
CN111865999A - Access behavior recognition method and device, computing equipment and medium - Google Patents


Info

Publication number
CN111865999A
Authority
CN
China
Prior art keywords
data
access behavior
model
sample data
behavior data
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010727441.7A
Other languages
Chinese (zh)
Inventor
吴伟旺
苏建明
蒋家堂
王金希
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Industrial and Commercial Bank of China Ltd ICBC
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC
Application filed by Industrial and Commercial Bank of China Ltd ICBC
Priority to CN202010727441.7A
Publication of CN111865999A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/045 Combinations of networks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/142 Network analysis or design using statistical or mathematical methods
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/147 Network analysis or design for predicting network behaviour

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Mathematical Physics (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Computational Linguistics (AREA)
  • Artificial Intelligence (AREA)
  • General Health & Medical Sciences (AREA)
  • Evolutionary Computation (AREA)
  • Data Mining & Analysis (AREA)
  • Biophysics (AREA)
  • Software Systems (AREA)
  • Biomedical Technology (AREA)
  • Health & Medical Sciences (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Molecular Biology (AREA)
  • Probability & Statistics with Applications (AREA)
  • Pure & Applied Mathematics (AREA)
  • Mathematical Optimization (AREA)
  • Mathematical Analysis (AREA)
  • Algebra (AREA)
  • Computer Hardware Design (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The present disclosure provides an access behavior identification method, including: acquiring first access behavior data generated when a current user accesses a server within a first time period; processing the first access behavior data by using the trained prediction model to predict second access behavior data generated by a current user about to access the server in a second time period, wherein the second time period is after the first time period; determining complete access behavior data generated by the current user accessing the server based on the first access behavior data and the second access behavior data; and processing the complete access behavior data by using the trained recognition model to recognize whether the access behavior of the current user is an attack behavior. The disclosure also provides an access behavior recognition apparatus, a computing device and a medium.

Description

Access behavior recognition method and device, computing equipment and medium
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to an access behavior identification method, an access behavior identification apparatus, a computing device, and a computer-readable storage medium.
Background
With the rapid development of the internet, network security has become increasingly important, and the internet has penetrated every aspect of our lives. While the internet brings convenience to our lives, it also poses a great threat to our network security.
As more and more novel attack methods emerge, higher demands are placed on the recognition capability of security situation awareness systems. A traditional security situation awareness system generally identifies an attack behavior by acquiring complete access behavior data and identifying the attack from that data, so that the attack can be effectively identified and blocked. The complete access behavior data may be complete attack chain data generated by a user completing a business process in a short time.
In conceiving the present disclosure, the inventors found at least the following problems in the related art.
For fragmented attacks and attacks with an ultra-long latent period, the complete access behavior data cannot be acquired in a short time. It is therefore difficult for the security situation awareness system to identify the attack behavior from the fragmented access behavior data that these attack modes generate, and the attack behavior cannot be blocked in time.
Disclosure of Invention
In view of the above, the present disclosure provides an optimized access behavior identification method, an access behavior identification apparatus, a computing device, and a computer-readable storage medium.
One aspect of the present disclosure provides an access behavior identification method, including: obtaining first access behavior data generated when a current user accesses a server in a first time period; processing the first access behavior data by using a trained prediction model to predict second access behavior data that will be generated when the current user accesses the server in a second time period, wherein the second time period is after the first time period; determining, based on the first access behavior data and the second access behavior data, complete access behavior data generated by the current user accessing the server; and processing the complete access behavior data by using a trained recognition model to recognize whether the access behavior of the current user is an attack behavior.
According to an embodiment of the present disclosure, prior to processing the first access behavior data with the trained prediction model, the method further comprises: acquiring sample data of a plurality of historical users, and training the prediction model by using the sample data. The sample data of each historical user is divided into a first category and a second category: sample data belonging to the first category comprises third access behavior data, and sample data belonging to the second category comprises the third access behavior data and fourth access behavior data. The third access behavior data is data generated by a historical user accessing the server in a third time period, the fourth access behavior data is data generated by the historical user accessing the server in a fourth time period, and the fourth time period is after the third time period.
According to an embodiment of the present disclosure, the prediction model includes a generative adversarial network model, which includes a generative model and a discriminant model. Training the prediction model with the sample data comprises: inputting the sample data into the generative model for processing, wherein, when the sample data belongs to the first category, fourth access behavior data generated by the historical user accessing the server in the fourth time period is predicted by the generative model based on the third access behavior data; inputting the sample data from the generative model into the discriminant model, so that the discriminant model determines whether the sample data belongs to the first category or the second category and yields a determination result; and adjusting model parameters of the generative model and/or model parameters of the discriminant model based on the determination result.
According to an embodiment of the present disclosure, the discriminant model includes N submodels, where N is an integer greater than 1. Inputting the sample data from the generative model into the discriminant model to determine whether the sample data belongs to the first category or the second category comprises: dividing the sample data of each historical user from the generative model into N pieces of sub data; inputting the N pieces of sub data into the N submodels in one-to-one correspondence, so that the N submodels process the N pieces of sub data in one-to-one correspondence to obtain N processing results; and determining, based on the N processing results, whether the sample data belongs to the first category or the second category.
According to an embodiment of the present disclosure, before the sample data is input into the generative model for processing, the method further includes: when the sample data belongs to the first category, cutting the sample data so that the data length of the cut sample data is a preset data length; and when the sample data belongs to the second category, filling the sample data so that the data length of the filled sample data is the preset data length.
According to an embodiment of the present disclosure, when the sample data belongs to the first category, predicting, by the generative model and based on the third access behavior data, the fourth access behavior data generated by the historical user accessing the server in the fourth time period includes: modifying the data filled into the sample data based on the third access behavior data in the sample data, and determining the modified filled data as the fourth access behavior data generated by the historical user accessing the server in the fourth time period.
According to an embodiment of the present disclosure, determining, based on the first access behavior data and the second access behavior data, the complete access behavior data generated by the current user accessing the server includes: combining the first access behavior data and the second access behavior data to obtain the complete access behavior data.
Another aspect of the present disclosure provides an apparatus for identifying an access behavior, including a first obtaining module, a prediction module, a determining module and a recognition module. The first obtaining module obtains first access behavior data generated when a current user accesses the server within a first time period. The prediction module processes the first access behavior data using a trained prediction model to predict second access behavior data that will be generated when the current user accesses the server within a second time period, wherein the second time period is subsequent to the first time period. The determining module determines, based on the first access behavior data and the second access behavior data, complete access behavior data generated by the current user accessing the server. The recognition module processes the complete access behavior data using the trained recognition model to recognize whether the access behavior of the current user is an attack behavior.
According to an embodiment of the present disclosure, for use prior to processing the first access behavior data with the trained prediction model, the apparatus further comprises a second acquisition module and a training module. The second acquisition module acquires sample data of a plurality of historical users. The training module trains the prediction model using the sample data. The sample data of each historical user is divided into a first category and a second category: sample data belonging to the first category comprises third access behavior data, and sample data belonging to the second category comprises the third access behavior data and fourth access behavior data. The third access behavior data is data generated by a historical user accessing the server in a third time period, the fourth access behavior data is data generated by the historical user accessing the server in a fourth time period, and the fourth time period is after the third time period.
According to an embodiment of the present disclosure, the prediction model includes a generative adversarial network model, which includes a generative model and a discriminant model. The training module comprises a processing submodule, a determining submodule and an adjusting submodule. For the sample data of each historical user, the processing submodule inputs the sample data into the generative model for processing, wherein, when the sample data belongs to the first category, fourth access behavior data generated by the historical user accessing the server in the fourth time period is predicted by the generative model based on the third access behavior data. The determining submodule inputs the sample data from the generative model into the discriminant model, so that the discriminant model determines whether the sample data belongs to the first category or the second category and yields a determination result. The adjusting submodule adjusts the model parameters of the generative model and/or the model parameters of the discriminant model based on the determination result.
According to an embodiment of the present disclosure, the discriminant model includes N submodels, where N is an integer greater than 1. The determining submodule includes a dividing unit, a processing unit and a first determining unit. The dividing unit divides the sample data of each historical user from the generative model into N pieces of sub data. The processing unit inputs the N pieces of sub data into the N submodels in one-to-one correspondence, so that the N submodels process the N pieces of sub data in one-to-one correspondence to obtain N processing results. The first determining unit determines, based on the N processing results, whether the sample data belongs to the first category or the second category.
According to an embodiment of the present disclosure, for use before the sample data is input into the generative model for processing, the apparatus further includes a cutting module and a filling module. The cutting module cuts the sample data when the sample data belongs to the first category, so that the data length of the cut sample data is a preset data length. The filling module fills the sample data when the sample data belongs to the second category, so that the data length of the filled sample data is the preset data length.
According to an embodiment of the present disclosure, the processing submodule includes a modification unit and a second determining unit. The modification unit modifies the data filled into the sample data based on the third access behavior data in the sample data. The second determining unit determines the modified filled data as the fourth access behavior data generated by the historical user accessing the server in the fourth time period.
According to an embodiment of the present disclosure, the determining module is further configured to combine the first access behavior data and the second access behavior data to obtain the complete access behavior data.
Another aspect of the present disclosure provides a computing device comprising: one or more processors; memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method as described above.
Another aspect of the disclosure provides a non-transitory readable storage medium storing computer-executable instructions for implementing the method as described above when executed.
Another aspect of the disclosure provides a computer program comprising computer executable instructions for implementing the method as described above when executed.
According to the embodiment of the disclosure, the access behavior identification method can at least partially solve the technical problem in the related art that attack behavior is difficult to identify from the fragmented access behavior data generated by fragmented attacks and ultra-long latent period attacks, and therefore cannot be blocked in time. The method thus achieves the technical effect of predicting a user's later behavior by analyzing the user's earlier behavior, so that whether the user's behavior is an attack can be judged in advance and abnormal user behavior can be prevented or warned about earlier.
Drawings
For a more complete understanding of the present disclosure and the advantages thereof, reference is now made to the following descriptions taken in conjunction with the accompanying drawings, in which:
FIG. 1 schematically illustrates a system architecture for an access behavior identification method and an access behavior identification apparatus according to an embodiment of the present disclosure;
FIG. 2 schematically illustrates a flow diagram of a method of identification of access behavior according to an embodiment of the disclosure;
FIG. 3 schematically illustrates a flow diagram of a method of identification of access behavior according to another embodiment of the present disclosure;
FIG. 4 schematically illustrates a model structure diagram of a generative model according to an embodiment of the present disclosure;
FIG. 5 schematically illustrates a model structure diagram of a predictive model according to an embodiment of the disclosure;
FIG. 6 schematically shows a block diagram of an apparatus for identification of access behavior according to an embodiment of the present disclosure; and
FIG. 7 schematically illustrates a block diagram of a computer system for implementing identification of access behaviors in accordance with an embodiment of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B and C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, C together, etc.).
Some block diagrams and/or flow diagrams are shown in the figures. It will be understood that some blocks of the block diagrams and/or flowchart illustrations, or combinations thereof, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable control apparatus to produce a machine, such that the instructions, which execute via the processor, create means for implementing the functions/acts specified in the block diagrams and/or flowchart block or blocks.
Accordingly, the techniques of this disclosure may be implemented in hardware and/or software (including firmware, microcode, etc.). In addition, the techniques of this disclosure may take the form of a computer program product on a computer-readable storage medium having instructions stored thereon for use by or in connection with an instruction execution system. In the context of this disclosure, a computer-readable storage medium may be any medium that can contain, store, communicate, propagate, or transport the instructions. For example, a computer readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, device, or propagation medium. Specific examples of the computer-readable storage medium include: magnetic storage devices, such as magnetic tape or Hard Disk Drives (HDDs); optical storage devices, such as compact disks (CD-ROMs); a memory, such as a Random Access Memory (RAM) or a flash memory; and/or wired/wireless communication links.
The embodiment of the disclosure provides an identification method of an access behavior, which includes: the method comprises the steps of obtaining first access behavior data generated when a current user accesses a server in a first time period, and processing the first access behavior data by using a trained prediction model to predict second access behavior data generated when the current user will access the server in a second time period, wherein the second time period is after the first time period. Then, based on the first access behavior data and the second access behavior data, complete access behavior data generated by the current user for accessing the server is determined. Next, the trained recognition model is utilized to process the complete access behavior data so as to recognize whether the access behavior of the current user is an attack behavior.
Fig. 1 schematically shows an identification method of an access behavior and a system architecture of an identification apparatus of an access behavior according to an embodiment of the present disclosure. It should be noted that fig. 1 is only an example of a system architecture to which the embodiments of the present disclosure may be applied to help those skilled in the art understand the technical content of the present disclosure, and does not mean that the embodiments of the present disclosure may not be applied to other devices, systems, environments or scenarios.
As shown in fig. 1, the system architecture 100 according to this embodiment may include terminal devices 101, 102, 103, a network 104 and a server 105. The network 104 serves as a medium for providing communication links between the terminal devices 101, 102, 103 and the server 105. Network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, to name a few.
The user may use the terminal devices 101, 102, 103 to interact with the server 105 via the network 104 to receive or send messages or the like. The terminal devices 101, 102, 103 may have installed thereon various communication client applications, such as shopping-like applications, web browser applications, search-like applications, instant messaging tools, mailbox clients, social platform software, etc. (by way of example only).
The terminal devices 101, 102, 103 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like.
The server 105 may be a server providing various services, such as a background management server (for example only) providing support for websites browsed by users using the terminal devices 101, 102, 103. The background management server may analyze and perform other processing on the received data such as the user request, and feed back a processing result (e.g., a webpage, information, or data obtained or generated according to the user request) to the terminal device.
It should be noted that the identification method of the access behavior provided by the embodiment of the present disclosure may be generally executed by the server 105. Accordingly, the access behavior recognition apparatus provided by the embodiments of the present disclosure may be generally disposed in the server 105. The identification method of the access behavior provided by the embodiment of the present disclosure may also be performed by a server or a server cluster that is different from the server 105 and is capable of communicating with the terminal devices 101, 102, 103 and/or the server 105. Accordingly, the identification device of the access behavior provided by the embodiment of the present disclosure may also be disposed in a server or a server cluster different from the server 105 and capable of communicating with the terminal devices 101, 102, 103 and/or the server 105.
It should be understood that the number of terminal devices, networks, and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
According to the embodiment of the disclosure, the access behavior data of the user accessing the server, which is collected in a short time, is generally divided into two types, namely complete access behavior data and fragmented access behavior data. The collected data may include characteristic information such as protocol type, connection status, number of bytes of data, etc. The collected data includes data of normal access processes and some attack data of hackers.
For the complete access behavior data, whether the access behavior of the user is an attack behavior can be identified based on the complete access behavior data by using a machine learning identification model such as a support vector machine. The complete access behavior data may be complete attack chain data generated when a user completes a service process in a short time.
For fragmented access behavior data, the generative model and the discriminant model in a generative adversarial network model are used to predict the user's future behavior, so as to generate the user's complete access behavior data by prediction. The predicted complete access behavior data is then processed by a machine learning recognition model such as a support vector machine to determine whether the user's access behavior is an attack behavior.
A method of identifying access behavior according to an exemplary embodiment of the present disclosure is described below with reference to fig. 2 to 5 in conjunction with the system architecture of fig. 1. It should be noted that the above-described system architecture is shown merely for the purpose of facilitating understanding of the spirit and principles of the present disclosure, and embodiments of the present disclosure are not limited in any way in this respect.
Fig. 2 schematically shows a flow chart of an identification method of an access behavior according to an embodiment of the present disclosure.
As shown in fig. 2, the method for identifying an access behavior according to the embodiment of the present disclosure may include, for example, operations S210 to S240.
In operation S210, first access behavior data generated by a current user accessing a server within a first time period is obtained.
According to the embodiment of the disclosure, for example, the access behavior of the current user accessing the server may be monitored by the network monitoring device to obtain the access behavior data of the current user through monitoring. The acquired first access behavior data generated by the current user accessing the server within the first time period is, for example, fragmented access behavior data, that is, the first access behavior data is part of access behavior data generated before the current user completes a business process.
In operation S220, the first access behavior data is processed using the trained prediction model to predict second access behavior data that will be generated when the current user accesses the server within a second time period, wherein the second time period is subsequent to the first time period.
In the embodiment of the disclosure, after the first access behavior data of the current user is acquired, the trained prediction model is used to process the first access behavior data so as to predict the second access behavior data that will be generated when the user accesses the server in the later second time period.
In operation S230, complete access behavior data generated by the current user accessing the server is determined based on the first access behavior data and the second access behavior data.
In one example, after obtaining the first access behavior data and the second access behavior data, the first access behavior data and the second access behavior data can be combined to obtain the complete access behavior data. Specifically, the first access behavior data may be a first data segment having a first data length, the second access behavior data may be a second data segment having a second data length, the first data segment and the second data segment may be subjected to a splicing process to obtain a third data segment, the third data segment may be regarded as complete access behavior data, and the data length of the third data segment may be a sum of the first data length and the second data length.
In another example, the first access behavior data may be padded, and the second access behavior data may be obtained, for example, by modifying the padded data. After the first access behavior data and the second access behavior data obtained by modifying the padded data are available, the first access behavior data and the modified data may be determined as the complete access behavior data. A specific implementation of this example is described below with reference to fig. 3.
Next, in operation S240, the complete access behavior data is processed using the trained recognition model to recognize whether the access behavior of the current user is an attack behavior.
According to an embodiment of the present disclosure, the trained recognition model may be a machine learning model. In particular, the recognition model may include, but is not limited to, a support vector machine model, a decision tree model, a random forest model, and the like. The identification model is used for processing the complete access behavior data of the user, so that whether the access behavior of the current user is an attack behavior can be determined, and blocking and alarming aiming at the attack behavior can be performed in advance.
It can be understood that the embodiment of the present disclosure processes the first access behavior data of the current user through the prediction model to predict and obtain the complete access behavior data of the current user. And then, processing the complete access behavior data of the current user based on the identification model to identify whether the access behavior of the current user is an attack behavior. Under the condition that the access behavior of the current user is determined to be an attack behavior, blocking and alarming measures can be taken in advance to protect the safety of the server and reduce the risk of the server.
Fig. 3 schematically shows a flow chart of an identification method of an access behavior according to another embodiment of the present disclosure.
As shown in fig. 3, the method for identifying an access behavior according to the embodiment of the present disclosure may include operations S210 to S240 and operations S310 to S340, for example. Operation S320 includes, for example, operations S321 to S323. Operations S210 to S240 are, for example, the same as or similar to the operations described in fig. 2, and are not described again here.
According to an embodiment of the present disclosure, operations S310 to S320 may be performed before processing the first access behavior data with the trained predictive model in operation S220 is performed.
In operation S310, sample data of a plurality of historical users is acquired.
According to the embodiment of the disclosure, for sample data of each historical user, the sample data is divided into a first category and a second category, the sample data belonging to the first category includes third access behavior data, and the sample data belonging to the second category includes third access behavior data and fourth access behavior data.
The third access behavior data is data generated by the historical user accessing the server in a third time period, the fourth access behavior data is data generated by the historical user accessing the server in a fourth time period, and the fourth time period is after the third time period.
For example, the sample data of each historical user is fragmented access behavior data or complete access behavior data. The fragmented access behavior data is of a first category, and only third access behavior data generated by the historical user accessing the server in a third time period is included in the fragmented access behavior data. And the complete access behavior data is of a second category, the complete access behavior data comprises third access behavior data generated by the historical user accessing the server within a third time period and fourth access behavior data generated by the historical user accessing the server within a fourth time period, and the third access behavior data and the fourth access behavior data are combined into complete access behavior data.
In operation S320, a prediction model is trained using the sample data.
According to an embodiment of the present disclosure, the prediction model may include a generative model, which may also be referred to as a generative network, and a discriminant model, which may also be referred to as an adversarial network.
According to an embodiment of the present disclosure, the generative adversarial network model is an unsupervised network model. The generative model and the discriminant model compete against each other. The generative model is used to construct false data, and the discriminant model is used to discriminate whether the data received from the generative model is false data or real data. During training of the generative adversarial network model, the discriminant model receives data and judges whether the received data is real data or false data. If the judgment of the discriminant model is correct, the model parameters of the generative model need to be adjusted so that the false data constructed by the generative model becomes more realistic; if the judgment of the discriminant model is wrong, the model parameters of the discriminant model need to be adjusted so that a similar judgment error is avoided next time. Training continues until the generative model and the discriminant model reach a balanced state, that is, the false data constructed by the generative model is close enough to the real data that the discriminant model has difficulty judging whether the data is true or false.
Therefore, the embodiment of the present disclosure may predict the complete access behavior data of the user by using the trained generative model in the generative adversarial network model, so that the predicted complete access behavior data is closer to the real data, i.e., the predicted complete access behavior data is closer to the future behavior data of the user.
According to the embodiment of the present disclosure, training the prediction model with the sample data in operation S320 includes, for example, operations S321 to S323.
In operation S321, for sample data of each historical user, the sample data is input into the generative model for processing, where in a case that the sample data belongs to the first class, fourth access behavior data generated by the historical user accessing the server in a fourth time period is predicted by the generative model based on the third access behavior data.
Specifically, for one sample data, when the sample data is fragmented access behavior data, the complete access behavior data of the historical user is predicted based on the fragmented access behavior data through the generation model, and the predicted complete access behavior data is input into the discrimination model as false data. If the sample data is complete access behavior data, the generation model can input the complete access behavior data into the discrimination model as real data originally generated by the user without processing the complete access behavior data.
Since the sample data is generated over a period of time, the multiple features in the sample data are more strongly correlated in the time dimension. Therefore, the generative model of the embodiments of the present disclosure may employ a long short-term memory (LSTM) network model. The model structure of the generative model is described with reference to fig. 4.
In operation S322, the sample data from the generated model is input into the discriminant model to determine whether the sample data belongs to the first category or the second category through the discriminant model to obtain a determination result.
Wherein the determination result may include that the sample data belongs to the first category, i.e., the sample data is dummy data constructed by the generative model. The determination result may further include that the sample data belongs to the second category, i.e., the sample data is real data of the user.
The determination result may be a correct judgment or a wrong judgment. For example, when the sample data from the generative model is constructed false data, the judgment is correct if the discriminant model determines that the sample data belongs to the first category, and the judgment is wrong if the discriminant model determines that the sample data belongs to the second category.
In operation S323, the model parameters of the generative model and/or the model parameters of the discriminative model are adjusted based on the determination result.
If the judgment of the discriminant model is correct, the determination result can be fed back to the generative model, so that the generative model adjusts its model parameters according to the determination result and the false data it subsequently constructs becomes more realistic; if the judgment of the discriminant model is wrong, the model parameters of the discriminant model need to be adjusted so that a similar judgment error is avoided next time.
According to an embodiment of the present disclosure, the discriminant model may include N submodels, where N is an integer greater than 1.
Wherein, the inputting of the sample data from the generated model into the discriminant model in operation S322 to determine whether the sample data belongs to the first category or the second category through the discriminant model may include:
first, sample data from each historical user of the generative model is divided into N sub-data.
Then, the N pieces of sub data are input to the N pieces of sub models in a one-to-one correspondence manner, so that the N pieces of sub data are processed through the N pieces of sub models in a one-to-one correspondence manner to obtain N processing results. For example, the 1 st sub-data is input to the 1 st sub-model, the 2 nd sub-data is input to the 2 nd sub-model, the 3 rd sub-data is input to the 3 rd sub-model, and so on. Each submodel may, for example, output a processing result.
Next, based on the N processing results, it is determined whether the sample data belongs to the first category or the second category. For example, the generative adversarial network may include other network hierarchical structures in addition to the generative model and the N sub-models. In one embodiment, these other network hierarchical structures may be part of the discriminant model. The N processing results are input into the other network hierarchical structures and processed to obtain an output result, and the output result can indicate that the sample data belongs to the first category or the second category. The model structure of the discriminant model is described with reference to fig. 5.
According to the embodiment of the present disclosure, before performing the processing regarding inputting the sample data into the generative model in operation S321, the method of the embodiment of the present disclosure may further include operations S330 to S340. The operations S330 to S340 are, for example, operations for preprocessing sample data.
In operation S330, in a case that the sample data belongs to the first category, the sample data is clipped so that the data length of the clipped sample data is a preset data length. For example, superfluous or duplicate data in the sample data is removed.
In operation S340, in a case that the sample data belongs to the second category, the sample data is padded such that the data length of the padded sample data is a preset data length. In one embodiment, the preset data length is, for example, 1024. If the data length of the sample data of the second category is 512, zeros are appended after the sample data so that the data length of the zero-padded sample data is 1024, and the data in the 513th to 1024th bits of the padded sample data is all zero.
According to the embodiment of the present disclosure, in operation S321, predicting, by the generative model and based on the third access behavior data, the fourth access behavior data generated by the historical user accessing the server within a fourth time period, in a case that the sample data belongs to the first category, may include:
first, the padded data in the sample data is modified based on the third access behavior data in the sample data, e.g., the data in the sample data that was padded with zeros is modified. For example, when the data in the 513th to 1024th bits of the padded sample data is all zero, the data in the 513th to 1024th bits of the padded sample data may be modified.
The modified padded data is then determined as the fourth access behavior data generated by the historical user accessing the server within the fourth time period. For example, the modified data in the 513th to 1024th bits of the sample data is used as the fourth access behavior data.
Similarly, processing the first access behavior data using the trained prediction model in operation S220, to predict the second access behavior data that the current user will generate by accessing the server within the second time period, may specifically include: padding the first access behavior data by means of the generative model in the trained prediction model. When the first access behavior data is processed using the trained prediction model, the zero-padded data in the first access behavior data can be modified, and the modified padded data can be used as the second access behavior data.
In the embodiment of the present disclosure, the preprocessing performed on the fragmented access behavior data or the complete access behavior data may further include converting string-type data into numeric data suitable for classification, so as to facilitate later use of the data and training of the model. It should be noted that, since the collected user data contains many features and each feature has its own attributes and units, the data needs to be normalized in order to train the model better. After normalization, the data of each feature is limited to a certain numerical range, which avoids the influence of differing feature units on the model. It can be seen that, through the data preprocessing process, the collected data can be processed into the data form required by the generative adversarial network model.
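The preprocessing and padding steps described above (clipping or zero-padding to the preset length, modifying only the padded positions, and the string encoding and normalization) can be sketched as follows. This is an added example, not code from the patent; the min-max scaler, the ordinal string encoding and `naive_generator`, a stand-in for the trained generative model, are assumptions.

```python
"""Added example: preprocessing and completion of fragmented access data.

Assumptions (not from the patent): the min-max scaler, the ordinal string
encoding, and `naive_generator`, a stand-in for the trained generative model.
"""
from typing import Callable, Dict, List, Sequence, Tuple

PRESET_LEN = 1024  # preset data length used in the patent's example


def encode_strings(column: Sequence[str]) -> Tuple[List[float], Dict[str, int]]:
    """Map string-typed values (e.g. request methods) to numeric codes."""
    vocab: Dict[str, int] = {}
    codes = [float(vocab.setdefault(value, len(vocab))) for value in column]
    return codes, vocab


def min_max(column: Sequence[float]) -> List[float]:
    """Scale one feature into [0, 1] so that its unit does not dominate."""
    lo, hi = min(column), max(column)
    if hi == lo:  # constant feature: avoid division by zero
        return [0.0 for _ in column]
    return [(v - lo) / (hi - lo) for v in column]


def fit_to_length(data: Sequence[float],
                  length: int = PRESET_LEN) -> Tuple[List[float], int]:
    """Clip or zero-pad to `length`; return the vector and the observed length.

    The observed length is returned explicitly because a normalized feature
    can legitimately be 0.0, so padding cannot be recognized by its value.
    """
    observed = min(len(data), length)
    vector = list(data[:length]) + [0.0] * (length - observed)
    return vector, observed


Generator = Callable[[List[float], int], List[float]]


def naive_generator(padded: List[float], observed: int) -> List[float]:
    """Stand-in for the trained model: proposes the mean of the last eight
    observed values at every position of a full-length vector."""
    window = padded[max(0, observed - 8):observed] or [0.0]
    guess = sum(window) / len(window)
    return [guess] * len(padded)


def complete_access_data(first: Sequence[float], generator: Generator,
                         length: int = PRESET_LEN) -> Tuple[List[float], List[float]]:
    """Return (second_data, complete_data) for the fragment `first`.

    Only the padded positions take the generator's output; the observed
    prefix is copied through unchanged.
    """
    padded, observed = fit_to_length(first, length)
    proposal = generator(padded, observed)
    if len(proposal) != length:
        raise ValueError("generator must return a full-length vector")
    second = proposal[observed:]
    return second, padded[:observed] + second


if __name__ == "__main__":
    # Constructed fragment: 512 observed values, the last two genuinely zero.
    fragment = [0.5] * 510 + [0.0, 0.0]
    second, complete = complete_access_data(fragment, naive_generator)
    print(len(second), len(complete), second[0])
```

Tracking the observed length, rather than searching for zeros, keeps genuine zero-valued features at the end of a fragment from being overwritten as if they were padding.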
Fig. 4 schematically shows a model structure diagram of a generative model according to an embodiment of the present disclosure.
As shown in fig. 4, the generative model of the embodiment of the present disclosure is, for example, a two-layer long short-term memory (LSTM) network model, which is a kind of recurrent neural network.
In one embodiment, the model parameters of the generative model are, for example: the initial value of the learning rate is 1.0, the maximum norm of the gradient is set to 5, the number of superimposed layers is 2, and the decay rate of the learning rate is 0.5. The number of input nodes is 1020, the number of hidden layer nodes is 200, and the number of output nodes is 1020. In order to avoid the over-fitting phenomenon, a dropout mechanism is introduced, and the dropout mechanism can omit part of neurons in the model so as to avoid the over-fitting phenomenon.
Fig. 5 schematically shows a model structure diagram of a prediction model according to an embodiment of the present disclosure.
As shown in fig. 5, the predictive model includes a generative model 510 and a discriminant model 520. The generative model 510 is, for example, the same as or similar to the generative model described in fig. 4, and is not described herein again.
According to the embodiment of the present disclosure, the discriminant model 520 includes, for example, N = 10 sub-models, and each sub-model is a discriminant model. The sample data processed by the generative model 510 includes 1020 features, for example. The sample data processed by the generative model 510 includes, for example, original complete access behavior data and complete access behavior data obtained by prediction from fragmented access behavior data.
Since the processed sample data has 1020 features, the dimensionality of the data features is very unfavorable for training the model. In order to improve the training accuracy of the discriminant model 520, the processed sample data may be discriminated by using a plurality of sub-models.
For example, the processed sample data having 1020 features is sliced into 10 sub-data, and each sub-data includes 102 features. For example, the 1st sub-data includes the 1st to 102nd features, the 2nd sub-data includes the 103rd to 204th features, the 3rd sub-data includes the 205th to 306th features, and so on.
Then, a discriminant model is established for each of the 10 sub-data, and the 10 discriminant models are denoted D1 to D10. Discriminant model D1 (a sub-model) is used, for example, to process the 1st sub-data, discriminant model D2 (a sub-model) is used, for example, to process the 2nd sub-data, discriminant model D3 (a sub-model) is used, for example, to process the 3rd sub-data, and so on. By establishing a plurality of discriminant models, the training speed of the whole generative adversarial network can be increased, and the data generated by the generative model is closer to real data.
For example, the parameter information of the discriminant model in the embodiment of the present disclosure covers an input layer, a hidden layer, and an output layer. For example, the input layer of each discriminant model (each sub-model) includes 102 nodes; the hidden layer includes 64 nodes, and the activation function used by the hidden layer is the ReLU function; the output layer includes 1 node, and the activation function used by the output layer is the sigmoid function. The original complete access behavior data of the user from the generative model and the complete access behavior data predicted from the fragmented access behavior data are passed into the discriminant model, which discriminates whether the data is predicted (generated) data and feeds the discrimination result back to the generative model. The model parameters of the generative adversarial network are adjusted through the adversarial process between the two networks, and the training of the generative adversarial network model is finally completed.
Through the technical scheme of the embodiment of the disclosure, fragmented attacks and network attacks with an ultra-long latent period can be identified. With the trained generative adversarial network model, the overall access behavior data of the user can be predicted and generated based on the fragmented access behavior data of the user. The overall access behavior data of the user is then input into an abnormal behavior identification model for identification, which finally judges whether the behavior of the user is an attack behavior.
According to the method, the original generative adversarial network model is improved into a generative adversarial network model with a plurality of discriminant networks. Through this improvement of the model, the training speed of the whole generative adversarial network can be accelerated, and the prediction data generated by the generative network is closer to the real data.
By the technical scheme of the embodiment of the disclosure, the subsequent behavior of the user can be predicted by analyzing the early-stage behavior of the user, so that whether the behavior of the user is an attack behavior can be judged in advance, and the abnormal behavior of the user can be prevented or warned of earlier.
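The discriminant structure described above, with its rule that the discriminant model is adjusted when its judgment is wrong, can be sketched as follows. This is an added example, not code from the patent: layer sizes follow the embodiment, while the random initial weights, the mean of the N outputs as the combining stage, and the gradient step on binary cross-entropy are assumptions.

```python
"""Added example: a discriminator made of N sub-models (not the patent's code).

Sizes follow the embodiment: 1020 features, N = 10, each sub-model
102 -> 64 (ReLU) -> 1 (sigmoid). Assumptions: random initial weights, the
mean of the N outputs as the combining stage, and a plain gradient step on
binary cross-entropy as the parameter adjustment.
"""
import math
import random
from typing import List, Sequence, Tuple

N_FEATURES, N_SUB, HIDDEN = 1020, 10, 64


def split_features(sample: Sequence[float], n: int = N_SUB) -> List[List[float]]:
    """Cut a sample into n equal, contiguous sub-data (1-102, 103-204, ...)."""
    if len(sample) % n:
        raise ValueError("feature count must be divisible by the number of sub-models")
    width = len(sample) // n
    return [list(sample[i * width:(i + 1) * width]) for i in range(n)]


def sigmoid(x: float) -> float:
    """Numerically stable logistic function."""
    if x >= 0:
        return 1.0 / (1.0 + math.exp(-x))
    e = math.exp(x)
    return e / (1.0 + e)


class SubDiscriminator:
    """One sub-model: input -> hidden (ReLU) -> 1 output (sigmoid)."""

    def __init__(self, n_in: int, n_hidden: int, rng: random.Random) -> None:
        s = 1.0 / math.sqrt(n_in)
        self.w1 = [[rng.uniform(-s, s) for _ in range(n_in)] for _ in range(n_hidden)]
        self.b1 = [0.0] * n_hidden
        self.w2 = [rng.uniform(-s, s) for _ in range(n_hidden)]
        self.b2 = 0.0

    def forward(self, x: Sequence[float]) -> Tuple[List[float], float]:
        """Return (hidden activations, probability that x is real data)."""
        if len(x) != len(self.w1[0]):
            raise ValueError("sub-data has the wrong number of features")
        hidden = [max(0.0, sum(w * v for w, v in zip(row, x)) + b)
                  for row, b in zip(self.w1, self.b1)]
        return hidden, sigmoid(sum(w * h for w, h in zip(self.w2, hidden)) + self.b2)

    def adjust(self, x: Sequence[float], is_real: bool, lr: float) -> None:
        """One gradient step on binary cross-entropy towards the true label."""
        hidden, p = self.forward(x)
        d_logit = p - (1.0 if is_real else 0.0)
        for j, h in enumerate(hidden):
            if h > 0.0:  # ReLU passes gradient only through active units
                d_pre = d_logit * self.w2[j]
                self.w1[j] = [w - lr * d_pre * v for w, v in zip(self.w1[j], x)]
                self.b1[j] -= lr * d_pre
            self.w2[j] -= lr * d_logit * h
        self.b2 -= lr * d_logit


class MultiDiscriminator:
    """N sub-models, one per slice of the feature vector."""

    def __init__(self, n_features: int = N_FEATURES, n_sub: int = N_SUB,
                 hidden: int = HIDDEN, seed: int = 0) -> None:
        rng = random.Random(seed)
        self.n_sub = n_sub
        self.subs = [SubDiscriminator(n_features // n_sub, hidden, rng)
                     for _ in range(n_sub)]

    def score(self, sample: Sequence[float]) -> float:
        """Mean sub-model output; >= 0.5 is read as real (second category)."""
        parts = split_features(sample, self.n_sub)
        return sum(d.forward(p)[1] for d, p in zip(self.subs, parts)) / self.n_sub

    def judge_and_adjust(self, sample: Sequence[float], is_real: bool,
                         lr: float = 0.01) -> bool:
        """Return True if the judgment was correct; adjust the sub-models if not."""
        correct = (self.score(sample) >= 0.5) == is_real
        if not correct:
            for d, p in zip(self.subs, split_features(sample, self.n_sub)):
                d.adjust(p, is_real, lr)
        return correct


if __name__ == "__main__":
    rng = random.Random(1)
    sample = [rng.random() for _ in range(N_FEATURES)]  # constructed sample
    disc = MultiDiscriminator()
    print("score before:", disc.score(sample))
    print("judged correctly as generated:", disc.judge_and_adjust(sample, is_real=False))
    print("score after:", disc.score(sample))
```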
Fig. 6 schematically shows a block diagram of an identification apparatus of access behavior according to an embodiment of the present disclosure.
As shown in fig. 6, the identifying means 600 of the access behavior may include, for example, a first obtaining module 610, a predicting module 620, a determining module 630, and an identifying module 640.
The first obtaining module 610 may be configured to obtain first access behavior data generated by a current user accessing the server within a first time period. According to an embodiment of the present disclosure, the first obtaining module 610 may, for example, perform operation S210 described above with reference to fig. 2, which is not described herein again.
The prediction module 620 may be configured to process the first access behavior data using a trained prediction model to predict second access behavior data that the current user will generate by accessing the server within a second time period, the second time period being subsequent to the first time period. According to an embodiment of the present disclosure, the prediction module 620 may perform, for example, the operation S220 described above with reference to fig. 2, which is not described herein again.
The determining module 630 may be configured to determine complete access behavior data generated by the current user accessing the server based on the first access behavior data and the second access behavior data. According to the embodiment of the present disclosure, the determining module 630 may, for example, perform operation S230 described above with reference to fig. 2, which is not described herein again.
The recognition module 640 may be configured to process the complete access behavior data using the trained recognition model to recognize whether the access behavior of the current user is an attack behavior. According to the embodiment of the present disclosure, the identifying module 640 may perform, for example, the operation S240 described above with reference to fig. 2, which is not described herein again.
According to the method and the device, the first access behavior data of the current user are processed through the prediction model to predict and obtain the complete access behavior data of the current user, and whether the access behavior of the current user is an attack behavior is identified based on the complete access behavior data, so that blocking and warning measures are taken in advance for the attack behavior, and server risks are reduced.
According to an embodiment of the present disclosure, before processing the first access behavior data using the trained predictive model, the apparatus 600 may further include: a second acquisition module and a training module. The second acquisition module acquires sample data of a plurality of historical users. And the training module is used for training the prediction model by using the sample data. The sample data of each historical user is divided into a first category and a second category, the sample data belonging to the first category comprises third access behavior data, and the sample data belonging to the second category comprises the third access behavior data and fourth access behavior data. The third access behavior data is data generated by the historical user accessing the server in a third time period, the fourth access behavior data is data generated by the historical user accessing the server in a fourth time period, and the fourth time period is after the third time period.
According to the embodiment of the disclosure, the prediction model comprises a generative adversarial network model, and the generative adversarial network model comprises a generative model and a discriminant model. The training module includes a processing submodule, a determining submodule and an adjusting submodule. For the sample data of each historical user, the processing submodule inputs the sample data into the generative model for processing, wherein, in a case that the sample data belongs to the first category, fourth access behavior data generated by the historical user accessing the server within a fourth time period is predicted by the generative model based on the third access behavior data. The determining submodule inputs the sample data from the generative model into the discriminant model, so as to determine through the discriminant model whether the sample data belongs to the first category or the second category and obtain a determination result. The adjusting submodule adjusts the model parameters of the generative model and/or the model parameters of the discriminant model based on the determination result.
According to the embodiment of the present disclosure, the discriminant model includes N sub-models, where N is an integer greater than 1. The determining submodule includes a dividing unit, a processing unit and a first determining unit. The dividing unit divides the sample data of each historical user from the generative model into N pieces of sub data. The processing unit inputs the N pieces of sub data into the N sub-models in a one-to-one correspondence, so that the N pieces of sub data are processed by the N sub-models in a one-to-one correspondence to obtain N processing results. The first determining unit determines, based on the N processing results, that the sample data belongs to the first category or the second category.
According to an embodiment of the present disclosure, before inputting sample data into the generative model for processing, the apparatus 600 may further include: a cutting module and a filling module. And the cutting module is used for cutting the sample data under the condition that the sample data belongs to the first category so that the data length of the cut sample data is the preset data length. And the filling module is used for filling the sample data under the condition that the sample data belongs to the second category so that the data length of the filled sample data is the preset data length.
According to an embodiment of the present disclosure, the processing sub-module includes: a modification unit and a second determination unit. And the modification unit modifies the data filled in the sample data based on the third access behavior data in the sample data. And the second determining unit is used for determining the modified filled data as fourth access behavior data generated by the historical user accessing the server in a fourth time period.
According to an embodiment of the present disclosure, the determining module is further configured to: and combining the first access behavior data and the second access behavior data to obtain complete access behavior data.
The present disclosure also provides a computing device that may include: one or more processors and a memory device. The storage device may be used to store one or more programs. Wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the above-mentioned methods.
Another aspect of the disclosure provides a non-transitory readable storage medium storing computer-executable instructions that, when executed, implement the above-mentioned method.
Another aspect of the disclosure provides a computer program comprising computer executable instructions for implementing the above mentioned method when executed.
Any number of modules, sub-modules, units, sub-units, or at least part of the functionality of any number thereof according to embodiments of the present disclosure may be implemented in one module. Any one or more of the modules, sub-modules, units, and sub-units according to the embodiments of the present disclosure may be implemented by being split into a plurality of modules. Any one or more of the modules, sub-modules, units, sub-units according to embodiments of the present disclosure may be implemented at least in part as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in any other reasonable manner of hardware or firmware by integrating or packaging a circuit, or in any one of or a suitable combination of software, hardware, and firmware implementations. Alternatively, one or more of the modules, sub-modules, units, sub-units according to embodiments of the disclosure may be at least partially implemented as a computer program module, which when executed may perform the corresponding functions.
For example, any of the first obtaining module 610, the predicting module 620, the determining module 630, and the identifying module 640 may be combined and implemented in one module, or any one of them may be split into a plurality of modules. Alternatively, at least part of the functionality of one or more of these modules may be combined with at least part of the functionality of the other modules and implemented in one module. According to an embodiment of the present disclosure, at least one of the first obtaining module 610, the predicting module 620, the determining module 630, and the identifying module 640 may be implemented at least partially as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in hardware or firmware in any other reasonable manner of integrating or packaging a circuit, or in any one of three implementations of software, hardware, and firmware, or in any suitable combination of any of them. Alternatively, at least one of the first obtaining module 610, the predicting module 620, the determining module 630 and the identifying module 640 may be at least partially implemented as a computer program module, which when executed may perform a corresponding function.
FIG. 7 schematically illustrates a block diagram of a computer system for implementing identification of access behaviors in accordance with an embodiment of the present disclosure. The computer system illustrated in FIG. 7 is only one example and should not impose any limitations on the scope of use or functionality of embodiments of the disclosure.
As shown in fig. 7, computer system 700 includes a processor 701, a computer-readable storage medium 702. The system 700 may perform a method according to an embodiment of the present disclosure.
In particular, the processor 701 may include, for example, a general purpose microprocessor, an instruction set processor and/or related chip set and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), and/or the like. The processor 701 may also include on-board memory for caching purposes. The processor 701 may be a single processing unit or a plurality of processing units for performing the different actions of the method flows according to embodiments of the present disclosure.
Computer-readable storage medium 702 may be, for example, any medium that can contain, store, communicate, propagate, or transport the instructions. For example, a readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, device, or propagation medium. Specific examples of the readable storage medium include: magnetic storage devices, such as magnetic tape or Hard Disk Drives (HDDs); optical storage devices, such as compact disks (CD-ROMs); a memory, such as a Random Access Memory (RAM) or a flash memory; and/or wired/wireless communication links.
The computer-readable storage medium 702 may comprise a computer program 703, which computer program 703 may comprise code/computer-executable instructions that, when executed by the processor 701, cause the processor 701 to perform a method according to an embodiment of the disclosure, or any variant thereof.
The computer program 703 may be configured with, for example, computer program code comprising computer program modules. For example, in an example embodiment, code in computer program 703 may include one or more program modules, including for example module 703A, module 703B, … …. It should be noted that the division and number of the modules are not fixed, and those skilled in the art may use suitable program modules or program module combinations according to actual situations, so that the processor 701 may execute the method according to the embodiment of the present disclosure or any variation thereof when the program modules are executed by the processor 701.
According to an embodiment of the present disclosure, at least one of the first obtaining module 610, the predicting module 620, the determining module 630 and the identifying module 640 may be implemented as a computer program module described with reference to fig. 7, which, when executed by the processor 701, may implement the respective operations described above.
The present disclosure also provides a computer-readable storage medium, which may be contained in the apparatus/device/system described in the above embodiments; or may exist separately and not be assembled into the device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement the method.
According to embodiments of the present disclosure, a computer-readable medium may be a computer-readable signal medium or a computer-readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device. In contrast, in the present disclosure, a computer-readable signal medium may include a propagated data signal with computer-readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable storage medium may be transmitted using any appropriate medium, including but not limited to: wireless, wired, optical fiber cable, radio frequency signals, etc., or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that various combinations and/or associations of features recited in the various embodiments and/or claims of the present disclosure can be made, even if such combinations or associations are not expressly recited in the present disclosure. In particular, various combinations and/or associations of the features recited in the various embodiments and/or claims of the present disclosure may be made without departing from the spirit or teaching of the present disclosure. All such combinations and/or associations are within the scope of the present disclosure.
While the disclosure has been shown and described with reference to certain exemplary embodiments thereof, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the disclosure as defined by the appended claims and their equivalents. Accordingly, the scope of the present disclosure should not be limited to the above-described embodiments, but should be defined not only by the appended claims, but also by equivalents thereof.

Claims (14)

1. An identification method of access behavior, comprising:
acquiring first access behavior data generated when a current user accesses a server within a first time period;
processing the first access behavior data using a trained predictive model to predict second access behavior data that the current user will generate by accessing the server within a second time period, wherein the second time period is subsequent to the first time period;
determining complete access behavior data generated by the current user accessing the server based on the first access behavior data and the second access behavior data; and
processing the complete access behavior data using a trained recognition model to recognize whether the access behavior of the current user is an attack behavior.
2. The method of claim 1, wherein prior to processing the first access behavior data with the trained predictive model, the method further comprises:
acquiring sample data of a plurality of historical users; and
training the predictive model using the sample data,
wherein, for sample data of each historical user, the sample data is divided into a first category and a second category, the sample data belonging to the first category comprises third access behavior data, the sample data belonging to the second category comprises the third access behavior data and fourth access behavior data,
the third access behavior data is data generated by historical users accessing the server in a third time period, the fourth access behavior data is data generated by historical users accessing the server in a fourth time period, and the fourth time period is after the third time period.
3. The method of claim 2, wherein the predictive model comprises a generative adversarial network model comprising a generative model and a discriminant model;
wherein said training said predictive model with said sample data comprises:
for the sample data of each historical user, inputting the sample data into the generative model for processing, wherein, in the case that the sample data belongs to the first category, fourth access behavior data generated by the historical user accessing the server in the fourth time period is predicted by the generative model based on the third access behavior data;
inputting the sample data from the generative model into the discriminant model, so as to determine, through the discriminant model, whether the sample data belongs to the first category or the second category and obtain a determination result; and
adjusting the model parameters of the generative model and/or the model parameters of the discriminant model based on the determination result.
4. The method of claim 3, wherein the discriminant model comprises N sub-models, N being an integer greater than 1;
wherein said inputting sample data from said generative model into said discriminant model to determine, by said discriminant model, whether said sample data belongs to said first category or to said second category comprises:
dividing the sample data of each historical user from the generative model into N pieces of sub-data;
inputting the N pieces of sub-data into the N sub-models in one-to-one correspondence, and processing the N pieces of sub-data through the N sub-models in one-to-one correspondence to obtain N processing results; and
determining, based on the N processing results, whether the sample data belongs to the first category or to the second category.
5. The method of claim 3, wherein prior to inputting the sample data into the generative model for processing, the method further comprises:
in the case that the sample data belongs to the first category, cutting the sample data so that the data length of the cut sample data is a preset data length; and
in the case that the sample data belongs to the second category, performing filling processing on the sample data so that the data length of the filled sample data is the preset data length.
6. The method of claim 5, wherein said predicting, by the generative model and based on the third access behavior data, the fourth access behavior data generated by the historical user accessing the server in the fourth time period, in the case that the sample data belongs to the first category, comprises:
modifying the data filled in the sample data based on the third access behavior data in the sample data; and
determining the modified filled data as the fourth access behavior data generated by the historical user accessing the server in the fourth time period.
7. An apparatus for identifying access behavior, comprising:
a first acquisition module for acquiring first access behavior data generated by a current user accessing the server within a first time period;
a prediction module for processing the first access behavior data using a trained predictive model to predict second access behavior data that the current user will generate by accessing the server within a second time period, wherein the second time period is subsequent to the first time period;
a determining module for determining complete access behavior data generated by the current user accessing the server based on the first access behavior data and the second access behavior data; and
a recognition module for processing the complete access behavior data using a trained recognition model to recognize whether the access behavior of the current user is an attack behavior.
8. The apparatus of claim 7, wherein prior to processing the first access behavior data with the trained predictive model, the apparatus further comprises:
a second acquisition module for acquiring sample data of a plurality of historical users; and
a training module for training the predictive model using the sample data,
wherein, for sample data of each historical user, the sample data is divided into a first category and a second category, the sample data belonging to the first category comprises third access behavior data, the sample data belonging to the second category comprises the third access behavior data and fourth access behavior data,
the third access behavior data is data generated by historical users accessing the server in a third time period, the fourth access behavior data is data generated by historical users accessing the server in a fourth time period, and the fourth time period is after the third time period.
9. The apparatus of claim 8, wherein the predictive model comprises a generative adversarial network model comprising a generative model and a discriminant model;
wherein the training module comprises:
a processing sub-module for inputting, for the sample data of each historical user, the sample data into the generative model for processing, wherein, in the case that the sample data belongs to the first category, fourth access behavior data generated by the historical user accessing the server in the fourth time period is predicted by the generative model based on the third access behavior data;
a determining sub-module for inputting the sample data from the generative model into the discriminant model, so as to determine, through the discriminant model, whether the sample data belongs to the first category or the second category and obtain a determination result; and
an adjusting sub-module for adjusting the model parameters of the generative model and/or the model parameters of the discriminant model based on the determination result.
10. The apparatus of claim 9, wherein the discriminant model comprises N sub-models, N being an integer greater than 1;
wherein the determining sub-module includes:
a dividing unit for dividing the sample data of each historical user from the generative model into N pieces of sub-data;
a processing unit for inputting the N pieces of sub-data into the N sub-models in one-to-one correspondence, so as to process the N pieces of sub-data through the N sub-models in one-to-one correspondence to obtain N processing results; and
a first determining unit for determining, based on the N processing results, whether the sample data belongs to the first category or the second category.
11. The apparatus of claim 9, wherein prior to inputting the sample data into the generative model for processing, the apparatus further comprises:
a cutting module for cutting the sample data in the case that the sample data belongs to the first category, so that the data length of the cut sample data is a preset data length; and
a filling module for filling the sample data in the case that the sample data belongs to the second category, so that the data length of the filled sample data is the preset data length.
12. The apparatus of claim 11, wherein the processing submodule comprises:
a modification unit for modifying the data filled in the sample data based on the third access behavior data in the sample data; and
a second determining unit for determining the modified filled data as the fourth access behavior data generated by the historical user accessing the server in the fourth time period.
13. A computing device, comprising:
one or more processors;
a storage device for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of any of claims 1-6.
14. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the method of any one of claims 1 to 6.
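The data flow of claim 1 (observe, predict the remaining behavior, join, recognise), as an added example that is not part of the patent. A nearest-neighbour lookup stands in for the trained generative adversarial network and a count-centroid classifier for the trained recognition model; the event names, history and preset lengths are constructed assumptions.

```python
from collections import Counter

# Constructed event vocabulary (assumption; the claims fix no encoding).
EVENTS = ["page", "login_ok", "login_fail", "transfer", "logout"]
PAD = "pad"
FIRST_LEN = 3   # assumed preset length of the observed (first/third) period
TOTAL_LEN = 6   # assumed preset length of complete access behavior data

# Constructed history: (complete access behavior data, attack label).
HISTORY = [
    (["page", "login_ok", "page", "transfer", "page", "logout"], False),
    (["page", "login_fail", "login_ok", "page", "page", "logout"], False),
    (["page", "page", "login_ok", "transfer", "transfer", "logout"], False),
    (["login_fail"] * 6, True),
    (["page"] + ["login_fail"] * 5, True),
]


def fit_length(seq, length):
    """Cut or fill a sequence so it has exactly the preset data length."""
    return list(seq[:length]) + [PAD] * max(0, length - len(seq))


def train_predictor(history):
    """Split each historical session into (third, fourth) period data."""
    pairs = []
    for session, _ in history:
        full = fit_length(session, TOTAL_LEN)
        pairs.append((full[:FIRST_LEN], full[FIRST_LEN:]))
    return pairs


def predict_second(pairs, first):
    """Stand-in for the generative model: reuse the later-period data of the
    historical session whose earlier period is closest (Hamming distance)."""
    first = fit_length(first, FIRST_LEN)

    def dist(pair):
        return sum(a != b for a, b in zip(pair[0], first))
    return min(pairs, key=dist)[1]


def features(seq):
    """Event counts in a fixed order; padding is ignored."""
    counts = Counter(seq)
    return [counts[e] for e in EVENTS]


def train_recognizer(history):
    """Stand-in recognition model: one centroid of event counts per label."""
    centroids = {}
    for label in (False, True):
        rows = [features(s) for s, attack in history if attack == label]
        centroids[label] = [sum(col) / len(rows) for col in zip(*rows)]
    return centroids


def is_attack(centroids, seq):
    """True when the sequence lies closer to the attack centroid."""
    x = features(seq)

    def d2(label):
        return sum((a - b) ** 2 for a, b in zip(x, centroids[label]))
    return d2(True) < d2(False)


def identify(pairs, centroids, first):
    """Claim 1 flow: first-period data + predicted second-period data."""
    complete = fit_length(first, FIRST_LEN) + predict_second(pairs, first)
    return complete, is_attack(centroids, complete)


PAIRS = train_predictor(HISTORY)
CENTROIDS = train_recognizer(HISTORY)
```

With this constructed history, the prefix `["page", "login_fail", "login_fail"]` is scored as benign on its own, while the completed sequence returned by `identify` is scored as an attack.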
CN202010727441.7A 2020-07-24 2020-07-24 Access behavior recognition method and device, computing equipment and medium Pending CN111865999A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010727441.7A CN111865999A (en) 2020-07-24 2020-07-24 Access behavior recognition method and device, computing equipment and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010727441.7A CN111865999A (en) 2020-07-24 2020-07-24 Access behavior recognition method and device, computing equipment and medium

Publications (1)

Publication Number Publication Date
CN111865999A true CN111865999A (en) 2020-10-30

Family

ID=72950209

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010727441.7A Pending CN111865999A (en) 2020-07-24 2020-07-24 Access behavior recognition method and device, computing equipment and medium

Country Status (1)

Country Link
CN (1) CN111865999A (en)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102469103A (en) * 2011-07-01 2012-05-23 中国人民解放军国防科学技术大学 Trojan Horse Event Prediction Method Based on BP Neural Network
CN106992994A (en) * 2017-05-24 2017-07-28 腾讯科技(深圳)有限公司 A kind of automatically-monitored method and system of cloud service
CN107426199A (en) * 2017-07-05 2017-12-01 浙江鹏信信息科技股份有限公司 A kind of method and system of Network anomalous behaviors detection and analysis
CN108334774A (en) * 2018-01-24 2018-07-27 中国银联股份有限公司 A kind of method, first server and the second server of detection attack
CN109274639A (en) * 2018-07-03 2019-01-25 阿里巴巴集团控股有限公司 The recognition methods of open platform abnormal data access and device
CN109729094A (en) * 2019-01-24 2019-05-07 中国平安人寿保险股份有限公司 Malicious attack detection method, system, computer installation and readable storage medium storing program for executing
US20190260780A1 (en) * 2018-02-20 2019-08-22 Darktrace Limited Cyber threat defense system protecting email networks with machine learning models
US20190289025A1 (en) * 2018-03-14 2019-09-19 Bank Of America Corporation Cross-channel detection system with real-time dynamic notification processing
CN110365674A (en) * 2019-07-11 2019-10-22 武汉思普崚技术有限公司 A kind of method, server and system for predicting network attack face
CN110532773A (en) * 2018-05-25 2019-12-03 阿里巴巴集团控股有限公司 Malicious access Activity recognition method, data processing method, device and equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20201030