WO2023207548A1 - A traffic detection method, apparatus, device and storage medium - Google Patents
- Publication number: WO2023207548A1 (PCT/CN2023/086763)
- Authority: WO (WIPO, PCT)
- Prior art keywords: network traffic, traffic, identification model, target, feature
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L63/00—Network architectures or network communication protocols for network security
  - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
  - H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
  - H04L63/1425—Traffic logging, e.g. anomaly detection
  - H04L63/1441—Countermeasures against malicious traffic
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS; Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE; Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE; Y02D30/00—Reducing energy consumption in communication networks
  - Y02D30/50—Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate
Definitions
- the present disclosure relates to the field of Internet technology, and specifically to a traffic detection method, device, equipment and storage medium.
- A container network is an open network architecture.
- General network defense solutions are mainly universal defenses: for example, risky data packets are matched against predefined regular expressions, and a successful match indicates the existence of an intrusion risk. This detection method relies on analysing the network traffic of historical attack methods to form the relevant rules, from which the regular expressions for risk matching are predefined.
- each container has a specific business meaning.
- Each container generally only handles network requests related to a single business. If a traditional unified security policy is adopted in the container environment, it may bring a lot of invalid filtering, and unknown risks cannot be identified.
- the traditional method of detecting abnormal network traffic in a container environment has the problem of low detection accuracy and is prone to missed detections and false positives.
- Embodiments of the present disclosure provide at least one traffic detection method, device, equipment and storage medium.
- an embodiment of the present disclosure provides a traffic detection method, which includes:
- calling the target traffic identification model corresponding to the target service container from the pre-trained traffic identification model set, and detecting, based on the called target traffic identification model, whether the network traffic is abnormally accessed network traffic, where the target traffic identification model is trained based on the network traffic associated with the target service container;
- the network traffic is intercepted.
- the network status information includes IP five-tuple information; searching for the target service container associated with the network traffic according to the network status information, and calling the target traffic identification model corresponding to the target service container from the pre-trained traffic identification model set, includes:
- a target service container group associated with the network traffic is determined; the target service container group includes a source container matching the source IP address and a destination container matching the destination IP address;
- the traffic identification models in the traffic identification model set are trained according to the following steps:
- the acquired network traffic is aggregated to obtain a network traffic set corresponding to each business container group; the business information of the business containers in each business container group is the same;
- the feature matrix is composed of feature vectors corresponding to the network traffic included in the network traffic set;
- a traffic identification model corresponding to the business container group is calculated; the traffic identification model is used to characterize the aggregated characteristics corresponding to normal access network traffic.
- the method further includes:
- the training process of the target traffic identification model is re-executed to update the target traffic identification model.
- feature extraction of multiple feature dimensions is performed on the network traffic set to obtain a feature matrix corresponding to the network traffic set, including:
- the traffic identification model corresponding to the business container group is calculated based on the feature matrix, including:
- the traffic identification model is formed by using the URL feature set of the network traffic set and the confidence interval of the Body parameter in each feature dimension.
- feature extraction is performed on the request body parameters of the network traffic set, including:
- a Body parameter feature set corresponding to the network traffic set is obtained.
- detecting whether the network traffic is abnormally accessed network traffic based on the called target traffic identification model includes:
- determining whether the network traffic is abnormally accessed network traffic includes:
- the network traffic is determined to be abnormally accessed network traffic; otherwise, the network traffic is determined to be normally accessed network traffic.
- an embodiment of the present disclosure also provides a traffic detection device, which includes:
- a data acquisition module used to obtain network traffic, and analyze the network traffic to obtain network status information related to the network traffic;
- a traffic detection module configured to search for a target service container associated with the network traffic according to the network status information, call a target traffic identification model corresponding to the target service container from a set of pre-trained traffic identification models, and detect, based on the called target traffic identification model, whether the network traffic is abnormally accessed network traffic, where the target traffic identification model is trained based on the network traffic associated with the target business container;
- a traffic interception module is configured to intercept the network traffic when detecting that the network traffic is abnormally accessed.
- embodiments of the present disclosure also provide an electronic device, including: a processor, a memory, and a bus.
- the memory stores machine-readable instructions executable by the processor.
- the processor communicates with the memory through the bus, and when the machine-readable instructions are executed by the processor, the steps of the traffic detection method of the above-mentioned first aspect, or of any possible implementation of the first aspect, are performed.
- embodiments of the present disclosure also provide a computer-readable storage medium.
- a computer program is stored on the computer-readable storage medium.
- when the computer program is run, the steps of the traffic detection method of the above-mentioned first aspect, or of any possible implementation of the first aspect, are performed.
- the traffic detection method can obtain network traffic, analyze the network traffic to obtain network status information related to the network traffic, find the target service container associated with the network traffic based on the network status information, call the target traffic identification model corresponding to the target business container from the pre-trained traffic identification model set, and detect whether the network traffic is abnormally accessed network traffic based on the called target traffic identification model.
- the target traffic identification model is obtained by training based on the network traffic associated with the target service container; when the network traffic is detected to be abnormally accessed network traffic, the network traffic is intercepted.
- a traffic identification model matching each business container is trained based on the network traffic corresponding to the business information of that business container; when performing network traffic detection, the business container associated with the network traffic can be found, the target traffic identification model corresponding to that business container called from the pre-trained traffic identification model set, and the network traffic detected through the called target traffic identification model. Embodiments of the present disclosure can thus use different traffic identification models for business containers with different business meanings, so that network traffic detection adapted to the business characteristics of each business container is performed on its network traffic. Compared with the traditional unified detection strategy, risk identification and filtering can be performed more accurately, reducing missed reports and false positives of abnormal traffic.
- Figure 1 shows a schematic diagram of an application scenario provided by an embodiment of the present disclosure
- Figure 2 shows a flow chart of a traffic detection method provided by an embodiment of the present disclosure
- Figure 3 shows a flow chart of a traffic identification model training method provided by an embodiment of the present disclosure
- Figure 4 shows a flow chart of another traffic detection method provided by an embodiment of the present disclosure
- Figure 5 shows a flow chart of a traffic identification model update method provided by an embodiment of the present disclosure
- Figure 6 shows the first schematic diagram of a traffic detection device provided by an embodiment of the present disclosure
- Figure 7 shows the second schematic diagram of a traffic detection device provided by an embodiment of the present disclosure
- Figure 8 shows a schematic diagram of an electronic device provided by an embodiment of the present disclosure.
- A and/or B can mean three situations: A alone exists, A and B exist simultaneously, or B alone exists.
- at least one herein means any one of a plurality, or any combination of at least two of a plurality; for example, including at least one of A, B, and C can mean including any one or more elements selected from the set composed of A, B, and C.
- the traditional access detection method is to use a unified security policy, that is, using the same detection method to detect the traffic of business access in all container environments.
- each container has a specific business meaning and generally only handles network requests related to a single business. Therefore, using the same detection method for diverse businesses may bring a large number of invalid filters, and unknown risks may be difficult to identify; detection cannot be targeted at the business characteristics of each container, which further makes the detection accuracy of abnormal network traffic in the container environment low, prone to omissions and false positives, and makes it difficult to ensure normal network access in the container environment.
- the present disclosure provides a traffic detection method that can obtain network traffic and analyze it to obtain network status information related to the network traffic; based on the network status information, the target business container associated with the network traffic is found, the target traffic identification model corresponding to the target business container is called from the pre-trained traffic identification model set, and whether the network traffic is abnormally accessed network traffic is detected based on the called target traffic identification model.
- the target traffic identification model is obtained by training based on the network traffic associated with the target business container; when the network traffic is detected to be abnormally accessed, the network traffic is intercepted.
- the execution subject of the flow detection method provided by the embodiment of the disclosure is generally a computer device with certain computing capabilities.
- the computer devices include, for example, terminal devices, servers or other processing devices.
- the access detection method can be implemented by the processor calling computer-readable instructions stored in the memory.
- Figure 1 is a schematic diagram of an application scenario provided by an embodiment of the present disclosure.
- the traffic identification model can be trained based on the business information of each business container sent by the container orchestration system, together with sample network traffic and its corresponding business information; the business container can then send the network traffic to be detected to the trained traffic identification model, which detects whether the network traffic is abnormally accessed network traffic.
- Figure 2 is a flow chart of a traffic detection method provided by an embodiment of the present disclosure.
- the traffic detection method provided by the embodiment of the present disclosure includes steps S201 to S204, wherein:
- S201 Obtain network traffic, and analyze the network traffic to obtain network status information related to the network traffic.
- the network status information related to network traffic may include Internet Protocol (IP) five-tuple information, Uniform Resource Locator (URL) address, request body (Body) parameter information, etc.
- the network traffic is generally in the form of Transmission Control Protocol (TCP) data packets, which can be converted into Hyper Text Transfer Protocol (HTTP) data through Deep Packet Inspection (DPI) technology.
- network traffic can be obtained through a network hook.
- S202 Find the target service container associated with the network traffic according to the network status information, call the target traffic identification model corresponding to the target service container from the pre-trained traffic identification model set, and detect, based on the called target traffic identification model, whether the network traffic is abnormally accessed network traffic; the target traffic identification model is trained based on the network traffic associated with the target business container.
- the traffic identification model set includes multiple traffic identification models, and each traffic identification model records the business container it corresponds to, so the target traffic identification model corresponding to the target business container associated with the network traffic can be determined, and subsequent traffic detection is performed based on that target traffic identification model.
- the network status information includes IP five-tuple information;
- searching for the target service container associated with the network traffic according to the network status information, and calling the target traffic identification model corresponding to the target service container from the set of pre-trained traffic identification models, includes:
- a target service container group associated with the network traffic is determined; the target service container group includes a source container matching the source IP address and a destination container matching the destination IP address;
- the source IP address and the destination IP address are a pair of IP addresses with a business access relationship, so a pair of service containers with a business access relationship can be determined, which is the target service container group associated with the network traffic.
- the target service container group includes a source container matching the source IP address and a destination container matching the destination IP address.
- each target service container group corresponds to a pre-trained traffic identification model.
- the target traffic identification model corresponding to the target service container group can be determined from a set of pre-trained traffic identification models with the help of the target service container group.
- in order to determine the target service container group associated with the network traffic, not only the source IP address and the destination IP address in the IP five-tuple information can be obtained, but also the URL request indicated by the URL address and the Body parameters, which are used to assist in determining the business characteristics of the target service container group and improve the accuracy of subsequently determining the target traffic identification model matching the target service container group.
- for example, the source IP address 10.224.41.163 and the destination IP address 10.224.60.24 can be extracted from the IP five-tuple information in the network traffic, so that the source container trade matching the source IP address and the destination container order matching the destination IP address can be determined; at the same time, the URL request /order/detail indicated by the URL address and the Body parameter {orderNo:23} can also be extracted from the network traffic, so it can be determined that the source container has transaction characteristics and the destination container has order characteristics.
- the two form a target business container group with a business access relationship for order transactions. Once the target business container group is determined, the target traffic identification model corresponding to it can be determined from the pre-trained traffic identification model set.
- each business container group corresponds to a pre-trained traffic identification model, achieving targeted detection of network traffic close to the business source and thus precise protection in the container network environment.
- the port used when the source container accesses the destination container for business access can also be determined from the source port and destination port in the IP five-tuple information; network traffic is transmitted through the source port of the source container and the destination port of the destination container to achieve business access.
- Figure 3 is a flow chart of a traffic identification model training method provided by the embodiment of the present disclosure, including steps S301 to S303:
- S301 Aggregate the obtained network traffic according to the business information corresponding to the obtained network traffic and the business information of each service container, and obtain a network traffic set corresponding to each business container group; the business information of each business container in a business container group is the same.
- the network traffic used for training and its corresponding business information can be obtained, and at the same time, the business information of each business container can be obtained.
- the business information of each business container in each business container group is the same; by comparing business information, network traffic with the same business information can be identified. Therefore, for each business container group, the obtained network traffic corresponding to the same business information can be aggregated to generate a network traffic set, that is, the network traffic set corresponding to each business container group.
- the business information of each business container can be obtained through the Application Programming Interface (API) of the container orchestration system, and the business information includes the business attribute information of each business container.
- the business attribute information of each business container is, for example, nginx, mysql, kafka, etc.
- S302 Perform feature extraction on multiple feature dimensions of the network traffic set to obtain a feature matrix corresponding to the network traffic set; the feature matrix is composed of feature vectors corresponding to each network traffic in the network traffic set.
- feature extraction can be performed separately on the URL addresses and the request body (Body) parameters in the network traffic set, obtaining the URL feature set and the Body parameter feature set contained in the feature matrix.
- a feature matrix corresponding to the network traffic set can be formed.
- feature extraction of the URL addresses in the network traffic set may be performed by using regular expressions to extract, for each network traffic in the network traffic set, the accessed resource path from the URL address, obtaining the URL feature of each network traffic, and then deduplicating the URL features of all network traffic in the network traffic set to obtain the URL feature set corresponding to the network traffic set.
- the regular expression method can be used to detect whether there is a string matching the resource path pattern in the URL address of each network traffic in the network traffic set. If it exists, the URL address can be filtered to extract the accessed resource path, and the URL feature of each network traffic is obtained. In practical applications, the same URL address and the same resource path occur repeatedly in the network traffic, so in order to reduce resource occupation and improve the training speed of the traffic identification model, the URL features of each network traffic in the network traffic set can be deduplicated to delete duplicate URL features, thereby obtaining the URL feature set corresponding to the network traffic set.
- character cleaning can also be performed using a regular expression method.
- feature extraction is performed on the request body (Body) parameters of the network traffic set, including:
- a Body parameter feature set corresponding to the network traffic set is obtained.
- the multiple character-related dimensions include string length, number of special characters, proportion of letters, and proportion of numbers, etc.
- the Body parameter of the network traffic can be extracted.
- the string length, the number of special characters, the proportion of letters, and the proportion of numbers can be used to obtain the characteristics of the Body parameter of each network traffic in multiple character-related dimensions, and the characteristics of the multiple character-related dimensions can then be integrated to obtain the Body parameter feature set corresponding to the network traffic set.
- the Body parameter is generally a Key-Value parameter structure.
- the Key value is related to the input parameter type, and the Value value is related to the business category.
- extracting the string length of the Body parameter means determining the string length of the Value.
- the string length of offensive network traffic is generally not fixed and deviates greatly from the string length of normally accessed network traffic.
- extracting the number of special characters in the Body parameter means determining the number of special characters in the Value; if special characters such as *, $, %, &, etc. are present in the Value, the traffic generally corresponds to offensive network traffic.
- extracting the proportion of letters in the Body parameter means determining the proportion of letter characters among all characters of the Value; extracting the proportion of numbers in the Body parameter means determining the proportion of numeric characters among all characters of the Value.
- S303 Based on the feature matrix, calculate a traffic identification model corresponding to the service container group; the traffic identification model is used to characterize the aggregated characteristics corresponding to normal access network traffic.
- a traffic identification model corresponding to the business container group can be calculated.
- the intermediate traffic identification model corresponding to a single business container can be calculated separately for the feature matrix corresponding to the source container and the feature matrix corresponding to the destination container, and the two can then be integrated to obtain the traffic identification model corresponding to the business container group.
- alternatively, the feature matrix corresponding to the source container and the feature matrix corresponding to the destination container can be integrated first to obtain the intermediate feature matrix corresponding to the business container group, and the traffic identification model corresponding to the business container group is then calculated from it.
- the traffic identification model corresponding to the business container group is calculated based on the feature matrix, including:
- the traffic identification model is formed by using the URL feature set of the network traffic set and the confidence interval of the Body parameter in each feature dimension.
- the confidence interval of the Body parameters of the network traffic set under each feature dimension can be calculated based on the Body parameter feature set, and the traffic identification model is formed by using the URL feature set of the network traffic set and the confidence interval of the Body parameters under each feature dimension.
- the Body parameter feature set includes the characteristics of the Body parameters of the network traffic in character-related dimensions such as string length, number of special characters, proportion of letters, and proportion of numbers. These features are all numerical features, so the calculation method is the same in each feature dimension.
- the mean $\mu$ and standard deviation $\sigma$ of the feature can first be calculated; then, by Chebyshev's theorem, given a set of data $\{x_1, x_2, \ldots, x_n\}$ with mean $\mu$ and standard deviation $\sigma$, for any $k > 1$ the proportion of data located in the interval $[\mu - k\sigma, \mu + k\sigma]$ is $p \ge 1 - 1/k^2$.
- k is the tolerance; the larger the value of k, the greater the probability that the feature value falls within the interval.
- $\mu$ is the mean
- $\sigma$ is the standard deviation
- k is any value (k > 0)
- P is the probability estimate of sample X.
- the confidence interval $[\mu - k\sigma, \mu + k\sigma]$ under the current feature dimension can then be calculated.
- The target traffic identification model corresponding to the target business container is called from the pre-trained traffic identification model set, and the network traffic is then detected with that model.
- Detecting whether the network traffic is abnormally accessed network traffic based on the called target traffic identification model includes the following.
- Feature extraction is performed on the network traffic to obtain its feature vector. This extraction is the same as the multi-dimension feature extraction performed on the network traffic set during training: the uniform resource locator (URL) address and the request body (Body) parameters of the network traffic are processed separately, in the manner described above for the network traffic set, and the description is not repeated here.
- The feature vector of the network traffic is formed from the extracted URL feature and the parameter features of the Body parameters in the multiple feature dimensions.
- The feature vector is then compared with the target traffic identification model to determine whether the network traffic is abnormally accessed network traffic. Since the target traffic identification model consists of the URL feature set of the network traffic set and the confidence interval of the Body parameters in each feature dimension, the extracted feature vector is matched against that URL feature set and those confidence intervals.
- Specifically, based on the URL feature of the network traffic indicated by the feature vector and the parameter features of its Body parameters in the multiple feature dimensions, it is determined whether the URL feature belongs to the URL feature set and whether the parameter feature in each feature dimension falls within the corresponding confidence interval. The judgment result then decides, as described below, whether the network traffic is abnormally accessed network traffic or normally accessed network traffic.
- In this step, the URL feature of the network traffic may be checked first against the URL feature set indicated in the target traffic identification model, and the Body parameter features then checked dimension by dimension against the confidence intervals, to obtain the judgment result. If the URL feature of the network traffic does not belong to the URL feature set indicated in the target traffic identification model, an abnormality in the network traffic can already be determined.
- Based on the judgment result and the weight value of each feature dimension of the URL feature and the Body parameters, the abnormality probability corresponding to the network traffic is determined by a mathematical transformation in which p_i is the abnormality judgment result of feature dimension i (1 for abnormal, 0 for normal) and ω_i is the weight of that feature dimension.
- A set threshold configured in advance for the network traffic is then obtained.
- When the abnormality probability corresponding to the network traffic is greater than the set threshold, the access detection result of the network traffic is abnormal access and the current network traffic is judged to be abnormally accessed network traffic; otherwise, when the abnormality probability does not exceed the set threshold, the access detection result is normal access and the current network traffic is judged to be normally accessed network traffic.
- Abnormally accessed network traffic can then be intercepted, so that only network traffic that has passed detection is admitted.
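The training step (S303, Chebyshev intervals per feature dimension plus the URL feature set) and the detection step (feature vector compared against the model, weighted abnormality probability, threshold) as one worked example in Python. This is an added example, not code from the patent. It assumes form-encoded request bodies, the request path as the URL feature, the normalized weighted sum Σ ω_i·p_i / Σ ω_i as the abnormality transformation (the page defines p_i and ω_i but does not give the formula), and that a parameter name never seen in training counts as abnormal; all function names, weights and the sample traffic are constructed.

```python
import statistics
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


def body_param_features(value: str) -> dict:
    """Character-related dimensions named on the page: length, special chars,
    letter proportion, digit proportion (function name is my own)."""
    n = max(len(value), 1)  # guard against an empty value
    return {
        "length": float(len(value)),
        "special_chars": float(sum(not c.isalnum() for c in value)),
        "letter_ratio": sum(c.isalpha() for c in value) / n,
        "digit_ratio": sum(c.isdigit() for c in value) / n,
    }


def url_feature(url: str) -> str:
    # Assumption: the URL feature is the request path (the page does not fix it).
    return urlsplit(url).path


def body_params(body: str) -> dict:
    # Assumption: form-encoded Body, one value per parameter name.
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


@dataclass
class TrafficModel:
    url_set: set      # URL feature set of the normal traffic
    intervals: dict   # (parameter, dimension) -> (lower, upper)


def train_model(traffic: list, k: float = 3.0) -> TrafficModel:
    """Model of one business container group from its normal traffic.

    Each (parameter, dimension) column of the feature matrix gets the Chebyshev
    interval [mu - k*sigma, mu + k*sigma]; for k > 1 at least 1 - 1/k^2 of the
    training values lie inside it (population std of the column is used).
    """
    url_set = {url_feature(t["url"]) for t in traffic}
    columns: dict = {}
    for t in traffic:
        for param, value in body_params(t["body"]).items():
            for dim, x in body_param_features(value).items():
                columns.setdefault((param, dim), []).append(x)
    intervals = {}
    for key, xs in columns.items():
        mu, sigma = statistics.fmean(xs), statistics.pstdev(xs)
        intervals[key] = (mu - k * sigma, mu + k * sigma)
    return TrafficModel(url_set, intervals)


def abnormality_probability(model: TrafficModel, request: dict, weights: dict) -> float:
    """p_i = 1 if feature i is outside the model, else 0; omega_i = dimension weight.
    Assumed transformation: sum(omega_i * p_i) / sum(omega_i)."""
    checks = [(weights["url"], int(url_feature(request["url"]) not in model.url_set))]
    for param, value in body_params(request["body"]).items():
        for dim, x in body_param_features(value).items():
            bounds = model.intervals.get((param, dim))
            # Assumption: a parameter never seen in training is abnormal.
            outside = bounds is None or not (bounds[0] <= x <= bounds[1])
            checks.append((weights[dim], int(outside)))
    return sum(w * p for w, p in checks) / sum(w for w, _ in checks)


def detect(model: TrafficModel, request: dict, weights: dict, threshold: float):
    """Return (abnormality probability, True when the traffic should be intercepted)."""
    prob = abnormality_probability(model, request, weights)
    return prob, prob > threshold


# Constructed normal traffic of one container group (not captured data).
NORMAL_TRAFFIC = [
    {"url": "http://shop.svc/api/login", "body": "user=alice&pass=hunter22"},
    {"url": "http://shop.svc/api/login", "body": "user=bob&pass=secret99"},
    {"url": "http://shop.svc/api/login", "body": "user=carol&pass=passw0rd"},
    {"url": "http://shop.svc/api/login", "body": "user=dave&pass=letmein1"},
    {"url": "http://shop.svc/api/search", "body": "q=shoes"},
    {"url": "http://shop.svc/api/search", "body": "q=red+boots"},
]
# Constructed weights: the URL dimension outweighs any single Body dimension.
WEIGHTS = {"url": 0.4, "length": 0.15, "special_chars": 0.15,
           "letter_ratio": 0.15, "digit_ratio": 0.15}
MODEL = train_model(NORMAL_TRAFFIC)

if __name__ == "__main__":
    injected = {"url": "http://shop.svc/api/login",
                "body": "user=admin' OR '1'='1&pass=x"}
    print(detect(MODEL, injected, WEIGHTS, threshold=0.3))
```

With the constructed training set, every "user" value is all letters, so an injection payload with quotes, spaces and digits falls outside the interval in all four dimensions; with k = 3 the interval still tolerates names of different lengths. Unknown parameter names and unseen paths are scored as abnormal, which is why a request to a path the container never served is intercepted even when its parameters look ordinary.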
- The traffic detection method provided by the embodiment of the present disclosure obtains network traffic, analyzes it to obtain related network status information, finds the target business container associated with the network traffic based on that information, calls the target traffic identification model corresponding to the target business container from the pre-trained traffic identification model set, and detects, based on the called model, whether the network traffic is abnormally accessed network traffic; the target traffic identification model is obtained by training on the network traffic associated with the target business container, and the network traffic is intercepted when it is detected to be abnormally accessed network traffic.
- A traffic identification model matching each business container is trained on the network traffic corresponding to the business information of that container. During detection, the business container associated with the network traffic is found, the corresponding target traffic identification model is called from the pre-trained model set, and the traffic is detected with it. The embodiments of the present disclosure therefore apply different traffic identification models to business containers with different business meanings, so that the detection of each container's traffic is adapted to its business characteristics. Compared with a traditional unified detection strategy, risk identification and filtering are more accurate, reducing both missed detections and false positives for abnormal traffic.
- FIG. 4 is a flow chart of another traffic detection method provided by an embodiment of the present disclosure.
- The traffic detection method provided by this embodiment includes steps S401 to S405, in which:
- S401: Obtain network traffic, and analyze the network traffic to obtain network status information related to the network traffic.
- S402: Find the target business container associated with the network traffic according to the network status information, call the target traffic identification model corresponding to the target business container from the pre-trained traffic identification model set, and detect, based on the called target traffic identification model, whether the network traffic is abnormally accessed network traffic. The target traffic identification model is obtained by training on the network traffic associated with the target business container.
- Steps S401 to S403 correspond to steps S201 to S203, achieve the same technical effects and solve the same technical problems, and are not described again here.
- S405: Based on the network traffic generated within the preset time period, re-execute the training process of the target traffic identification model to update the target traffic identification model.
- The target traffic identification model corresponds to the target business container group, and the target business container group is associated with the network traffic. Therefore, if the source container or destination container in the business container group changes, that is, if the target business container generates network traffic again after the target traffic identification model has been trained, the target traffic identification model also has to be adjusted and updated accordingly, which strengthens its robustness.
- FIG. 5 is a flow chart of a traffic identification model update method provided by an embodiment of the present disclosure.
- If no traffic identification model exists for the target business container group, a model can be trained; the training method is the same as the one introduced above and is not repeated here. If a corresponding target traffic identification model exists, it is judged whether the target traffic identification model needs to be updated.
- For this judgment, it can be detected whether the identifiers of the images corresponding to the source container and the destination container in the target business container group have changed. If the identifiers have not changed, the target traffic identification model does not need to be updated and the existing model continues to be used. If the identifiers have changed, the target traffic identification model needs to be updated and enters the model adjustment period.
- The length of the model adjustment period can be set according to the business conditions of the target business container group, for example one hour. While the target traffic identification model is within the model adjustment period, it is determined not to have deviated, and the existing model continues to be used. Once the model is no longer within the model adjustment period, it is determined to have deviated; the network traffic generated by the target container within the preset time period is obtained, and the training process of the target traffic identification model is re-executed on that traffic to update the model. The updated target traffic identification model corresponds to the current business container group.
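The update decision of FIG. 5 (no model: train; image identifiers unchanged: keep; identifiers changed: adjustment period, then retrain on the preset time window) as an added Python example. This is not the patent's code: it assumes the model set is keyed by business container group, that the image identifiers of the source and destination containers are passed in as a pair, and that the training routine is injected as a callable so the registry can be exercised with a fake clock; the class and field names are mine.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional, Tuple


@dataclass
class ModelRecord:
    model: Any
    image_ids: Tuple[str, str]           # (source image id, destination image id) at training time
    adjust_since: Optional[float] = None  # start of the model adjustment period, None if not adjusting


class ModelRegistry:
    """Traffic identification model set keyed by business container group.

    Update policy, following the FIG. 5 description:
      * no model for the group                     -> train one now;
      * image identifiers unchanged                -> keep the existing model;
      * identifiers changed, within adjust period  -> keep the existing model (no deviation yet);
      * identifiers changed, adjust period elapsed -> model has deviated, retrain on the preset window.
    """

    def __init__(self, train_fn: Callable[[List[dict]], Any],
                 adjust_period: float = 3600.0, window: float = 1800.0):
        self.train_fn = train_fn          # callable(traffic records) -> model
        self.adjust_period = adjust_period  # e.g. one hour, as the page suggests
        self.window = window              # preset time period whose traffic is used for retraining
        self.records: Dict[str, ModelRecord] = {}

    def _window(self, recent_traffic: List[Tuple[float, dict]], now: float) -> List[dict]:
        # recent_traffic: (timestamp in seconds, traffic record) pairs
        return [t for ts, t in recent_traffic if now - self.window <= ts <= now]

    def model_for(self, group: str, image_ids: Tuple[str, str],
                  recent_traffic: List[Tuple[float, dict]], now: float) -> Any:
        rec = self.records.get(group)
        if rec is None:                                   # no model yet: train
            rec = ModelRecord(self.train_fn(self._window(recent_traffic, now)), image_ids)
            self.records[group] = rec
            return rec.model
        if rec.image_ids == image_ids:                    # identifiers unchanged: keep
            rec.adjust_since = None
            return rec.model
        if rec.adjust_since is None:                      # identifiers changed: enter adjustment period
            rec.adjust_since = now
        if now - rec.adjust_since < self.adjust_period:   # still adjusting: no deviation yet
            return rec.model
        # adjustment period over: the model has deviated, retrain on the preset window
        rec.model = self.train_fn(self._window(recent_traffic, now))
        rec.image_ids = image_ids
        rec.adjust_since = None
        return rec.model


if __name__ == "__main__":
    # Constructed traffic timestamps; the training routine just counts records.
    demo = ModelRegistry(lambda traffic: ("model", len(traffic)))
    flows = [(t, {"ts": t}) for t in (0.0, 100.0, 1000.0, 4000.0, 5000.0)]
    print(demo.model_for("shop", ("img-a:1", "img-b:1"), flows, now=1000.0))
    print(demo.model_for("shop", ("img-a:2", "img-b:1"), flows, now=5700.0))
```

Passing `now` explicitly rather than reading the wall clock keeps the adjustment-period logic deterministic and testable; in production the caller would supply the packet's arrival time. The same fixed window is applied both to the initial training and to each retraining, so a retrained model only reflects traffic seen after the container images changed.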
- As in the embodiment described above, this traffic detection method finds the target business container associated with the network traffic from the parsed network status information, calls the corresponding target traffic identification model (trained on the network traffic associated with that container) from the pre-trained model set, detects the network traffic with it, and intercepts the network traffic when it is detected to be abnormally accessed. Because each business container is detected with a model matched to its own business characteristics rather than with a unified detection strategy, risk identification and filtering are more accurate, and missed detections and false positives of abnormal traffic are reduced.
- Access interception is applied only to accurately identified abnormally accessed network traffic, which improves access security while avoiding unnecessary interception and keeping normal network access in the container environment working.
- The order in which the steps are written does not imply a strict execution order and does not limit the implementation; the specific execution order of each step is determined by its function and possible internal logic.
- An embodiment of the present disclosure also provides a traffic detection device corresponding to the traffic detection method. Since the device solves the problem on the same principle as the traffic detection method described above, its implementation can refer to the implementation of the method, and repeated parts are not described again.
- FIG. 6 is a first schematic diagram of a traffic detection device provided by an embodiment of the present disclosure, and FIG. 7 is a second schematic diagram of the same device.
- The traffic detection device 600 provided by the embodiment of the present disclosure includes:
- a data acquisition module 601, used to obtain network traffic and analyze it to obtain network status information related to the network traffic;
- a traffic detection module 602, used to find the target business container associated with the network traffic according to the network status information, call the target traffic identification model corresponding to the target business container from the pre-trained traffic identification model set, and detect, based on the called target traffic identification model, whether the network traffic is abnormally accessed network traffic, the target traffic identification model being trained on the network traffic associated with the target business container; and
- a traffic interception module 603, used to intercept the network traffic when it is detected to be abnormally accessed network traffic.
- In one possible implementation, the network status information includes IP five-tuple information, and the traffic detection module 602, when finding the target business container associated with the network traffic according to the network status information and calling the corresponding target traffic identification model from the pre-trained traffic identification model set, is specifically used to: determine, according to the source IP address and destination IP address in the IP five-tuple information, the target business container group associated with the network traffic, the target business container group including a source container matching the source IP address and a destination container matching the destination IP address; and obtain the target traffic identification model corresponding to the target business container group from the pre-trained traffic identification model set.
- The traffic detection module 602 trains the traffic identification models in the traffic identification model set through the following steps: aggregating the obtained network traffic to obtain the network traffic set corresponding to a business container group, the business containers in each business container group having the same business information; performing feature extraction in multiple feature dimensions on the network traffic set to obtain the feature matrix corresponding to it, the feature matrix consisting of the feature vectors of the network traffic in the set; and calculating, based on the feature matrix, the traffic identification model corresponding to the business container group, the model characterizing the aggregated features of normally accessed network traffic.
- In one possible implementation, the device further includes a model update module 604, used to obtain the network traffic generated within the preset time period and re-execute the training process of the target traffic identification model on that traffic to update the target traffic identification model.
- When extracting features of multiple feature dimensions from the network traffic set to obtain the feature matrix, the traffic detection module 602 is specifically used to perform feature extraction separately on the URL addresses and the request body (Body) parameters in the network traffic set, obtaining the URL feature set and the Body parameter feature set contained in the feature matrix.
- When calculating the traffic identification model corresponding to the business container group based on the feature matrix, the traffic detection module 602 is specifically used to calculate, based on the Body parameter feature set, the confidence interval of the Body parameters in each feature dimension, and to form the traffic identification model from the URL feature set of the network traffic set and the confidence interval of the Body parameters in each feature dimension.
- When extracting features from the request body parameters of the network traffic set, the traffic detection module 602 is specifically used to extract, for each network traffic in the set, the features of its Body parameters in multiple character-related dimensions, and to obtain from them the Body parameter feature set corresponding to the network traffic set.
- When detecting, based on the called target traffic identification model, whether the network traffic is abnormally accessed network traffic, the traffic detection module 602 is specifically used to extract the feature vector of the network traffic and to determine, based on the extracted feature vector and the URL feature set and the confidence interval of each feature dimension indicated in the target traffic identification model, whether the network traffic is abnormally accessed network traffic.
- When making that determination, the traffic detection module 602 is specifically used to judge whether the URL feature of the network traffic belongs to the URL feature set and whether the parameter feature of the Body parameters in each feature dimension falls within the confidence interval, to determine the abnormality probability of the network traffic from the judgment result and the weight of each feature dimension, and, when the abnormality probability is greater than the set threshold, to determine the network traffic to be abnormally accessed network traffic, and otherwise normally accessed network traffic.
- FIG. 8 is a schematic structural diagram of an electronic device 800 provided by an embodiment of the present disclosure. The electronic device includes a processor 810, a memory 820 and a bus 830. The memory 820 stores execution instructions and includes internal memory 821 and external memory 822; the internal memory 821 temporarily stores operation data of the processor 810 and data exchanged with the external memory 822, such as a hard disk, and the processor 810 exchanges data with the external memory 822 through the internal memory 821.
- When the electronic device 800 runs, the processor 810 and the memory 820 communicate through the bus 830, so that the processor 810 can execute the execution instructions mentioned in the above traffic detection method embodiment.
- Embodiments of the present disclosure also provide a computer-readable storage medium on which a computer program is stored; when the computer program is run by a processor, the steps of the traffic detection method described in the above method embodiment are executed. The storage medium may be a volatile or non-volatile computer-readable storage medium.
- Embodiments of the present disclosure also provide a computer program product including computer instructions; when the computer instructions are executed by a processor, the steps of the traffic detection method described in the above method embodiments are performed. For details, refer to the above method embodiments, which are not described again here.
- The computer program product can be implemented by hardware, software or a combination of the two. In one optional embodiment it is embodied as a computer storage medium; in another optional embodiment it is embodied as a software product, such as a Software Development Kit (SDK).
- The units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
- Each functional unit in the embodiments of the present disclosure may be integrated into one processing unit, each unit may exist physically alone, or two or more units may be integrated into one unit.
- If the functions are implemented in the form of software functional units and sold or used as independent products, they may be stored in a non-volatile computer-readable storage medium executable by a processor. On this understanding, the technical solution of the present disclosure, in essence or in the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to execute all or part of the steps of the methods described in the embodiments of the present disclosure.
- The aforementioned storage media include USB flash drives, removable hard disks, read-only memory (ROM), random access memory (RAM), magnetic disks, optical disks and other media that can store program code.
Claims (12)
- 1. A traffic detection method, comprising: obtaining network traffic and parsing the network traffic to obtain network status information related to the network traffic; finding, according to the network status information, the target business container associated with the network traffic, calling from a pre-trained traffic identification model set the target traffic identification model corresponding to the target business container, and detecting, based on the called target traffic identification model, whether the network traffic is abnormally accessed network traffic, the target traffic identification model being obtained by training on the network traffic associated with the target business container; and, when the network traffic is detected to be abnormally accessed network traffic, intercepting the network traffic.
- 2. The method according to claim 1, wherein the network status information includes Internet Protocol (IP) five-tuple information, and finding the target business container associated with the network traffic according to the network status information and calling the corresponding target traffic identification model from the pre-trained traffic identification model set includes: determining, according to the source IP address and destination IP address in the IP five-tuple information, the target business container group associated with the network traffic, the target business container group including a source container matching the source IP address and a destination container matching the destination IP address; and obtaining, from the pre-trained traffic identification model set, the target traffic identification model corresponding to the target business container group.
- 3. The method according to claim 1, wherein the traffic identification models in the traffic identification model set are trained by: aggregating the obtained network traffic according to the business information corresponding to the obtained network traffic and the business information of one or more business containers, to obtain a network traffic set corresponding to a business container group, the business containers in each business container group having the same business information; performing feature extraction in multiple feature dimensions on the network traffic set to obtain a feature matrix corresponding to the network traffic set, the feature matrix consisting of the feature vectors corresponding to the network traffic in the network traffic set; and calculating, based on the feature matrix, the traffic identification model corresponding to the business container group, the traffic identification model characterizing the aggregated features of normally accessed network traffic.
- 4. The method according to claim 1, further comprising, after determining the target traffic identification model corresponding to the target business container: obtaining the network traffic generated within a preset time period; and re-executing the training process of the target traffic identification model based on the network traffic generated within the preset time period, to update the target traffic identification model.
- 5. The method according to claim 3, wherein performing feature extraction in multiple feature dimensions on the network traffic set to obtain the feature matrix includes: performing feature extraction separately on the uniform resource locator (URL) addresses and the request body (Body) parameters in the network traffic set, to obtain the URL feature set and the Body parameter feature set contained in the feature matrix; and calculating the traffic identification model corresponding to the business container group based on the feature matrix includes: calculating, based on the Body parameter feature set, the confidence interval of the Body parameters of the network traffic set in each feature dimension; and forming the traffic identification model from the URL feature set of the network traffic set and the confidence interval of the Body parameters in each feature dimension.
- 6. The method according to claim 5, wherein performing feature extraction on the request body (Body) parameters of the network traffic set includes: for each network traffic in the network traffic set, extracting the features of its Body parameters in multiple character-related dimensions; and obtaining the Body parameter feature set corresponding to the network traffic set from the features of the Body parameters of the network traffic in the set in the multiple character-related dimensions.
- 7. The method according to claim 1, wherein detecting, based on the called target traffic identification model, whether the network traffic is abnormally accessed network traffic includes: performing feature extraction separately on the URL address and the request body (Body) parameters in the network traffic, to obtain the URL feature and the parameter features of the Body parameters in multiple feature dimensions contained in the feature vector of the network traffic; and determining, based on the extracted feature vector and the URL feature set and the confidence interval of the Body parameters in each feature dimension indicated in the target traffic identification model, whether the network traffic is abnormally accessed network traffic.
- 8. The method according to claim 7, wherein determining, based on the extracted feature vector and the URL feature set and the confidence interval of the Body parameters in each feature dimension indicated in the target traffic identification model, whether the network traffic is abnormally accessed network traffic includes: determining, based on the URL feature of the network traffic indicated by the feature vector and the parameter features of the Body parameters of the network traffic in the multiple feature dimensions, whether the URL feature of the network traffic belongs to the URL feature set and whether the parameter feature of the Body parameters in each feature dimension falls within the confidence interval; determining the abnormality probability corresponding to the network traffic according to the judgment result and the weight value corresponding to each feature dimension of the URL feature and the Body parameters; and determining that the network traffic is abnormally accessed network traffic when the abnormality probability is greater than a set threshold, and otherwise that the network traffic is normally accessed network traffic.
- 9. A traffic detection apparatus, comprising: a data acquisition module, used to obtain network traffic and parse the network traffic to obtain network status information related to the network traffic; a traffic detection module, used to find, according to the network status information, the target business container associated with the network traffic, call from a pre-trained traffic identification model set the target traffic identification model corresponding to the target business container, and detect, based on the called target traffic identification model, whether the network traffic is abnormally accessed network traffic, the target traffic identification model being obtained by training on the network traffic associated with the target business container; and a traffic interception module, used to intercept the network traffic when the network traffic is detected to be abnormally accessed network traffic.
- 10. An electronic device, comprising a processor, a memory and a bus, the memory storing machine-readable instructions executable by the processor; when the electronic device runs, the processor and the memory communicate through the bus, and the machine-readable instructions, when executed by the processor, perform the steps of the traffic detection method according to any one of claims 1 to 9.
- 11. A computer-readable storage medium on which a computer program is stored, the computer program, when run by a processor, performing the steps of the traffic detection method according to any one of claims 1 to 9.
- 12. A computer program product which, when run on a device, causes the device to perform the steps of the traffic detection method according to any one of claims 1 to 9.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP23794981.3A EP4344134A1 (en) | 2022-04-29 | 2023-04-07 | Traffic detection method and apparatus, device and storage medium |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210468301.1A CN114666162B (zh) | 2022-04-29 | 2022-04-29 | 一种流量检测方法、装置、设备及存储介质 |
CN202210468301.1 | 2022-04-29 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2023207548A1 true WO2023207548A1 (zh) | 2023-11-02 |
Family
ID=82037364
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2023/086763 WO2023207548A1 (zh) | 2022-04-29 | 2023-04-07 | 一种流量检测方法、装置、设备及存储介质 |
Country Status (3)
Country | Link |
---|---|
EP (1) | EP4344134A1 (zh) |
CN (1) | CN114666162B (zh) |
WO (1) | WO2023207548A1 (zh) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114666162B (zh) * | 2022-04-29 | 2023-05-05 | 北京火山引擎科技有限公司 | 一种流量检测方法、装置、设备及存储介质 |
CN115174131B (zh) * | 2022-07-13 | 2023-07-11 | 陕西合友网络科技有限公司 | 基于异常流量识别的信息拦截方法、系统及云平台 |
CN115499383A (zh) * | 2022-07-29 | 2022-12-20 | 天翼云科技有限公司 | 一种流量识别方法、装置、电子设备及存储介质 |
CN116582468B (zh) * | 2023-04-26 | 2024-01-16 | 杭州云之盟科技有限公司 | 互联网流量监测方法、装置、设备及存储介质 |
CN117097578B (zh) * | 2023-10-20 | 2024-01-05 | 杭州烛微智能科技有限责任公司 | 一种网络流量的安全监控方法、系统、介质及电子设备 |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102821002A (zh) * | 2011-06-09 | 2012-12-12 | 中国移动通信集团河南有限公司信阳分公司 | 网络流量异常检测方法和系统 |
CN113746692A (zh) * | 2021-07-21 | 2021-12-03 | 网宿科技股份有限公司 | 网络流量统计的方法、电子设备及存储介质 |
CN113949527A (zh) * | 2021-09-07 | 2022-01-18 | 中云网安科技有限公司 | 异常访问的检测方法、装置、电子设备及可读存储介质 |
US20220060491A1 (en) * | 2020-08-21 | 2022-02-24 | Palo Alto Networks, Inc. | Malicious traffic detection with anomaly detection modeling |
CN114666162A (zh) * | 2022-04-29 | 2022-06-24 | 北京火山引擎科技有限公司 | 一种流量检测方法、装置、设备及存储介质 |
Family Cites Families (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108667853B (zh) * | 2013-11-22 | 2021-06-01 | 华为技术有限公司 | 恶意攻击的检测方法和装置 |
KR101761737B1 (ko) * | 2014-05-20 | 2017-07-26 | 한국전자통신연구원 | 제어 시스템의 이상행위 탐지 시스템 및 방법 |
US11277420B2 (en) * | 2017-02-24 | 2022-03-15 | Ciena Corporation | Systems and methods to detect abnormal behavior in networks |
CN108616498A (zh) * | 2018-02-24 | 2018-10-02 | 国家计算机网络与信息安全管理中心 | 一种web访问异常检测方法和装置 |
CN109660517B (zh) * | 2018-11-19 | 2021-05-07 | 北京天融信网络安全技术有限公司 | 异常行为检测方法、装置及设备 |
CN109714322B (zh) * | 2018-12-14 | 2020-04-24 | 中国科学院声学研究所 | 一种检测网络异常流量的方法及其系统 |
CN109951500B (zh) * | 2019-04-29 | 2021-10-26 | 宜人恒业科技发展(北京)有限公司 | 网络攻击检测方法及装置 |
TWI780411B (zh) * | 2020-03-04 | 2022-10-11 | 國立中正大學 | 基於長短期記憶模型之異常網路流量偵測系統及方法 |
CN113746686A (zh) * | 2020-05-27 | 2021-12-03 | 阿里巴巴集团控股有限公司 | 一种网络流量的状态确定方法、计算设备及存储介质 |
CN111813498A (zh) * | 2020-07-02 | 2020-10-23 | 深圳市国电科技通信有限公司 | 终端容器的监测方法、监测装置、存储介质及处理器 |
CN113379469A (zh) * | 2021-07-06 | 2021-09-10 | 上海明略人工智能(集团)有限公司 | 一种异常流量检测方法、装置、设备及存储介质 |
CN114117429A (zh) * | 2021-11-29 | 2022-03-01 | 新华三大数据技术有限公司 | 一种网络流量的检测方法及装置 |
- 2022-04-29 CN CN202210468301.1A patent/CN114666162B/zh active Active
- 2023-04-07 EP EP23794981.3A patent/EP4344134A1/en active Pending
- 2023-04-07 WO PCT/CN2023/086763 patent/WO2023207548A1/zh active Application Filing
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102821002A (zh) * | 2011-06-09 | 2012-12-12 | 中国移动通信集团河南有限公司信阳分公司 | 网络流量异常检测方法和系统 |
US20220060491A1 (en) * | 2020-08-21 | 2022-02-24 | Palo Alto Networks, Inc. | Malicious traffic detection with anomaly detection modeling |
CN113746692A (zh) * | 2021-07-21 | 2021-12-03 | 网宿科技股份有限公司 | 网络流量统计的方法、电子设备及存储介质 |
CN113949527A (zh) * | 2021-09-07 | 2022-01-18 | 中云网安科技有限公司 | 异常访问的检测方法、装置、电子设备及可读存储介质 |
CN114666162A (zh) * | 2022-04-29 | 2022-06-24 | 北京火山引擎科技有限公司 | 一种流量检测方法、装置、设备及存储介质 |
Also Published As
Publication number | Publication date |
---|---|
CN114666162B (zh) | 2023-05-05 |
CN114666162A (zh) | 2022-06-24 |
EP4344134A1 (en) | 2024-03-27 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2023207548A1 (zh) | 一种流量检测方法、装置、设备及存储介质 | |
TWI673625B (zh) | 統一資源定位符(url)攻擊檢測方法、裝置以及電子設備 | |
CN107547555B (zh) | 一种网站安全监测方法及装置 | |
US10009358B1 (en) | Graph based framework for detecting malicious or compromised accounts | |
CN107483488B (zh) | 一种恶意Http检测方法及系统 | |
US20220368703A1 (en) | Method and device for detecting security based on machine learning in combination with rule matching | |
US20200358819A1 (en) | Systems and methods using computer vision and machine learning for detection of malicious actions | |
US9621570B2 (en) | System and method for selectively evolving phishing detection rules | |
WO2019134334A1 (zh) | 网络异常数据检测方法、装置、计算机设备和存储介质 | |
KR101949338B1 (ko) | 기계 학습 모델에 기반하여 페이로드로부터 sql 인젝션을 탐지하는 방법 및 이를 이용한 장치 | |
CN107786545A (zh) | 一种网络攻击行为检测方法及终端设备 | |
US10110616B1 (en) | Using group analysis to determine suspicious accounts or activities | |
CN108632227A (zh) | 一种恶意域名检测处理方法及装置 | |
WO2015039553A1 (en) | Method and system for identifying fraudulent websites priority claim and related application | |
WO2024098699A1 (zh) | 实体对象的威胁检测方法、装置、设备及存储介质 | |
US8910281B1 (en) | Identifying malware sources using phishing kit templates | |
US10372702B2 (en) | Methods and apparatus for detecting anomalies in electronic data | |
CN109495471B (zh) | 一种对web攻击结果判定方法、装置、设备及可读存储介质 | |
CN110955890B (zh) | 恶意批量访问行为的检测方法、装置和计算机存储介质 | |
CN111131309A (zh) | 分布式拒绝服务检测方法、装置及模型创建方法、装置 | |
US9332031B1 (en) | Categorizing accounts based on associated images | |
US11647046B2 (en) | Fuzzy inclusion based impersonation detection | |
RU2580027C1 (ru) | Система и способ формирования правил поиска данных, используемых для фишинга | |
CN114024701A (zh) | 域名检测方法、装置及通信系统 | |
US11907658B2 (en) | User-agent anomaly detection using sentence embedding |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 23794981 Country of ref document: EP Kind code of ref document: A1 |
WWE | Wipo information: entry into national phase |
Ref document number: 18573252 Country of ref document: US Ref document number: 2023794981 Country of ref document: EP Ref document number: 23794981.3 Country of ref document: EP |
ENP | Entry into the national phase |
Ref document number: 2023794981 Country of ref document: EP Effective date: 20231221 |