Disclosure of Invention
The invention provides a threat analysis method and system based on application software big data, and the following technical scheme is adopted in the application to achieve the technical purpose.
The first aspect is a threat analysis method based on application software big data, applied to a threat analysis service system, the method at least comprising: collecting the uploaded application software running logs, and mining abnormal running item descriptions in the application software running logs; performing differential description analysis on a plurality of abnormal operation item descriptions in the application software operation log to obtain a differential description analysis record; determining a local focusing attention index of abnormal operation item description in the application software operation log according to the differentiation description analysis record; optimizing the abnormal operation item description according to the local focusing attention index; excavating an intrusion attack preference description according to the optimized abnormal operation item description; and according to the intrusion attack preference description, carrying out vulnerability security threat detection on the application software running log to obtain a threat detection record.
In one possible embodiment, the mining of the abnormal operation item description in the application software operation log comprises:
detecting APP interaction events in the application software running logs to obtain target detection results of various abnormal running items;
and mining the significance content in the application software running log, and pairing the significance content in the application software running log to obtain corresponding abnormal running item description by means of the target detection result in the application software running log.
In one possible embodiment, the determining a local focus attention index of an abnormal operation item description in the application software operation log according to the differentiation description analysis record includes:
and determining a local focusing attention index between the abnormal operation item descriptions according to the correlation evaluation between the abnormal operation item descriptions in the differentiation description analysis record.
In one possible embodiment, the determining a local focus attention index between the abnormal operation item descriptions according to the evaluation of the correlation between the abnormal operation item descriptions in the differentiation description analysis record includes:
determining a first quantitative common index between abnormal operation item descriptions under the same category obtained by differential description analysis; the method for determining the first quantitative common index between the abnormal operation item descriptions under the same category obtained by the differentiation description analysis comprises the following steps: decomposing the visual description expression of the abnormal operation item description into i groups; sequentially and correspondingly determining quantitative commonality indexes for i groups of description vectors described by different abnormal operation matters to obtain i first quantitative commonality indexes; determining a first local focus attention index between intra-class abnormal operation item descriptions according to the first quantitative commonality index, comprising: determining i first local focusing attention indexes among abnormal operation item descriptions in the class according to the i first quantitative commonality indexes;
and determining a first local focusing attention index between abnormal operation item descriptions in the class according to the first quantitative commonality index.
In one possible embodiment, the determining a local focus attention index between the abnormal operation item descriptions according to the evaluation of the correlation between the abnormal operation item descriptions in the differentiation description analysis record includes:
determining the integral description vector of each category obtained by differential description analysis;
determining a second quantitative commonality index between the overall description vectors of each category obtained by the differentiation description analysis;
and determining a second local focusing attention index between the abnormal operation item descriptions according to the second quantitative commonality index.
In one possible embodiment, said optimizing said abnormal operation item description according to said local focus attention index comprises:
and for the target abnormal operation item description in each type of abnormal operation item description, merging the target abnormal operation item description and the first local focusing attention index of each abnormal operation item description in the class to obtain an intra-class optimization description vector corresponding to each abnormal operation item in the class, wherein the intra-class optimization description vector is used as the optimized abnormal operation item description.
In one possible embodiment, said optimizing said abnormal operation item description according to said local focus attention index comprises:
for the target overall description vector of the target category in each type, obtaining an inter-category optimized description vector corresponding to each category by means of the target overall description vector and the second local focusing attention index of the overall description vector of each category;
and respectively adding the inter-class optimization description vectors to the intra-class optimization description vectors corresponding to the abnormal operation items in the target type to obtain the optimized abnormal operation item description.
In a possible embodiment, the mining intrusion attack preference description according to the optimized abnormal operation item description includes: carrying out attack intention mining processing on the optimized abnormal operation item description to obtain an intrusion attack preference description; the method comprises the following steps of carrying out attack intention mining processing on the optimized abnormal operation item description to obtain intrusion attack preference description, wherein the attack intention mining processing comprises the following steps: carrying out attack intention mining processing on the optimized abnormal operation item description to obtain a program attack intention scene description; performing operation stage feature processing on the abnormal operation item descriptions of the application software operation logs to obtain abnormal operation item stage descriptions; splicing the program attack intention scene description and the abnormal operation item phase description to obtain an intrusion attack preference description;
wherein, the performing operation stage feature processing on the abnormal operation item description of the plurality of application software operation logs to obtain the abnormal operation item stage description comprises: extracting description contents of the abnormal operation item descriptions of the application software operation logs based on an active local focusing strategy to obtain a staged description vector; performing item description translation on the staged description vector based on an active local focusing strategy, and/or performing item description translation on the staged description vector based on a scene description vector to obtain abnormal operation item stage description; wherein the scene description vector is the optimized abnormal operation item description;
wherein, the mining of the attack intention is carried out on the optimized abnormal operation item description to obtain the scene description of the program attack intention, and the method comprises the following steps: and performing item description translation on the scene description vector based on an active local focusing strategy, and/or performing item description translation on the scene description vector according to the stage description vector to obtain a program attack intention scene description.
In one possible embodiment, the method further comprises: mining the software running state description of the application software running log; determining a third local focus attention index in the software running state description by means of the intrusion attack preference description; optimizing the software operating state description by means of the third local focus attention index;
according to the intrusion attack preference description, vulnerability security threat detection is carried out on the application software running log to obtain a threat detection record, and the method comprises the following steps: based on the optimized software running state description, carrying out privacy vulnerability security threat detection on the application software running log to obtain a threat detection record aiming at the privacy vulnerability security threat;
wherein after optimizing the software operating state description by means of the third local focus attention index, the method further comprises: the optimized software running state description is used as the current software running state description, the intrusion attack preference description is used as the current abnormal running item description, and the software running state description and the intrusion attack preference description are circularly optimized until the requirement of circulation expectation is met to obtain the circularly optimized software running state description and the intrusion attack preference description;
according to the intrusion attack preference description, vulnerability security threat detection is carried out on the application software running log to obtain a threat detection record, and the method comprises the following steps: based on the software running state description after the loop optimization, carrying out privacy vulnerability security threat detection on the application software running log to obtain a threat detection record aiming at the privacy vulnerability security threat;
after the software running state description and the intrusion attack preference description after the loop optimization are obtained, the method further comprises the following steps: and detecting the item vulnerability security threat based on the intrusion attack preference description after the loop optimization to obtain a threat detection record of the abnormal operation item vulnerability security threat.
A second aspect is a threat analysis service system comprising a memory and a processor; the memory and the processor are coupled; the memory for storing computer program code, the computer program code comprising computer instructions; wherein the computer instructions, when executed by the processor, cause the threat analysis service system to perform the method of the first aspect.
According to one embodiment of the invention, after the uploaded application software running logs are collected, abnormal running item descriptions in the application software running logs are mined, a plurality of abnormal running item descriptions in the application software running logs are subjected to differential description analysis to obtain differential description analysis records, local focusing attention indexes of the abnormal running item descriptions in the application software running logs are determined based on the differential description analysis records, the abnormal running item descriptions are optimized based on the local focusing attention indexes, intrusion attack preference descriptions are mined based on the optimized abnormal running item descriptions, vulnerability security threat detection is performed on the application software running logs based on the intrusion attack preference descriptions, and threat detection records are obtained.
In this way, the relation between each abnormal interaction event description (operation threat) is obtained based on the differential description analysis, the local focusing attention index of the abnormal operation item description is obtained based on the differential description analysis record, so as to ensure the attention degree among different abnormal operation item descriptions, so that the more significant operation threat information in the abnormal operation item descriptions can be quickly and accurately identified, the vulnerability security threat detection is carried out on the intrusion attack preference description mined based on the optimized abnormal operation item description, so that the resource waste and precision damage caused by the connection between interactive operation threats with low analysis attention (such as some non-key operation threats or operation threats which can not cause great data information loss) are avoided, and the accuracy and the reliability of vulnerability security threat detection are guaranteed to a certain extent.
Detailed Description
In the following, the terms "first", "second" and "third", etc. are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first," "second," or "third," etc., may explicitly or implicitly include one or more of that feature.
Fig. 1 is a schematic flowchart illustrating an application big data-based threat analysis method according to an embodiment of the present invention, where the application big data-based threat analysis method may be implemented by a threat analysis service system, and the threat analysis service system may include a memory and a processor; the memory and the processor are coupled; the memory for storing computer program code, the computer program code comprising computer instructions; wherein the computer instructions, when executed by the processor, cause the threat analysis service system to perform the aspects described in the following steps.
And step S11, collecting the uploaded application software running log, and mining the abnormal running item description in the application software running log.
In the embodiment of the present application, the application software running log may be understood as a group of application software running logs in the application software running log set, or may also be understood as several application software running logs in the application software running log set. The application software running log can be understood as uploaded in a mode of an application software running log set, and the log content volume of a single application software running log set can be set in advance.
It can be understood that the application software running log may be an application software running log recorded in a cloud server, and the application software running log may be downloaded from the relevant cloud server to collect the application software running log.
For example, the application software running log may be a text log or an image log, and the abnormal running item description may be a related feature of the abnormal running item in the application software running log, and its expression form may be a feature vector or a feature map.
In a possible embodiment, the mining of the abnormal operation item description in the application software operation log recorded in step S11 may include, for example: detecting APP interaction events in the application software running logs to obtain target detection results of various abnormal running items; and mining the significance content in the application software running log, and pairing the significance content in the application software running log to obtain corresponding abnormal running item description by means of the target detection result in the application software running log.
In actual implementation, for an abnormal operation event in the application software operation log, an event tag corresponding to the abnormal operation event in the application software operation log may be detected by using an APP interactive event detection technology, where the event tag is usually expressed by a range-type detection result, and the event tag marked by the detection result may be an event tag corresponding to the determined abnormal operation event. Considering that when the same abnormal operation items are detected, a plurality of detection results may be obtained, and then, the plurality of detection results may be subjected to redundant cleaning processing through a related policy algorithm (such as a suppression algorithm), and one detection result is reserved for one abnormal operation item in a single application software operation log and serves as an item label corresponding to the detected abnormal operation item. Further, for multiple groups of application software running logs in the application software running log set, the item labels corresponding to the abnormal running items in the multiple groups of application software running logs can be obtained through the above method.
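As an added illustration of the redundancy cleaning step above (not code from the patent), the following Python sketch applies greedy suppression to range-type detection results: detections carrying the same event tag whose ranges overlap beyond a threshold are collapsed to the single highest-scoring one, so one detection result remains per abnormal operation item. The detection records, tag names, score field and interval-overlap measure are constructed assumptions; the patent does not specify them.

```python
def range_overlap(a, b):
    """Intersection-over-union of two (start, end) ranges on the log axis (assumed measure)."""
    inter = max(0, min(a[1], b[1]) - max(a[0], b[0]))
    union = (a[1] - a[0]) + (b[1] - b[0]) - inter
    return inter / union if union > 0 else 0.0

def suppress_redundant(detections, overlap_threshold=0.5):
    """Greedy suppression: walk detections from highest to lowest score and drop any
    whose range overlaps an already-kept detection of the same event tag beyond the
    threshold, so one detection result remains per abnormal operation item."""
    kept = []
    for det in sorted(detections, key=lambda d: d["score"], reverse=True):
        redundant = any(
            k["tag"] == det["tag"] and range_overlap(k["range"], det["range"]) > overlap_threshold
            for k in kept
        )
        if not redundant:
            kept.append(det)
    return kept

# Constructed detection results for one application software running log:
# each carries an event tag, a line range and a confidence score (illustrative only).
SAMPLE_DETECTIONS = [
    {"tag": "repeated_auth_failure", "range": (10, 20), "score": 0.9},
    {"tag": "repeated_auth_failure", "range": (12, 22), "score": 0.7},   # overlaps the first
    {"tag": "repeated_auth_failure", "range": (40, 50), "score": 0.8},
    {"tag": "unexpected_data_export", "range": (11, 21), "score": 0.6},  # different tag, kept
]

if __name__ == "__main__":
    for item in suppress_redundant(SAMPLE_DETECTIONS):
        print(item)
```

The overlap threshold decides how aggressively near-duplicate ranges are merged; a threshold that is too low would also collapse genuinely distinct neighbouring events of the same kind, so it should be chosen against labelled logs rather than fixed by hand.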
In the embodiment of the present invention, the software running state description of the application software running log may be mined to obtain the software running state description of the global application software running log, for example, the software running state description of the application software running log may be mined through an extended model (an expanded convolutional network), and the content output by the last unit of the extended model is used as the software running state description. And then, carrying out description vector mining on the transitional description contents output by the middle unit of the extended model to obtain each abnormal operation item description, wherein in actual implementation, the distribution condition of the abnormal operation items in the application software operation log is the distribution condition of a plurality of detection results obtained after the redundancy cleaning processing is carried out on the related strategies, the distribution condition of the detection results in the application software operation log corresponds to the transitional description contents mined by the extended model, and the description vectors corresponding to the distribution condition of the detection results in the transitional description contents (middle characteristics) are mined by means of the related mining strategies, so that the abnormal operation item description in the application software operation log can be obtained. In addition, the mining method for the abnormal operation item description can be in other modes, and the related mining method for the abnormal operation item description is not further limited by the invention.
Step S12, performing differential description analysis on the plurality of abnormal operation item descriptions in the application software operation log to obtain a differential description analysis record.
In the embodiment of the present application, during the differential description analysis (e.g., K-means clustering), a plurality of abnormal operation item descriptions are generally divided into different categories according to preset indexes (e.g., quantitative commonality indexes, similarity), so that the quantitative commonality indexes of the abnormal operation item descriptions in the same category are as large as possible, and the differences between the abnormal operation item descriptions not in the same category are as obvious as possible. After the differentiation description analysis, abnormal operation item descriptions belonging to the same group are kept together as far as possible, and abnormal operation item descriptions belonging to different groups are kept apart as far as possible.
In the embodiment of the present invention, differential description analysis may be performed on the abnormal operation item descriptions according to a related clustering method (K-means clustering). In actual implementation, the abnormal operation item descriptions to be partitioned may be grouped into a description set, and a classification number m (for example, 5) may be preset. m abnormal operation item descriptions are arbitrarily selected from the description set to serve as the basic differential description analysis nodes of m types. For each abnormal operation item description in the description set other than the m basic differential description analysis nodes, a comparison result (for example, cosine similarity; the comparison result characterizes the quantitative commonality index between descriptions) between that abnormal operation item description and the description content of each of the m basic differential description analysis nodes is determined, and the abnormal operation item description is partitioned into the type corresponding to the basic differential description analysis node for which its comparison result shows the highest relevance. The current differential description analysis node of each of the m types is then determined again according to the abnormal operation item descriptions included in that type, and the abnormal operation item descriptions in the description set are partitioned again, until, for each of the m types, the comparison result between the differential description analysis nodes of two adjacent rounds of differential description analysis falls within the set comparison result.
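The K-means style procedure just described, written out as an added Python example (not the patent's code): cosine similarity is used as the comparison result, the node of each type is re-determined as the mean of its members, and the loop stops once every node's similarity to its previous-round value reaches the set comparison result. The sample description vectors, the `init_idx` parameter, the stop threshold and the returned record format are assumptions.

```python
import math
import random

def cosine(a, b):
    """Comparison result between two description vectors (cosine similarity)."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(x * x for x in b))
    return dot / (na * nb) if na and nb else 0.0

def mean_vector(vectors):
    """Re-determined differential description analysis node of a type: the mean of its members."""
    dim = len(vectors[0])
    return [sum(v[d] for v in vectors) / len(vectors) for d in range(dim)]

def differential_description_analysis(descs, m, init_idx=None, stop_sim=0.999,
                                      max_rounds=100, seed=0):
    """Partition abnormal operation item descriptions into m types.

    descs    : list of description vectors (one per abnormal operation item)
    m        : preset classification number
    init_idx : indexes of the m descriptions used as basic nodes (random if None)
    stop_sim : set comparison result between adjacent-round nodes that ends the loop
    Returns (labels, nodes, record); record maps type -> member indexes and is the
    differential description analysis record used by the later steps.
    """
    if init_idx is None:
        init_idx = random.Random(seed).sample(range(len(descs)), m)
    nodes = [list(descs[i]) for i in init_idx]
    labels = [0] * len(descs)
    for _ in range(max_rounds):
        # Assign every description to the node whose comparison result is highest.
        for i, d in enumerate(descs):
            labels[i] = max(range(m), key=lambda k: cosine(d, nodes[k]))
        # Re-determine the current node of each type from its members.
        new_nodes = []
        for k in range(m):
            members = [descs[i] for i in range(len(descs)) if labels[i] == k]
            new_nodes.append(mean_vector(members) if members else nodes[k])
        converged = all(cosine(nodes[k], new_nodes[k]) >= stop_sim for k in range(m))
        nodes = new_nodes
        if converged:
            break
    record = {k: [i for i in range(len(descs)) if labels[i] == k] for k in range(m)}
    return labels, nodes, record

# Constructed sample: six 3-dimensional abnormal operation item descriptions,
# three of one kind and three of another (illustrative values only).
SAMPLE_DESCS = [
    [0.9, 0.1, 0.0], [1.0, 0.2, 0.1], [0.8, 0.0, 0.1],
    [0.1, 0.9, 0.2], [0.0, 1.0, 0.1], [0.2, 0.8, 0.0],
]

if __name__ == "__main__":
    labels, nodes, record = differential_description_analysis(SAMPLE_DESCS, m=2, init_idx=(0, 3))
    print("labels:", labels)
    print("record:", record)
```

Because the basic nodes are chosen arbitrarily, the partition can differ between runs; in practice the analysis is repeated with several seeds and the run with the highest within-type commonality is kept.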
It can be understood that after performing the differential description analysis on the abnormal operation item description, the obtained differential description analysis records that a plurality of abnormal operation item descriptions are divided into a plurality of categories, and finally, the differential description analysis node of each category is also determined after being optimized (updated) for a plurality of times.
Step S13, determining a local focus attention index of the abnormal operation item description in the application software operation log according to the differentiation description analysis record.
In the embodiment of the application, the differential description analysis records can be used to represent the hidden relation among a plurality of abnormal operation item descriptions, so that hidden contents with higher value can be obtained and grouped into one type, and the identification degree and the potential value of the descriptions are highlighted as much as possible, which can improve the accuracy and the richness of vulnerability security threat detection on the application software operation logs. Therefore, the local focusing (local features) of the abnormal operation item descriptions in the application software operation logs can be attended to (weighted) based on the differential description analysis records, and the feature value of the description contents with higher attention can be deeply shown.
It can be understood that there are various ways for determining the local focus attention index in a relevant manner, for example, the local focus attention index may be determined according to a quantitative commonality index between the intra-class abnormal operation item descriptions, or according to a quantitative commonality index of the inter-class description contents, and further, the local focus attention index may be implemented in combination with possible embodiments provided by the present invention, which are not described herein in detail.
And step S14, optimizing the abnormal operation item description according to the local focusing attention index.
In the embodiment of the present application, after determining the local focus attention index (attention distribution weight), the abnormal operation item description may be optimized to mark local focus information in the abnormal operation item description. In practical implementation, the local focusing attention index can be used for merging the abnormal operation item descriptions to optimize the abnormal operation item descriptions, for example, in the related field, the visual description expression is used for representing the abnormal operation item descriptions, so that the local focusing attention index and the visual description expression can be multiplied to realize local focusing attention index configuration on the abnormal operation item descriptions, and the optimization on the abnormal operation item descriptions is realized.
In the embodiment of the invention, a first local focusing attention index can be obtained based on a first quantization common index (similarity) of the intra-class abnormal operation item descriptions obtained by differentiation description analysis, and a second local focusing attention index can be obtained based on a quantization common index of the inter-class overall description vectors. The process of optimizing the abnormal operation event description by means of the first local focusing attention index and the second local focusing attention index may be combined with the exemplary embodiments provided by the present invention, and is not described here in detail.
And step S15, mining the intrusion attack preference description according to the optimized abnormal operation item description.
In the embodiment of the present application, the intrusion attack preference description may be understood as a preference description of the abnormal operation event at a scene level and a stage level. For the abnormal operation items in the same application software operation log, abnormal operation event state information capable of representing the characteristics of those abnormal operation items is described, and the program attack intention scene description is obtained based on the optimized abnormal operation item description. The program attack intention scene description (focusing on event distribution) may be spliced with the abnormal operation item phase description (focusing on event timing) to obtain the intrusion attack preference description, and the relevant splicing process may be combined with the exemplary embodiment provided by the present invention, which is not described herein in detail.
And step S16, according to the intrusion attack preference description, carrying out vulnerability security threat detection on the application software running log to obtain a threat detection record.
In the embodiment of the application, the feature value of the description content with higher attention is deeply shown based on the abnormal operation item description after the local focusing attention index optimization, and then the feature value of the description content with higher attention is also deeply shown in the intrusion attack preference description mined based on the abnormal operation item description. Therefore, vulnerability security threat detection is carried out on the application software running log based on the excavated intrusion attack preference description, and the accuracy and the credibility of threat detection records can be improved.
The vulnerability security threat detection in the embodiment of the invention can comprise item vulnerability security threat detection of abnormal interaction events and/or privacy vulnerability security threat detection of privacy, and the vulnerability security threat detection of application software running logs based on intrusion attack preference description can be carried out in various ways, for example, vulnerability security threat detection of abnormal running items of abnormal interaction events can be directly carried out on the excavated intrusion attack preference description; for another example, local focusing and merging can be performed on the software running state description of the application software running log by means of the intrusion attack preference description, and privacy vulnerability security threat detection can be performed by means of the software running state description after local focusing and merging. Further illustrative embodiments may be provided in connection with the present invention, which are not set forth herein in any greater detail.
In the embodiment of the invention, after the uploaded application software running logs are collected, abnormal running item descriptions in the application software running logs are mined, a plurality of abnormal running item descriptions in the application software running logs are subjected to differential description analysis to obtain differential description analysis records, then local focusing attention indexes of the abnormal running item descriptions in the application software running logs are determined based on the differential description analysis records, the abnormal running item descriptions are optimized based on the local focusing attention indexes, then intrusion attack preference descriptions are mined based on the optimized abnormal running item descriptions, and security threat detection is performed on the application software running logs based on the intrusion attack preference descriptions to obtain threat detection records. Therefore, the relation between each abnormal interaction event description (operation threat) is obtained based on the differential description analysis, the local focusing attention index of the abnormal operation item description is obtained based on the differential description analysis record, so that the attention degree between different abnormal operation item descriptions is ensured, the more obvious operation threat information in the abnormal operation item description can be quickly and accurately identified, then, the vulnerability security threat detection is carried out on the intrusion attack preference description mined based on the optimized abnormal operation item description, the resource waste and the precision damage caused by the relation between the interactive operation threats with lower analysis attention degree are avoided, and the accuracy and the reliability of the vulnerability security threat detection are ensured to a certain extent.
In a possible embodiment, the step S13 of determining the local focus attention index of the abnormal operation item description in the application software operation log according to the differentiation description analysis record may include: and determining a local focusing attention index between the abnormal operation item descriptions according to the correlation evaluation between the abnormal operation item descriptions in the differentiation description analysis record.
In the embodiment of the present application, the correlation evaluation (correlation) may be used to characterize a correlation between the abnormal operation item descriptions, for example, a quantitative commonality index between the abnormal operation item descriptions may be used, and then, the local focus attention index between the abnormal operation item descriptions may be determined based on the quantitative commonality index between the abnormal operation item descriptions.
In the embodiment of the present invention, two embodiments are provided for determining a local focus attention index based on a correlation evaluation between abnormal operation item descriptions in a differential description analysis record: in the first, a first local focus attention index is determined based on a quantization common index of the abnormal operation item descriptions within a class; in the second, a second local focus attention index is determined based on a quantization common index between the overall description vectors of the classes. These two embodiments are further described below.
In one possible embodiment, determining the local focusing attention index between the abnormal operation item descriptions according to the correlation evaluation in the differentiation description analysis record may include: determining a first quantitative commonality index between abnormal operation item descriptions that the differential description analysis placed in the same category; and determining a first local focusing attention index between the abnormal operation item descriptions in that class according to the first quantitative commonality index.
The first quantitative commonality index between abnormal operation item descriptions in the same category may be a quantitative commonality index between every pair of descriptions in that category. Any feature commonality measure known in the art may be used to compute it; the computation is not described further here.
After the quantitative commonality index between the abnormal operation item descriptions has been determined, it may be normalized, for example by a softmax model, and the normalized value is the first local focusing attention index of the descriptions. Applying the first local focusing attention index to an abnormal operation item description optimizes that description by marking the local focusing information in it; the optimized description emphasizes the feature values of the description content that receives high attention, so that vulnerability detection performed on the application software operation log using the optimized description yields threat detection records of higher precision and reliability.
In this embodiment, then, a first quantitative commonality index is determined between abnormal operation item descriptions in the same category obtained by differential description analysis, and a first local focusing attention index between the descriptions in that class is determined from it. The quantitative commonality index within a category gives the relevance evaluation between the descriptions in that category, so the first local focusing attention index derived from it significantly raises the feature value of the description content with higher attention, and vulnerability security threat detection performed on the application software operation log with the optimized descriptions is more precise and reliable.
In one possible embodiment, determining the first quantitative commonality index between abnormal operation item descriptions in the same category obtained by differential description analysis may include: decomposing the visual description expression of each abnormal operation item description into i groups; and determining, group by group, the quantitative commonality index between the corresponding groups of the description vectors of different abnormal operation item descriptions, giving i first quantitative commonality indexes. Determining the first local focusing attention index between the descriptions in the class according to the first quantitative commonality index may then include: determining i first local focusing attention indexes between the abnormal operation item descriptions in the class according to the i first quantitative commonality indexes.
After the i first quantitative commonality indexes are obtained, the i first local focusing attention indexes between the abnormal operation item descriptions in the class are determined from them in the manner already described for the local focusing attention index, which is not repeated here.
Decomposing the visual description expressions into i groups and determining a quantitative commonality index and a first local focusing attention index for each group exposes the relation between the abnormal operation item descriptions in more detail, so that the relation can be described more accurately and the precision and reliability of vulnerability security threat detection based on the descriptions is further improved.
In one possible embodiment, determining the local focusing attention index between the abnormal operation item descriptions according to the correlation evaluation in the differentiation description analysis record may include: determining the overall description vector of each category obtained by differential description analysis; determining a second quantitative commonality index between the overall description vectors of the categories; and determining a second local focusing attention index between the abnormal operation item descriptions according to the second quantitative commonality index.
The overall description vector of a category in the differential description analysis record (which may be understood as a clustering result) characterizes the abnormal operation item descriptions of that category at a global level. It is computed from the descriptions in the category, for example by an overall reduction of those descriptions or by any other reduction of them; the embodiment does not limit how the overall description vector is determined.
The overall description vector of each category may also be the feature of that category's differentiation description analysis node in the record. In one possible embodiment, determining the overall description vector of each category therefore includes: taking the feature of the differentiation description analysis node of each category in the record as the overall description vector of that category. During differential description analysis, whether an APP interaction event feature belongs to a category is decided by its comparison result (quantitative commonality index) with the category's analysis node, so the node feature has a high matching index with all APP interaction event features in the category and accurately represents the category's overall description vector.
The second quantitative commonality index between the overall description vectors of different categories may be a quantitative commonality index between every pair of overall description vectors, computed by any method known in the art.
After the second quantitative commonality index between the overall description vectors has been determined, it may be normalized, for example by a softmax model, to obtain the second local focusing attention index of the abnormal operation item descriptions. The second local focusing attention index is applied to the abnormal operation item descriptions to mark the local focusing information in them, and the result is the optimized abnormal operation item descriptions.
In this embodiment, then, the overall description vector of each category is obtained from the abnormal operation item descriptions in that category; a second quantitative commonality index between the overall description vectors is determined; and a second local focusing attention index between the descriptions is determined from it. The quantitative commonality index between the overall description vectors of different groups gives the relevance evaluation between the abnormal operation item descriptions of different classes, so the second local focusing attention index emphasizes the feature values of the description content with higher attention, and vulnerability security threat detection performed on the application software operation log with the optimized descriptions produces more accurate threat detection records.
After the local focusing attention index is determined, the abnormal operation item description is optimized so that its local focusing information is marked. Since both a first and a second local focusing attention index may be obtained as described above, the optimization by means of each is described in turn.
In one possible embodiment, optimizing the abnormal operation item description according to the local focusing attention index may include: for a target abnormal operation item description in each class, merging the target description with every abnormal operation item description in the class according to the first local focusing attention index between them, to obtain an intra-class optimized description vector for each abnormal operation item in the class, which serves as the optimized abnormal operation item description.
That is, for a target description in a class, each description in the class is weighted by the first local focusing attention index between the target and that description and the weighted descriptions are merged; the result is the intra-class optimized description vector of the target, used as its optimized abnormal operation item description.
The optimized target description thus incorporates the matching indexes of all descriptions in the class and, given the high matching indexes between features within a class, emphasizes the feature values of the description content with higher attention; vulnerability security threat detection performed on the application software operation log with the optimized description therefore yields threat detection records of higher precision and reliability.
In one possible embodiment, optimizing the abnormal operation item description according to the local focusing attention index may include: for the target overall description vector of a target category, obtaining an inter-class optimized description vector for the category by means of the target overall description vector and the second local focusing attention index between it and the overall description vectors of all categories; and adding the inter-class optimized description vector to the intra-class optimized description vector of each abnormal operation item in the target category to obtain the optimized abnormal operation item descriptions.
In other words, the inter-class optimized description vector of the target class is the merge of the overall description vectors of all classes weighted by the second local focusing attention index, and that merge result is added to each abnormal operation item description in the target class.
After the abnormal operation item descriptions are optimized by means of the second local focusing attention index in this way, the optimized descriptions emphasize the feature values of the description content with higher attention, so that vulnerability security threat detection performed on the application software operation log with them yields threat detection records of higher precision and reliability.
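The intra-class and inter-class optimization described above, including the decomposition into i groups and the addition of the inter-class vector to each intra-class vector, as an added worked example in Python; this is illustrative code, not code from the patent. It assumes cosine similarity as the quantitative commonality index, a softmax as the normalization, the mean of a class as its overall description vector (one possible "overall reduction"), and constructed class memberships and vector values; none of these choices is fixed by the text.

```python
import math
from typing import List, Tuple

Vector = List[float]


def commonality(a: Vector, b: Vector) -> float:
    """Quantitative commonality index between two description vectors.
    Cosine similarity is assumed (an assumption, not fixed by the text);
    it is 0 when either vector is all zeros."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


def softmax(scores: List[float]) -> List[float]:
    """Normalization of commonality indexes into attention weights summing to 1."""
    peak = max(scores)
    exps = [math.exp(s - peak) for s in scores]
    total = sum(exps)
    return [e / total for e in exps]


def split_groups(v: Vector, groups: int) -> List[Vector]:
    """Decompose a description vector into i equal-length groups (i = groups)."""
    if len(v) % groups:
        raise ValueError("vector length must be divisible by the number of groups")
    size = len(v) // groups
    return [v[g * size:(g + 1) * size] for g in range(groups)]


def intra_class_attention(members: List[Vector], groups: int = 1) -> List[List[List[float]]]:
    """First local focusing attention index. attn[t][g][m] is the weight of
    class member m for target t in group g: the softmax over the commonality
    indexes between the g-th group of t and the g-th group of every member."""
    parts = [split_groups(m, groups) for m in members]
    return [[softmax([commonality(parts[t][g], parts[m][g]) for m in range(len(members))])
             for g in range(groups)]
            for t in range(len(members))]


def intra_class_optimize(members: List[Vector], groups: int = 1) -> List[Vector]:
    """Merge step: the intra-class optimized description vector of each target is
    the attention-weighted sum of all members of its class, group by group."""
    attn = intra_class_attention(members, groups)
    parts = [split_groups(m, groups) for m in members]
    optimized = []
    for t in range(len(members)):
        merged: Vector = []
        for g in range(groups):
            merged += [sum(attn[t][g][m] * parts[m][g][d] for m in range(len(members)))
                       for d in range(len(parts[t][g]))]
        optimized.append(merged)
    return optimized


def overall_description_vector(members: List[Vector]) -> Vector:
    """Overall description vector of one class. Mean pooling is assumed as the
    'overall reduction'; the text leaves the reduction open."""
    return [sum(m[d] for m in members) / len(members) for d in range(len(members[0]))]


def inter_class_optimize(classes: List[List[Vector]]) -> Tuple[List[List[float]], List[Vector]]:
    """Second local focusing attention index between the overall vectors of the
    classes, and the inter-class optimized description vector of each class
    (the overall vectors merged according to that index)."""
    overall = [overall_description_vector(c) for c in classes]
    attn = [softmax([commonality(a, b) for b in overall]) for a in overall]
    inter = [[sum(attn[k][j] * overall[j][d] for j in range(len(overall)))
              for d in range(len(overall[0]))]
             for k in range(len(overall))]
    return attn, inter


def optimize_descriptions(classes: List[List[Vector]], groups: int = 1) -> List[List[Vector]]:
    """Full optimization: intra-class attention inside each class, then the
    inter-class optimized vector of the class added to every member's result."""
    _, inter = inter_class_optimize(classes)
    return [[[x + y for x, y in zip(v, inter[k])] for v in intra_class_optimize(members, groups)]
            for k, members in enumerate(classes)]


if __name__ == "__main__":
    # Constructed sample: two classes from a hypothetical differential description
    # analysis, each holding 4-dimensional abnormal operation item descriptions.
    sample_classes = [
        [[0.9, 0.1, 0.0, 0.0], [0.8, 0.2, 0.0, 0.1], [0.7, 0.3, 0.1, 0.0]],
        [[0.0, 0.1, 0.9, 0.2], [0.1, 0.0, 0.8, 0.3]],
    ]
    for k, vectors in enumerate(optimize_descriptions(sample_classes, groups=2)):
        print("class", k, [[round(x, 3) for x in v] for v in vectors])
```

Each attention row sums to 1, so a member identical to the target receives the largest weight and a class whose members are all identical is left unchanged by the intra-class step; the inter-class step then shifts every member of a class towards the overall vectors of the classes most similar to its own.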
In one possible embodiment, mining the intrusion attack preference description according to the optimized abnormal operation item description may include: performing attack intention mining processing on the optimized abnormal operation item description to obtain the intrusion attack preference description.
The intrusion attack preference description comprises a program attack intention scene description. Because the abnormal operation item descriptions within one application software operation log together characterize the scene state of that log, attack intention mining processing on the descriptions optimized by the local focusing attention index yields the program attack intention scene description, which represents the abnormal operation event state information of the abnormal operation item descriptions in the log. The manner of performing attack intention mining processing on the optimized descriptions follows the exemplary embodiments below and is not elaborated here.
The intrusion attack preference description may further include an abnormal operation item phase description. In one possible embodiment, performing attack intention mining processing on the optimized abnormal operation item description to obtain the intrusion attack preference description may include: performing attack intention mining processing on the optimized abnormal operation item description to obtain a program attack intention scene description; performing operation phase feature processing on the abnormal operation item descriptions of the application software operation logs to obtain an abnormal operation item phase description; and splicing the program attack intention scene description and the abnormal operation item phase description to obtain the intrusion attack preference description.
Within one set of application software operation logs, the description of the same abnormal operation item may change from one log to another, so the abnormal operation item phase description represents how the description of the same abnormal operation item varies across phases in different logs. It is obtained by operation phase feature processing of the descriptions of the same abnormal operation item in the different logs.
The abnormal operation item phase description is then spliced with the program attack intention scene description, for example by merging the two, to obtain the intrusion attack preference description. Vulnerability security threat detection on the application software operation log based on this description takes into account both the scene description and the phase description of the abnormal operation items, which improves the precision and reliability of the threat detection records.
In one possible embodiment, performing operation phase feature processing on the abnormal operation item descriptions of the application software operation logs to obtain the abnormal operation item phase description may include: extracting description content from the abnormal operation item descriptions of the logs by means of an active local focusing strategy to obtain a staged description vector; and performing item description translation on the staged description vector by means of the active local focusing strategy and/or performing item description translation on the staged description vector by means of a scene description vector, to obtain the abnormal operation item phase description, where the scene description vector is the optimized abnormal operation item description.
After the abnormal operation item descriptions of the application software operation logs are mined, they may be passed to a feature mining layer, where description content is extracted by the active local focusing strategy to obtain the staged description vector. In this feature mining, the active local focusing strategy determines, for the abnormal operation item description in each log, the matching possibility with the APP interaction event features of the other phases, and the matching possibilities are combined with the APP interaction event features of the corresponding phases (a weighted summation) to form the staged description vector.
In item description translation of the staged description vector, the staged description vector may be translated by means of the active local focusing strategy to obtain a first-stage description, and may also be translated by means of the scene description vector to obtain a second-stage description; the first-stage description and the second-stage description are then spliced to obtain the abnormal operation item phase description.
In translating the staged description vector by means of the scene description vector, a quantitative commonality index between the scene description vector and the staged description vector is determined, and the staged description vectors are merged according to that index to obtain the second-stage description. Translating the staged description vector by means of the scene description vector thus splices scene association information into the second-stage description and emphasizes its salient content, which improves the precision and reliability of the final vulnerability security threat detection record.
There may likewise be several ways of performing item description translation on the scene description vector. In one possible embodiment, performing attack intention mining processing on the optimized abnormal operation item description to obtain the program attack intention scene description may include: performing item description translation on the scene description vector by means of an active local focusing strategy and/or performing item description translation on the scene description vector by means of the staged description vector, to obtain the program attack intention scene description.
In item description translation of the scene description vector, the scene description vector may be translated by means of the active local focusing strategy (which may be understood as a self-attention mechanism) to obtain a first scene description, and may also be translated by means of the staged description vector to obtain a second scene description; the first and second scene descriptions are then spliced to obtain the program attack intention scene description. In translating the scene description vector by means of the active local focusing strategy, the correlation (for example a quantitative commonality index) between the scene description vectors of different abnormal operation items is determined, and the scene description vectors are combined according to that correlation to obtain the first scene description.
In translating the scene description vector by means of the staged description vector, a quantitative commonality index between the staged description vector and the scene description vector is determined, and the scene description vectors are merged according to that index to obtain the second scene description. This splices phase association information into the second scene description and emphasizes its salient content, which improves the precision and reliability of the final vulnerability security threat detection record.
In this embodiment, then, the staged description vector is translated to obtain the abnormal operation item phase description, the scene description vector is translated to obtain the program attack intention scene description, and the two are spliced. The resulting intrusion attack preference description, built by a comprehensive analysis combining scene association and phase association, brings out the threat detection value of the abnormal operation item, so that vulnerability security threat detection based on it yields threat detection records of higher precision and reliability.
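The staged description vector, the two item description translations of each vector (self-attention and cross-attention against the other vector), and the final splicing, as an added Python example; it is illustrative code, not code from the patent. It assumes cosine similarity as the quantitative commonality index, a softmax as the normalization, and concatenation as the splicing operation; the per-log raw and scene description vectors in the sample are constructed.

```python
import math
from typing import List

Vector = List[float]


def commonality(a: Vector, b: Vector) -> float:
    """Quantitative commonality index (cosine similarity is assumed; 0 for a zero vector)."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


def softmax(scores: List[float]) -> List[float]:
    """Normalization of commonality indexes into weights summing to 1."""
    peak = max(scores)
    exps = [math.exp(s - peak) for s in scores]
    total = sum(exps)
    return [e / total for e in exps]


def attend(queries: List[Vector], keys: List[Vector]) -> List[Vector]:
    """Local focusing: every query weights the keys by the normalized commonality
    index and returns their weighted sum. With queries == keys this is the active
    local focusing strategy (self-attention); with different sequences it is the
    scene-based or stage-based item description translation."""
    result = []
    for q in queries:
        weights = softmax([commonality(q, k) for k in keys])
        result.append([sum(weights[j] * keys[j][d] for j in range(len(keys)))
                       for d in range(len(keys[0]))])
    return result


def splice(a: List[Vector], b: List[Vector]) -> List[Vector]:
    """Splice two aligned sequences of vectors log by log (concatenation assumed)."""
    return [x + y for x, y in zip(a, b)]


def staged_description_vectors(item_across_logs: List[Vector]) -> List[Vector]:
    """Operation phase feature processing: the description of one abnormal item in
    each log attends to the same item's features in the other logs (phases); the
    weighted summation is the staged description vector for that log."""
    return attend(item_across_logs, item_across_logs)


def abnormal_item_phase_description(staged: List[Vector], scene: List[Vector]) -> List[Vector]:
    """First-stage description (self-attention over the staged vectors) spliced with
    the second-stage description (staged vectors merged according to their
    commonality with the scene description vector of each log)."""
    return splice(attend(staged, staged), attend(scene, staged))


def program_attack_intention_scene_description(scene: List[Vector], staged: List[Vector]) -> List[Vector]:
    """First scene description (self-attention over the scene vectors) spliced with
    the second scene description (scene vectors merged according to their
    commonality with the staged description vector of each log)."""
    return splice(attend(scene, scene), attend(staged, scene))


def intrusion_attack_preference_description(item_across_logs: List[Vector],
                                            scene: List[Vector]) -> List[Vector]:
    """Intrusion attack preference description of one abnormal operation item across
    a set of logs: the program attack intention scene description spliced with the
    abnormal operation item phase description."""
    staged = staged_description_vectors(item_across_logs)
    scene_desc = program_attack_intention_scene_description(scene, staged)
    phase_desc = abnormal_item_phase_description(staged, scene)
    return splice(scene_desc, phase_desc)


if __name__ == "__main__":
    # Constructed sample: one abnormal operation item seen in three logs, each with a
    # 2-d raw description and a 2-d optimized (scene) description vector.
    raw = [[0.9, 0.1], [0.6, 0.4], [0.2, 0.8]]
    scene = [[0.3, 0.7], [0.5, 0.5], [0.8, 0.2]]
    for log_index, v in enumerate(intrusion_attack_preference_description(raw, scene)):
        print("log", log_index, [round(x, 3) for x in v])
```

With d-dimensional inputs the preference description of each log has 4d dimensions: first and second scene description, then first and second stage description. When the query and key sequences are orthogonal the cross-attention weights are uniform, so the translation degenerates to the plain mean of the keys; that is the boundary case a practitioner should expect when scene and phase information carry no shared signal.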
In one possible embodiment, the method further comprises: mining the software running state description of the application software running log; determining a third local focusing attention index in the software running state description by means of the intrusion attack preference description; and optimizing the software running state description by means of the third local focusing attention index. Performing vulnerability security threat detection on the application software running log according to the intrusion attack preference description to obtain a threat detection record may then include: performing privacy vulnerability security threat detection on the application software running log based on the optimized software running state description to obtain a threat detection record for the privacy vulnerability security threat.
The software running state description of an application software running log may be obtained by mining a description vector from the running items of the whole log, and may also be called the log description of the log; it may be mined, for example, by an extended model.
Local focusing attention may be applied to the mined software running state description; for example, it may be applied by means of the intrusion attack preference description, in which case a third local focusing attention index in the software running state description is determined by means of the intrusion attack preference description and the software running state description is then optimized by means of that index.
The optimized software running state description is thus the description content obtained after local focusing attention has been applied to the software running state description through the intrusion attack preference description: the content with higher attention is retained and the content with lower attention is reduced. Vulnerability security threat detection performed on the application software running log based on the optimized software running state description is therefore more precise and reliable.
In privacy vulnerability security threat detection of the application software running log, the optimized software running state description is input to a feature classification unit (which may be understood as a fully connected layer) of a deep learning model. A plurality of privacy vulnerability security threat categories is set in the feature classification unit; it outputs, for the software running state description, a reliability coefficient for each privacy vulnerability security threat category, and the category with the highest reliability coefficient serves as the threat detection record for the privacy vulnerability security threat.
In a possible embodiment, after optimizing the software operating state description by means of the third local focus attention index, the method may further comprise: the optimized software running state description is used as the current software running state description, the intrusion attack preference description is used as the current abnormal running item description, and the software running state description and the intrusion attack preference description are circularly optimized until the requirement of circulation expectation is met to obtain the circularly optimized software running state description and the intrusion attack preference description; according to the intrusion attack preference description, performing vulnerability security threat detection on the application software running log to obtain a threat detection record, which exemplarily comprises: and based on the software running state description after the loop optimization, carrying out privacy vulnerability security threat detection on the application software running log to obtain a threat detection record aiming at the privacy vulnerability security threat.
In the embodiment of the present application, the intrusion attack preference description is taken as the current abnormal operation item description, and that description is optimized cyclically. In actual implementation, steps S12 to S15 are performed in a loop to obtain the loop-optimized intrusion attack preference description. The loop may likewise be built from one or more of the possible embodiments of steps S12 to S15 provided by the present invention, for example: the embodiment that optimizes the abnormal operation item description based on a first local focus attention index between abnormal operation item descriptions within a class; the embodiment that optimizes the abnormal operation item description based on a second local focus attention index between inter-class description contents; and the embodiment that performs attack intention mining on the optimized abnormal operation item description to obtain the intrusion attack preference description. These are not expanded in detail here, and the further possible embodiments of steps S12 to S15 provided by the present invention can be combined.
Similarly, the optimized software running state description can be taken as the current software running state description and optimized in a loop. When the loop expectation requirement is met, the loop is terminated, and the loop-optimized software running state description and the intrusion attack preference description are obtained. The loop termination condition includes: the loop has been executed a specified number of times.
After loop optimization, privacy vulnerability security threat detection can be performed on the application software running log based on the loop-optimized software running state description, so that threat detection records for privacy vulnerability security threats are obtained. Because the loop-optimized software running state description highlights the description content with higher attention and reduces the description content with lower attention, the precision and reliability of privacy vulnerability security threat detection are improved.
In a possible embodiment, after the loop-optimized software running state description and the intrusion attack preference description are obtained, the method may further include: detecting abnormal operation item vulnerability security threats based on the loop-optimized intrusion attack preference description to obtain a threat detection record for the abnormal operation item vulnerability security threat.
The intrusion attack preference description is input into the feature classification unit of the deep learning model, which performs the classification. A plurality of visual operation threats are preset in the feature classification unit; given the intrusion attack preference description, the unit outputs a reliability coefficient for each preset operation threat, and the visual operation threat with the highest reliability coefficient is taken as the threat detection record of the abnormal operation item vulnerability security threat.
In the embodiment of the invention, the intrusion attack preference description can be understood as the locally focused feature: it preserves the description content with higher attention in the software running state description and reduces the description content with lower attention. Performing abnormal running event operation threat detection on the basis of the intrusion attack preference description therefore yields a more accurate threat detection record for the abnormal running event operation threat.
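As an added illustration of the loop optimization (steps S12 to S15 repeated a specified number of times) and of the feature classification unit described above, the following Python block is example code written for this page, not code from the patent. The feature layout of the abnormal operation item descriptions, the deviation-based attention formula, the sharpness temperature, and the preset threat names and weight vectors are all assumptions chosen for the example; a real deep learning model would learn them. The sample descriptions are constructed inline.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Sequence

Vector = List[float]

# Constructed sample input (not from the patent): four abnormal operation item
# descriptions mined from one app's running log, as hypothetical feature vectors
# [privileged_api_calls, sensitive_data_reads, network_egress], each scaled to [0, 1].
ABNORMAL_ITEMS: List[Vector] = [
    [0.9, 0.8, 0.1],   # repeated privileged API use, little egress
    [0.8, 0.9, 0.2],   # same kind of event
    [0.7, 0.7, 0.3],   # same kind of event
    [0.0, 0.1, 0.9],   # an isolated, unrelated egress spike (low attention expected)
]

# Preset operation threats of the feature classification unit. Names and weight
# vectors are assumptions for this example; a trained model would learn them.
PRESET_THREATS: Dict[str, Vector] = {
    "privilege_abuse":      [1.0, 1.2, -0.5],
    "privacy_exfiltration": [0.2, 0.3, 1.5],
    "benign_noise":         [0.0, 0.0, 0.0],
}


def _softmax(scores: Sequence[float]) -> List[float]:
    m = max(scores)
    exps = [math.exp(s - m) for s in scores]
    z = sum(exps)
    return [e / z for e in exps]


def _weighted_mean(items: Sequence[Vector], weights: Sequence[float]) -> Vector:
    dim = len(items[0])
    return [sum(w * item[k] for item, w in zip(items, weights)) for k in range(dim)]


def differential_analysis(items: Sequence[Vector], reference: Vector) -> List[float]:
    """Differential description analysis record (assumed form): how far each item
    description deviates (Euclidean distance) from the current consensus description."""
    return [math.sqrt(sum((x - r) ** 2 for x, r in zip(item, reference))) for item in items]


def local_focus_attention(record: Sequence[float], sharpness: float = 4.0) -> List[float]:
    """Local focus attention index (assumed form): softmax over negative deviation, so
    items that agree with the consensus are emphasised and isolated ones suppressed.
    `sharpness` is an assumed temperature."""
    return _softmax([-sharpness * d for d in record])


@dataclass
class LoopResult:
    rounds_run: int
    attention: List[float]   # final local focus attention index per item
    preference: Vector       # mined intrusion attack preference description


def loop_optimize(items: Sequence[Vector], rounds: int) -> LoopResult:
    """Steps S12-S15 run cyclically; the loop terminates after a specified number
    of rounds, which is the termination condition the text names."""
    n = len(items)
    attention = [1.0 / n] * n
    preference = _weighted_mean(items, attention)
    for _ in range(rounds):
        record = differential_analysis(items, preference)   # S12
        attention = local_focus_attention(record)           # S13
        # S14: optimising = re-weighting each description by its attention index;
        # S15: the attention-weighted pooling is the mined preference description.
        preference = _weighted_mean(items, attention)
    return LoopResult(rounds, attention, preference)


def classify(preference: Vector, threats: Dict[str, Vector] = PRESET_THREATS) -> Dict[str, float]:
    """Feature classification unit: one reliability coefficient per preset threat
    (softmax over linear scores); the coefficients sum to 1."""
    names = list(threats)
    scores = [sum(w * x for w, x in zip(threats[name], preference)) for name in names]
    return dict(zip(names, _softmax(scores)))


def threat_detection_record(items: Sequence[Vector], rounds: int = 5) -> str:
    """Threat detection record: the preset threat with the highest reliability coefficient."""
    coeffs = classify(loop_optimize(items, rounds).preference)
    return max(coeffs, key=coeffs.get)


if __name__ == "__main__":
    result = loop_optimize(ABNORMAL_ITEMS, rounds=5)
    print("attention:", [round(a, 3) for a in result.attention])
    print("preference:", [round(x, 3) for x in result.preference])
    print("reliability:", {k: round(v, 3) for k, v in classify(result.preference).items()})
    print("record:", threat_detection_record(ABNORMAL_ITEMS))
```

Each round moves the consensus description toward the items that already carry high attention, so the isolated item's attention index shrinks from round to round; this is the sense in which the loop "highlights the description content with higher attention and reduces the content with lower attention" before the classifier sees it. The fixed round count is the only termination condition implemented here, matching the one the text names.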
Based on the same inventive concept, fig. 2 shows a block diagram of a threat analysis apparatus based on application software big data provided by an embodiment of the present invention. The apparatus may include the following modules for implementing the relevant method steps shown in fig. 1.
The log collection module 21 is configured to collect the uploaded application software running logs and to mine abnormal running item descriptions in the application software running logs.
The item analysis module 22 is configured to perform differential description analysis on a plurality of abnormal operation item descriptions in the application software operation log to obtain a differential description analysis record.
The index determining module 23 is configured to determine, according to the differential description analysis record, a local focusing attention index of the abnormal operation item description in the application software operation log.
The description optimization module 24 is configured to optimize the abnormal operation item description according to the local focusing attention index.
The preference mining module 25 is configured to mine the intrusion attack preference description according to the optimized abnormal operation item description.
The vulnerability detection module 26 is configured to carry out vulnerability security threat detection on the application software running log according to the intrusion attack preference description to obtain a threat detection record.
The related embodiments of the invention can achieve the following technical effects. The relation between the abnormal interaction event descriptions (operation threats) is obtained by differential description analysis, and the local focusing attention index of the abnormal operation item descriptions is obtained from the differential description analysis record, so that the degree of attention between different abnormal operation item descriptions is guaranteed and the salient operation threat information in the abnormal operation item descriptions can be identified quickly and accurately. Vulnerability security threat detection is then carried out on the intrusion attack preference description mined from the optimized abnormal operation item description. This avoids the resource waste and loss of precision caused by analysing the relations between interactive operation threats of low attention (such as non-critical operation threats, or operation threats that cannot cause significant loss of data information), thereby guaranteeing the accuracy and reliability of vulnerability security threat detection to a certain extent.
The foregoing is only illustrative of the present application. Those skilled in the art can conceive of changes or substitutions based on the specific embodiments provided in the present application, and all such changes or substitutions are intended to be included within the scope of the present application.