WO2020258672A1 - Procédé et dispositif de détection d'anomalie d'accès au réseau - Google Patents

Procédé et dispositif de détection d'anomalie d'accès au réseau Download PDF

Info

Publication number
WO2020258672A1
WO2020258672A1 PCT/CN2019/118437 CN2019118437W WO2020258672A1 WO 2020258672 A1 WO2020258672 A1 WO 2020258672A1 CN 2019118437 W CN2019118437 W CN 2019118437W WO 2020258672 A1 WO2020258672 A1 WO 2020258672A1
Authority
WO
WIPO (PCT)
Prior art keywords
network access
feature set
terminal device
access request
candidate feature
Prior art date
Application number
PCT/CN2019/118437
Other languages
English (en)
Chinese (zh)
Inventor
黎立桂
Original Assignee
平安科技(深圳)有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 平安科技(深圳)有限公司 filed Critical 平安科技(深圳)有限公司
Publication of WO2020258672A1 publication Critical patent/WO2020258672A1/fr

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic

Definitions

  • the present application relates to the technical field of security detection. Specifically, the present application relates to a method and device for detecting abnormality of network access.
  • the current method is to collect data such as click time and mouse drag trajectory during the user verification process to identify the user type based on this behavior data. This type of method has a high error rate and is easy to identify a real user as an abnormal user. The accuracy is low.
  • this application provides an abnormality detection method for network access, which includes the following steps:
  • the feature number of each candidate feature set is compared in the order of the smallest to the most, and the support for the simultaneous appearance frequency of the features in each candidate feature set is obtained, and the candidate features that are greater than or equal to the minimum support are obtained
  • the set is set as a frequent feature set
  • acquiring multiple non-linear characteristics of the relevant parameters of the terminal device according to the network access request, and forming multiple candidate feature sets ,Also includes:
  • a corresponding characteristic list is formed.
  • the feature type of the feature list includes the necessary information type generated by the terminal device initiating a network access request.
  • the step of receiving a network access request sent by a terminal device, acquiring multiple non-linear characteristics of relevant parameters of the terminal device according to the network access request, and forming multiple candidate feature sets includes :
  • the feature number of each candidate feature set is compared hierarchically in ascending order to obtain the support for the simultaneous appearance frequency of features in each candidate feature set, respectively, And before the step of setting candidate feature sets greater than or equal to the minimum support as frequent feature sets, it also includes:
  • the step of obtaining the corresponding inverse confidence degree according to the confidence degree of the frequent feature set includes:
  • the inverse confidence of the best frequent feature set is used as an abnormality threshold.
  • the minimum support degree is the upper quartile of all candidate feature sets formed within a set time period.
  • an abnormality detection device for network access which includes:
  • a forming module configured to receive a network access request sent by a terminal device, obtain multiple non-linear characteristics of relevant parameters of the terminal device according to the network access request, and form multiple candidate feature sets;
  • the setting module is used to compare the feature numbers of each candidate feature set in order from small to many according to the candidate feature set, and obtain the support degree of the simultaneous appearance frequency of the features in each candidate feature set respectively, and it is greater than or equal to
  • the candidate feature set with the minimum support is set as a frequent feature set;
  • An obtaining module configured to obtain a corresponding inverse confidence degree according to the confidence degree of the frequent feature set
  • the judging module is used for judging that the corresponding network access is abnormal when the reverse confidence of the frequent feature set is greater than the abnormal threshold.
  • this application also provides a server, which includes:
  • One or more processors are One or more processors;
  • One or more computer-readable instructions wherein the one or more computer-readable instructions are stored in the memory and configured to be executed by the one or more processors, and the one or more computers may The read instruction configuration is used to execute the network access abnormality detection method described in the embodiment of the first aspect.
  • the present application also provides a computer-readable storage medium having computer-readable instructions stored on the computer-readable storage medium.
  • the computer-readable instructions When the computer-readable instructions are executed by a processor, the computer-readable instructions described in the embodiments of the first aspect are implemented. Anomaly detection method for network access.
  • the method and device for detecting anomaly of network access are based on the candidate feature set formed by several features obtained according to the network request, and the support and confidence of the candidate feature set are obtained as the decision point. According to the basis of whether the network access is abnormal, the result of determining whether the corresponding network access request is abnormal is finally obtained.
  • the technical solution provided by this application forms multiple candidate feature sets from the features acquired in the network access request, and compares the support and confidence values, avoiding the identification and reprocessing of the corresponding features, and the transformation of the detection object , Simplifies the processing of detection data, improves detection efficiency, and ultimately improves the ability to detect abnormal access to terminal equipment.
  • FIG. 1 is an application environment diagram of the anomaly detection solution for network access in an embodiment of the present application
  • FIG. 2 is a flowchart of a method for detecting anomaly of network access according to an embodiment of the present application
  • FIG. 3 is a schematic diagram of an abnormality detection device for network access according to an embodiment of this application.
  • FIG. 4 is a schematic structural diagram of a server according to an embodiment of the application.
  • terminal and “terminal equipment” used herein include both wireless signal receiver equipment, equipment that only has wireless signal receivers without transmitting capability, and equipment receiving and transmitting hardware.
  • Such equipment may include: cellular or other communication equipment, which has a single-line display or multi-line display or cellular or other communication equipment without a multi-line display; PCS (Personal Communications Service, personal communication system), which can combine voice, data processing, fax and/or data communication capabilities; PDA (Personal Digital Assistant, personal digital assistant), which can include radio frequency receivers, pagers, Internet/Intranet access, web browsers, notepads, calendars, and/or GPS (Global Positioning System (Global Positioning System) receiver; conventional laptop and/or palmtop computer or other device, which has and/or includes a radio frequency receiver, conventional laptop and/or palmtop computer or other device.
  • GPS Global Positioning System (Global Positioning System) receiver
  • conventional laptop and/or palmtop computer or other device which has and/or includes a radio frequency receiver, conventional laptop and/or palmtop computer or other device.
  • terminal and terminal equipment used here may be portable, transportable, installed in vehicles (aviation, sea and/or land), or suitable and/or configured to operate locally, and/or In a distributed form, it runs on the earth and/or any other location in space.
  • the "terminal” and “terminal equipment” used here can also be communication terminals, Internet terminals, music/video playback terminals, such as PDA, MID (Mobile Internet Device, mobile Internet device) and/or mobile phone with music/video playback function, it can also be a smart TV, set-top box and other devices.
  • the remote network device used here includes but is not limited to a computer, a network host, a single network server, a set of multiple network servers, or a cloud composed of multiple servers.
  • cloud is based on cloud computing (Cloud Computing) consists of a large number of computers or network servers.
  • cloud computing is a type of distributed computing, a super virtual computer composed of a group of loosely coupled computer sets.
  • the remote network equipment, terminal equipment and WNS server can communicate through any communication method, including but not limited to mobile communication based on 3GPP, LTE, WIMAX, and TCP/IP, UDP protocol-based mobile communications.
  • Computer network communication and short-range wireless transmission based on Bluetooth and infrared transmission standards.
  • Figure 1 is an application environment diagram of the embodiment of the application; in this embodiment, the technical solution of the application can be implemented on a server.
  • the terminal devices 110 and 120 can access the server through the internet 130.
  • the terminal device 110 and/or 120 sends a network request to the server 130, and the server 130 performs data interaction according to the network request.
  • the server 130 obtains the access data and attribute data of the terminal device 110 and/or 120 according to the request information of the terminal device 110 and/or 120, and performs abnormality detection on the terminal device according to the data.
  • S210 Receive a network access request sent by a terminal device, obtain multiple nonlinear features of relevant parameters of the terminal device according to the network access request, and form multiple candidate feature sets.
  • the server When the server interacts with the terminal device, it obtains the relevant parameters of the terminal device according to the network request sent by the terminal device. Regarding the acquisition of the feature, relevant information can be extracted according to processing needs, and the related information can be analyzed to obtain the corresponding feature, and the multiple nonlinear features obtained in the foregoing manner.
  • the user sends registration and verification requests, and the front-end uses JavaScript scripts to obtain the relevant characteristics of the terminal device, including device type (IPone, Mac, Andriod), system information (OS type, version, resolution), and device
  • device type IPone, Mac, Andriod
  • OS type system information
  • device Multiple features such as the maximum number of touchable points and IP supported in a touch screen event, and the features are in a non-linear relationship with each other.
  • Several features may be extracted or randomly selected as needed to form multiple candidate feature sets to perform abnormality detection on the network access request sent by the terminal device.
  • the candidate feature set the feature numbers of the candidate feature sets are compared hierarchically in ascending order to obtain the support for the simultaneous appearance frequency of features in each candidate feature set, and the support is greater than or equal to the minimum support.
  • the candidate feature set is set as a frequent feature set.
  • the support of each candidate feature set is calculated separately, and the frequency of simultaneous appearance of each candidate feature set.
  • the feature may include a certain system version information of the terminal device, and the terminal device supports touch control.
  • the feature of a certain system version information of the terminal device can be obtained by obtaining the user_agent of the device through JS, and obtained by analyzing the user_agent.
  • the features of the terminal device supporting touch control can be directly obtained through JS.
  • the support of all candidate feature sets is compared with the minimum support, and the candidate feature set greater than or equal to the minimum support is set as a frequent feature set.
  • the hierarchical comparison is performed in the order of the feature number of each candidate feature set from small to large, and the specific method of hierarchical comparison is as follows:
  • the candidate feature set with three features is only: ⁇ 1, 2, 3 ⁇ .
  • the confidence of each frequent feature set is calculated. According to the confidence, the inverse confidence of the corresponding frequent feature set is obtained.
  • the sample to be inspected is the corresponding frequent feature set of a certain network access request initiated by the terminal device obtained according to the above steps S210-S230.
  • the reverse confidence of the sample to be checked is greater than the abnormal threshold, it is determined that the corresponding network access is an abnormal access.
  • the abnormal threshold may be set for the network access request sent by the terminal device, and the set abnormal threshold may be 70%.
  • the abnormal threshold may also be obtained based on the obtained frequent feature set.
  • the anomaly detection method for network access is based on multiple nonlinear features obtained from a network access request, and combining several features into multiple candidate feature sets, and comparing the corresponding support degree with the minimum support degree, The corresponding frequent feature set is obtained, and finally, according to the confidence of the above frequent feature set, the detection result of whether the network access request is abnormal is obtained by comparing with the abnormal threshold.
  • the technical solution of the present application uses the support and confidence calculation of the candidate feature set formed by the features obtained by the network access request initiated by the terminal device to generate a distinguished feature set, which is faster, and use this as whether to respond The basis of the request.
  • the feature engineering and machine learning algorithms are used in this application to independently learn the distinguishing rules in user data .
  • With strong interpretability can identify diverse abnormal scenes, and as the sample size grows, it can cover more and more complex situations.
  • step S210 it further includes:
  • a corresponding characteristic list is formed.
  • corresponding features can be obtained from the network access request initiated by the terminal device according to preset feature items, and the preset feature items are aggregated to form a feature list.
  • the feature item in the feature list may be specific information about a certain category, for example, the operating system of the terminal device may be specifically IOS system or windows system; the model of the terminal device may be specific It is a mac computer or a windows computer; for the touch screen events of the terminal device, different features can be set according to the specific touch points supported by the current main terminal device and/or operating system. In this way, after different features are combined, abnormal situations can be found more accurately from the correspondence between features.
  • the feature type of the feature list includes the necessary information type generated by the terminal device initiating a network access request.
  • the necessary information type is the type of the feature that must be generated in the process of the terminal device initiating the network access request, and can be obtained without secondary calculation or statistics. Such as information about the model of the terminal device, operating system version number information, IP information or touch screen events.
  • the fundamental feature information generated by the abnormal access can be directly processed and the result of the data processing can be judged, so that the data can be processed as little as possible, and the accuracy rate can be easily improved.
  • step S210 it includes:
  • A1. Receive each network access request sent by the terminal device, and obtain multiple non-linear characteristics according to the corresponding network access request;
  • the characteristics obtained from the terminal device are obtained for each network access request initiated by the terminal device.
  • the acquired features can be correspondingly acquired and collected corresponding to the feature items in the feature list.
  • some or all of the feature items are extracted from the collected feature items, and a plurality of candidate feature sets are formed correspondingly, so as to provide corresponding data for the network access anomaly detection of the terminal device.
  • step S220 it may further include:
  • the maximum number of touch points supported in the touch screen event of a computer running a windows system obtained through JS is 255.
  • computers running mac or windows operating systems generally do not support touch. If the touch screen event information obtained through JS supports touch, it is likely to be an abnormal user.
  • the corresponding server is started to run the operation of step S220, and the support degree of each candidate feature set is calculated.
  • the support degree of each candidate feature set is calculated.
  • it includes the operating system characteristics of the terminal device and the characteristics of the maximum number of touch points supported by the terminal device.
  • the device model feature of the terminal device may be added to the candidate feature set.
  • the step of obtaining the corresponding inverse confidence based on the confidence of the frequent feature set in step S230 includes:
  • the inverse confidence of the best frequent feature set is used as an abnormality threshold.
  • the confidence of each frequent feature set is performed, and the confidence of each frequent feature set is compared. According to the comparison result, the frequent feature set with the highest confidence is obtained as the best frequent feature set.
  • the inverse confidence degree is calculated for the highest confidence degree, that is, the inverse confidence degree of the best frequent feature set is used as the abnormal threshold.
  • abnormal detection is performed on the corresponding network access request.
  • the support and confidence are updated to obtain the corresponding best frequent feature set at this time, and based on the inverse confidence of the best frequent feature set The degree is used as the judgment basis for abnormal detection.
  • the corresponding parameters can be updated and adjusted at any time according to the obtained data changes regarding the characteristics of the terminal equipment, so as to adjust the judgment standard according to the data changes.
  • the server directly rejects the request or re-requires the terminal device to perform access verification; if the network request currently initiated by the terminal device is determined to be a normal access request, then Respond directly to requests.
  • the minimum support degree mentioned in step S220 may be set.
  • the minimum support degree is the upper quartile of all candidate feature sets formed within a set time period.
  • the minimum support can be adjusted according to the acquired features and changes in the candidate feature set composed of the features, to ensure that the frequent feature set is more accurately acquired, and to ensure the accuracy and flexibility of anomaly detection results Sex.
  • an embodiment of the present application also provides an abnormality detection device for network access, as shown in FIG. 3, including:
  • the forming module 310 is configured to receive a network access request sent by a terminal device, obtain multiple nonlinear characteristics of relevant parameters of the terminal device according to the network access request, and form multiple candidate feature sets;
  • the setting module 320 is configured to compare the number of features of each candidate feature set in order from small to many according to the candidate feature set, and obtain the support degree of the simultaneous appearance frequency of the features in each candidate feature set, and set it to be greater than The candidate feature set equal to the minimum support is set as a frequent feature set;
  • the obtaining module 330 is configured to obtain the corresponding inverse confidence according to the confidence of the frequent feature set
  • the determining module 340 is configured to determine that the corresponding network access is an abnormal access when the reverse confidence of the frequent feature set is greater than the abnormal threshold.
  • FIG. 4 is a schematic diagram of the internal structure of the server in an embodiment.
  • the server includes a processor 410, a storage medium 420, a memory 430, and a network interface 440 connected through a system bus.
  • the storage medium 420 of the server stores an operating system, a database, and computer-readable instructions.
  • the database may store control information sequences.
  • the processor 410 can implement a network
  • the processor 410 can implement the functions of the feature formation module 310, the setting module 320, the acquisition module 330, and the determination module 340 in a network access abnormality detection device in the embodiment shown in FIG.
  • the processor 410 of the server is used to provide computing and control capabilities to support the operation of the entire server.
  • the memory 430 of the server may store computer-readable instructions, and when the computer-readable instructions are executed by the processor 410, the processor 410 can execute a method for detecting abnormality of network access.
  • the network interface 440 of the server is used to connect and communicate with the terminal.
  • the present application also proposes a storage medium storing computer-readable instructions.
  • the one or more processors perform the following steps: receiving The network access request sent by the terminal device acquires multiple nonlinear features of the relevant parameters of the terminal device according to the network access request, and forms multiple candidate feature sets; according to the candidate feature set, each candidate feature The feature number of the set is compared in the order from small to most, and the support for the simultaneous appearance frequency of features in each candidate feature set is obtained, and the candidate feature set with the minimum support is set as a frequent feature set; according to the frequent features The confidence of the set is obtained, and the corresponding inverse confidence is obtained; when the inverse confidence of the frequent feature set is greater than the abnormal threshold, the corresponding network access is determined to be an abnormal access.
  • the method and device for detecting anomaly of network access are based on the candidate feature set formed by several features obtained according to the network request, and the support and confidence of the candidate feature set are obtained as the decision point. According to the basis of whether the network access is abnormal, the result of determining whether the corresponding network access request is abnormal is finally obtained.
  • the technical solution provided by this application forms multiple candidate feature sets from the features acquired in the network access request, and compares the support and confidence values, avoiding the identification and reprocessing of the corresponding features, and the transformation of the detection object , Simplifies the processing of detection data, improves detection efficiency, and ultimately improves the ability to detect abnormal access to terminal equipment.
  • the anomaly detection method and device of the present application through network access uses the candidate feature set formed by the combination of features that embody normal network access verification, and based on the comparison result of its support and confidence, the judgment is obtained Whether network access is the result of abnormal access.
  • the technical solution provided in this application can convert characteristic information into parameter information that is convenient for comparison, reducing the difficulty of obtaining information by the terminal device, and is similar to the surface phenomenon of the use track in the prior art when the user initiates a network access request.
  • the comparison of methods for determining abnormal access also improves the accuracy of detection.
  • the aforementioned storage medium may be a magnetic disk, an optical disk, a read-only storage memory (Read-Only Memory, ROM) and other storage media.
  • the storage medium may be a non-volatile storage medium, or a random access memory (Random Access Memory, RAM).

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Debugging And Monitoring (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

La présente invention se rapporte au domaine technique du contrôle de sécurité, et concerne un procédé et un dispositif de détection d'anomalie d'accès au réseau. Le procédé consiste à : recevoir une demande d'accès au réseau envoyée par un appareil terminal, acquérir, conformément à la demande d'accès au réseau, de multiples caractéristiques non linéaires de paramètres associés à l'appareil terminal, et former de multiples ensembles de caractéristiques candidats ; exécuter, conformément aux ensembles de caractéristiques candidats, une comparaison hiérarchique des ensembles de caractéristiques candidats selon un ordre croissant du nombre de caractéristiques en leur sein, obtenir un niveau de prise en charge d'une fréquence de cooccurrence de caractéristiques de chacun des ensembles de caractéristiques candidats, et définir un ensemble de caractéristiques candidats ayant un niveau de prise en charge supérieur ou égal à un niveau de prise en charge minimal en tant qu'ensemble de caractéristiques fréquent ; obtenir un niveau de confiance inverse correspondant conformément à un niveau de confiance de l'ensemble de caractéristiques fréquent ; et si le niveau de confiance inverse de l'ensemble de caractéristiques fréquent est supérieur à un seuil d'anomalie, déterminer un accès au réseau correspondant en tant qu'accès anormal. Le procédé améliore la capacité de détection d'anomalie d'accès au réseau courant d'appareils terminaux.
PCT/CN2019/118437 2019-06-28 2019-11-14 Procédé et dispositif de détection d'anomalie d'accès au réseau WO2020258672A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910580036.4A CN110392046B (zh) 2019-06-28 2019-06-28 网络访问的异常检测方法和装置
CN201910580036.4 2019-06-28

Publications (1)

Publication Number Publication Date
WO2020258672A1 true WO2020258672A1 (fr) 2020-12-30

Family

ID=68286022

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/118437 WO2020258672A1 (fr) 2019-06-28 2019-11-14 Procédé et dispositif de détection d'anomalie d'accès au réseau

Country Status (2)

Country Link
CN (1) CN110392046B (fr)
WO (1) WO2020258672A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113850499A (zh) * 2021-09-23 2021-12-28 平安银行股份有限公司 一种数据处理方法、装置、电子设备和存储介质

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110392046B (zh) * 2019-06-28 2021-12-24 平安科技(深圳)有限公司 网络访问的异常检测方法和装置
CN114666391B (zh) * 2020-12-03 2023-09-19 中国移动通信集团广东有限公司 访问轨迹确定方法、装置、设备及存储介质
CN113726814B (zh) * 2021-09-09 2022-09-02 中国电信股份有限公司 用户异常行为识别方法、装置、设备及存储介质

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020082886A1 (en) * 2000-09-06 2002-06-27 Stefanos Manganaris Method and system for detecting unusual events and application thereof in computer intrusion detection
CN104539484A (zh) * 2014-12-31 2015-04-22 深圳先进技术研究院 一种动态评估网络连接可信度的方法及系统
CN105512210A (zh) * 2015-11-27 2016-04-20 网神信息技术(北京)股份有限公司 关联事件类型的检测方法及装置
CN105681312A (zh) * 2016-01-28 2016-06-15 李青山 一种基于频繁项集挖掘的移动互联网异常用户检测方法
CN108255996A (zh) * 2017-12-29 2018-07-06 西安交大捷普网络科技有限公司 基于Apriori算法的安全日志分析方法
CN108595667A (zh) * 2018-04-28 2018-09-28 广东电网有限责任公司 一种网络异常数据的关联性分析方法
CN110392046A (zh) * 2019-06-28 2019-10-29 平安科技(深圳)有限公司 网络访问的异常检测方法和装置

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10326789B1 (en) * 2015-09-25 2019-06-18 Amazon Technologies, Inc. Web Bot detection and human differentiation
CA3011936A1 (fr) * 2017-08-03 2019-02-03 Interset Software, Inc. Systemes et methodes de discrimination entre les interactions humaines et les interactions non-humaines au moyen de dispositifs informatiques sur un reseau d'ordinateurs
CN107704764A (zh) * 2017-10-18 2018-02-16 广州华多网络科技有限公司 构建训练集的方法、装置、设备及人机识别的方法
CN109120634B (zh) * 2018-09-05 2021-02-05 广州视源电子科技股份有限公司 一种端口扫描检测的方法、装置、计算机设备和存储介质
CN109408556B (zh) * 2018-09-28 2024-02-02 中国平安人寿保险股份有限公司 基于大数据的异常用户识别方法及装置、电子设备、介质
CN109936561B (zh) * 2019-01-08 2022-05-13 平安科技(深圳)有限公司 用户请求的检测方法、装置、计算机设备及存储介质

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020082886A1 (en) * 2000-09-06 2002-06-27 Stefanos Manganaris Method and system for detecting unusual events and application thereof in computer intrusion detection
CN104539484A (zh) * 2014-12-31 2015-04-22 深圳先进技术研究院 一种动态评估网络连接可信度的方法及系统
CN105512210A (zh) * 2015-11-27 2016-04-20 网神信息技术(北京)股份有限公司 关联事件类型的检测方法及装置
CN105681312A (zh) * 2016-01-28 2016-06-15 李青山 一种基于频繁项集挖掘的移动互联网异常用户检测方法
CN108255996A (zh) * 2017-12-29 2018-07-06 西安交大捷普网络科技有限公司 基于Apriori算法的安全日志分析方法
CN108595667A (zh) * 2018-04-28 2018-09-28 广东电网有限责任公司 一种网络异常数据的关联性分析方法
CN110392046A (zh) * 2019-06-28 2019-10-29 平安科技(深圳)有限公司 网络访问的异常检测方法和装置

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
HONG, SHIJIE: "Non-official translation: Research of Intrusion Detection Based on Sequential Pattern Mining", INFORMATION & TECHNOLOGY, CHINA MASTER’S THESES FULL-TEXT DATABASE, no. 09, 15 September 2009 (2009-09-15), DOI: 20200228121637X *
LI, HANGUANG ET AL.: "Intrusion Detection Technology Research Based on Apriori Algorithm", 2012 INTERNATIONAL CONFERENCE ON APPLIED PHYSICS AND INDUSTRIAL ENGINEERING, 31 December 2012 (2012-12-31), XP028473266, DOI: 20200228122011A *
LI, HELING: "Non-official translation: Study on Application of Data Mining to Network Intrusion Detection", INFORMATION & TECHNOLOGY, CHINA MASTER'S THESES FULL-TEXT DATABASE, no. 09, 15 September 2013 (2013-09-15), DOI: 20200228121753A *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113850499A (zh) * 2021-09-23 2021-12-28 平安银行股份有限公司 一种数据处理方法、装置、电子设备和存储介质
CN113850499B (zh) * 2021-09-23 2024-04-09 平安银行股份有限公司 一种数据处理方法、装置、电子设备和存储介质

Also Published As

Publication number Publication date
CN110392046A (zh) 2019-10-29
CN110392046B (zh) 2021-12-24

Similar Documents

Publication Publication Date Title
WO2020258672A1 (fr) Procédé et dispositif de détection d'anomalie d'accès au réseau
WO2020258657A1 (fr) Procédé et appareil de détection d'anomalie, dispositif informatique et support d'informations
WO2020143322A1 (fr) Procédé et appareil de détection de demande d'utilisateur, dispositif informatique et support de stockage
WO2017213400A1 (fr) Détection de logiciels malveillants par exploitation des variations de re-composition de logiciel malveillant
WO2020155773A1 (fr) Procédé de surveillance d'entrée de texte suspecte, dispositif, appareil informatique et support de sockage
WO2020253135A1 (fr) Procédé et dispositif d'analyse automatique, équipement utilisateur et support de stockage
WO2020107762A1 (fr) Procédé et dispositif d'estimation de ctr et support d'enregistrement lisible par ordinateur
WO2020015060A1 (fr) Procédé et appareil d'estimation d'anomalie de consommation d'énergie, et support d'enregistrement informatique
WO2020073494A1 (fr) Procédé de détection de porte arrière de page web, dispositif, support d'informations et appareil
WO2021072881A1 (fr) Procédé, appareil et dispositif de traitement de demande fondée sur un stockage d'objet, et support de stockage
WO2020119369A1 (fr) Procédé, appareil et dispositif de positionnement de défaut de fonctionnement et de maintenance informatique intelligent, et support de stockage lisible
WO2020062644A1 (fr) Procédé, appareil et dispositif de détection du bogue de détournement json et support d'enregistrement
WO2016190652A1 (fr) Dispositif électronique, système de fourniture d'informations et procédé de fourniture d'informations associé
WO2014077458A1 (fr) Procédé de distinction de type de réseau de communication et procédé de fourniture de contenu l'utilisant
WO2020233060A1 (fr) Procédé et appareil de notification d'événement, serveur de notification d'événement et support de stockage
WO2020103275A1 (fr) Procédé, appareil et dispositif de commande de déduction d'argent, support d'informations lisible
WO2020186780A1 (fr) Procédé et appareil d'enregistrement et de restauration d'opération d'utilisateur, dispositif et support d'informations lisible
WO2018014594A1 (fr) Procédé de traitement de demande et de réponse de réseau, dispositif, terminal, serveur, et support de stockage
WO2020085558A1 (fr) Appareil de traitement d'image d'analyse à grande vitesse et procédé de commande associé
WO2020258658A1 (fr) Procédé et appareil d'identification d'opération anormale, dispositif informatique et support d'enregistrement
WO2019124770A1 (fr) Appareil terminal et procédé de commande d'appareil terminal
WO2014148784A1 (fr) Base de données de modèles linguistiques pour la reconnaissance linguistique, dispositif et procédé et système de reconnaissance linguistique
WO2020258673A1 (fr) Procédé et appareil de détermination d'anomalie d'accès au réseau, serveur et support d'informations
WO2016036049A1 (fr) Programme informatique, procédé, système et appareil de fourniture de service de recherche
WO2020062655A1 (fr) Procédé, appareil et dispositif de reconnaissance de collecteur, et support de stockage lisible non volatil

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19934771

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19934771

Country of ref document: EP

Kind code of ref document: A1