CN111818050A - Target access behavior detection method, system, device, equipment and storage medium - Google Patents
- Publication number: CN111818050A (application CN202010652958.4A)
- Authority: CN (China)
- Prior art keywords: data, time, similarity, access, time series
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/1416: Event detection, e.g. attack signature detection (under H04L63/1408, detecting or protecting against malicious traffic by monitoring network traffic; H04L63/14, network security; H04L63/00, network architectures or protocols for network security)
- H04L63/1425: Traffic logging, e.g. anomaly detection (same parent groups)
Abstract
The application provides a target access behavior detection method, system, apparatus, device and storage medium, and belongs to the technical field of network security. The method comprises: performing period detection on time-series feature data to obtain the access period corresponding to that data; segmenting the time-series feature data by the access period to obtain at least two data segments; performing similarity detection on the at least two data segments; and, in response to the detection result indicating that the time-series feature data is periodically similar data, determining that the behavior corresponding to the data belongs to the target access behavior. Because the access period is derived by period detection rather than configured by hand, the scheme avoids the problem that a manually set period is easily bypassed; performing similarity detection on the segments obtained by cutting the series at that period verifies that the period is reasonable, so that time-series feature data whose behavior belongs to the target access behavior can be identified accurately.
Description
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method, a system, an apparatus, a device, and a storage medium for detecting a target access behavior.
Background
In the field of network security, a suspicious external IP periodic connection (Suspicious Rare IP Access) refers to the behavior in which, within a specific local area network (e.g., an intranet) and over some historical period, one host periodically accesses an external rare IP (Internet Protocol) address that the other hosts in the same network rarely or never access. Such behavior is characteristic of command and control (C2) traffic, so detecting it promptly helps protect the local area network.
At present, because the suspicious external IP periodic connection has a certain periodicity, the access data can be sampled and split into segments according to a manually set period, the mean and variance of each segment are computed, and a statistical rule decides whether a periodic component is present, thereby detecting whether a suspicious external IP periodic connection exists.
In this scheme the manually set period is easily bypassed (an attacker need only beacon at an interval that does not match the configured period), so the suspicious external IP periodic connection behavior may go undetected.
Disclosure of Invention
The embodiment of the application provides a target access behavior detection method, system, apparatus, device and storage medium. The access period is obtained by performing period detection on the time-series feature data, which solves the problem that a manually set period is easily bypassed, and the reasonableness of that period is verified by performing similarity detection on the data segments obtained by segmenting the time-series feature data, so that time-series feature data whose corresponding behavior belongs to the target access behavior can be determined accurately. The technical scheme is as follows:
In one aspect, a method for detecting a target access behavior is provided, the method comprising:
performing period detection on time-series feature data to obtain the access period corresponding to the time-series feature data, the time-series feature data representing the characteristics of network access data within a target duration;
segmenting the time-series feature data according to the access period to obtain at least two data segments;
performing similarity detection on the at least two data segments;
and determining that the behavior corresponding to the time-series feature data belongs to the target access behavior in response to the detection result of the similarity detection indicating that the time-series feature data is periodically similar data.
In another aspect, an apparatus for detecting a target access behavior is provided, the apparatus including:
a period detection module, configured to perform period detection on the time-series feature data to obtain the access period corresponding to the time-series feature data, the time-series feature data representing the characteristics of network access data within a target duration;
a data dividing module, configured to segment the time-series feature data according to the access period to obtain at least two data segments;
a similarity detection module, configured to perform similarity detection on the at least two data segments;
and a determining module, configured to determine that the behavior corresponding to the time-series feature data belongs to the target access behavior in response to the detection result of the similarity detection indicating that the time-series feature data is periodically similar data.
In an optional implementation manner, the period detection module is configured to convert the time-series feature data into frequency-domain data, and to determine the access period from the amplitude-frequency relationship of that data by taking the frequency with the highest amplitude as the access frequency (the access period being the reciprocal of that frequency).
In an optional implementation manner, the similarity detection module includes:
a similarity obtaining submodule, configured to obtain the similarity between each pair of temporally adjacent data segments;
a target data segment obtaining submodule, configured to take the data segments whose similarity value is not greater than the similarity threshold as target data segments (the similarity value is derived from a distance, so a smaller value means the segments are more similar);
and a detection result obtaining submodule, configured to determine, as the detection result, that the time-series feature data is periodically similar data in response to the proportion of target data segments among the at least two data segments being greater than the target proportion.
In an optional implementation manner, the similarity obtaining submodule includes:
a dynamic time warping distance obtaining unit, configured to obtain, for any two temporally adjacent data segments, the dynamic time warping (DTW) distance between them, the DTW distance representing the shortest cumulative Euclidean distance between the two segments over an alignment of their points;
and a similarity determining unit, configured to determine the similarity between the two data segments according to the DTW distance.
In an optional implementation manner, the similarity determining unit is configured to obtain the sequence length of the time-series feature data and to normalize the DTW distance by that length, the normalized distance being the similarity between the two data segments.
In an optional implementation manner, the determining module is configured to, in response to the detection result indicating that the time-series feature data is periodically similar data, obtain the target access address contained in the time-series feature data, the target access address being the address to which the access points (the destination); to obtain a first number, namely the number of target initiation addresses contained in the comparison data, where the comparison data is the time-series feature data of non-target access behaviors and a target initiation address is an address that initiates access to the target access address; and to determine that the behavior corresponding to the time-series feature data belongs to the target access behavior in response to the first number being not larger than a preset second number. In other words, the destination must be one that few or no other hosts contact.
In an optional implementation, the apparatus further includes:
a log data acquisition module, configured to acquire traffic log data within the target duration;
a data preprocessing module, configured to preprocess the traffic log data to obtain the network access data to be detected;
and a feature extraction module, configured to extract features from the network access data to obtain at least one piece of time-series feature data.
In an optional implementation, the apparatus further includes:
a data conversion module, configured to convert the time-series feature data into visual data;
and a display module, configured to display the visual data on a visual display interface.
In another aspect, a computer device is provided, and the computer device includes a processor and a memory, where the memory is used to store at least one piece of program code, and the at least one piece of program code is loaded and executed by the processor to implement the operations performed in the target access behavior detection method in the embodiments of the present application.
In another aspect, a storage medium is provided, where at least one program code is stored in the storage medium, and the at least one program code is used to execute the target access behavior detection method in the embodiment of the present application.
In another aspect, a computer program product or a computer program is provided, the computer program product or the computer program comprising computer program code, the computer program code being stored in a computer readable storage medium. The processor of the computer device reads the computer program code from the computer-readable storage medium, and the processor executes the computer program code to cause the computer device to perform the target access behavior detection method provided in the above aspect or the various alternative implementations of the above aspect.
The technical scheme provided by the embodiment of the application has the following beneficial effects:
in the embodiment of the application, the access period is acquired by periodically detecting the time series characteristic data, so that the problem that the manually set period is easy to bypass is solved, and the reasonability of the period can be verified by performing similarity detection on the data segments obtained by segmenting the time series characteristic data, so that the time series characteristic data of the corresponding behavior belonging to the target access behavior can be accurately determined.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a schematic diagram of an implementation environment of a target access behavior detection method according to an embodiment of the present application;
FIG. 2 is a flowchart of a target access behavior detection method provided according to an embodiment of the present application;
FIG. 3 is a flowchart of a target access behavior detection method provided according to an embodiment of the present application;
fig. 4 is a schematic diagram of converting time domain data into frequency domain data according to an embodiment of the present application;
FIG. 5 is a schematic diagram of a DTW (dynamic time warping) distance provided by an embodiment of the present application;
FIG. 6 is a flow chart of another method for detecting target access behavior provided according to an embodiment of the present application;
FIG. 7 is a schematic diagram of a target access behavior detection system provided in accordance with an embodiment of the present application;
FIG. 8 is a schematic view of a visual presentation interface provided in accordance with an embodiment of the present application;
FIG. 9 is a schematic diagram of a detection scenario configuration interface provided in an embodiment of the present application;
fig. 10 is a block diagram of a target access behavior detection apparatus provided according to an embodiment of the present application;
fig. 11 is a block diagram of a terminal according to an embodiment of the present application;
fig. 12 is a schematic structural diagram of a server provided according to an embodiment of the present application.
Detailed Description
To make the objects, technical solutions and advantages of the present application more clear, embodiments of the present application will be described in further detail below with reference to the accompanying drawings.
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
In order to facilitate understanding of the technical processes of the embodiments of the present application, some terms referred to in the embodiments of the present application are explained below:
Cloud security (Cloud Security) is a generic term for the security software, hardware, users, organizations and secure cloud platforms of cloud-based business-model applications. Cloud security combines emerging technologies and concepts such as parallel processing, grid computing and judgment of unknown virus behavior: a large number of networked clients monitor the behavior of software in the network for anomalies, obtain the latest information about trojans and malicious programs on the internet and send it to a server for automatic analysis and processing, after which the resulting virus and trojan countermeasures are distributed to every client.
The main research directions of cloud security are: 1. cloud computing security, which studies how to guarantee the security of the cloud and of the applications on it, including the security of the cloud computing system, secure storage and isolation of user data, user access authentication, security of information in transit, protection against network attacks, and compliance auditing; 2. cloud-based security infrastructure, which studies how to use cloud computing to build and integrate security infrastructure resources and optimize protection mechanisms, including building very large-scale platforms for collecting and processing security events and information, performing mass-data collection and correlation analysis, and improving network-wide incident handling and risk control capabilities; 3. cloud security services, which studies the security services, such as anti-virus services, provided to users on a cloud computing platform.
A suspicious external IP periodic connection (Suspicious Rare IP Access) means that, within a specific local area network (e.g., an intranet), a certain host periodically accesses an external rare IP (Internet Protocol) address over some historical period while the other hosts in the local area network rarely or never access that IP.
The Transmission Control Protocol (TCP) is a connection-oriented, reliable, byte-stream-based transport layer protocol defined in IETF RFC 793. TCP is intended to fit into a layered protocol hierarchy supporting multiple network applications; it provides reliable communication between pairs of processes on hosts attached to distinct but interconnected networks, assuming only a simple and possibly unreliable datagram service from the lower layers, and can in principle operate over a wide range of communication systems, from hard-wired links to packet-switched or circuit-switched networks.
Hereinafter, an embodiment of the present application will be described.
In the embodiment of the present application, the electronic device may be provided as a terminal or as a server. Optionally, when provided as a terminal, the terminal performs the operations of the target access behavior detection method; optionally, when provided as a server, the server receives the network access data sent by the terminal, extracts features from it and performs detection to obtain the detection result; optionally, the server and the terminal interact to perform the operations of the method.
Fig. 1 is a schematic diagram of an implementation environment of a target access behavior detection method according to an embodiment of the present application. Taking the example where the electronic device is provided as a server, referring to fig. 1, the implementation environment includes a terminal 110 and a server 120.
The terminal 110 and the server 120 may be directly or indirectly connected through wired or wireless communication, and the application is not limited thereto. The terminal 110 may be, but is not limited to, a smart phone, a tablet computer, a notebook computer, a desktop computer, a smart speaker, a smart watch, and the like. The terminal 110 may access the extranet IP based on an intranet IP (Internet Protocol) distributed within a local area network (e.g., an intranet) to browse extranet contents.
The server 120 may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server providing basic cloud computing services such as a cloud service, a cloud database, cloud computing, a cloud function, cloud storage, a network service, cloud communication, middleware service, a domain name service, a security service, a CDN, a big data and artificial intelligence platform, and the like. The server 120 is used for providing services of detection, storage and the like of the time series characteristic data. Alternatively, the server 120 may undertake primary detection and the terminal 110 may undertake secondary detection; alternatively, the server 120 undertakes the secondary detection work and the terminal 110 undertakes the primary detection work; alternatively, the server 120 or the terminal 110 may respectively undertake the detection work separately; alternatively, a distributed detection architecture is adopted between the server 120 and the terminal 110 for cooperative detection.
Alternatively, the server 120 may be composed of an access server, a background server, and a database server. The access server is used to provide access services for the terminal 110. The background server is used for providing detection service. The background server can be one or more. When there are multiple background servers, there are at least two background servers for providing different services, and/or there are at least two background servers for providing the same service, for example, providing the same service in a load balancing manner, which is not limited in the embodiment of the present application.
The terminal 110 may be generally referred to as one of a plurality of terminals, and the embodiment is only illustrated by the terminal 110. And the corresponding intranet IP of different terminals is different. Those skilled in the art will appreciate that the number of terminals described above may be greater or fewer. For example, the number of the terminals may be one, or several tens or hundreds of the terminals, or more. The number of terminals and the type of the device are not limited in the embodiments of the present application.
Fig. 2 is a flowchart of a target access behavior detection method provided according to an embodiment of the present application. As shown in fig. 2, the target access behavior detection method includes the following steps:
201. The computer device performs period detection on the time-series feature data to obtain the access period corresponding to that data, where the time-series feature data represents the characteristics of the network access data within the target duration.
In the embodiment of the application, when detecting whether the behavior of an intranet IP accessing an extranet IP belongs to a target access behavior such as a suspicious external IP periodic connection, the server can acquire the network access data between that intranet IP and that extranet IP within the target duration and then extract features from it to obtain time-series feature data. Optionally, the time-series feature data includes a first address that initiates the access (the intranet IP, i.e. the source), a second address to which the access points (the extranet IP, i.e. the destination), the timestamp of each access and the amount of data transferred during it. The computer device performs period detection on the acquired time-series feature data to determine its access period. Because the access period is derived algorithmically from the data rather than configured by hand, the problem that a manually set period is easily bypassed is avoided.
202. The computer device segments the time-series feature data according to the access period to obtain at least two data segments.
In the embodiment of the application, the computer device segments the time-series feature data based on the acquired access period. For example, if the access period is T and the target duration corresponding to the time-series feature data is N (both positive integers in the same time unit), the computer device divides the data into N/T data segments. If N/T is less than 2, the window contains fewer than two periods, so the time-series feature data is treated as a non-periodic series and no further steps are needed. If N/T is greater than or equal to 2, the time-series feature data is regarded as a periodic series and step 203 is executed.
203. The computer device performs similarity detection on the at least two data segments.
In the embodiment of the application, after obtaining at least two data segments, the computer device compares the similarity of each pair of temporally adjacent data segments. Optionally, when there are M data segments (M a positive integer), the computer device obtains M-1 similarity values and stores them in a list. The computer device decides whether each pair of segments is similar by comparing its similarity value with a preset similarity threshold, and determines the detection result from the proportion of similar segments among all segments. The detection result indicates either that the time-series feature data is a periodically similar sequence or that it is merely a periodic sequence whose segments are not similar.
204. In response to the detection result of the similarity detection indicating that the time-series feature data is periodically similar data, the computer device determines that the behavior corresponding to the time-series feature data belongs to the target access behavior.
In this embodiment of the application, once the detection result shows that the time-series feature data is periodically similar data, the computer device may determine that the corresponding behavior belongs to the target access behavior. Optionally, the computer device may additionally filter the time-series feature data by the destination address it contains (for example, checking how many other hosts access that address), so as to reduce false detections and improve accuracy.
In the embodiment of the application, the access period is acquired by periodically detecting the time series characteristic data, so that the problem that the manually set period is easy to bypass is solved, and the reasonability of the period can be verified by performing similarity detection on the data segments obtained by segmenting the time series characteristic data, so that the time series characteristic data of the corresponding behavior belonging to the target access behavior can be accurately determined.
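The following is an added worked example of steps 201 to 204 and of the optional implementations described above (frequency-domain period detection, DTW similarity between adjacent segments, and the destination-address filter). It is illustration code written for this page, not the patent's implementation. It constructs its own flow records (one host beaconing every 600 s with small jitter, three hosts browsing at random), bins bytes per minute over a 12 hour window and returns a verdict per (source, destination) pair. The log format, the bin width, the 3-sample smoothing applied before the DFT, the normalized distance threshold of 0.05, the 80 % target proportion and the "at most one other host" rarity threshold are all assumptions of the example, not values taken from the patent.

```python
"""Added example: beacon detection in the style of the method above. Period from
the DFT spectrum, segmentation by that period, DTW between adjacent segments,
then a rare-destination filter. Pure Python; the logs are constructed."""
import cmath
import math
import random

BIN_SECONDS = 60                        # one sample of the time series
WINDOW_SECONDS = 12 * 3600              # target duration covered by the series
N_BINS = WINDOW_SECONDS // BIN_SECONDS  # 720 samples


def make_flow_logs(seed=7):
    """Constructed records (ts, src, dst, bytes); not real traffic. 10.0.0.5
    beacons to 203.0.113.7 every 600 s (+/-20 s jitter, 1150..1250 bytes);
    three other hosts browse 198.51.100.1-5 at random times and sizes."""
    rng = random.Random(seed)
    logs = [(600 * i + 30 + rng.randint(-20, 20), "10.0.0.5", "203.0.113.7",
             1200 + rng.randint(-50, 50)) for i in range(WINDOW_SECONDS // 600)]
    for src in ("10.0.0.11", "10.0.0.12", "10.0.0.13"):
        for _ in range(3000):
            logs.append((rng.randrange(WINDOW_SECONDS), src,
                         "198.51.100.%d" % rng.randint(1, 5), rng.randint(200, 20000)))
    return logs


def build_series(logs, src, dst):
    """Time-series feature data for one (src, dst) pair: bytes sent per bin."""
    series = [0] * N_BINS
    for ts, s, d, nbytes in logs:
        if s == src and d == dst and 0 <= ts < WINDOW_SECONDS:
            series[ts // BIN_SECONDS] += nbytes
    return series


def estimate_period(series):
    """Dominant period in samples (>= 2) from the DFT magnitude spectrum.
    A 3-sample moving average (an added low-pass step, not from the patent)
    keeps the fundamental of a narrow pulse train above its harmonics; DC
    (k = 0) and k = 1 (a single cycle per window) are skipped."""
    n = len(series)
    sm = [(series[max(i - 1, 0)] + series[i] + series[min(i + 1, n - 1)]) / 3
          for i in range(n)]
    best_k, best_mag = None, 0.0
    for k in range(2, n // 2 + 1):
        z, acc = cmath.exp(-2j * math.pi * k / n), 0j
        for x in reversed(sm):              # Horner form of sum(x_t * z**t)
            acc = acc * z + x
        if abs(acc) > best_mag:
            best_k, best_mag = k, abs(acc)
    return None if best_k is None else round(n / best_k)


def dtw_distance(a, b):
    """Dynamic time warping: least cumulative |a_i - b_j| over a monotone
    alignment of the two sequences (the patent's shortest cumulative distance)."""
    inf = float("inf")
    prev = [0.0] + [inf] * len(b)
    for x in a:
        cur = [inf]
        for j, y in enumerate(b):
            cur.append(abs(x - y) + min(prev[j], prev[j + 1], cur[j]))
        prev = cur
    return prev[-1]


def similarity_verdict(series, period, max_distance=0.05, min_ratio=0.8):
    """Cut the peak-normalised series into period-long segments, score each
    adjacent pair by DTW distance / segment length (smaller = more similar) and
    return (is_periodically_similar, share_of_similar_pairs). Thresholds assumed."""
    peak = max(series)
    if period is None or period < 2 or peak == 0 or len(series) // period < 2:
        return False, 0.0
    norm = [x / peak for x in series]
    segs = [norm[i:i + period] for i in range(0, len(norm) - period + 1, period)]
    dists = [dtw_distance(segs[i], segs[i + 1]) / period for i in range(len(segs) - 1)]
    ratio = sum(d <= max_distance for d in dists) / len(dists)
    return ratio > min_ratio, ratio


def other_sources(logs, src, dst):
    """Distinct internal hosts other than src that also contacted dst."""
    return len({s for _, s, d, _ in logs if d == dst and s != src})


def detect(logs, src, dst, max_other_sources=1):
    """Whole pipeline for one (src, dst) pair; the destination must also be
    rare (contacted by at most max_other_sources other hosts) to be flagged."""
    series = build_series(logs, src, dst)
    period = estimate_period(series)
    periodic, ratio = similarity_verdict(series, period)
    rare = other_sources(logs, src, dst) <= max_other_sources
    return {"period_s": None if period is None else period * BIN_SECONDS,
            "similar_ratio": ratio, "periodic_similar": periodic,
            "suspicious": periodic and rare}


if __name__ == "__main__":
    logs = make_flow_logs()
    for pair in (("10.0.0.5", "203.0.113.7"), ("10.0.0.11", "198.51.100.3")):
        print(pair, detect(logs, *pair))
```

For the beaconing pair the block recovers a 600 s period from the spectrum, every adjacent pair of 10-sample segments is within the distance threshold, and no other host contacts the destination, so the pair is flagged; the browsing pair is rejected because two other hosts also contact its destination. Normalizing each series by its peak keeps the distance threshold independent of payload size, but an adversary who randomizes payload sizes or jitters the interval by more than a bin width weakens the similarity test, which is one reason to keep the rare-destination check as a second condition rather than relying on periodicity alone.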
In the embodiment of the present application, when the technical solution provided by the embodiment of the present application is implemented by a computer device, the computer device can be configured as a server and also can be configured as a terminal. Of course, the technical solution provided in the embodiment of the present application can also be implemented through interaction between a server and a terminal, which is not limited in the embodiment of the present application.
Fig. 3 is a flowchart of a target access behavior detection method according to an embodiment of the present application, and as shown in fig. 3, in the embodiment of the present application, a computer device configured as a server is taken as an example for explanation. The target access behavior detection method comprises the following steps:
301. The server extracts the characteristics of the network access data to be detected to obtain at least one time series characteristic data.
In the embodiment of the present application, when a user performs data exchange with an external network through a specific local area network (e.g., an intranet), a server can record contents such as the IP addresses of both parties, the initiation time, the end time, and the data transmission amount of the exchange, and store them in the form of a traffic log. When the target access behavior is detected, the server can obtain the traffic logs recorded within a certain time period as the traffic logs corresponding to the target duration, then preprocess the traffic logs and filter them so that only data sent from an internal IP to an external IP remains as the network access data to be detected; that is, the network access data to be detected is the network access data within the target duration. When extracting characteristics from the network access data, the server takes the intranet IP initiating the access as the source IP and the extranet IP to which the access points as the destination IP, and the extracted characteristic value is the size of the data transmission quantity. The server takes the source IP, the extranet IP, the timestamp at which the network access was initiated and the data transmission quantity as the time series characteristic data.
For example, the network access data to be detected obtained by the server is three hours of network access data, and it includes a plurality of source IPs and corresponding destination IPs. For each source IP and its corresponding destination IP, the server extracts the timestamp of the access initiated by the source IP, and then accumulates the byte_server data transmission volume of the TCP flows within z minutes, taking z minutes as the granularity, where z is within the range of 1-60 and z ∈ Z⁺. The server represents a source IP by src_ip, a destination IP by dest_ip, and a timestamp by timestamp in units of minutes; data_vol represents the data transmission quantity in kilobytes. Time series characteristic data such as {src_ip: …130.14, dest_ip: …98.75, timestamp: 30, data_vol: 1000} are obtained.
It should be noted that the server can perform noise reduction and smoothing on the obtained time series feature data through a smoothing filter, so that the time series feature data changes relatively smoothly. If the time series characteristic data is sparse, however, no noise reduction smoothing is performed. The criterion for sparse time series characteristic data is as follows: when the 0-norm ratio of the feature values included in the time series characteristic data is greater than 98%, the time series characteristic data is determined to be sparse. The 0-norm represents the number of non-zero elements in the vector.
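As an added example (not the patent's own code), the following builds the step 301 time series characteristic data from constructed traffic-log records; the record layout, the RFC 1918 ranges taken as "the intranet", and the documentation-range addresses used as extranet IPs are assumptions.

```python
# Added example: traffic-log preprocessing and feature extraction as described in step 301.
import ipaddress
from collections import defaultdict

# Constructed records: (initiation time in minutes since the window start, source IP,
# destination IP, bytes transmitted). 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for extranet addresses.
TRAFFIC_LOG = [
    (0,  "10.0.0.5",     "203.0.113.7",   1_024_000),
    (1,  "10.0.0.5",     "203.0.113.7",   2_048),
    (12, "10.0.0.8",     "198.51.100.20", 4_096),
    (30, "10.0.0.5",     "203.0.113.7",   1_022_976),
    (31, "10.0.0.5",     "10.0.0.9",      500_000),    # intranet to intranet: dropped
    (45, "198.51.100.2", "10.0.0.5",      9_000),      # inbound from the extranet: dropped
    (60, "10.0.0.5",     "203.0.113.7",   1_025_000),
]

# RFC 1918 ranges taken as "the intranet" (assumption; the patent only says intranet IP).
INTRANET_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTRANET_NETS)


def filter_outbound(records):
    """Preprocessing: keep only flows initiated by an internal IP towards an external IP."""
    return [r for r in records if is_internal(r[1]) and not is_internal(r[2])]


def extract_time_series(records, duration_min, granularity_min=1):
    """Return {(src_ip, dest_ip): [data_vol in KB per z-minute bucket]} for the target duration.

    The bytes of every flow whose initiation timestamp falls in a bucket are accumulated
    into that bucket and then converted to whole kilobytes, as in the patent's example.
    """
    if not 1 <= granularity_min <= 60:
        raise ValueError("z must be in the range 1..60 minutes")
    n_buckets = -(-duration_min // granularity_min)   # ceiling division
    series = defaultdict(lambda: [0] * n_buckets)
    for t_min, src, dst, nbytes in filter_outbound(records):
        if 0 <= t_min < duration_min:
            series[(src, dst)][t_min // granularity_min] += nbytes
    return {pair: [v // 1024 for v in buckets] for pair, buckets in series.items()}


def to_feature_records(series):
    """Flatten to the patent's form {src_ip, dest_ip, timestamp, data_vol}; zero buckets omitted."""
    return [
        {"src_ip": src, "dest_ip": dst, "timestamp": ts, "data_vol": vol}
        for (src, dst), buckets in series.items()
        for ts, vol in enumerate(buckets)
        if vol
    ]


if __name__ == "__main__":
    for rec in to_feature_records(extract_time_series(TRAFFIC_LOG, duration_min=90)):
        print(rec)
```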
302. For any time series characteristic data, the server performs period detection on the time series characteristic data to obtain the access period corresponding to the time series characteristic data.
In the embodiment of the application, the server can detect the periodicity of the time series characteristic data through a period detection algorithm to obtain the access period of the time series characteristic data. Optionally, the period detection algorithm is the FFT (Fast Fourier Transform). Optionally, the server converts the time series characteristic data from time domain data to frequency domain data through the FFT, and then determines the access period according to the amplitude-frequency relationship of the frequency domain data. For a time series whose period does not vary over time, the periodicity can be detected accurately and efficiently based on the FFT, which improves the efficiency and accuracy of period detection.
For example, referring to fig. 4, fig. 4 is a schematic diagram illustrating a method for converting time domain data into frequency domain data according to an embodiment of the present application. Before conversion, a graph corresponding to time series characteristic data is obtained, the period of the time series characteristic data is 1440 minutes, the data after FFT conversion is an amplitude-frequency graph, and correspondingly, the abscissa corresponding to the point with the highest amplitude is 1440, that is, the frequency is 1440.
It should be noted that the FFT also yields a dominant frequency when applied to time-varying signals and to non-periodic time series characteristic data, so the obtained access period needs to be further verified. See step 303.
303. The server segments the time series characteristic data according to the access period to obtain at least two data segments.
In the embodiment of the application, after obtaining the access period, the server can divide the time series characteristic data corresponding to the target duration into a plurality of data segments based on the access period to obtain at least two data segments. If the number of the data segments obtained by the server after the segmentation is less than two, the time series characteristic data is represented as a non-periodic sequence, and subsequent detection steps are not needed.
For example, if the access period is T and the target duration corresponding to the time series characteristic data is N, the computer device can divide the access data into N/T data segments. Wherein N and T are positive integers. If N/T is less than 2, the time series characteristic data is a non-periodic series, and subsequent steps are not required. If N/T is more than or equal to 2, the time series characteristic data is a periodic series, and the subsequent steps are continuously executed.
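The period detection of step 302 and the segmentation check of step 303, as an added example rather than the patent's code: a plain O(n²) discrete Fourier transform stands in for the FFT so the block has no dependencies, and the per-minute data_vol series is constructed.

```python
# Added example: FFT-style period detection (step 302) and N/T segmentation (step 303).
import cmath
import math


def constructed_series(n_minutes=240, period=30, shape=(100, 300, 300, 200, 100)):
    """Constructed per-minute KB series: a ~1000 KB transfer spread over five minutes,
    repeated every `period` minutes, with a small deterministic size jitter per repetition."""
    series = [0.0] * n_minutes
    for rep, start in enumerate(range(0, n_minutes, period)):
        scale = 1 + 0.02 * ((rep % 5) - 2)           # 0.96 .. 1.04
        for offset, kb in enumerate(shape):
            if start + offset < n_minutes:
                series[start + offset] = kb * scale
    return series


def dft_amplitudes(x):
    """|X[k]| for k = 0..n//2 of the mean-centred series (the upper half mirrors the lower)."""
    n = len(x)
    mean = sum(x) / n
    centred = [v - mean for v in x]
    amps = []
    for k in range(n // 2 + 1):
        s = sum(centred[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
        amps.append(abs(s))
    return amps


def detect_period(x):
    """Access period in samples: n divided by the frequency bin of highest amplitude.
    Bin 0 (the DC component) is excluded, so some period is always returned; as the
    patent notes, it still has to be verified by the similarity detection step."""
    n = len(x)
    amps = dft_amplitudes(x)
    k_max = max(range(1, len(amps)), key=lambda k: amps[k])
    return round(n / k_max)


def segment_by_period(x, period):
    """Step 303: cut the series into N/T whole segments; fewer than two means non-periodic."""
    n_segments = len(x) // period
    if n_segments < 2:
        return None
    return [x[i * period:(i + 1) * period] for i in range(n_segments)]


if __name__ == "__main__":
    beacon = constructed_series()
    t = detect_period(beacon)
    print("detected period:", t, "minutes; segments:", len(segment_by_period(beacon, t)))
```

For a single isolated transfer the dominant bin is k = 1, the period equals the whole window, and segment_by_period returns None, which is the "fewer than two segments" exit of step 303.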
304. The server performs similarity detection on at least two data fragments.
In the embodiment of the application, the server can judge whether the whole time series characteristic data is the periodic similar data according to whether the data segments are similar.
In an alternative implementation manner, the server can obtain the similarity between each pair of data segments adjacent in time. Then, the data segments whose similarity is not greater than the similarity threshold are taken as target data segments. In response to the proportion of the target data segments in the at least two data segments being larger than the target proportion, the server determines as the detection result that the time series characteristic data is periodic similar data; in response to that proportion not being larger than the target proportion, the server determines as the detection result that the time series characteristic data is periodic data. The target proportion may be 50%, 60%, 70%, or the like, which is not limited in the embodiments of the present application. When the proportion of data segments whose similarity is not greater than the similarity threshold exceeds the target proportion, the whole time series characteristic data is determined to be a periodic similar sequence; otherwise it is determined to be a periodic sequence. Time series characteristic data that is periodic but not similar can thus be filtered out, improving the accuracy of the detection result.
In an alternative implementation, the server can determine the similarity between the data segments by a DTW (Dynamic Time Warping) algorithm. Correspondingly, the step of the server obtaining the similarity between two data fragments adjacent in time is as follows: for any two data fragments adjacent in time, the server obtains the dynamic time warping distance between the two data fragments, where the dynamic time warping distance represents the shortest cumulative Euclidean distance between the two data fragments. The server then determines the similarity between the two data segments based on the dynamic time warping distance. By calculating the DTW distance between the two data segments, the similarity between them can be reflected more accurately.
For example, referring to fig. 5, fig. 5 is a schematic diagram of a DTW distance provided by an embodiment of the present application. As shown in fig. 5, there are two time series feature data x(t1) and y(t2), whose time lengths are n and m respectively; an n × m matrix D(i, j) can be formed, where each matrix value D(i, j) = |x(i) − y(j)| is the Euclidean distance between x(i) and y(j). DTW obtains the shortest path from D(0, 0) to D(n, m), and the length of this shortest path is the similarity value of the two time series feature data x(t1) and y(t2).
It should be noted that the DTW has low reference value for similarity detection of sparse time series feature data. Therefore, to ensure detection effectiveness, a separate statistical comparison is performed on sparse time series characteristic data, and DTW similarity calculation is performed on non-sparse time series characteristic data. The criterion for sparse time series characteristic data is as follows: when the 0-norm ratio of the feature values included in the time series characteristic data is greater than 98%, the time series characteristic data is determined to be sparse. The 0-norm represents the number of non-zero elements in the vector.
In an alternative implementation manner, since the calculation result of the DTW is affected by a plurality of factors, and the setting of the similarity threshold depends on the calculation result of the DTW, the server normalizes all time series feature data when calculating the DTW: the DTW distance divided by the length of the time series feature data is taken as the similarity value. Correspondingly, the step of determining the similarity between the two data segments according to the dynamic time warping distance is as follows: the server obtains the sequence length of the time series characteristic data, and then normalizes the dynamic time warping distance by the sequence length to obtain the similarity between the two data fragments. Since the DTW distance is the shortest cumulative Euclidean distance between two sequences, the longer the sequences, the larger the cumulative value; dividing the DTW value by the length of the time series characteristic data unifies the standard across time series characteristic data of different lengths.
For example, the similarity value is expressed as DTW(x, y) / length(x), where length(x) represents the sequence length of the time series feature data. When the similarity of the two data segments is not larger than the similarity threshold, that is, the similarity threshold is larger than the similarity value, the two data segments are similar; otherwise, they are not similar. Then, for the entire time series feature data, when there are N data segments the server obtains N-1 similarities, which are stored in dist_list. When more than 50% of the similarities in the list indicate that the data segments are similar, the time series feature data is determined to be a periodic similar sequence; otherwise it is determined to be a periodic sequence.
305. In response to the detection result of the similarity detection indicating that the time series characteristic data is the periodic similar data, the server determines that the behavior corresponding to the time series characteristic data belongs to the target access behavior.
In this embodiment of the application, if the detection result indicates that the time series characteristic data is periodic similar data, it indicates that the source IP included in the time series characteristic data periodically accesses the same destination IP and the transmitted data amounts are similar in size. The target access behavior refers to suspicious periodic connection behavior to an extranet IP.
In an alternative implementation, the server can further filter the time series characteristic data according to comparison data. Correspondingly, the step in which the server, in response to the detection result indicating that the time series characteristic data is the periodic similar data, determines that the corresponding behavior belongs to the target access behavior is as follows: in response to the detection result indicating that the time series characteristic data is the periodic similar data, the server acquires a target access address included in the time series characteristic data, the target access address being the address to which the access points. The server then obtains, from comparison data, a first number of target initiation addresses that access the target access address, the comparison data being time series characteristic data of non-target access behavior. In response to the first number not being greater than a preset second number, the server determines that the behavior corresponding to the time series characteristic data belongs to the target access behavior. By further screening the time series characteristic data based on the comparison data, time series characteristic data corresponding to normal access behavior is eliminated, and the accuracy of the detection result can be improved.
For example, the server takes the time series characteristic data detected as periodic similar data as suspicious data. For any destination IP included in the suspicious data, that is, the extranet IP address to which the access points, the server counts, within a fixed time such as 24 hours, the number of distinct source IPs that access that destination IP in the time series characteristic data of normal traffic determined to be non-target access behavior, obtaining a deduplicated first number normal_count. If the first number is larger than the preset second number, the destination IP is accessed by many sources and the behavior of accessing it does not belong to the target access behavior; otherwise, the behavior belongs to the target access behavior.
306. In response to the detection result of the similarity detection indicating that the time series characteristic data is periodic data, the server determines that the behavior corresponding to the time series characteristic data does not belong to the target access behavior.
It should be noted that the above steps 301 to 306 are an optional implementation of the target access behavior detection method provided in the present application; the method also has other optional implementations. For example, fig. 6 is a flowchart of another target access behavior detection method provided according to an embodiment of the present application. As shown in fig. 6, the method comprises the following steps: 601. TCP flow preprocessing; 602. TCP data feature extraction; 603. constructing time series characteristic data; 604. FFT period detection; 605. DTW similarity detection; 606. filtering the results with the screening policy; 607. sorting the time series characteristic data remaining after filtering. The embodiment of the present application does not limit this.
It should be noted that the target access behavior detection method can be applied to a target access behavior detection system. As shown in fig. 7, the system includes a data access processing layer, a feature extraction layer, an algorithm layer, a policy layer, and a normalization output layer. Correspondingly, the work flow of the target access behavior detection system is as follows: 701. TCP flow preprocessing; 702. feature extraction; 703. constructing time series characteristic data and carrying out period detection and similarity detection; 704. determining whether the behavior corresponding to the time series characteristic data belongs to the target access behavior; 705. converting the time series characteristic data into visual data; 706. displaying the page.
The data access preprocessing layer is used for acquiring traffic log data, scheduling a preprocessing task to preprocess the traffic log data, and obtaining network access data to be detected. Correspondingly, the step of obtaining the network access data to be detected by the data access preprocessing layer is referred to as the step 301, which is not described herein again.
It should be noted that, when the data access preprocessing layer preprocesses the traffic log data, the data access preprocessing layer may further set a key field to further filter the traffic log, so as to obtain the network access data meeting the requirement of the detection task.
The feature extraction layer is used for scheduling a feature extraction task to perform feature extraction on the network access data to obtain at least one time series characteristic data. When the preprocessing of the traffic log is completed, the feature extraction layer schedules a feature extraction task and sends the processed network access data to the feature extraction module, which extracts features to obtain the time series feature data. The layer can also fill in missing values in the time series characteristic data and sort it. The feature extraction performed by the feature extraction layer is as described in step 301 and is not repeated here.
The algorithm layer is used for scheduling an algorithm task to detect each of the at least one time series characteristic data and obtain at least one detection result, the detection result indicating whether the corresponding time series characteristic data is periodic similar data. The detection process comprises two steps, period detection and similarity detection: the algorithm layer performs period detection on any time series characteristic data to obtain an access period; segments the time series characteristic data according to the access period to obtain at least two data segments; and performs similarity detection on the at least two data fragments to obtain the detection result. The detection steps of the algorithm layer are as described in steps 302 to 304 and are not repeated here.
The policy layer is used for scheduling a policy task and filtering the at least one time series characteristic data according to the at least one detection result to obtain the time series characteristic data whose corresponding behavior belongs to the target access behavior. The filtering performed by the policy layer is as described in step 305 and is not repeated here.
It should be noted that the policy layer can also set a white list, a dynamic policy, and other filtering manners to filter at least one piece of time series characteristic data, which is not limited in this embodiment of the present application.
The normalization output layer is used for scheduling a normalization task and converting the time series characteristic data whose corresponding behavior belongs to the target access behavior into visual data, which is used for visual display. It can also be used for data pulling, normalization, and writing data into databases such as MySQL, Kafka (an open source streaming platform developed by the Apache Software Foundation), ES (Elasticsearch, a Lucene-based search server), and the like.
For example, referring to fig. 8, fig. 8 is a schematic view of a visualization display interface provided according to an embodiment of the present application. As shown in fig. 8, the tabs corresponding to the top 10 ranked extranet IPs are included. The user can display the image of the date of the accessed outer network IP on the upper side of the right side of the interface by clicking any tab displayed on the left side of the interface, display at least one tab of the inner network IP for accessing the outer network IP on the lower side of the right side of the interface, and can view the statistical data of the inner network IP for accessing the outer network IP by clicking the tab corresponding to any inner network IP.
It should be noted that, when the user uses the target access behavior detection system to perform target access behavior detection, the detection content may be configured by the user through a detection scenario configuration interface, which includes a feature data configuration option, an algorithm configuration option, and a policy configuration option. The feature data configuration option is used for configuring the content included in the time series feature data, namely the features to be extracted; the algorithm configuration option is used for configuring the algorithms used in the detection process, such as the FFT algorithm and the DTW algorithm; the policy configuration option is used for configuring the screening policy applied to the detection result, such as the above-mentioned comparison data screening and white list screening. The user can set up the flow of the target access behavior detection method by dragging.
For example, referring to fig. 9, fig. 9 is a schematic diagram of a detection scenario configuration interface provided according to an embodiment of the present application. As shown in fig. 9, the left side of the detection scene configuration interface includes three configuration options, namely feature data, an algorithm, and a policy, and the right side of the detection scene configuration interface is a detection process for completing configuration, where the process includes: the form of the feature data is form a2, the algorithm is algorithm B3, and the policy is policy C1.
In the embodiment of the application, the access period is acquired by periodically detecting the time series characteristic data, so that the problem that the manually set period is easy to bypass is solved, and the reasonability of the period can be verified by performing similarity detection on the data segments obtained by segmenting the time series characteristic data, so that the time series characteristic data of the corresponding behavior belonging to the target access behavior can be accurately determined.
Fig. 10 is a block diagram of a target access behavior detection apparatus according to an embodiment of the present application. The apparatus is used for executing the steps executed by the target access behavior detection method, and referring to fig. 10, the apparatus includes: a period detection module 1001, a data division module 1002, a similarity detection module 1003 and a determination module 1004.
A period detection module 1001, configured to perform period detection on time series characteristic data to obtain an access period corresponding to the time series characteristic data, where the time series characteristic data is used to represent characteristics of network access data within a target duration;
a data dividing module 1002, configured to segment the time series characteristic data according to the access period to obtain at least two data segments;
a similarity detection module 1003, configured to perform similarity detection on the at least two data segments;
the determining module 1004 is configured to, in response to a detection result of the similarity detection indicating that the time-series characteristic data is the periodic similar data, determine that a behavior corresponding to the time-series characteristic data belongs to the target access behavior.
In one possible implementation manner, the period detection module 1001 is configured to convert the time series characteristic data into frequency domain data; and determining the access frequency with the highest amplitude as an access cycle according to the amplitude-frequency relation of the frequency domain data.
In one possible implementation manner, the similarity detection module 1003 includes:
the similarity obtaining submodule is used for respectively obtaining the similarity between two data fragments adjacent in time;
the target data segment obtaining submodule is used for obtaining a data segment with the similarity not greater than the similarity threshold value as a target data segment;
and the detection result acquisition submodule is used for determining that the time series characteristic data is periodic similar data as a detection result in response to the fact that the proportion of the target data segment in the at least two data segments is greater than the target proportion.
In a possible implementation manner, the similarity obtaining sub-module includes:
a dynamic time warping distance obtaining unit, configured to obtain, for two data segments adjacent to each other at any time, a dynamic time warping distance between the two data segments, where the dynamic time warping distance is used to represent a shortest cumulative euclidean distance between the two data segments;
and the similarity determining unit is used for determining the similarity between the two data fragments according to the dynamic time warping distance.
In a possible implementation manner, the similarity determining unit is configured to obtain a sequence length of the time-series feature data; and normalizing the dynamic time warping distance according to the sequence length to obtain the similarity between the two data fragments.
In a possible implementation manner, the determining module 1004 is configured to, in response to the detection result indicating that the time-series characteristic data is the periodic similar data, obtain a target access address included in the time-series characteristic data, where the target access address is the address to which the access points; acquire a first number of target initiation addresses included in comparison data, where the comparison data is time series characteristic data of non-target access behavior and the target initiation addresses are addresses that initiate access to the target access address; and in response to the first number not being larger than a preset second number, determine that the behavior corresponding to the time series characteristic data belongs to the target access behavior.
In one possible implementation, the apparatus further includes:
the log data acquisition module is used for acquiring flow log data in a target duration;
the data preprocessing module is used for preprocessing the flow log data to obtain the network access data to be detected;
and the characteristic extraction module is used for extracting the characteristics of the network access data to obtain at least one time series characteristic data.
In one possible implementation, the apparatus further includes:
the data conversion module is used for converting the time series characteristic data into visual data;
and the display module is used for displaying the visual data on a visual display interface.
In the embodiment of the application, the access period is acquired by periodically detecting the time series characteristic data through the period detection module, the problem that the manually set period is easy to bypass is solved, similarity detection is performed on the data fragments obtained after the time series characteristic data are segmented through the data dividing module and the similarity detection module, the reasonability of the period can be verified, and therefore the time series characteristic data of the target access behavior can be accurately determined through the determination module.
It should be noted that: in the target access behavior detection apparatus provided in the foregoing embodiment, only the division of the functional modules is illustrated in the foregoing, and in practical applications, the function distribution may be completed by different functional modules according to needs, that is, the internal structure of the apparatus is divided into different functional modules, so as to complete all or part of the functions described above. In addition, the target access behavior detection apparatus provided in the foregoing embodiment and the target access behavior detection method embodiment belong to the same concept, and specific implementation processes thereof are described in the method embodiment and are not described herein again.
In this embodiment of the present application, the computer device can be configured as a terminal or a server, when the computer device is configured as a terminal, the terminal can be used as an execution subject to implement the technical solution provided in the embodiment of the present application, when the computer device is configured as a server, the server can be used as an execution subject to implement the technical solution provided in the embodiment of the present application, and the technical solution provided in the present application can also be implemented through interaction between the terminal and the server, for example, a technician obtains time series feature data from the server through the terminal, and determines that a behavior corresponding to the time series feature data belongs to a target access behavior based on the time series feature data, which is not limited in this embodiment of the present application.
When the computer device is configured as a terminal, fig. 11 is a block diagram of a terminal 1100 provided according to an embodiment of the present application. The terminal 1100 may be a smart phone, a tablet computer, an MP3 player (Moving Picture Experts Group Audio Layer III), an MP4 player (Moving Picture Experts Group Audio Layer IV), a notebook computer, or a desktop computer. Terminal 1100 may also be referred to by other names such as user equipment, portable terminal, laptop terminal, desktop terminal, and so forth.
In general, terminal 1100 includes: a processor 1101 and a memory 1102.
In some embodiments, the terminal 1100 may further include: a peripheral interface 1103 and at least one peripheral. The processor 1101, memory 1102 and peripheral interface 1103 may be connected by a bus or signal lines. Various peripheral devices may be connected to the peripheral interface 1103 by buses, signal lines, or circuit boards. Specifically, the peripheral device includes: at least one of radio frequency circuitry 1104, display screen 1105, camera assembly 1106, audio circuitry 1107, positioning assembly 1108, and power supply 1109.
The peripheral interface 1103 may be used to connect at least one peripheral associated with I/O (Input/Output) to the processor 1101 and the memory 1102. In some embodiments, the processor 1101, memory 1102, and peripheral interface 1103 are integrated on the same chip or circuit board; in some other embodiments, any one or two of the processor 1101, the memory 1102 and the peripheral device interface 1103 may be implemented on separate chips or circuit boards, which is not limited by this embodiment.
The Radio Frequency circuit 1104 is used to receive and transmit RF (Radio Frequency) signals, also called electromagnetic signals. The radio frequency circuit 1104 communicates with communication networks and other communication devices via electromagnetic signals. The radio frequency circuit 1104 converts an electric signal into an electromagnetic signal to transmit, or converts a received electromagnetic signal into an electric signal. Optionally, the radio frequency circuit 1104 includes: an antenna system, an RF transceiver, one or more amplifiers, a tuner, an oscillator, a digital signal processor, a codec chipset, a subscriber identity module card, and so forth. The radio frequency circuit 1104 may communicate with other terminals via at least one wireless communication protocol. The wireless communication protocols include, but are not limited to: metropolitan area networks, various generation mobile communication networks (2G, 3G, 4G, and 5G), Wireless local area networks, and/or WiFi (Wireless Fidelity) networks. In some embodiments, the rf circuit 1104 may further include NFC (Near Field Communication) related circuits, which are not limited in this application.
The display screen 1105 is used to display a UI (User Interface). The UI may include graphics, text, icons, video, and any combination thereof. When the display screen 1105 is a touch display screen, the display screen 1105 also has the ability to capture touch signals on or over the surface of the display screen 1105. The touch signal may be input to the processor 1101 as a control signal for processing. At this point, the display screen 1105 may also be used to provide virtual buttons and/or a virtual keyboard, also referred to as soft buttons and/or a soft keyboard. In some embodiments, display 1105 may be one, disposed on a front panel of terminal 1100; in other embodiments, the display screens 1105 can be at least two, respectively disposed on different surfaces of the terminal 1100 or in a folded design; in other embodiments, display 1105 can be a flexible display disposed on a curved surface or on a folded surface of terminal 1100. Even further, the display screen 1105 may be arranged in a non-rectangular irregular pattern, i.e., a shaped screen. The Display screen 1105 may be made of LCD (Liquid Crystal Display), OLED (Organic Light-emitting diode), and the like.
The audio circuitry 1107 may include a microphone and a speaker. The microphone is used for collecting sound waves of a user and the environment, converting the sound waves into electric signals, and inputting the electric signals to the processor 1101 for processing or inputting the electric signals to the radio frequency circuit 1104 to achieve voice communication. For stereo capture or noise reduction purposes, multiple microphones may be provided, each at a different location of terminal 1100. The microphone may also be an array microphone or an omni-directional pick-up microphone. The speaker is used to convert electrical signals from the processor 1101 or the radio frequency circuit 1104 into sound waves. The loudspeaker can be a traditional film loudspeaker or a piezoelectric ceramic loudspeaker. When the speaker is a piezoelectric ceramic speaker, the speaker can be used for purposes such as converting an electric signal into a sound wave audible to a human being, or converting an electric signal into a sound wave inaudible to a human being to measure a distance. In some embodiments, the audio circuitry 1107 may also include a headphone jack.
In some embodiments, terminal 1100 can also include one or more sensors 1110. The one or more sensors 1110 include, but are not limited to: acceleration sensor 1111, gyro sensor 1112, pressure sensor 1113, fingerprint sensor 1114, optical sensor 1115, and proximity sensor 1116.
Acceleration sensor 1111 may detect acceleration levels in three coordinate axes of a coordinate system established with terminal 1100. For example, the acceleration sensor 1111 may be configured to detect components of the gravitational acceleration in three coordinate axes. The processor 1101 may control the display screen 1105 to display the user interface in a landscape view or a portrait view according to the gravitational acceleration signal collected by the acceleration sensor 1111. The acceleration sensor 1111 may also be used for acquisition of motion data of a game or a user.
The gyro sensor 1112 may detect a body direction and a rotation angle of the terminal 1100, and the gyro sensor 1112 may cooperate with the acceleration sensor 1111 to acquire a 3D motion of the user with respect to the terminal 1100. From the data collected by gyroscope sensor 1112, processor 1101 may implement the following functions: motion sensing (such as changing the UI according to a user's tilting operation), image stabilization at the time of photographing, game control, and inertial navigation.
Pressure sensor 1113 may be disposed on a side bezel of terminal 1100 and/or underlying display screen 1105. When the pressure sensor 1113 is disposed on the side frame of the terminal 1100, the holding signal of the terminal 1100 from the user can be detected, and the processor 1101 performs left-right hand recognition or shortcut operation according to the holding signal collected by the pressure sensor 1113. When the pressure sensor 1113 is disposed at the lower layer of the display screen 1105, the processor 1101 controls the operability control on the UI interface according to the pressure operation of the user on the display screen 1105. The operability control comprises at least one of a button control, a scroll bar control, an icon control and a menu control.
The fingerprint sensor 1114 is configured to collect a fingerprint of the user, and the processor 1101 identifies the user according to the fingerprint collected by the fingerprint sensor 1114, or the fingerprint sensor 1114 identifies the user according to the collected fingerprint. Upon recognizing that the user's identity is a trusted identity, the user is authorized by the processor 1101 to perform relevant sensitive operations including unlocking the screen, viewing encrypted information, downloading software, paying for and changing settings, etc. Fingerprint sensor 1114 may be disposed on the front, back, or side of terminal 1100. When a physical button or vendor Logo is provided on the terminal 1100, the fingerprint sensor 1114 may be integrated with the physical button or vendor Logo.
Optical sensor 1115 is used to collect ambient light intensity. In one embodiment, the processor 1101 may control the display brightness of the display screen 1105 based on the ambient light intensity collected by the optical sensor 1115. Specifically, when the ambient light intensity is high, the display brightness of the display screen 1105 is increased; when the ambient light intensity is low, the display brightness of the display screen 1105 is reduced. In another embodiment, processor 1101 may also dynamically adjust the shooting parameters of camera assembly 1106 based on the ambient light intensity collected by optical sensor 1115.
Proximity sensor 1116, also referred to as a distance sensor, is typically disposed on a front panel of terminal 1100. Proximity sensor 1116 is used to capture the distance between the user and the front face of terminal 1100. In one embodiment, when the proximity sensor 1116 detects that the distance between the user and the front face of the terminal 1100 is gradually decreasing, the display screen 1105 is controlled by the processor 1101 to switch from a bright screen state to a dark screen state; when the proximity sensor 1116 detects that the distance between the user and the front face of the terminal 1100 is gradually increasing, the display screen 1105 is controlled by the processor 1101 to switch from the dark screen state back to the bright screen state.
Those skilled in the art will appreciate that the configuration shown in fig. 11 does not constitute a limitation of terminal 1100, and may include more or fewer components than those shown, or may combine certain components, or may employ a different arrangement of components.
The computer device may be configured as a server. Fig. 12 is a schematic structural diagram of a server 1200 according to an embodiment of the present application. The server 1200 may vary considerably in configuration and performance, and may include one or more processors (CPUs) 1201 and one or more memories 1202, where the memory 1202 stores at least one program code that is loaded and executed by the processors 1201 to implement the target access behavior detection method provided by each method embodiment. Of course, the server may also have components such as a wired or wireless network interface, a keyboard, and an input/output interface for performing input/output, and may include other components for implementing the functions of the device, which are not described here again.
The embodiment of the present application further provides a computer-readable storage medium, which is applied to a computer device, and the computer-readable storage medium stores at least one program code, where the at least one program code is used for being executed by a processor and implementing the operations executed by the computer device in the target access behavior detection method in the embodiment of the present application.
Embodiments of the present application also provide a computer program product or a computer program comprising computer program code stored in a computer readable storage medium. The processor of the computer device reads the computer program code from the computer-readable storage medium, and the processor executes the computer program code to cause the computer device to perform the target access behavior detection method provided in the above aspect or the various alternative implementations of the above aspect.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by program code to instruct relevant hardware to implement the above embodiments, where the program may be stored in a computer-readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic or optical disk, etc.
The above description is only exemplary of the present application and should not be taken as limiting, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the protection scope of the present application.
Claims (15)
1. A method for detecting access behavior of a target, the method comprising:
carrying out periodic detection on time series characteristic data to obtain an access period corresponding to the time series characteristic data, wherein the time series characteristic data is used for representing the characteristics of network access data in a target duration;
segmenting the time sequence characteristic data according to the access period to obtain at least two data segments;
performing similarity detection on the at least two data segments;
and determining that the behavior corresponding to the time series characteristic data belongs to the target access behavior in response to the detection result of the similarity detection indicating that the time series characteristic data is the periodic similar data.
2. The method according to claim 1, wherein the performing periodic detection on the time-series characteristic data to obtain an access period corresponding to the time-series characteristic data comprises:
converting the time series characteristic data into frequency domain data;
and determining the access frequency with the highest amplitude as an access cycle according to the amplitude-frequency relationship of the frequency domain data.
3. The method of claim 1, wherein the performing similarity detection on the at least two data segments comprises:
respectively acquiring the similarity between two data segments adjacent in time;
acquiring a data segment with the similarity not greater than a similarity threshold as a target data segment;
and determining the time series characteristic data as periodic similarity data as a detection result in response to the fact that the proportion of the target data segment in the at least two data segments is larger than a target proportion.
4. The method according to claim 3, wherein the obtaining the similarity between two data segments adjacent in time respectively comprises:
for any two data segments that are adjacent in time, acquiring the dynamic time warping distance between the two data segments, wherein the dynamic time warping distance represents the shortest cumulative Euclidean distance between the two data segments;
and determining the similarity between the two data fragments according to the dynamic time warping distance.
5. The method of claim 4, wherein determining the similarity between the two data segments according to the dynamic time warping distance comprises:
acquiring the sequence length of the time sequence characteristic data;
and normalizing the dynamic time warping distance according to the sequence length to obtain the similarity between the two data fragments.
6. The method according to claim 1, wherein the determining that the behavior corresponding to the time-series characteristic data belongs to the target access behavior in response to the detection result indicating that the time-series characteristic data is the periodic similarity data comprises:
in response to the detection result indicating that the time series characteristic data is periodic similar data, acquiring a target access address included in the time series characteristic data, wherein the target access address is the address being accessed;
acquiring a first quantity of target initiation addresses included in comparison data, wherein the comparison data are time sequence characteristic data of non-target access behaviors, and the target initiation addresses are addresses for initiating access to the target access addresses;
and determining that the behavior corresponding to the time series characteristic data belongs to target access behavior in response to the fact that the first number is not larger than a preset second number.
7. The method of claim 1, wherein prior to the periodic detection of the time series signature data, the method further comprises:
acquiring flow log data within a target duration;
preprocessing the flow log data to obtain the network access data to be detected;
and performing feature extraction on the network access data to obtain at least one time series feature data.
8. The method of claim 1, wherein after determining that the behavior corresponding to the time-series characteristic data belongs to a target access behavior, the method further comprises:
converting the time series characteristic data into visual data;
and displaying the visual data on a visual display interface.
9. An apparatus for detecting access behavior of a target, the apparatus comprising:
the system comprises a period detection module, a time sequence feature data acquisition module and a time sequence feature data processing module, wherein the period detection module is used for carrying out period detection on the time sequence feature data to obtain an access period corresponding to the time sequence feature data, and the time sequence feature data is used for representing the features of network access data in a target time length;
the data dividing module is used for segmenting the time sequence characteristic data according to the access period to obtain at least two data segments;
the similarity detection module is used for carrying out similarity detection on the at least two data fragments;
and the determining module is used for responding to the detection result of the similarity detection and indicating that the time series characteristic data is the periodic similar data, and determining that the behavior corresponding to the time series characteristic data belongs to the target access behavior.
10. The apparatus of claim 9, wherein the period detection module is configured to convert the time-series feature data into frequency-domain data; and determining the access frequency with the highest amplitude as an access cycle according to the amplitude-frequency relationship of the frequency domain data.
11. The apparatus of claim 9, wherein the similarity detection module comprises:
the similarity obtaining submodule is used for respectively obtaining the similarity between two data fragments adjacent in time;
the target data segment obtaining submodule is used for obtaining a data segment with the similarity not greater than the similarity threshold value as a target data segment;
and the detection result acquisition submodule is used for determining that the time series characteristic data is periodic similar data as a detection result in response to the fact that the proportion of the target data segment in the at least two data segments is greater than the target proportion.
12. The apparatus of claim 11, wherein the similarity obtaining sub-module comprises:
a dynamic time warping distance obtaining unit, configured to obtain, for any two data segments that are adjacent in time, the dynamic time warping distance between the two data segments, where the dynamic time warping distance represents the shortest cumulative Euclidean distance between the two data segments;
and the similarity determining unit is used for determining the similarity between the two data fragments according to the dynamic time warping distance.
13. The apparatus according to claim 12, wherein the similarity determining unit is configured to obtain a sequence length of the time-series feature data; and normalizing the dynamic time warping distance according to the sequence length to obtain the similarity between the two data fragments.
14. A computer device, characterized in that the computer device comprises a processor and a memory for storing at least one piece of program code, which is loaded by the processor and which performs the object access behavior detection method according to any of claims 1 to 8.
15. A storage medium for storing at least one piece of program code for performing the method of object access behavior detection of any of claims 1 to 8.
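The detection pipeline of claims 1 to 7, carried through on a constructed flow log, as an added example; this is not the patent's or the applicant's code. It assumes a 10-second bin, a 20-minute target duration, connections-per-bin as the time series feature, a plain DFT for the frequency-domain step of claim 2, and models the "similarity" of claims 3 and 5 as the DTW distance divided by the sequence length (smaller means more alike, which is why the claims test "not greater than" a threshold). The sample log, the addresses, the thresholds and the function names are all constructed for illustration.

```python
"""Beacon-style access detection built from the steps in claims 1 to 7.
Added example, not the patent's code. Bin width, window, thresholds and
the sample flow log are assumptions made for illustration."""
import cmath
import math
from collections import defaultdict

BIN_SECONDS = 10        # width of one time bin (assumption)
WINDOW_SECONDS = 1200   # target duration: one 20-minute window (assumption)


def build_sample_log():
    """Constructed flow log, one 'timestamp,src,dst' record per connection."""
    lines = []
    # Host A contacts one external address every 60 s with a few seconds of
    # jitter; three of the twenty contacts spill into the following 10 s bin.
    for i in range(20):
        lines.append(f"{60 * i + (i * 7) % 13},10.0.0.5,203.0.113.7")
    # Host B runs a single five-minute bulk transfer: five connections in
    # every bin from bin 10 to bin 40, then nothing.
    for b in range(10, 41):
        for r in range(5):
            lines.append(f"{b * BIN_SECONDS + 2 * r},10.0.0.8,198.51.100.4")
    return lines


def logs_to_series(lines, bin_seconds=BIN_SECONDS, window=WINDOW_SECONDS):
    """Claim 7: preprocess flow logs into one time series per (src, dst);
    the feature is the number of connections in each time bin."""
    n_bins = window // bin_seconds
    series = defaultdict(lambda: [0] * n_bins)
    for line in lines:
        ts, src, dst = line.strip().split(",")
        b = int(ts) // bin_seconds
        if 0 <= b < n_bins:
            series[(src, dst)][b] += 1
    return dict(series)


def estimate_period(x):
    """Claim 2: convert to the frequency domain (a plain O(n^2) DFT is fine
    at this size) and take the non-zero frequency index with the largest
    amplitude; the access period in bins is the window length over that index."""
    n = len(x)
    best_k, best_amp = 1, -1.0
    for k in range(1, n // 2 + 1):
        coef = sum(x[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
        if abs(coef) > best_amp:
            best_k, best_amp = k, abs(coef)
    return round(n / best_k)


def segment(x, period):
    """Claim 1: cut the series into consecutive segments of one period each."""
    return [x[i:i + period] for i in range(0, len(x) - period + 1, period)]


def dtw_distance(a, b):
    """Claim 4: dynamic time warping distance, the smallest cumulative
    point-wise distance over all monotone alignments of a and b."""
    n, m = len(a), len(b)
    inf = float("inf")
    d = [[inf] * (m + 1) for _ in range(n + 1)]
    d[0][0] = 0.0
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            cost = abs(a[i - 1] - b[j - 1])
            d[i][j] = cost + min(d[i - 1][j], d[i][j - 1], d[i - 1][j - 1])
    return d[n][m]


def is_periodic_similar(x, period, threshold=0.01, target_ratio=0.5):
    """Claims 3 and 5: for each pair of adjacent segments take the DTW distance
    normalised by the full sequence length; a pair is similar when that value
    is not greater than the threshold, and the series is periodic-similar when
    the share of similar pairs exceeds target_ratio."""
    segs = segment(x, period)
    if len(segs) < 2:          # claim 1 needs at least two segments to compare
        return False
    similar = sum(1 for s1, s2 in zip(segs, segs[1:])
                  if dtw_distance(s1, s2) / len(x) <= threshold)
    return similar / (len(segs) - 1) > target_ratio


def detect(lines):
    """Whole pipeline: returns {(src, dst): (period_in_bins, flagged)}."""
    out = {}
    for key, x in logs_to_series(lines).items():
        period = estimate_period(x)
        out[key] = (period, is_periodic_similar(x, period))
    return out


def distinct_initiators(baseline_lines, dst):
    """Claim 6: count distinct sources that contact dst in comparison
    (known non-target) traffic; the claim confirms the behaviour only when
    this count is not larger than a chosen bound, since an address that many
    hosts talk to is a poor beaconing candidate."""
    return len({l.strip().split(",")[1] for l in baseline_lines
                if l.strip().split(",")[2] == dst})


if __name__ == "__main__":
    for key, (period, flagged) in detect(build_sample_log()).items():
        print(key, "period(bins)=", period, "periodic-similar=", flagged)
```

Two things the run makes visible that the claims leave to the implementer. First, dividing the DTW distance by the whole sequence length makes the threshold depend on the scale of the feature (here one connection per bin), so it has to be tuned per feature; with unit-height pulses even fairly different segments stay under a loose threshold, and a sparse series whose segments are mostly empty compares as trivially similar, which is why low-activity (src, dst) pairs should be dropped in the claim 7 preprocessing stage. Second, the bulk transfer's strongest frequency component is the lowest one, so the estimated "period" equals the whole window, only one segment exists, and the series is correctly not flagged; a minimum segment count guards that edge case.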
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010652958.4A CN111818050B (en) | 2020-07-08 | 2020-07-08 | Target access behavior detection method, system, device, equipment and storage medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN111818050A (en) | 2020-10-23 |
| CN111818050B (en) | 2024-01-19 |
Family ID: 72842600
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010652958.4A Active CN111818050B (en) | 2020-07-08 | 2020-07-08 | Target access behavior detection method, system, device, equipment and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN111818050B (en) |
Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106375345A (en) * | 2016-10-28 | 2017-02-01 | 中国科学院信息工程研究所 | Malware domain name detection method and system based on periodic detection |
| WO2017084529A1 (en) * | 2015-11-19 | 2017-05-26 | 阿里巴巴集团控股有限公司 | Network attacks identifying method and device |
| US20180234444A1 (en) * | 2017-02-15 | 2018-08-16 | Microsoft Technology Licensing, Llc | System and method for detecting anomalies associated with network traffic to cloud applications |
| CN109600398A (en) * | 2019-01-28 | 2019-04-09 | 杭州数梦工场科技有限公司 | A kind of account usage behavior detection method and device |
| CN110149343A (en) * | 2019-05-31 | 2019-08-20 | 国家计算机网络与信息安全管理中心 | A kind of abnormal communications and liaison behavioral value method and system based on stream |
| CN110611684A (en) * | 2019-09-27 | 2019-12-24 | 国网电力科学研究院有限公司 | A detection method, system and storage medium for periodic web access behavior |
| US10645100B1 (en) * | 2016-11-21 | 2020-05-05 | Alert Logic, Inc. | Systems and methods for attacker temporal behavior fingerprinting and grouping with spectrum interpretation and deep learning |
| CN111147459A (en) * | 2019-12-12 | 2020-05-12 | 北京网思科平科技有限公司 | C & C domain name detection method and device based on DNS request data |
Cited By (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112529708A (en) * | 2020-12-25 | 2021-03-19 | 深圳前海微众银行股份有限公司 | Client identification method and device and electronic equipment |
| CN112529708B (en) * | 2020-12-25 | 2024-06-04 | 深圳前海微众银行股份有限公司 | Customer identification method and device and electronic equipment |
| CN113358164A (en) * | 2021-06-07 | 2021-09-07 | 芯视界(北京)科技有限公司 | Flow detection method and device, electronic equipment and storage medium |
| CN113358164B (en) * | 2021-06-07 | 2024-03-05 | 芯视界(北京)科技有限公司 | Flow detection method and device, electronic equipment and storage medium |
| WO2024000904A1 (en) * | 2022-06-30 | 2024-01-04 | 方未科技(荷兰) | Traffic detection method and apparatus, and device and readable storage medium |
| EP4322430A4 (en) * | 2022-06-30 | 2024-11-06 | Forenova Technologies B.V | METHOD AND DEVICE FOR TRAFFIC DETECTION AS WELL AS DEVICE AND READABLE STORAGE MEDIUM |
| CN115473789A (en) * | 2022-09-16 | 2022-12-13 | 深信服科技股份有限公司 | Alarm processing method and related equipment |
| CN115473789B (en) * | 2022-09-16 | 2024-02-27 | 深信服科技股份有限公司 | Alarm processing method and related equipment |
Also Published As
| Publication number | Publication date |
|---|---|
| CN111818050B (en) | 2024-01-19 |
Similar Documents
| Publication | Title |
|---|---|
| CN108306771B (en) | Log reporting method, device and system |
| CN111262887B (en) | Network risk detection method, device, equipment and medium based on object characteristics |
| CN110222789B (en) | Image recognition method and storage medium |
| CN110674022B (en) | Behavior data acquisition method and device and storage medium |
| CN111818050B (en) | Target access behavior detection method, system, device, equipment and storage medium |
| CN109815150B (en) | Application testing method and device, electronic equipment and storage medium |
| CN108132790B (en) | Method, apparatus and computer storage medium for detecting a garbage code |
| CN111614634A (en) | Flow detection method, device, equipment and storage medium |
| CN110569220B (en) | Game resource file display method and device, terminal and storage medium |
| CN110839128B (en) | Photographic behavior detection method, device and storage medium |
| CN110414232B (en) | Malicious program early warning method and device, computer equipment and storage medium |
| CN111178343A (en) | Multimedia resource detection method, device, equipment and medium based on artificial intelligence |
| CN110969072A (en) | Model optimization method and device and image analysis system |
| CN111416996B (en) | Multimedia file detection method, multimedia file playing device, multimedia file equipment and storage medium |
| CN107944024B (en) | Method and device for determining audio file |
| CN113343709A (en) | Method for training intention recognition model, method, device and equipment for intention recognition |
| CN108537040B (en) | Method, device, terminal and storage medium for intercepting telecom fraud Trojan horse program |
| CN111931712B (en) | Face recognition method, device, snapshot machine and system |
| CN113936240A (en) | Method, device and equipment for determining sample image and storage medium |
| US12111998B2 (en) | Touch control method and apparatus, device and storage medium |
| CN112308104A (en) | Abnormity identification method and device and computer storage medium |
| HK40030768A (en) | Method, system and apparatus for detecting target access behavior, device and storage medium |
| CN110458289B (en) | Multimedia classification model construction method, multimedia classification method and device |
| CN114615520A (en) | Subtitle positioning method, subtitle positioning device, computer equipment and medium |
| CN110837642A (en) | Malicious program classification method, device, equipment and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | REG | Reference to a national code | Ref country code: HK; Ref legal event code: DE; Ref document number: 40030768; Country of ref document: HK |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |