TWI706646B - Target equipment prediction method, device, electronic equipment and storage medium - Google Patents

Abstract

The embodiment of this case discloses a prediction method, device, electronic device and storage medium of a target device. The method includes: obtaining a remote login log generated by a preset device in a predetermined time period under a network topology; extracting preset feature attributes from the remote login log; and using a pre-trained device prediction model to analyze the The preset characteristic attributes are processed, and whether the preset device is a target device under the network topology structure is predicted; wherein, the target device is used to manage and control multiple devices under the network topology structure. Through the implementation of this case, relevant features can be extracted from massive remote log-in logs, and the relevant features can be analyzed and processed through the pre-trained device prediction model, and target devices that have control over other devices can be located from the massive devices .

Description

Target equipment prediction method, device, electronic equipment and storage medium

This case involves the field of computer technology, and specifically relates to a prediction method, device, electronic device, and storage medium for a target device.

Under the same network topology, some devices are application devices, and some devices are operation and maintenance management and control devices. Managers or developers can log in to other application devices through some specific devices to perform operation and maintenance management operations. These specific devices usually have the ability to log in to a large number of other devices, which can be called operation and maintenance control devices. Once the operation and maintenance control equipment is compromised by hackers, a large number of application equipment will be compromised directly. Therefore, how to sort out these operation and maintenance control equipment is a major problem that exists in the industry.

The embodiment of this case provides a method, device, electronic device, and computer-readable storage medium for the prediction of the target device and the training of the device prediction model. In the first aspect, an embodiment of this case provides a method for predicting a target device, which includes: obtaining remote login logs generated by a preset device in a network topology within a predetermined time period; extracting from the remote login logs Preset feature attributes; use a pre-trained device prediction model to process the preset feature attributes, and predict whether the preset device is a target device under the network topology; wherein, the target device is Used to control multiple devices under the network topology. Further, the preset characteristic attribute includes the number of times and/or the number of remote logins of other devices in the network topology by the preset device within the predetermined time period. Further, for each of the remote login logs, the preset feature attribute further includes at least one of the following: whether the preset device uses a key to log in remotely to other devices; how the preset device is used Remotely log in to other devices as a user; whether the preset device is successfully logged in. Further, the method further includes: acquiring a plurality of training samples; wherein the training samples include a feature part and a result labeling part, the characteristic part includes the preset feature attribute, and the result labeling part is used to label the Whether the training sample is a positive training sample or a negative training sample; using a plurality of the training samples to train an artificial intelligence model to obtain the equipment prediction model. Further, the acquiring multiple training samples includes: acquiring remote login logs generated by multiple devices in a historical time period under the network topology; and determining from the remote login logs that the multiple devices log in to others The frequency and/or number of devices; generate a positive training sample from the remote login log corresponding to the first device whose frequency and/or number meets the preset condition, and from the frequency and/or number that do not meet the requirements The remote login log corresponding to the second device under the preset condition generates a negative training sample. In the second aspect, the embodiment of the present case provides a method for training a device prediction model, which includes: obtaining remote login logs generated by multiple devices in a historical time period under a network topology; and determining all remote login logs from the remote login logs. The number and/or number of the multiple devices logging in to other devices; generating a positive training sample from the remote login log corresponding to the first device whose number and/or number meets the preset condition, and from the number and/or number Or, the remote login log corresponding to the second device whose number does not meet the preset condition generates negative training samples; using the positive training samples and the negative training samples to train the artificial intelligence model to obtain the device prediction model.

Further, a positive training sample is generated from the remote login log corresponding to the first device whose times and/or the number meets the preset condition, and from the first device whose times and/or number does not meet the preset condition Generating a negative training sample from the remote login log corresponding to the second device includes: extracting a first preset characteristic attribute from the remote login log corresponding to the first device, and generating the positive training sample according to the first preset characteristic attribute Extracting the second preset characteristic attribute from the remote login log corresponding to the second device, and generating the negative training sample according to the second preset characteristic attribute.

Further, the first preset characteristic attribute includes at least the number of times and/or the number of remote logins of other devices by the first device; and/or, the second preset characteristic attribute includes at least the second device The number and/or number of remote logins to other devices.

Further, for each remote login log corresponding to the first device, the first preset characteristic attribute further includes at least one of the following: whether the first device uses a key when remotely logging in to other devices Login; what user identity the first device uses to remotely log in to other devices; the first device Whether the device is successfully logged in; and/or, for each of the remote login logs corresponding to the second device, the second preset characteristic attribute further includes at least one of the following: the second device remotely logs in to other Whether the device uses a key to log in; what user identity the second device uses to remotely log in to other devices; whether the second device is successfully logged in.

In a third aspect, an embodiment of the present case provides a device for predicting a target device, including: a first acquisition module configured to acquire remote login logs generated by a preset device in a network topology within a predetermined time period; and extract; The module is configured to extract preset feature attributes from the remote login log; the prediction module is configured to process the preset feature attributes using a pre-trained device prediction model, and predict the prediction It is assumed that the device is a target device in the network topology; wherein, the target device is used to manage and control multiple devices in the network topology.

Further, the preset characteristic attribute includes the number of times and/or the number of remote logins of other devices in the network topology by the preset device within the predetermined time period.

Further, for each of the remote login logs, the preset feature attribute further includes at least one of the following: whether the preset device uses a key to log in remotely to other devices; how the preset device is used Remotely log in to other devices as a user; whether the preset device is successfully logged in.

Further, the device further includes: a second acquisition module configured to acquire a plurality of training samples; wherein the training samples include a feature part and a result labeling part, and the feature part includes the preset feature attribute, The result labeling part is used to label the training sample as a positive training sample. Is a negative training sample; the first training module is configured to use a plurality of the training samples to train the artificial intelligence model to obtain the equipment prediction model.

Further, the second acquisition module includes: a first acquisition sub-module configured to acquire remote login logs generated by multiple devices in a historical time period under the network topology; a first determining sub-module The module is configured to determine from the remote login log the number and/or the number of times the multiple devices log in to other devices; generating a sub-module configured to satisfy the preset from the number and/or number The remote login log corresponding to the first device of the condition generates a positive training sample, and a negative training sample is generated from the remote login log corresponding to the second device whose number and/or number does not meet the preset condition.

The functions can be realized through hardware, or through hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above-mentioned functions.

In a possible design, the structure of the prediction device of the target device includes a memory and a processor, and the memory is used to store one or more prediction devices supporting the target device to perform the prediction of the target device in the first aspect. The computer instructions of the method, the processor is configured to execute the computer instructions stored in the memory. The prediction device of the target device may also include a communication interface, and the prediction device of the target device can communicate with other devices or a communication network.

In a fourth aspect, an embodiment of the present case provides a device prediction model training device, including: a third acquisition module configured to acquire remote login logs generated by multiple devices in a historical time period under a network topology; the first The determining module is configured to determine the number and/or number of times the multiple devices log in to other devices from the remote login log; the generating module is configured to determine the number and/or number of times and/or numbers satisfying a preset The remote login log corresponding to the first device of the condition generates a positive training sample, and a negative training sample is generated from the remote login log corresponding to the second device whose number and/or number does not meet the preset condition; second The training module is configured to use the positive training sample and the negative training sample to train the artificial intelligence model to obtain the equipment prediction model.

Further, the generation module includes: a first extraction sub-module configured to extract a first preset characteristic attribute from a remote login log corresponding to the first device, according to the first preset characteristic attribute Generate the positive training sample; a second extraction sub-module configured to extract the second preset feature attribute from the remote login log corresponding to the second device, and generate the second preset feature attribute according to the second preset feature attribute Said negative training sample.

Further, the first preset characteristic attribute includes at least the number of times and/or the number of remote logins of other devices by the first device; and/or, the second preset characteristic attribute includes at least the second device The number and/or number of remote logins to other devices.

Further, for each remote login log corresponding to the first device, the first preset characteristic attribute further includes at least one of the following: whether the first device uses a key when remotely logging in to other devices Login; what user identity the first device uses to remotely log in to other devices; whether the first device is successfully logged in; and/or, for each remote login log corresponding to the second device, the The second preset characteristic attribute also includes at least one of the following: whether the second device uses a key to log in remotely to other devices; what user identity the second device uses to remotely log in to other devices; the second Whether the device is successfully logged in. The functions can be realized through hardware, or through hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above-mentioned functions. In a possible design, the structure of the device prediction model training device includes a memory and a processor, and the memory is used to store one or more training devices supporting the device prediction model to perform the device prediction in the first aspect. The computer instructions of the model training method, the processor is configured to execute the computer instructions stored in the memory. The training device for the equipment prediction model may also include a communication interface, and the training device for the equipment prediction model communicates with other equipment or a communication network. In a fifth aspect, an embodiment of the present case provides an electronic device including a memory and a processor; wherein the memory is used to store one or more computer instructions, wherein the one or more computer instructions are The processor executes the method steps described in the first aspect or the second aspect. In the sixth aspect, an embodiment of the present case provides a computer-readable storage medium for storing computer instructions used by the prediction device of the target device or the training device of the device prediction model, which includes instructions for executing the target device in the first aspect. The prediction method or the computer instructions involved in the training method of the equipment prediction model in the second aspect. The technical solutions provided by the embodiments of this case may include the following beneficial effects: The embodiment of this case obtains the remote login log of the device under the network topology and extracts the preset feature attributes from it, then analyzes the preset feature attributes according to the pre-trained device prediction model to predict whether the device is the target equipment. Through the implementation of this case, relevant features can be extracted from massive remote log-in logs, and the relevant features can be analyzed and processed through the pre-trained device prediction model, and target devices that have control over other devices can be located from the massive devices In this case, the equipment training technology was used to greatly improve the accuracy of locating the target device from the remote log-in log, and it solved the problem that the equipment with management and control capabilities under the large-scale network topology is difficult to locate. It should be understood that the above general description and the following detailed description are only exemplary and explanatory, and cannot limit the case.

Hereinafter, exemplary embodiments of the present case will be described in detail with reference to the accompanying drawings, so that those skilled in the art can easily implement them. In addition, for the sake of clarity, parts irrelevant to describing the exemplary embodiments are omitted in the drawings. In this case, it should be understood that terms such as "including" or "having" are intended to indicate the existence of the features, numbers, steps, actions, components, parts, or combinations thereof disclosed in this specification, and are not intended to exclude one or The possibility that multiple other features, numbers, steps, actions, components, parts or combinations thereof exist or be added. In addition, it should be noted that the embodiments in this case and the features in the embodiments can be combined with each other if there is no conflict. Hereinafter, this case will be described in detail with reference to the drawings and in conjunction with embodiments. Under a known network topology, there are approximately 10 million system logs in the master station every day. According to the system log, the existing technology counts the devices that log in to other devices more than 100 times a day, and confirms that these devices are target devices with the ability to control other devices, which can also be called operation and maintenance control devices. Although the existing technical solutions are relatively simple to implement, the recall rate is very low, and a large number of operation and maintenance control equipment with less than 100 logins will be missed. Because the login frequency of many operation and maintenance control equipment is not very high, some login times are once an hour, and some even once a day, so simply relying on the login frequency cannot solve the problem well. Fig. 1 shows a flowchart of a method for predicting a target device according to an embodiment of the present case. As shown in Figure 1, the prediction method of the target device includes the following steps S101-S103: In step S101, obtain remote login logs generated by a preset device in a predetermined time period under the network topology; In step S102, extract preset characteristic attributes from the remote login log; In step S103, a pre-trained device prediction model is used to process the preset feature attributes and predict whether the preset device is a target device under the network topology; wherein, the target device is Used to control multiple devices under the network topology. In this embodiment, a network topology may include multiple devices interconnected by transmission media, and network communication can be performed between these devices. Most of the devices in the network topology may be devices that execute corresponding applications. However, a small part of the equipment is used as the target equipment for controlling other equipment, which can be used by managers to remotely log in to other equipment, and then maintain and manage other equipment. The target device is an operation and maintenance control device that can remotely log in to other devices in the network topology and manage other devices, and it has the ability to remotely log in to a large number of other devices. The default device can be any device in the network topology, it can be an operation and maintenance control device, or other application devices. The remote login logs generated by any device under the network topology can be stored in the database in advance. When the target device is located, the remote login generated by the preset device within a predetermined time period can be obtained from the database. Log. Since the frequency of the target device remotely logging into other application devices is not necessarily high, it is possible to determine whether the preset device is the target device by setting a predetermined time period and based on the remote login logs generated within the predetermined time period. The unit of the predetermined time period can be week, month, etc., which can be set according to the actual situation, and there is no restriction on this. In this embodiment, the remote login log may be an SSH login log. An SSH login log records information related to a preset device logging in to other devices, and may include the following fields, for example: 1. Host name of the device being logged in 2. SSH login time 3. SSH login result (success or failure) 4. SSH login method (password or key) 5. SSH login user 6. Source login IP 7. Source login port In order to predict whether the preset device is the target device, the relevant preset feature attributes can be extracted from the above fields in the SSH login log, and then the pre-trained device prediction model can be used to process the extracted preset feature attributes, and Predict whether the preset device is the target device. The commonality of the target device includes: multiple remote logins to other devices within a period of time, and the number of logins to other devices is basically not 1 (because one operation and maintenance control device usually manages and maintains multiple other devices ). In addition, the target device is used as an operation and maintenance management and control device, and the purpose of remotely logging in to other devices is to manage and maintain other devices. It has greater rights and may be more likely to log in to other devices as root users. Therefore, based on these commonalities of the target device, preset feature attributes can be set in advance, and after obtaining the SSH login log within a predetermined period of time, the preset feature attributes can be extracted from the SSH login log, and the pre-trained device prediction model can be used to perform prediction. The device prediction model is also obtained by pre-training through preset feature attributes, and can predict whether the preset device is a target device based on the preset feature attributes extracted from the SSH login log of the preset device. The equipment prediction model can be trained using artificial intelligence models. Artificial intelligence models include, but are not limited to, one or more of logistic regression, convolutional neural networks, deep neural networks, support vector machines, K-means, K-neighbors, decision trees, random forests, and Bayesian networks combination. The embodiment of this case obtains the remote login log of the device under the network topology and extracts the preset feature attributes from it, then analyzes and processes the preset feature attributes according to the pre-trained prediction model to predict whether the device is the target equipment. Through the implementation of this case, relevant features can be extracted from massive remote log-in logs, and the relevant features can be analyzed and processed through the pre-trained device prediction model, and target devices that have control over other devices can be located from the massive devices In this case, the equipment training technology was used to greatly improve the accuracy of locating the target device from the remote log-in log, and solve the problem that the equipment used for management and control under the large-scale network topology is difficult to locate. In an optional implementation of this embodiment, the preset characteristic attribute includes the number and/or number of remote logins of other devices in the network topology by the preset device within the predetermined time period. . In this alternative implementation, the number of times the preset device logs in to other devices can be determined based on the addition of 1 for each remote log in to other devices; and the number of other devices logged in can be based on the total number of logged-in devices within a predetermined time period. For the number of other devices, it can be understood that the same device may have been remotely logged in multiple times, so the number is greater than the number. As the operation and maintenance control device, the target device will log in to other devices remotely at least for a period of time, and usually more than one other device is logged in. In addition, as the operation and maintenance control device, the target device will also log in to other devices remotely at least within a period of time, and the number of times to log in to other devices is more than once. Therefore, it is possible to determine whether the preset device is the target device based on the combination of one or two of the two preset characteristic attributes, that is, the number and number of remote logins of the preset device to other devices. The target device will register several other devices and how many other devices within a period of time, depending on the network topology and application environment where it is located. Therefore, for different network topologies and application environments, at least the default device can be used One or a combination of one or two of the number and number of remote logins to other devices is pre-trained to obtain a device prediction model, and then in practical applications, use the device prediction model to the network topology and the default device in the application environment Make predictions. In this way, a device prediction model with higher accuracy can be obtained, making the prediction of the target device more accurate. In an optional implementation manner of this embodiment, for each remote login log, the preset characteristic attribute further includes at least one of the following: Whether the preset device uses a key to log in when remotely logging in to other devices; What user identity the preset device uses to remotely log in to other devices; Whether the preset device is successfully logged in. In this optional implementation manner, in addition to the above-mentioned preset device remote login times and numbers of other devices, other preset feature attributes may also be included, which can assist in determining whether the preset device is a target device, so as to increase prediction accuracy. Other preset characteristic attributes include, but are not limited to, the login method for the preset device to remotely log in to other devices, user identity, and whether the login is successful. The login method includes whether to log in with a key, and user identities include system users, root users, and ordinary users. Normally, in the process of O&M and control of other devices, the target device may log in to other devices multiple times in a short period of time. If you manually enter the user name and password every time you log in to other devices, it will take up a lot of time for O&M personnel. Therefore, under normal circumstances, the operation and maintenance personnel will generate a key pair for other devices, that is, a pair of public and private keys, and store the public key on other devices, while the private key is stored on the target device. When the target device logs in to other devices , Can automatically pair the private key on the target device with the public key on other devices, and then log in to other devices. In this way, the login authentication process is automatic without manual intervention, so it can save the time of operation and maintenance personnel And energy. In addition, the target device usually logs in to other devices as the root user so that it can control other devices with the maximum authority. Using the above-mentioned preset characteristic attributes to make predictions can exclude some users from remotely logging in to their devices to work. In the training stage of the equipment prediction model, the above-mentioned other preset feature attributes can also be used for training, so that the prediction accuracy of the equipment prediction model is further improved. In an optional implementation of this embodiment, as shown in FIG. 2, the method further includes the following steps S201-S202: In step S201, a plurality of training samples are obtained; wherein, the training sample includes a feature part and a result labeling part, the feature part includes the preset feature attribute, and the result labeling part is used to label the training sample as Positive training sample or negative training sample; In step S202, a plurality of the training samples are used to train an artificial intelligence model to obtain the equipment prediction model. In this optional implementation manner, in the training phase of the equipment prediction model, a suitable artificial intelligence model can be selected first. Artificial intelligence models include, but are not limited to, one or more of logistic regression, convolutional neural networks, deep neural networks, support vector machines, K-means, K-neighbors, decision trees, random forests, and Bayesian networks combination. The type and structure of the corresponding artificial intelligence model can be selected according to the actual situation, and the artificial intelligence model can be established according to the number of preset feature attributes. After that, training samples can be collected. The training sample can include a feature part and a result annotation part. The feature part includes preset feature attributes for training, which can be extracted from the remote login log of the target device (known as the target device) in the past period of time. It can also be extracted from the remote login logs of non-target devices (known as non-target devices) in the past period of time, and the result labeling part is used to label the training samples as positive training samples or negative training samples, positive training The sample corresponds to the target device, and the negative training sample corresponds to the non-target device. After collecting enough training samples, you can use the training samples to train the established artificial intelligence model until the number of training reaches a certain value, or the parameters of the artificial intelligence model converge, stop training, and the training can predict whether it is The equipment prediction model of the target equipment. In an optional implementation of this embodiment, as shown in FIG. 3, the step 201, that is, the step of obtaining multiple training samples, further includes the following steps S301-S303: In step S301, obtain remote login logs generated by multiple devices in the historical time period under the network topology; In step S302, determine the number of times and/or the number of the multiple devices logging in to other devices from the remote login log; In step S303, a positive training sample is generated from the remote login log corresponding to the first device whose times and/or numbers meet the preset condition, and the times and/or numbers do not meet the preset condition The remote login log corresponding to the second device generates negative training samples. In this optional implementation manner, the historical time period may be a certain period of time in the past, which is specifically set according to actual conditions. In one embodiment, the historical time period is similar to the predetermined time period, that is, the difference between the historical time period and the predetermined time period may be less than a preset threshold. This is because the application device prediction model When forecasting, the preset feature attributes include the number and number of other devices logged in by the preset device within a predetermined time period. If the historical time period and the predetermined time period used when training the equipment prediction model are not much different, the prediction accuracy of the equipment prediction model can be made higher. When collecting training samples, this implementation method uses the remote login logs generated by multiple devices in the historical time period under the preset network topology to count the number of times and/or the number (including times) that each device logs in to other devices , Number, or a combination of the two), and based on the number and/or number to determine whether the device is a target device, and then extract preset feature attributes from the remote login log to generate positive training samples and negative training samples. This is because after statistical analysis, it can be found that when the number and/or number of logins of a device to other devices is greater than a larger threshold, it can basically be determined that the device is the target device, and the number and/or number of When the number is less than a small threshold, it can basically be determined that the device is a non-target device. Therefore, in this way, enough positive training samples and negative training samples can be collected when the target device is not certain. The following describes the training process of the equipment prediction model in detail through a specific example. 1. Preset feature attribute extraction: First, for multiple devices under the current network topology, make statistics on the SSH login log data within one month, and perform the following two statistics on the SSH login log data within one month: The number of times a certain IP has logged in to other devices in a month; The number of logins to other different devices from a certain IP within a month; Use the counted times and numbers as the two preset characteristic attribute values (the first preset characteristic attribute and the second preset characteristic attribute) of the device corresponding to the IP; In addition to the above two feature attributes, feature extraction is performed on each SSH login log data. The specific methods are as follows: The extraction of the characteristic attribute of the login result (the third preset characteristic attribute): If the login is successful, the characteristic attribute of the login result is set to 1, and the characteristic attribute of the login result is set to 0 if the login fails. The extraction of the characteristic attribute of the login method (the fourth preset characteristic attribute): If the login is with a public key, the characteristic attribute of the login method is set to 1, and the characteristic attribute of the login method is set to 0 in other methods. Extraction of user identity features: users are divided into three categories, the first category is root users, the second category is system users (admin, log, agent), and the third category is other users; if the logged-in user identity is root user, Then set the root user identity characteristic attribute (the fifth preset characteristic attribute) in the user identity characteristic attribute to 1. If the logged-in user identity is a system user, set the system user identity characteristic attribute (the fifth The six preset characteristic attributes) are set to 1, otherwise the root user identity characteristic attributes and the system user identity characteristic attributes are both set to 0. 2. Generate positive and negative training samples: The sorting of operation and maintenance control equipment is essentially a two-class problem. From the SSH log, it can be determined that a device is an O&M control device or not an O&M control device. Therefore, the generation of positive and negative training samples is the same. Through existing experience, a batch of equipment can be determined as operation and maintenance control equipment, or a batch of equipment can be determined as non-operation and maintenance control equipment. The following explains the logic of generating positive and negative training samples in this example: 1) Positive training sample generation logic: Operation and maintenance management and control equipment usually log in to a large number of different devices, which not only meets the requirements of the number of logins, but also needs to meet the requirements of the number of different devices. Therefore, the generation of positive training samples meets two requirements: Log in to other devices more than 3000 times within a month; There are more than 3 other devices logged in by this device within a month. Therefore, from the SSH login logs generated by multiple devices under the network topology within a month, a total of 1012591 positive training samples can be generated according to the above logic. 2) Logic for generating negative training samples: The logic of generating negative training samples is relatively simple. Either one of the following two conditions is satisfied: The number of logins to other devices in a month is less than 10 times. There is only one other device logged in by this device within a month. Therefore, from the SSH login logs generated by multiple devices under the network topology within a month, a total of 958061 negative training samples can be generated according to the above logic. 3. Establishment and training of artificial intelligence models: In this example, the logistic regression model is selected for training. The logistic regression algorithm needs to specify the feature column and the result column. In this example, the above six preset feature attributes are designated as feature columns. Mark the results of the positive and negative training samples (that is, whether the target device or the non-target device) is the result column. Set the logistic regression model parameters as follows: Maximum number of iterations: 100 Convergence error: 0.000001 Target benchmark value: 1 Use the positive training samples and negative training samples collected above to train the logistic regression model. When the maximum number of iterations reaches 100 or the parameter convergence error is 0.000001, the training is stopped to obtain a trained equipment prediction model. On the other hand, this case also discloses the training method of the equipment prediction model. Fig. 4 shows a flowchart of a training method of a device prediction model according to another embodiment of the present case. As shown in FIG. 4, the training method of the equipment prediction model includes the following steps S401-S404: In step S401, obtain remote login logs generated by multiple devices in the historical time period under the network topology; In step S402, determine the number of times and/or the number of the multiple devices logging in to other devices from the remote login log; In step S403, a positive training sample is generated from the remote login log corresponding to the first device whose times and/or numbers meet the preset condition, and the times and/or numbers do not meet the preset condition The remote login log corresponding to the second device in, generates negative training samples; In step S404, the artificial intelligence model is trained using the positive training sample and the negative training sample to obtain an equipment prediction model. In this embodiment, the target device is a device that can be used to log in to other devices in the network topology, and then to manage and maintain other devices. Most of the network topology is non-target devices, that is, application devices used to execute applications, and a small part are target devices. As the running time of the network topology increases, it becomes increasingly difficult to locate the target device. Therefore, in order to obtain the ability to predict whether a certain device under the network topology is a target device, an artificial intelligence model can be trained through training samples to obtain a device prediction model. In this embodiment, the number of remote login logs generated by multiple devices in the historical period of time under the network topology is calculated to obtain the number of times that one device logs in to other devices, and the number of times that device logs in to other different devices. Whether the number of times and/or the number meets the preset conditions is used to determine whether it is the first device or the second device. If it is the first device, a positive training sample can be generated according to the remote login log corresponding to the first device. The device can generate negative training samples according to the remote login log corresponding to the second device. That is, if the above-mentioned times and/or numbers meet the preset condition, the device can be considered as a target device, and if the preset condition is not satisfied, it is a non-target device. The preset conditions can be set according to the actual conditions of target devices and non-target devices under the network topology. This is because after statistical analysis, when the number and/or number of logins of a device to other devices is greater than a larger threshold, it can basically be determined that the device is the target device, and the number and/or number are less than In the case of a smaller threshold value, it can basically be determined that the device is a non-target device, while the larger threshold value and the smaller threshold value can be set according to actual conditions. In this way, when the target device is not known, positive training samples and negative training samples can still be generated, and the number of positive and negative training samples generated can also be large enough. After the training samples are generated, a suitable artificial intelligence model can be selected for training. Artificial intelligence models include, but are not limited to, one or more of logistic regression, convolutional neural networks, deep neural networks, support vector machines, K-means, K-neighbors, decision trees, random forests, and Bayesian networks combination. The type of the corresponding artificial intelligence model can be selected according to the actual situation, and the artificial intelligence model can be established according to the number of preset feature attributes. After that, training samples can be used to train the established artificial intelligence model until the number of training times reaches a certain value, or the parameters of the artificial intelligence model converge, stop training, and the training obtains a device prediction model that can predict whether it is the target device. The sequence of collection of training samples, selection and establishment of artificial intelligence models can be determined according to actual conditions. Training samples can be collected first, or artificial intelligence models can be selected and established first. For the relevant details of this embodiment, refer to the description of the prediction method of the target device described above, which will not be repeated here. In an optional implementation of this embodiment, as shown in FIG. 5, the step S403 is to generate a positive log from the remote login log corresponding to the first device whose number and/or number meets the preset condition. Training samples, the step of generating negative training samples from remote login logs corresponding to the second device whose times and/or numbers do not meet the preset conditions, further includes the following steps; In step S501, extract a first preset characteristic attribute from the remote login log corresponding to the first device, and generate the positive training sample according to the first preset characteristic attribute; In step S502, the second preset characteristic attribute is extracted from the remote login log corresponding to the second device, and the negative training sample is generated according to the second preset characteristic attribute.

In this optional implementation manner, after the first device (that is, the target device) and the second device (non-target device) are determined, the first device and the second device can be extracted from the remote login logs corresponding to the second device. A preset feature attribute and a second preset feature attribute are used to generate positive training samples and negative training samples. Whether it is a positive training sample or a negative training sample, it includes two parts: a feature part and a result labeling part; the feature part includes the features that can characterize whether the device is the target device, that is, the first preset feature attribute and the second The feature attribute is preset, and the result labeling part is used to label whether the feature part corresponds to the feature of the target device or the feature of the non-target device. The first preset feature attribute and the second preset feature attribute must include at least the number of times the first device and the second device log in to other devices and the number of other devices logged in during the historical time period, except for these two preset characteristics In addition to attributes, other characteristic attributes can also be included.

In an optional implementation of this embodiment, the first preset characteristic attribute includes at least the number of times and/or the number of remote logins by the first device to other devices; and/or, the second preset The characteristic attribute includes at least the number of times and/or the number of remote logins by the second device to other devices.

In an optional implementation of this embodiment, for each remote login log corresponding to the first device, the first preset characteristic attribute further includes at least one of the following: the first device remote Whether to log in with the key when logging in to other devices; What user identity the first device uses to remotely log in to other devices; whether the first device is successfully logged in; and/or, for each remote log in log corresponding to the second device, the second device The preset characteristic attributes also include at least one of the following: whether the second device uses a key to log in remotely to other devices; what user identity the second device uses to remotely log in to other devices; whether the second device login successful.

In this optional implementation manner, the first preset characteristic attribute corresponding to the first device includes, in addition to the number of times and/or the number of remote logins of the first device to other devices, the first device to log in to other devices. Login method, login result, and user identity used for login. The login method can include whether to log in with a key, and the user identity can include system users, root users, and ordinary users. Under normal circumstances, the target device will use the key to log in to other devices, and the target device will usually log in to other devices as the root user, so as to be able to control other devices with maximum rights. Using other preset feature attributes for training can further improve the prediction accuracy of the device prediction model.

For some related details of the training method of the device prediction model, reference may also be made to the description in the above prediction method for the target device, which will not be repeated here.

The following are the device embodiments of this case, which can be used to implement the method embodiments of this case.

FIG. 6 shows a block diagram of the structure of a prediction device for a target device according to an embodiment of the present case. The device can be implemented as part or all of an electronic device through software, hardware or a combination of both. As shown in FIG. 6, the prediction apparatus of the target device includes a first acquisition module 601, an extraction module 602, and a prediction module 603: The first obtaining module 601 is configured to obtain remote login logs generated by a preset device in a predetermined time period under the network topology; The extraction module 602 is configured to extract preset feature attributes from the remote login log; The prediction module 603 is configured to use a pre-trained device prediction model to process the preset feature attributes and predict whether the preset device is a target device under the network topology; wherein, the The target device is used to manage multiple devices under the network topology. In this embodiment, a network topology may include multiple devices interconnected by transmission media, which are in the same production domain. These devices can communicate with each other on the network. Most devices in the network topology It can be the device that executes the corresponding application, and a small part of the device is the target device for controlling other devices, which can be used by the administrator to remotely log in to other devices, and then maintain and manage other devices. The target device is an operation and maintenance control device that can remotely log in to other devices in the network topology and manage other devices, and it has the ability to remotely log in to a large number of other devices. The default device can be any device in the network topology, it can be an operation and maintenance control device, or other application devices. The remote login logs generated by any device under the network topology can be stored in the database in advance. When the target device is located, the remote login generated by the preset device within a predetermined time period can be obtained from the database. Log. Since the frequency of the target device remotely logging into other application devices is not necessarily high, it is possible to determine whether the preset device is the target device by setting a predetermined time period and based on the remote login logs generated within the predetermined time period. The unit of the predetermined time period can be week, month, etc., which can be set according to the actual situation, and there is no restriction on this. In this embodiment, the remote login log may be an SSH login log. An SSH login log records information related to a preset device logging in to other devices, and may include the following fields, for example: 1. Host name of the device being logged in 2. SSH login time 3. SSH login result (success or failure) 4. SSH login method (password or public key) 5. SSH login user 6. Source login IP 7. Source login port In order to predict whether the preset device is the target device, the relevant preset feature attributes can be extracted from the above fields in the SSH login log, and then the pre-trained device prediction model can be used to process the extracted preset feature attributes, and Predict whether the preset device is the target device. The commonality of the target device includes: multiple remote logins to other devices within a period of time, and the number of logins to other devices is basically not 1 (because one operation and maintenance control device usually manages and maintains multiple other devices ). In addition, the target device is used as an operation and maintenance management and control device, and the purpose of remotely logging in to other devices is to manage and maintain other devices. It has greater rights and may be more likely to log in to other devices as root users. Therefore, based on these commonalities of the target device, preset feature attributes can be set in advance, and after obtaining the SSH login log within a predetermined period of time, the preset feature attributes can be extracted from the SSH login log, and the pre-trained device prediction model can be used to perform prediction. The device prediction model is also obtained by pre-training through preset feature attributes, and can predict whether the preset device is a target device based on the preset feature attributes extracted from the SSH login log of the preset device. The equipment prediction model can be trained using artificial intelligence models. Artificial intelligence models include, but are not limited to, one or more of logistic regression, convolutional neural networks, deep neural networks, support vector machines, K-means, K-neighbors, decision trees, random forests, and Bayesian networks combination. In the embodiment of this case, the first acquisition module 601 acquires the remote login log of the device under the network topology, and after the extraction module 602 extracts the preset feature attributes therefrom, the prediction module 603 compares the predictions based on the pre-trained prediction model. Set the characteristic attributes for analysis and processing, and predict whether the device is the target device. Through the implementation of this case, relevant features can be extracted from massive remote log-in logs, and the relevant features can be analyzed and processed through the pre-trained device prediction model, and target devices that have control over other devices can be located from the massive devices In this case, the equipment training technology was used to greatly improve the accuracy of locating the target device from the remote log-in log, and solve the problem that the equipment used for management and control under the large-scale network topology is difficult to locate. In an optional implementation of this embodiment, the preset characteristic attribute includes the number and/or number of remote logins of other devices in the network topology by the preset device within the predetermined time period. . In this alternative implementation, the number of times the preset device logs in to other devices can be determined based on the addition of 1 for each remote log in to other devices; and the number of other devices logged in can be based on the total number of logged-in devices within a predetermined time period. For the number of other devices, it can be understood that the same device may have been remotely logged in multiple times, so the number is greater than the number. As the operation and maintenance control device, the target device will log in to other devices remotely at least for a period of time, and usually more than one other device is logged in. In addition, as the operation and maintenance control device, the target device will also log in to other devices remotely at least within a period of time, and the number of times to log in to other devices is more than once. Therefore, it is possible to determine whether the preset device is the target device based on the combination of one or two of the two preset characteristic attributes, that is, the number and number of remote logins of the preset device to other devices. The target device will register several other devices and how many other devices within a period of time, depending on the network topology and application environment where it is located. Therefore, for different network topologies and application environments, at least the default device can be used One or a combination of one or two of the number and number of remote logins to other devices is pre-trained to obtain a device prediction model, and then in practical applications, use the device prediction model to the network topology and the default device in the application environment Make predictions. In this way, a device prediction model with higher accuracy can be obtained, making the prediction of the target device more accurate. In an optional implementation manner of this embodiment, for each remote login log, the preset characteristic attribute further includes at least one of the following: Whether the preset device uses a key to log in when remotely logging in to other devices; What user identity the preset device uses to remotely log in to other devices; Whether the preset device is successfully logged in. In this optional implementation manner, in addition to the above-mentioned preset device remote login times and numbers of other devices, other preset feature attributes may also be included, which can assist in determining whether the preset device is a target device, so as to increase prediction accuracy. Other preset characteristic attributes include, but are not limited to, the login method for the preset device to remotely log in to other devices, user identity, and whether the login is successful. The login method includes whether to log in with a key, and user identities include system users, root users, and ordinary users. Normally, in the process of O&M and control of other devices, the target device may log in to other devices multiple times in a short period of time. If you manually enter the user name and password every time you log in to other devices, it will take up a lot of time for O&M personnel. Therefore, under normal circumstances, the operation and maintenance personnel will generate a key pair for other devices, that is, a pair of public and private keys, and store the public key on other devices, while the private key is stored on the target device. When the target device logs in to other devices , Can automatically pair the private key on the target device with the public key on other devices, and then log in to other devices. In this way, the login authentication process is automatic without manual intervention, so it can save the time of operation and maintenance personnel And energy. In addition, the target device usually logs in to other devices as the root user so that it can control other devices with the maximum authority. Using the above-mentioned preset characteristic attributes to make predictions can exclude some users from remotely logging in to their devices to work. In the training stage of the equipment prediction model, the above-mentioned other preset feature attributes can also be used for training, so that the prediction accuracy of the equipment prediction model is further improved. In an optional implementation manner of this embodiment, the device further includes: The second acquisition module is configured to acquire a plurality of training samples; wherein the training sample includes a feature part and a result labeling part, the characteristic part includes the preset feature attribute, and the result labeling part is used to label the Whether the training sample is a positive training sample or a negative training sample; The first training module is configured to train an artificial intelligence model by using a plurality of the training samples to obtain the equipment prediction model. In this optional implementation manner, in the training phase of the equipment prediction model, a suitable artificial intelligence model can be selected first. Artificial intelligence models include, but are not limited to, one or more of logistic regression, convolutional neural networks, deep neural networks, support vector machines, K-means, K-neighbors, decision trees, random forests, and Bayesian networks combination. The type and structure of the corresponding artificial intelligence model can be selected according to the actual situation, and the artificial intelligence model can be established according to the number of preset feature attributes. After that, the second acquisition module can collect training samples. The training sample can include a feature part and a result annotation part. The feature part includes preset feature attributes for training, which can be extracted from the remote login log of the target device (known as the target device) in the past period of time. It can also be extracted from the remote login logs of non-target devices (known as non-target devices) in the past period of time, and the result labeling part is used to label the training samples as positive training samples or negative training samples, positive training The sample corresponds to the target device, and the negative training sample corresponds to the non-target device. After collecting enough training samples, the training module can use the training samples to train the established artificial intelligence model until the number of training reaches a certain value, or the parameters of the artificial intelligence model converge, stop training, and the training is able to Predict whether it is the equipment prediction model of the target equipment. In an optional implementation manner of this embodiment, the second acquisition module includes: The first obtaining sub-module is configured to obtain remote login logs generated by multiple devices in the historical time period under the network topology; The first determining submodule is configured to determine the number of times and/or the number of the multiple devices logging in to other devices from the remote login log; The generation sub-module is configured to generate a positive training sample from the remote login log corresponding to the first device whose times and/or numbers meet the preset conditions, and from the times and/or numbers that do not meet the The remote login log corresponding to the second device with the preset condition generates a negative training sample. In this optional implementation manner, the historical time period may be a certain period of time in the past, which is specifically set according to actual conditions. In one embodiment, the historical time period is similar to the predetermined time period, that is, the difference between the historical time period and the predetermined time period may be less than a preset threshold. This is because the application device prediction model When forecasting, the preset feature attributes include the number and number of other devices logged in by the preset device within a predetermined time period. If the historical time period and the predetermined time period used when training the equipment prediction model are not much different, the prediction accuracy of the equipment prediction model can be made higher. When collecting training samples, the first acquisition sub-module in this implementation method collects remote login logs generated by multiple devices in the historical time period under the preset network topology, and the first determining sub-module counts the logins of each device The frequency and/or number of other devices (including frequency, number or a combination of the two), the generation sub-module determines whether the device is the target device based on the frequency and/or number, and then extracts it from the remote login log Generate positive training samples and negative training samples from preset feature attributes. This is because after statistical analysis, it can be found that when the number and/or number of logins of a device to other devices is greater than a larger threshold, it can basically be determined that the device is the target device, and the number and/or number of When the number is less than a small threshold, it can basically be determined that the device is a non-target device. Therefore, in this way, enough positive training samples and negative training samples can be collected when the target device is not certain. On the other hand, this case also discloses a training device for the equipment prediction model. FIG. 7 shows a structural block diagram of a training device for a device prediction model according to an embodiment of the present case. The device can be implemented as part or all of an electronic device through software, hardware, or a combination of both. As shown in FIG. 6, the training of the device prediction model includes a third acquisition module 701, a first determination module 702, a generation module 703, and a training module 704: The third acquisition module 701 is configured to acquire remote login logs generated by multiple devices in a historical time period under the network topology; The first determining module 702 is configured to determine the number and/or number of times the multiple devices log in to other devices from the remote login log; The generating module 703 is configured to generate a positive training sample from the remote login log corresponding to the first device whose times and/or numbers meet the preset conditions, and from the times and/or numbers that do not meet the The remote login log corresponding to the second device with preset conditions generates negative training samples; The second training module 704 is configured to use the positive training samples and the negative training samples to train the artificial intelligence model to obtain a device prediction model. In this embodiment, the target device is a device that can be used to log in to other devices in the network topology, and then to manage and maintain other devices. Most of the network topology is non-target devices, that is, application devices used to execute applications, and a small part are target devices. As the running time of the network topology increases, it becomes increasingly difficult to locate the target device. Therefore, in order to obtain the ability to predict whether a certain device under the network topology is a target device, an artificial intelligence model can be trained through training samples to obtain a device prediction model. In this embodiment, the third obtaining module 701 uses remote login logs generated by multiple devices in a historical period of time under the network topology, and the first determining module 702 counts the number of times that one device logs in to other devices. , And the number of other different devices registered by the device, the generation module 703 then determines whether it is the first device or the second device according to whether the number and/or number meets the preset conditions, and if it is the first device, it generates the module 703 may generate positive training samples according to the remote login log corresponding to the first device, and if it is a second device, the generating module 703 may generate negative training samples according to the remote login log corresponding to the second device. That is, if the above-mentioned times and/or numbers meet the preset condition, the device can be considered as a target device, and if the preset condition is not satisfied, it is a non-target device. The preset conditions can be set according to the actual conditions of target devices and non-target devices under the network topology. This is because after statistical analysis, it can be found that when the number and/or number of logins of a device to other devices is greater than a larger threshold, it can basically be determined that the device is the target device, and the number and/or number of When the number is less than a smaller threshold, it can basically be determined that the device is a non-target device, and the larger and smaller thresholds can be set according to actual conditions. In this way, when the target device is not known, positive training samples and negative training samples can still be generated, and the number of positive and negative training samples generated can also be sufficient. After the training samples are generated, the second training module 704 can select a suitable artificial intelligence model for training. Artificial intelligence models include, but are not limited to, one or more of logistic regression, convolutional neural networks, deep neural networks, support vector machines, K-means, K-neighbors, decision trees, random forests, and Bayesian networks combination. The type of the corresponding artificial intelligence model can be selected according to the actual situation, and the artificial intelligence model can be established according to the number of preset feature attributes. After that, training samples can be used to train the established artificial intelligence model until the number of training reaches a certain value, or the parameters of the artificial intelligence model converge, stop training, and the training obtains a device prediction model that can predict whether it is the target device. The sequence of collection of training samples, selection and establishment of artificial intelligence models can be determined according to actual conditions. Training samples can be collected first, or artificial intelligence models can be selected and established first. For the relevant details of this embodiment, please refer to the description of the prediction apparatus of the target device mentioned above, which will not be repeated here. In an optional implementation of this embodiment, the generating module 703 includes: The first extraction submodule is configured to extract a first preset characteristic attribute from a remote login log corresponding to the first device, and generate the positive training sample according to the first preset characteristic attribute; The second extraction sub-module is configured to extract the second preset feature attribute from the remote login log corresponding to the second device, and generate the negative training sample according to the second preset feature attribute.

In this optional implementation manner, after the first device (that is, the target device) and the second device (non-target device) are determined, the first extraction sub-module and the second extraction sub-module can also obtain data from the first device The remote login log corresponding to the second device extracts the first preset feature attribute and the second preset feature attribute, and then generates a positive training sample and a negative training sample. Whether it is a positive training sample or a negative training sample, it includes two parts: a feature part and a result labeling part; the feature part includes the features that can characterize whether the device is the target device, that is, the first preset feature attribute and the second The feature attribute is preset, and the result labeling part is used to label whether the feature part corresponds to the feature of the target device or the feature of the non-target device. The first preset feature attribute and the second preset feature attribute must include at least the number of times the first device and the second device log in to other devices and the number of other devices logged in during the historical time period, except for these two preset characteristics In addition to attributes, other characteristic attributes can also be included.

In an optional implementation of this embodiment, the first preset characteristic attribute includes at least the number of times and/or the number of remote logins by the first device to other devices; and/or, the second preset The characteristic attribute includes at least the number of times and/or the number of remote logins by the second device to other devices.

In an optional implementation of this embodiment, for each remote login log corresponding to the first device, the first preset characteristic attribute further includes at least one of the following: the first device remote Whether to log in with the key when logging in to other devices; What user identity the first device uses to remotely log in to other devices; whether the first device is successfully logged in; and/or, for each remote log in log corresponding to the second device, the second device The preset characteristic attributes also include at least one of the following: whether the second device uses a key to log in remotely to other devices; what user identity the second device uses to remotely log in to other devices; whether the second device login successful.

In this optional implementation manner, the first preset characteristic attribute corresponding to the first device includes, in addition to the number of times and/or the number of remote logins of the first device to other devices, the first device to log in to other devices. Login method, login result, and user identity used for login. The login method can include whether to log in with a key, and the user identity can include system users, root users, and ordinary users. Under normal circumstances, the target device will use the key to log in to other devices, and the target device will usually log in to other devices as the root user, so as to be able to control other devices with maximum rights. Using other preset feature attributes for training can further improve the prediction accuracy of the device prediction model.

For some related details of the training device of the equipment prediction model, reference can also be made to the description of the above-mentioned prediction device of the target equipment, which will not be repeated here.

FIG. 8 is a schematic structural diagram of an electronic device suitable for implementing the prediction method of the target device according to the embodiment of the present case.

As shown in FIG. 8, the electronic device 800 includes a central processing unit (CPU) 801, which can be loaded into a random access memory (RAM) 803 according to a program stored in a read-only memory (ROM) 802 or from a storage part 808 The program in FIG. 1 executes various processes in the embodiment shown in FIG. 1 above. Various programs and data required for the operation of the electronic device 800 are also stored in the RAM 803. The CPU 801, the ROM 802, and the RAM 803 are connected to each other through a bus 804. The input/output (I/O) interface 805 is also connected to the bus 804. The following components are connected to the I/O interface 805: the input part 806 including keyboard, mouse, etc.; including the output part 807 such as cathode ray tube (CRT), liquid crystal display (LCD), etc., and speakers; including storage of hard disks, etc. Part 808; and a communication part 809 including a network interface card such as a LAN card and a modem. The communication section 809 performs communication processing via a network such as the Internet. The driver 810 is also connected to the I/O interface 805 as needed. Removable media 811, such as magnetic disks, optical disks, magneto-optical disks, semiconductor memory, etc., are installed on the drive 810 as needed, so that the computer programs read from it can be installed into the storage portion 808 as needed. In particular, according to the implementation of this case, the method described above with reference to FIG. 1 can be implemented as a computer software program. For example, the implementation of this case includes a computer program product, which includes a computer program tangibly contained on a readable medium thereof, and the computer program includes a program code for executing the method of FIG. 1. In such an embodiment, the computer program can be downloaded and installed from the Internet through the communication part 809, and/or installed from the removable medium 811. The above-mentioned electronic device shown in FIG. 8 is also suitable for implementing the training method of the device prediction model according to another embodiment of the present case. The flowcharts and block diagrams in the accompanying drawings illustrate the possible implementation of the system architecture, functions, and operations of the system, method, and computer program product according to various embodiments of the present case. In this regard, each block in the route diagram or block diagram can represent a module, program segment, or part of the code, and the module, program segment, or part of the code contains one or more logic for implementing the specified Function executable instructions. It should also be noted that, in some alternative implementations, the functions marked in the block may also occur in a different order from the order marked in the drawings. For example, two blocks shown in succession can actually be executed substantially in parallel, or they can sometimes be executed in the reverse order, depending on the functions involved. It should also be noted that each block in the block diagram and/or flowchart, as well as the combination of blocks in the block diagram and/or flowchart, can be implemented by a dedicated hardware-based system that performs specified functions or operations. It can be realized, or it can be realized by a combination of dedicated hardware and computer instructions. The units or modules involved in the embodiments described in this case can be implemented through software, or through hardware. The described units or modules can also be arranged in the processor, and the names of these units or modules do not constitute a limitation on the unit or module itself under certain circumstances. As another aspect, the present case also provides a computer-readable storage medium. The computer-readable storage medium may be the computer-readable storage medium included in the device described in the above-mentioned embodiment; it may also exist alone without being installed. A computer-readable storage medium inserted into the device. The computer-readable storage medium stores one or more programs, and the programs are used by one or more processors to execute the method described in this case. The above description is only a preferred embodiment of this case and an explanation of the applied technical principles. Those skilled in the art should understand that the scope of the invention involved in this case is not limited to the technical solution formed by the specific combination of the above-mentioned technical features, and should also cover the above-mentioned technical features or technical solutions without departing from the inventive concept. Other technical solutions formed by any combination of its equivalent features. For example, the above-mentioned features and the technical features disclosed in this case (but not limited to) with similar functions are mutually replaced to form a technical solution.

S101‧‧‧Step S102‧‧‧Step S103‧‧‧Step S201‧‧‧Step S202‧‧‧Step S301‧‧‧Step S302‧‧‧Step S303‧‧‧Step S401‧‧‧Step S402‧‧‧Step S403‧‧‧Step S404‧‧‧Step S501‧‧‧Step S502‧‧‧Step 601‧‧‧First acquisition module 602‧‧‧Extraction Module 603‧‧‧Prediction Module 701‧‧‧The third acquisition module 702‧‧‧First Confirmation Module 703‧‧‧Generate Module 704‧‧‧Second Training Module 800‧‧‧Electronic equipment 801‧‧‧Central Processing Unit 802‧‧‧Read only memory 803‧‧‧Random access memory 804‧‧‧Bus 805‧‧‧I/O interface 806‧‧‧input part 807‧‧‧Output section 808‧‧‧Storage section 809‧‧‧Communication part 810‧‧‧Drive 811‧‧‧Removable media

With reference to the accompanying drawings, through the following detailed description of the non-limiting implementation manners, other features, purposes and advantages of this case will become more apparent. In the attached picture: Fig. 1 shows a flowchart of a method for predicting a target device according to an embodiment of the present case; 2 shows a flowchart of the training part of the equipment prediction model in the target equipment prediction method according to an embodiment of the present case; FIG. 3 shows a flowchart of step S201 according to the embodiment shown in FIG. 2; Fig. 4 shows a flowchart of a training method of a device prediction model according to an embodiment of the present case; FIG. 5 shows a flowchart of step S403 according to the embodiment shown in FIG. 4; FIG. 6 shows a block diagram of the structure of a prediction device of a target device according to an embodiment of the present case; FIG. 7 shows a block diagram of the structure of a training device for a device prediction model according to an embodiment of the present case; FIG. 8 is a schematic structural diagram of an electronic device suitable for implementing the prediction method of the target device according to an embodiment of the present case.

Claims (20)

A method for predicting a target device, characterized by comprising: obtaining remote login logs generated by a preset device in a predetermined time period under a network topology; extracting preset feature attributes from the remote login log; The trained device prediction model processes the preset feature attributes and predicts whether the preset device is a target device under the network topology; wherein, the target device is used to control the network Multiple devices under the topology. The method for predicting the target device according to item 1 of the scope of patent application, wherein the preset characteristic attribute includes the remote login of the preset device to other devices in the network topology within the predetermined time period Frequency and/or number. According to the method for predicting the target device according to item 2 of the scope of patent application, wherein, for each remote login log, the preset characteristic attribute further includes at least one of the following: the preset device remotely logs in to others Whether the device uses a key to log in; what user identity the preset device uses to remotely log in to other devices; whether the preset device is successfully logged in. The method for predicting a target device according to item 1 of the scope of patent application, wherein the method further includes: acquiring a plurality of training samples; wherein the training samples include a characteristic part and a result labeling part, and the characteristic part includes all The preset feature attributes, the result labeling part is used to label whether the training sample is a positive training sample or a negative training sample; a plurality of the training samples are used to train an artificial intelligence model to obtain the equipment prediction model. The method for predicting a target device according to item 4 of the scope of patent application, wherein said obtaining multiple training samples includes: obtaining remote login logs generated by multiple devices in a historical time period under the network topology; From the remote login log, determine the number of times and/or the number of the multiple devices logging in to other devices; from the remote login log corresponding to the first device whose times and/or number meet the preset condition, generate a positive Training samples, generating negative training samples from remote login logs corresponding to second devices whose times and/or numbers do not meet the preset conditions. A method for training a device prediction model, characterized in that it comprises: obtaining remote login logs generated by multiple devices in a historical time period under a network topology; and determining from the remote login logs that the multiple devices log in to others equipment The number of times and/or the number; from the remote login log corresponding to the first device whose number and/or number meets the preset condition, a positive training sample is generated, and the number of times and/or number does not meet the The remote login log corresponding to the second device with preset conditions generates negative training samples; the artificial intelligence model is trained by using the positive training samples and the negative training samples to obtain the device prediction model. According to the training method of the device prediction model described in item 6 of the scope of patent application, a positive training sample is generated from the remote login log corresponding to the first device whose number and/or number meets the preset conditions, and The generation of a negative training sample from the remote login log corresponding to the second device whose number and/or number does not satisfy the preset condition includes: extracting a first preset characteristic attribute from the remote login log corresponding to the first device , Generating the positive training sample according to the first preset characteristic attribute; extracting the second preset characteristic attribute from the remote login log corresponding to the second device, and generating all the samples according to the second preset characteristic attribute Said negative training sample. The method for training a device prediction model according to item 7 of the scope of patent application, wherein the first preset characteristic attribute includes at least the number and/or number of remote logins of the first device to other devices; and/or , The second preset characteristic attribute at least includes the remote login of the second device to other devices Frequency and/or number. The method for training a device prediction model according to item 8 of the scope of patent application, wherein, for each remote login log corresponding to the first device, the first preset characteristic attribute further includes at least one of the following : Whether the first device remotely logs in to other devices using a key to log in; what user identity the first device uses to remotely log in to other devices; whether the first device logs in successfully; and/or, for the For each remote login log corresponding to the second device, the second preset characteristic attribute further includes at least one of the following: whether the second device uses a key to log in remotely to other devices; the second What user identity the device uses to remotely log in to other devices; whether the second device is successfully logged in. A predicting device for a target device, characterized by comprising: a first acquisition module configured to acquire remote login logs generated by a preset device in a network topology structure within a predetermined time period; and the extraction module is configured to Extract the preset feature attributes from the remote login log; the prediction module is configured to process the preset feature attributes using a pre-trained device prediction model, and predict whether the preset device is the The target device under the network topology; wherein, the target device It is used to control multiple devices under the network topology. The prediction device of the target device according to item 10 of the scope of patent application, wherein the preset characteristic attribute includes the remote login of the preset device to other devices in the network topology within the predetermined time period Frequency and/or number. The predicting device of the target device according to item 11 of the scope of patent application, wherein, for each of the remote login logs, the preset characteristic attribute further includes at least one of the following: the preset device remotely logs in other Whether the device uses a key to log in; what user identity the preset device uses to remotely log in to other devices; whether the preset device is successfully logged in. The prediction device of the target device according to item 10 of the scope of patent application, wherein the device further includes: a second acquisition module configured to acquire a plurality of training samples; wherein the training samples include characteristic parts and results An annotation part, the feature part includes the preset feature attributes, and the result annotation part is used to annotate whether the training sample is a positive training sample or a negative training sample; the first training module is configured to use a plurality of The training samples train the artificial intelligence model to obtain the equipment prediction model. The prediction device of the target device according to item 13 of the scope of patent application, wherein the second acquisition module includes: a first acquisition sub-module configured to acquire the status of multiple devices in the network topology A remote login log generated in a historical time period; a first determining sub-module configured to determine the number and/or number of the multiple devices logging in to other devices from the remote login log; generating a sub-module, Is configured to generate a positive training sample from the remote login log corresponding to the first device whose times and/or numbers meet the preset condition, and from the first device whose times and/or numbers do not meet the preset condition The remote login log corresponding to the second device generates negative training samples. A device prediction model training device, which is characterized by comprising: a third acquisition module configured to acquire remote login logs generated by multiple devices in a historical time period under a network topology; a first determination module, Is configured to determine from the remote login log the number of times and/or numbers of the multiple devices logging in to other devices; the generating module is configured to determine the number and/or number of the first device that meets the preset condition from the number and/or number The remote login log corresponding to the device generates a positive training sample, and a negative training sample is generated from the remote login log corresponding to the second device whose number and/or number does not meet the preset condition; the second training module, It is configured to use the positive training sample and the negative training sample to train an artificial intelligence model to obtain a device prediction model. Training according to the equipment prediction model described in item 15 of the scope of patent application The device, wherein the generation module includes: a first extraction sub-module configured to extract a first preset feature attribute from a remote login log corresponding to the first device, and according to the first preset feature Attribute to generate the positive training sample; a second extraction sub-module configured to extract the second preset feature attribute from the remote login log corresponding to the second device, and generate it according to the second preset feature attribute The negative training sample. The device for training a device prediction model according to item 16 of the scope of patent application, wherein the first preset characteristic attribute includes at least the number of times and/or the number of remote logins by the first device to other devices; and/or The second preset characteristic attribute includes at least the number of times and/or the number of remote logins by the second device to other devices. The training device for the equipment prediction model according to item 17 of the scope of patent application, wherein, for each remote login log corresponding to the first equipment, the first preset characteristic attribute further includes at least one of the following : Whether the first device remotely logs in to other devices using a key to log in; what user identity the first device uses to remotely log in to other devices; whether the first device logs in successfully; and/or, for the For each remote login log corresponding to the second device, the second preset characteristic attribute further includes at least one of the following: whether the second device uses a key to log in remotely to other devices Record; what user identity the second device uses to remotely log in to other devices; whether the second device logs in successfully. An electronic device, characterized by comprising a memory and a processor; wherein the memory is used to store one or more computer instructions, wherein the one or more computer instructions are executed by the processor to implement the application The method steps described in any one of items 1-9 in the scope of the patent. A computer-readable storage medium having computer instructions stored thereon is characterized in that, when the computer instructions are executed by a processor, the method steps described in any one of items 1-9 of the scope of patent application are realized.

Images