a target device according to an embodiment of the present disclosure
  • FIG. 3 shows a flowchart of step S201 according to the embodiment shown in FIG. 2;
  • FIG. 4 illustrates a flowchart of a method for training a device prediction model according to an embodiment of the present disclosure
  • FIG. 5 shows a flowchart of step S403 according to the embodiment shown in FIG. 4;
  • FIG. 6 shows a structural block diagram of a prediction device for a target device according to an embodiment of the present disclosure
  • FIG. 7 shows a structural block diagram of a device for training a device prediction model according to an embodiment of the present disclosure
  • FIG. 8 is a schematic structural diagram of an electronic device suitable for implementing a prediction method of a target device according to an embodiment of the present disclosure.
  • FIG. 1 illustrates a flowchart of a prediction method of a target device according to an embodiment of the present disclosure. As shown in FIG. 1, the method for predicting a target device includes the following steps S101-S103:
  • step S101 a remote login log generated by a preset device in a network topology within a predetermined period of time is acquired;
  • step S102 preset feature attributes are extracted from the remote login log;
  • step S103 the preset feature attributes are processed by using a pre-trained device prediction model to predict whether the preset device is a target device in the network topology, where the target device is used to manage and control multiple devices in the network topology.
  • a network topology may include a plurality of devices interconnected through a transmission medium, and these devices may perform network communication.
  • Most of the devices in the network topology may be devices that execute corresponding applications.
  • Some devices serve as target devices for controlling other devices, and can be used by administrators to remotely log in to other devices, and then maintain and manage other devices.
  • the target device is an operation and maintenance management device capable of remotely logging in to other devices under the network topology and controlling other devices, and has the ability to remotely log in to a large number of other devices.
  • the preset device can be any device in the network topology, it can be an operation and maintenance management device, or it can be another application device.
  • the remote login logs generated by any device in the network topology can be stored in the database in advance, and when the target device is located, the remote login logs generated by the preset device within a predetermined period of time can be obtained from the database. Since the frequency with which the target device remotely logs in to other application devices is not necessarily high, a predetermined time period can be set, and whether the preset device is the target device can be determined based on the remote login log generated within the predetermined time period.
  • the unit of the predetermined time period can be week, month, etc., which can be set according to actual conditions, and there is no restriction on this.
  • the remote login log may be an SSH login log.
  • An SSH login log records related information of a preset device to log in to other devices, and may include the following fields, for example:
  • Relevant preset feature attributes can be extracted from the above fields in the SSH login log, and the pre-trained device prediction model is then used to process the extracted preset feature attributes and predict whether a preset device is a target device.
  • The common features of the target device include: it remotely logs in to other devices multiple times in a period of time, and the number of other devices it logs in to is generally not 1 (because an operation and maintenance management and control device usually manages and maintains multiple other devices).
  • The target device, as an operation and maintenance management and control device, remotely logs in to other devices for the purpose of managing and maintaining them. It has greater privileges and may have a higher probability of logging in to other devices as the root user.
  • Preset feature attributes can be set in advance, and after the SSH login log within a predetermined period of time is obtained, the preset feature attributes can be extracted from the SSH login log and passed to the pre-trained device prediction model for prediction.
  • The device prediction model is also obtained by pre-training on the preset feature attributes, and can predict whether the preset device is the target device based on the preset feature attributes extracted from the SSH login log of the preset device.
  • Device prediction models can be trained using artificial intelligence models. Artificial intelligence models include, but are not limited to, one or more of logistic regression, convolutional neural networks, deep neural networks, support vector machines, K-means, K-neighbors, decision trees, random forests, and Bayesian networks.
  • the preset feature attributes are analyzed and processed according to a pre-trained prediction model to predict whether the device is a target device.
  • related features can be extracted from massive remote login logs, and related features can be analyzed and processed through a pre-trained device prediction model to locate target devices with mass control capabilities from other devices.
  • the present disclosure greatly improves the accuracy of locating a target device from a remote login log by using the device training technology, and solves the problem that it is difficult to locate a device for management and control in a large network topology.
  • The preset characteristic attribute includes the number of times the preset device remotely logs in to other devices in the network topology within the predetermined period of time and/or the number of other devices it logs in to.
  • The number of times a preset device logs in to other devices may be counted by adding 1 for each remote login, and the number of other devices logged in to may be determined from the other devices that were logged in to within the predetermined period of time. It can be understood that the same device may be remotely logged in to multiple times, so the number of times is greater than the number of devices.
  • the target device will log in to other devices remotely for at least a period of time, and usually more than one other device is logged in.
  • the target device will also log in to other devices remotely for at least a period of time, and log in to other devices more than once.
  • Whether the preset device is the target device can be determined based on one or both of the two preset characteristic attributes: the number of times the preset device remotely logs in to other devices and the number of other devices it logs in to.
  • How many times the target device logs in to other devices and how many other devices it logs in to within a period of time depend on the network topology and application environment in which it is located. Therefore, for different network topologies and application environments, at least one or a combination of the number of times the preset device remotely logs in to other devices and the number of those devices can be used to pre-train a device prediction model, and in actual applications the device prediction model is used to make predictions for preset devices in that network topology and application environment. In this way, a device prediction model with higher accuracy can be obtained, making the prediction of the target device more accurate.
  • the preset characteristic attribute further includes at least one of the following:
  • the preset device uses a key to log in when remotely logging in to other devices
  • The preset characteristic attributes include, but are not limited to, the login method the preset device uses to remotely log in to another device, the user identity, and whether the login is successful.
  • the login method includes whether to log in with a key, and the user identity includes a system user, a root user, and an ordinary user.
  • the target device may log in to other devices multiple times in a short period of time.
  • Operation and maintenance personnel generate a key pair, that is, a public key and a private key, for other devices, store the public key on the other devices, and store the private key on the target device. When the target device logs in to other devices, the private key on the target device is automatically paired with the public key on the other devices, and the login then proceeds. In this way, the login and authentication process is automatic and needs no manual intervention, which saves the time and energy of operation and maintenance personnel.
  • the target device usually logs in to the other device as the root user, so that it can control the other device with the maximum permissions.
  • Using these preset feature attributes for prediction can exclude situations where some users log in to their devices remotely to work.
  • the above-mentioned other preset feature attributes may also be used for training, so that the prediction accuracy of the device prediction model is further improved.
  • the method further includes the following steps S201-S202:
  • step S201 a plurality of training samples are obtained, wherein the training samples include a feature portion and a result labeling portion, the feature portion includes the preset feature attributes, and the result labeling portion is used to label the training sample as a positive training sample or a negative training sample;
  • step S202 the artificial intelligence model is trained by using a plurality of the training samples to obtain the device prediction model.
  • an appropriate artificial intelligence model may be selected first.
  • Artificial intelligence models include, but are not limited to, one or more of logistic regression, convolutional neural networks, deep neural networks, support vector machines, K-means, K-neighbors, decision trees, random forests, and Bayesian networks.
  • the type and structure of the corresponding artificial intelligence model can be selected according to the actual situation, and the artificial intelligence model can be established according to the number of preset feature attributes and the like. After that, training samples can be collected.
  • The training sample may include a feature part and a result labeling part. The feature part includes the preset feature attributes used for training, which may be extracted from the remote login log of a target device (a device known to be a target device) over a past period, or from the remote login log of a non-target device (a device known to be a non-target device) over a past period. The result labeling part is used to label the training sample as a positive training sample or a negative training sample.
  • The positive training sample corresponds to a target device, while the negative training sample corresponds to a non-target device.
  • Step S201, that is, the step of obtaining multiple training samples, further includes the following steps S301-S303:
  • step S301 acquiring remote login logs generated by a plurality of devices in a historical time period under the network topology structure
  • step S302 the number and / or number of times that the multiple devices log in to other devices are determined from the remote login log;
  • step S303 a positive training sample is generated from the remote login log corresponding to a first device whose number of times and/or number of devices satisfies a preset condition, and a negative training sample is generated from the remote login log corresponding to a second device whose number of times and/or number of devices does not satisfy the preset condition.
  • the historical time period may be a certain period of time in the past, which is specifically set according to actual conditions.
  • The lengths of the historical time period and the predetermined time period are similar, that is, the difference between the length of the historical time period and the length of the predetermined time period may be less than a preset threshold. This is because, when the device prediction model is applied to make a prediction, the preset characteristic attributes include the number of times the preset device logs in to other devices within the predetermined period of time and the number of other devices it logs in to. If the difference between the length of the historical time period used in training and the length of the predetermined time period is small, the prediction accuracy of the device prediction model can be made higher.
  • This implementation uses the remote login logs generated by multiple devices in the historical time period under a preset network topology to count, for each device, the number of times it logs in to other devices and/or the number of other devices it logs in to (the number of times, the number of devices, or a combination of the two), determines whether the device is a target device based on these counts, and then extracts preset feature attributes from the remote login log to generate positive training samples and negative training samples.
  • This is because statistical analysis shows that when the number of times a device logs in to other devices and/or the number of other devices is greater than a large threshold, it can basically be determined that the device is a target device, and when the number of times and/or the number of devices is less than a smaller threshold, it can basically be determined that the device is a non-target device. In this way, enough positive and negative training samples can be collected without having to determine the target devices.
  • the training process of the device prediction model will be described in detail through a specific example.
  • feature extraction is performed on each SSH login log data.
  • the specific method is as follows:
  • the login result feature attribute (the third preset feature attribute): if the login is successful, the login result feature attribute is set to 1, and if the login fails, the login result feature attribute is set to 0.
  • the login mode feature attribute (the fourth preset feature attribute): If it is logged in with a public key, the login mode feature attribute is set to 1, and other methods set the login mode feature attribute to 0.
  • Users are divided into three categories: the first category is the root user, the second category is the system users (admin, log, agent), and the third category is other users. If the logged-in user identity is the root user, the root user identity characteristic attribute (the fifth preset feature attribute) in the user identity characteristic attributes is set to 1; if the logged-in user identity is a system user, the system user identity characteristic attribute (the sixth preset feature attribute) is set to 1; otherwise the root user identity feature attribute and the system user identity feature attribute are both set to 0.
  • Identifying operation and maintenance management and control devices is essentially a binary classification problem: from the SSH log, determine whether a device is an O&M device or not. Therefore, positive and negative training samples are generated in the same way. Based on existing experience, one batch of devices can be determined to be operation and maintenance management and control devices, and another batch can be determined to be non-O&M management and control devices. The following explains the positive and negative training sample generation logic in this example:
  • O&M management and control devices usually log in to a large number of different devices, so they meet requirements both on the number of logins and on the number of different devices. The generation of positive training samples therefore meets two requirements:
  • Negative training sample generation logic is relatively simple. Either of the following two conditions can be met:
  • a logistic regression model is selected for training.
  • the logistic regression algorithm needs to specify feature columns and result columns.
  • the above six preset feature attributes are specified as feature columns.
  • Set the logistic regression model parameters as follows:
  • FIG. 4 shows a flowchart of a method for training a device prediction model according to another embodiment of the present disclosure.
  • the method for training the device prediction model includes the following steps S401-S404:
  • step S401: acquiring remote login logs generated by multiple devices in a network topology within a historical time period;
  • step S402: determining, from the remote login logs, the number of times that the multiple devices log in to other devices and/or the number of other devices they log in to;
  • step S403: generating a positive training sample from the remote login log corresponding to a first device whose number of times and/or number satisfies a preset condition, and generating a negative training sample from the remote login log corresponding to a second device whose number of times and/or number does not satisfy the preset condition;
  • step S404: training an artificial intelligence model by using the positive training samples and the negative training samples to obtain a device prediction model.
  • the target device is a device that can be used to log in to other devices in the network topology, and then manage and maintain other devices.
  • Most devices in the network topology are non-target devices, that is, application devices used to execute applications, and a small part are target devices.
  • an artificial intelligence model can be trained by training samples to obtain a device prediction model.
  • the number of times a device logs in to other devices and the number of other devices it logs in to are calculated from the remote login logs generated by multiple devices in the network topology during the historical time period, and whether the device is a first device or a second device is determined by whether the number of times and/or the number meets the preset conditions. If it is a first device, a positive training sample can be generated according to the remote login log corresponding to the first device, and if it is a second device, a negative training sample can be generated according to the remote login log corresponding to the second device. That is, if the number of times and/or the number meets a preset condition, the device may be considered a target device, and if the preset condition is not met, the device is a non-target device.
  • the preset conditions can be set according to the actual conditions of the target devices and the non-target devices in the network topology. This is because statistical analysis shows that when the number of times a device logs in to other devices and/or the number of other devices it logs in to is greater than a larger threshold, the device can basically be determined to be the target device, and when the number of times and/or the number is less than a smaller threshold, the device can basically be determined to be a non-target device; the larger and smaller thresholds can be set according to the actual situation. In this way, even when the target devices are unknown, positive training samples and negative training samples can still be generated, and in sufficient numbers.
  • a suitable artificial intelligence model can be selected for training.
  • Artificial intelligence models include, but are not limited to, one or more of logistic regression, convolutional neural networks, deep neural networks, support vector machines, K-means, K-nearest neighbors, decision trees, random forests, and Bayesian networks.
  • the corresponding type of artificial intelligence model can be selected according to the actual situation, and an artificial intelligence model can be established according to the number of preset feature attributes and the like.
  • the established artificial intelligence model can be trained using the training samples until the number of training iterations reaches a certain value or the parameters of the artificial intelligence model converge, at which point training stops; the result is a device prediction model capable of predicting whether a device is a target device.
  • the order of collection of training samples, selection and establishment of artificial intelligence models can be determined according to the actual situation, training samples can be collected first, or artificial intelligence models can be selected and established first.
  • step S403, that is, the step of generating a positive training sample from the remote login log corresponding to the first device whose number of times and/or number meets the preset condition, and generating a negative training sample from the remote login log corresponding to the second device whose number of times and/or number does not satisfy the preset condition, further includes the following steps:
  • step S501 a first preset feature attribute is extracted from a remote login log corresponding to the first device, and the positive training sample is generated according to the first preset feature attribute;
  • step S502 the second preset feature attribute is extracted from a remote login log corresponding to the second device, and the negative training sample is generated according to the second preset feature attribute.
  • the first preset feature attribute and the second preset feature attribute can further be extracted from the remote login logs corresponding to the first device and the second device and used to generate a positive training sample and a negative training sample.
  • the feature part includes features that can characterize whether the device is a target device, that is, the first preset feature attribute and the second preset feature attribute mentioned previously
  • the result labeling part is used to label whether the feature part corresponds to a feature of a target device or a feature of a non-target device.
  • the first preset feature attribute and the second preset feature attribute must include at least the number of times that the first device and the second device log in to other devices and the number of other different devices they log in to during the historical period; in addition to these two preset feature attributes, other feature attributes can also be included.
  • the first preset characteristic attribute includes at least the number of times the first device remotely logs in to other devices and/or the number of other devices it logs in to; and/or the second preset characteristic attribute includes at least the number of times the second device remotely logs in to other devices and/or the number of other devices it logs in to.
  • the first preset characteristic attribute further includes at least one of the following:
  • the first device uses a key to log in when remotely logging in to other devices
  • the second preset characteristic attribute further includes at least one of the following:
  • the second device uses a key to log in when remotely logging in to another device
  • the first preset characteristic attribute corresponding to the first device includes, in addition to the number and / or number of remote logins of the first device to other devices, a login when the first device logs in to other devices.
  • the login method may include whether to log in using a key, and the user identity may include a system user, a root user, and an ordinary user.
  • the target device uses a key to log in to other devices, and the target device usually logs in to the other device as the root user, so that it can control other devices with maximum authority.
  • Using other preset feature attributes for training can further improve the prediction accuracy of the device prediction model.
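The training procedure described above (threshold-based labelling, the six SSH feature attributes, logistic regression), as an added Python example that is not code from the patent. The log record layout, the threshold values, the log-scaling of the two counts and the per-device averaging of the per-log flags are assumptions, and all log data is constructed.

```python
import math
from collections import defaultdict

SYSTEM_USERS = {"admin", "log", "agent"}   # system-user category from the text
# Labelling thresholds are assumed values; the page leaves them to the operator.
POS_MIN_LOGINS, POS_MIN_HOSTS = 30, 15     # positive sample: both must hold
NEG_MAX_LOGINS, NEG_MAX_HOSTS = 3, 1       # negative sample: either is enough

def build_logs():
    """Constructed SSH login records: (source, destination, user, auth, success)."""
    logs = []
    def add(src, n_logins, n_hosts, user, auth, fail_every=0):
        for i in range(n_logins):
            ok = not (fail_every and i % fail_every == 0)
            logs.append((src, f"host-{i % n_hosts}", user, auth, ok))
    add("ops-1", 60, 30, "root", "publickey")
    add("ops-2", 45, 45, "root", "publickey")
    add("ops-3", 40, 20, "admin", "publickey")
    add("app-1", 2, 1, "alice", "password")
    add("app-2", 1, 1, "bob", "password")
    add("app-3", 2, 1, "deploy", "password", fail_every=2)
    add("app-4", 3, 1, "carol", "password")
    add("app-5", 1, 1, "dave", "password")
    # Two devices between the thresholds, with identical login volume.
    add("jump-x", 12, 6, "root", "publickey")
    add("dev-y", 12, 6, "erin", "password")
    return logs

def per_log_features(user, auth, ok):
    """Third to sixth preset feature attributes of one log line, as 0/1 flags."""
    return (int(ok),                        # login result
            int(auth == "publickey"),       # login mode
            int(user == "root"),            # root user identity
            int(user in SYSTEM_USERS))      # system user identity

def device_stats(logs):
    """Per source device: login count, distinct destinations, sums of the flags."""
    stats = defaultdict(lambda: {"logins": 0, "hosts": set(), "flags": [0] * 4})
    for src, dst, user, auth, ok in logs:
        s = stats[src]
        s["logins"] += 1
        s["hosts"].add(dst)
        for i, flag in enumerate(per_log_features(user, auth, ok)):
            s["flags"][i] += flag
    return stats

def feature_vector(s):
    """Six feature columns; log-scaled counts and averaged flags are assumptions."""
    n = s["logins"]
    return [math.log1p(n), math.log1p(len(s["hosts"]))] + [f / n for f in s["flags"]]

def label(s):
    """1 = O&M control device, 0 = ordinary device, None = left out of training."""
    n, hosts = s["logins"], len(s["hosts"])
    if n >= POS_MIN_LOGINS and hosts >= POS_MIN_HOSTS:
        return 1
    if n <= NEG_MAX_LOGINS or hosts <= NEG_MAX_HOSTS:
        return 0
    return None

def score(model, x):
    """Logistic-regression probability that x belongs to a control device."""
    w, b = model
    z = sum(wj * xj for wj, xj in zip(w, x)) + b
    return 1 / (1 + math.exp(-z)) if z >= 0 else math.exp(z) / (1 + math.exp(z))

def train(X, y, lr=0.1, epochs=10000):
    """Batch gradient descent on the mean log-loss; returns (weights, bias)."""
    w, b = [0.0] * len(X[0]), 0.0
    for _ in range(epochs):
        errs = [score((w, b), xi) - yi for xi, yi in zip(X, y)]
        w = [wj - lr * sum(e * xi[j] for e, xi in zip(errs, X)) / len(X)
             for j, wj in enumerate(w)]
        b -= lr * sum(errs) / len(X)
    return w, b

def run():
    """Label by thresholds, train on the labelled devices, score every device."""
    stats = device_stats(build_logs())
    labels = {dev: label(s) for dev, s in stats.items()}
    train_devs = [dev for dev, lab in labels.items() if lab is not None]
    model = train([feature_vector(stats[d]) for d in train_devs],
                  [labels[d] for d in train_devs])
    return labels, {d: score(model, feature_vector(s)) for d, s in stats.items()}

if __name__ == "__main__":
    labels, scores = run()
    for dev in sorted(scores, key=scores.get, reverse=True):
        print(f"{dev:7s} label={labels[dev]!s:5s} p(target)={scores[dev]:.3f}")
```

jump-x and dev-y have identical login counts and fall between the two thresholds, so neither is labelled; the difference between their scores comes only from the key-login and root-user features.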
  • FIG. 6 shows a structural block diagram of a prediction device for a target device according to an embodiment of the present disclosure.
  • the device may be implemented as part or all of an electronic device through software, hardware, or a combination of both.
  • the prediction device of the target device includes a first acquisition module 601, an extraction module 602, and a prediction module 603:
  • a first obtaining module 601, configured to obtain a remote login log generated by a preset device in a network topology within a predetermined period of time;
  • An extraction module 602 configured to extract preset feature attributes from the remote login log
  • the prediction module 603 is configured to process the preset feature attribute by using a pre-trained device prediction model, and predict whether the preset device is a target device under the network topology structure, wherein the target device is used to manage multiple devices in the network topology.
  • a network topology may include multiple devices interconnected through a transmission medium and co-located in the same production domain. These devices can communicate with each other through the network. Most devices in the network topology are application devices that perform corresponding operations, and a small number are target devices for controlling other devices, which administrators can use to remotely log in to other devices and then maintain and manage them.
  • the target device is an operation and maintenance management device capable of remotely logging in to other devices under the network topology and controlling other devices, and has the ability to remotely log in to a large number of other devices.
  • the preset device can be any device in the network topology, it can be an operation and maintenance management device, or it can be another application device.
  • the remote login logs generated by any device in the network topology can be stored in the database in advance, and when the target device is located, the remote login logs generated by the preset device within a predetermined period of time can be obtained from the database. Since the frequency with which the target device remotely logs in to other application devices is not necessarily high, a predetermined time period can be set, and whether the preset device is the target device can be determined based on the remote login log generated within the predetermined time period.
  • the unit of the predetermined time period can be week, month, etc., which can be set according to actual conditions, and there is no restriction on this.
  • the remote login log may be an SSH login log.
  • An SSH login log records related information of a preset device to log in to other devices, and may include the following fields, for example:
  • relevant preset feature attributes can be extracted from the above fields in the SSH login log, and then the pre-trained device prediction model is used to process the extracted preset feature attributes and predict whether or not a preset device is a target device.
  • the common features of the target device include: remotely logging in to other devices multiple times in a period of time, with the number of other devices logged in to generally not being 1 (because an operation and maintenance management and control device usually manages and maintains multiple other devices).
  • the target device as an operation and maintenance management and control device, remotely logs in to other devices for the purpose of managing and maintaining other devices. It has greater rights and may have a higher probability of logging in to other devices as the root user.
  • preset feature attributes can be set in advance, and after the SSH login log within a predetermined period of time is obtained, the preset feature attributes can be extracted from the SSH login log and passed to the pre-trained device prediction model for prediction.
  • the device prediction model is also obtained by pre-training through the preset feature attributes, and can predict whether the preset device is the target device based on the preset feature attributes extracted from the SSH login log of the preset device.
  • Device prediction models can be trained using artificial intelligence models. Artificial intelligence models include, but are not limited to, one or more of logistic regression, convolutional neural networks, deep neural networks, support vector machines, K-means, K-nearest neighbors, decision trees, random forests, and Bayesian networks.
  • the first obtaining module 601 obtains a remote login log of a device in a network topology.
  • the prediction module 603 analyzes and processes the preset feature attributes according to a pre-trained prediction model to predict whether the device is the target device.
  • related features can be extracted from massive remote login logs, and related features can be analyzed and processed through a pre-trained device prediction model to locate target devices with mass control capabilities from other devices.
  • the present disclosure greatly improves the accuracy of locating a target device from a remote login log by using the device training technology, and solves the problem that it is difficult to locate a device for management and control in a large network topology.
  • the preset characteristic attribute includes the number of times that the preset device remotely logs in to other devices in the network topology within the predetermined period of time and/or the number of other devices it logs in to.
  • the number of times a preset device logs in to other devices may be determined by adding 1 for each remote login, and the number of other devices logged in to may be determined based on the other devices logged in to within the predetermined period of time. It can be understood that the same device may be remotely logged in to multiple times, so the number of times is greater than the number of devices.
  • the target device will log in to other devices remotely for at least a period of time, and usually more than one other device is logged in.
  • the target device will also log in to other devices remotely for at least a period of time, and log in to other devices more than once.
  • Whether the preset device is the target device can be determined based on one or a combination of these two preset characteristic attributes: the number of times the preset device remotely logs in to other devices and the number of other devices it logs in to.
  • How many times the target device logs in to other devices, and how many other devices it logs in to, in a period of time depends on the network topology and application environment in which it is located. Therefore, for different network topologies and application environments, at least one or a combination of the number of times the preset device remotely logs in to other devices and the number of other devices can be used to pre-train a device prediction model, and in actual applications the device prediction model is used to predict preset devices in that network topology and application environment. In this way, a device prediction model with higher accuracy can be obtained, making the prediction of the target device more accurate.
  • the preset characteristic attribute further includes at least one of the following:
  • the preset device uses a key to log in when remotely logging in to other devices
  • preset characteristic attributes include, but are not limited to, the login method used when the preset device remotely logs in to another device, the user identity, and whether the login is successful.
  • the login method includes whether to log in with a key, and the user identity includes a system user, a root user, and an ordinary user.
  • the target device may log in to other devices multiple times in a short period of time.
  • the operation and maintenance personnel will generate a key pair for other devices, that is, a pair of public and private keys, and store the public key on the other devices, while the target device stores the private key. When the target device logs in to other devices, the private key on the target device can be automatically paired with the public key on the other devices, and the login then proceeds. In this way, the login and authentication process is automatic and needs no manual intervention, so it can save the time and energy of operation and maintenance personnel.
  • the target device usually logs in to the other device as the root user, so that it can control the other device with the maximum permissions.
  • Using these preset feature attributes for prediction can exclude situations where some users log in to their devices remotely to work.
  • the above other preset feature attributes can also be used for training, so that the prediction accuracy of the device prediction model is further improved.
  • the apparatus further includes:
  • a second acquisition module is configured to acquire a plurality of training samples, wherein the training samples include a feature portion and a result labeling portion, the feature portion includes the preset feature attribute, and the result labeling portion is used to label whether the training samples are positive training samples or negative training samples;
  • a first training module is configured to train an artificial intelligence model by using a plurality of the training samples to obtain the device prediction model.
  • an appropriate artificial intelligence model may be selected first.
  • Artificial intelligence models include, but are not limited to, one or more of logistic regression, convolutional neural networks, deep neural networks, support vector machines, K-means, K-nearest neighbors, decision trees, random forests, and Bayesian networks.
  • the type and structure of the corresponding artificial intelligence model can be selected according to the actual situation, and the artificial intelligence model can be established according to the number of preset feature attributes and the like.
  • the second acquisition module can collect training samples.
  • the training sample may include a feature part and a result labeling part. The feature part includes the preset feature attributes used for training, which may be extracted from the remote login log of a target device over a past period (where the device is known to be a target device) or from the remote login log of a non-target device over a past period (where the device is known to be a non-target device). The result labeling part is used to label the training sample as a positive training sample or a negative training sample: a positive training sample corresponds to a target device, while a negative training sample corresponds to a non-target device.
  • the training module can use the training samples to train the established artificial intelligence model until the number of training iterations reaches a certain value or the parameters of the artificial intelligence model converge, at which point training stops; the result is a device prediction model able to predict whether a device is the target device.
  • the second obtaining module includes:
  • a first acquisition submodule configured to acquire a remote login log generated by a plurality of devices in the network topology structure in a historical time period
  • a first determining submodule configured to determine, from the remote login log, the number of times that the multiple devices log in to other devices and/or the number of other devices they log in to;
  • a generating sub-module configured to generate a positive training sample from the remote login log corresponding to a first device whose number of times and/or number satisfies a preset condition, and to generate a negative training sample from the remote login log corresponding to a second device whose number of times and/or number does not satisfy the preset condition.
  • the historical time period may be a certain period of time in the past, which is specifically set according to the actual situation.
  • the time length of the historical time period and the predetermined time period is similar, that is, the difference between the two lengths may be less than a preset threshold. This is because, when a device prediction model is applied to make a prediction, the preset characteristic attribute includes the number of times the preset device logs in to other devices within the predetermined period of time and the number of other devices it logs in to; if the difference between the length of the historical time period used during training and the predetermined time period is small, the prediction accuracy of the device prediction model can be made higher.
  • the first acquisition submodule in this implementation collects remote login logs generated by multiple devices in the historical time period under a preset network topology; the first determination submodule counts the number of times each device logs in to other devices and/or the number of other devices it logs in to (that is, the number of times, the number, or a combination of the two); and the generation submodule determines whether the device is the target device based on the number of times and/or the number, and then extracts the preset feature attributes from the remote login log to generate positive training samples and negative training samples.
  • FIG. 7 illustrates a structural block diagram of a device for training a device prediction model according to an embodiment of the present disclosure.
  • the device may be implemented as part or all of an electronic device through software, hardware, or a combination of both.
  • the device for training the device prediction model includes a third acquisition module 701, a first determination module 702, a generation module 703, and a training module 704:
  • a third obtaining module 701, configured to obtain remote login logs generated by multiple devices in a network topology within a historical time period
  • a first determining module 702 configured to determine, from the remote login log, the number of times that the multiple devices log in to other devices and/or the number of other devices they log in to;
  • a generating module 703 configured to generate a positive training sample from the remote login log corresponding to a first device whose number of times and/or number meets a preset condition, and to generate a negative training sample from the remote login log corresponding to a second device whose number of times and/or number does not satisfy the preset condition;
  • a second training module 704 is configured to use the positive training samples and the negative training samples to train an artificial intelligence model to obtain a device prediction model.
  • the target device is a device that can be used to log in to other devices in the network topology, and then manage and maintain other devices.
  • Most devices in the network topology are non-target devices, that is, application devices used to execute applications, and a small part are target devices.
  • an artificial intelligence model can be trained by training samples to obtain a device prediction model.
  • using the remote login logs generated by multiple devices in the network topology during the historical period, the third acquisition module 701 calculates the number of times a device logs in to other devices and the number of other different devices it logs in to. The generating module 703 then determines whether the device is a first device or a second device according to whether the number of times and/or the number meets a preset condition. If it is a first device, the generating module 703 may generate a positive training sample according to the remote login log corresponding to the first device. If it is a second device, the generating module 703 may generate a negative training sample according to the remote login log corresponding to the second device. That is, if the number of times and/or the number meets a preset condition, the device may be considered a target device, and if the preset condition is not met, the device is a non-target device.
  • the preset conditions can be set according to the actual conditions of the target devices and the non-target devices in the network topology. This is because statistical analysis shows that when the number of times a device logs in to other devices and/or the number of other devices it logs in to is greater than a larger threshold, the device can basically be determined to be the target device, and when the number of times and/or the number is less than a smaller threshold, the device can basically be determined to be a non-target device; the larger threshold and the smaller threshold can be set according to the actual situation. In this way, even when the target devices are unknown, positive training samples and negative training samples can still be generated, and in sufficient numbers.
  • the second training module 704 may select a suitable artificial intelligence model for training.
  • Artificial intelligence models include, but are not limited to, one or more of logistic regression, convolutional neural networks, deep neural networks, support vector machines, K-means, K-nearest neighbors, decision trees, random forests, and Bayesian networks.
  • the corresponding type of artificial intelligence model can be selected according to the actual situation, and an artificial intelligence model can be established according to the number of preset feature attributes and the like.
  • the established artificial intelligence model can be trained using the training samples until the number of training iterations reaches a certain value or the parameters of the artificial intelligence model converge, at which point training stops; the result is a device prediction model capable of predicting whether a device is a target device.
  • the order of collection of training samples, selection and establishment of artificial intelligence models can be determined according to the actual situation, training samples can be collected first, or artificial intelligence models can be selected and established first.
  • the generating module 703 includes:
  • a first extraction submodule configured to extract a first preset feature attribute from a remote login log corresponding to the first device, and generate the positive training sample according to the first preset feature attribute;
  • a second extraction submodule is configured to extract the second preset feature attribute from a remote login log corresponding to the second device, and generate the negative training sample according to the second preset feature attribute.
  • the first extraction submodule and the second extraction submodule may further extract the first preset feature attribute and the second preset feature attribute from the remote login logs corresponding to the first device and the second device, and then generate a positive training sample and a negative training sample.
  • the feature part includes features that can characterize whether the device is a target device, that is, the first preset feature attribute and the second preset feature attribute mentioned previously
  • the result labeling part is used to label whether the feature part corresponds to a feature of a target device or a feature of a non-target device.
  • the first preset feature attribute and the second preset feature attribute must include at least the number of times that the first device and the second device log in to other devices and the number of other different devices they log in to during the historical period; in addition to these two preset feature attributes, other feature attributes can also be included.
  • the first preset characteristic attribute includes at least the number of times the first device remotely logs in to other devices and/or the number of other devices it logs in to; and/or the second preset characteristic attribute includes at least the number of times the second device remotely logs in to other devices and/or the number of other devices it logs in to.
  • the first preset characteristic attribute further includes at least one of the following:
  • the first device uses a key to log in when remotely logging in to other devices
  • the second preset characteristic attribute further includes at least one of the following:
  • the second device uses a key to log in when remotely logging in to another device
  • the first preset characteristic attribute corresponding to the first device includes, in addition to the number and / or number of remote logins of the first device to other devices, a login when the first device logs in to other devices.
  • the login method may include whether to log in using a key
  • the user identity may include a system user, a root user, and an ordinary user.
  • the target device uses a key to log in to other devices, and the target device usually logs in to other devices as the root user, so that it can control other devices with the maximum rights.
  • Using other preset feature attributes for training can further improve the prediction accuracy of the device prediction model.
  • FIG. 8 is a schematic structural diagram of an electronic device suitable for implementing a prediction method of a target device according to an embodiment of the present disclosure.
  • the electronic device 800 includes a central processing unit (CPU) 801, which can execute the various processes of the embodiment shown in FIG. 1 according to a program stored in a read-only memory (ROM) 802 or a program loaded from a storage section 808 into a random access memory (RAM) 803. In the RAM 803, various programs and data required for the operation of the electronic device 800 are also stored.
  • the CPU 801, the ROM 802, and the RAM 803 are connected to each other through a bus 804.
  • An input / output (I / O) interface 805 is also connected to the bus 804.
  • the following components are connected to the I / O interface 805: an input portion 806 including a keyboard, a mouse, and the like; an output portion 807 including a cathode ray tube (CRT), a liquid crystal display (LCD), and a speaker; a storage portion 808 including a hard disk and the like; and a communication section 809 including a network interface card such as a LAN card, a modem, and the like. The communication section 809 performs communication processing via a network such as the Internet.
  • a drive 810 is also connected to the I / O interface 805 as needed.
  • a removable medium 811 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, etc., is installed on the drive 810 as needed, so that a computer program read out therefrom is installed into the storage section 808 as needed.
  • the method described above with reference to FIG. 1 may be implemented as a computer software program.
  • embodiments of the present disclosure include a computer program product including a computer program tangibly embodied on a readable medium thereon, the computer program containing program code for performing the method of FIG. 1.
  • the computer program may be downloaded and installed from a network through the communication section 809, and / or installed from a removable medium 811.
  • the above-mentioned electronic device shown in FIG. 8 is also suitable for implementing a method for training a device prediction model according to another embodiment of the present disclosure.
  • each block in the flowchart or block diagram may represent a module, program segment, or portion of code that contains one or more executable instructions for implementing a specified logical function.
  • the functions noted in the blocks may also occur in a different order than those marked in the drawings. For example, two successively represented boxes may actually be executed substantially in parallel, and they may sometimes be executed in the reverse order, depending on the functions involved.
  • each block in the block diagrams and / or flowcharts, and combinations of blocks in the block diagrams and / or flowcharts can be implemented by a dedicated hardware-based system that performs the specified function or operation , Or it can be implemented with a combination of dedicated hardware and computer instructions.
  • the units or modules described in the embodiments of the present disclosure may be implemented by software, and may also be implemented by hardware.
  • the described units or modules may also be provided in the processor, and the names of these units or modules do not, in some cases, define the unit or module itself.
  • the present disclosure also provides a computer-readable storage medium.
  • the computer-readable storage medium may be a computer-readable storage medium included in the device described in the foregoing embodiments; Computer-readable storage media incorporated into a device.
  • the computer-readable storage medium stores one or more programs, which are used by one or more processors to perform the methods described in the present disclosure.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Debugging And Monitoring (AREA)

Abstract

Disclosed are a method and an apparatus for predicting a target device, as well as an electronic device and a storage medium. The method comprises: acquiring a remote login log generated by a preset device in a network topology within a predetermined time period; extracting a preset feature attribute from the remote login log; and processing the preset feature attribute using a pre-trained device prediction model to predict whether the preset device is a target device in the network topology, the target device being used to control multiple devices in the network topology. With the embodiments of the present disclosure, relevant features can be extracted from a large number of remote login logs and analyzed and processed by a pre-trained device prediction model, so as to determine, from a large number of devices, a target device that has the capability to control other devices.
PCT/CN2019/092369 2018-08-14 2019-06-21 Method and apparatus for predicting a target device, electronic device and storage medium WO2020034756A1 (fr)
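The three steps of the abstract (collect remote login logs for a time window, extract per-device features, score them with a pre-trained model), as an added example that is not code from the patent. The log format, the two feature names, and the logistic-regression weights are assumptions made for illustration; the sample log is constructed.

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample log, assumed format: "ISO-timestamp source-device destination-device".
SAMPLE_LOG = """\
2018-08-01T09:00:00 ops-01 web-01
2018-08-01T09:05:00 ops-01 web-02
2018-08-01T09:10:00 ops-01 db-01
2018-08-01T09:20:00 ops-01 web-01
2018-08-01T10:00:00 web-01 db-01
2018-08-02T11:00:00 ops-01 cache-01
2018-09-15T08:00:00 web-02 db-01
"""

# Assumed weights standing in for a pre-trained model (logistic regression here).
WEIGHTS = {"logins": 0.3, "distinct_targets": 1.2}
BIAS = -4.0

def parse(log_text):
    """Yield (timestamp, source, destination), skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2]
        except ValueError:
            continue

def extract_features(log_text, start, end):
    """Per-source-device features from logins inside the [start, end) window."""
    logins = defaultdict(int)
    targets = defaultdict(set)
    for ts, src, dst in parse(log_text):
        if start <= ts < end:
            logins[src] += 1
            targets[src].add(dst)
    return {d: {"logins": logins[d], "distinct_targets": len(targets[d])}
            for d in logins}

def predict(features, threshold=0.5):
    """Return {device: (probability, is_target)} from the logistic score."""
    out = {}
    for device, f in features.items():
        z = BIAS + sum(WEIGHTS[k] * f[k] for k in WEIGHTS)
        p = 1.0 / (1.0 + math.exp(-z))
        out[device] = (round(p, 3), p >= threshold)
    return out
```

Devices with no outbound login inside the window produce no feature row, so they are never scored; an asset inventory would need to treat those as "no evidence" rather than "not a control device".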

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810924481.3 2018-08-14
CN201810924481.3A CN109218077A (zh) 2018-08-14 2018-08-14 Method, apparatus, electronic device and storage medium for predicting a target device

Publications (1)

Publication Number Publication Date
WO2020034756A1 (fr) 2020-02-20

Family

ID=64988653

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/092369 WO2020034756A1 (fr) 2018-08-14 2019-06-21 Method and apparatus for predicting a target device, electronic device and storage medium

Country Status (3)

Country Link
CN (1) CN109218077A (fr)
TW (1) TWI706646B (fr)
WO (1) WO2020034756A1 (fr)

Also Published As

Publication number Publication date
CN109218077A (zh) 2019-01-15
TWI706646B (zh) 2020-10-01
TW202010292A (zh) 2020-03-01

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19850542

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19850542

Country of ref document: EP

Kind code of ref document: A1