CN114726654B - Data analysis method and server for coping with cloud computing network attack - Google Patents

Data analysis method and server for coping with cloud computing network attack Download PDF

Info

Publication number
CN114726654B
Authority
CN
China
Prior art keywords
big data
online service
service interaction
attack behavior
attack
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210572275.7A
Other languages
Chinese (zh)
Other versions
CN114726654A (en)
Inventor
龚良
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Huixiang Technology Co ltd
Original Assignee
Beijing Huixiang Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Huixiang Technology Co ltd
Priority to CN202210572275.7A (CN114726654B)
Priority to CN202211394916.0A (CN115801369A)
Publication of CN114726654A
Application granted
Publication of CN114726654B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a data analysis method and a server for dealing with cloud computing network attacks. In response to a network attack analysis instruction, the server acquires the potential abnormal session information set(s) in cloud service activity big data that triggered an information security response mechanism. Those sets can then be used to guide a big data attack analysis network in identifying that data, so that the attack identification computation of the network is reduced and the identification precision and timeliness for the selected intrusion attack behavior are improved. Compared with the traditional approach of manually positioning the potential abnormal session information set for the big data attack analysis network, the degree of automation of network attack identification over cloud service activity big data is increased and unnecessary resource overhead is reduced.

Description

Data analysis method and server for coping with cloud computing network attack
Technical Field
The invention relates to the technical field of cloud computing, in particular to a data analysis method and a server for dealing with cloud computing network attacks.
Background
As the scale and application fields of cloud computing services keep expanding, the likelihood that these services suffer network attacks increases to some extent, which can easily lead to the loss of important data assets and may trigger a chain of further negative consequences. Network attack protection for cloud computing is therefore crucial. Protection is usually driven by the results of network attack detection, but in practice the complexity of cloud computing services limits most detection techniques, making it difficult to bring them to bear and to detect and locate network attacks accurately and efficiently.
Disclosure of Invention
The invention provides a data analysis method and a server for dealing with cloud computing network attacks and, to that end, adopts the following technical scheme.
The first aspect is a data analysis method for dealing with cloud computing network attacks, which is applied to a big data analysis server, and the method at least comprises the following steps:
responding to a network attack analysis instruction, and collecting cloud service activity big data of a triggering information security response mechanism;
carrying out intrusion attack behavior identification on the cloud service activity big data of the trigger information security response mechanism to obtain an identification result of the intrusion attack behavior in each online service interaction record of the cloud service activity big data of the trigger information security response mechanism;
determining the selected intrusion attack behavior in each online service interaction record by using the identification result of the intrusion attack behavior in each online service interaction record;
and determining at least one potential abnormal session information set carrying the selected intrusion attack behavior in the cloud service activity big data of the trigger information security response mechanism by using the identification result of the selected intrusion attack behavior in each online service interaction record.
In some optional embodiments, the identification result comprises an intrusion attack behavior classification label, and determining the selected intrusion attack behavior in each online service interaction record from the identification result comprises:
using the classification label of each intrusion attack behavior in each online service interaction record to determine, as the selected intrusion attack behavior, every intrusion attack behavior whose classification label points to the target classification label.
In some optional embodiments, the identification result includes an interaction record timing tag and an identification unit distribution tag, and determining at least one potential abnormal session information set carrying the selected intrusion attack behavior from the identification result of the selected intrusion attack behavior in each online service interaction record includes:
determining at least one online service interaction log to be analyzed by using the interaction record timing tag of the selected intrusion attack behavior in each online service interaction record, wherein each online service interaction log to be analyzed comprises at least two online service interaction records with a precedence (time-order) relationship, and each online service interaction record in the log carries the selected intrusion attack behavior;
and determining the distribution tag of at least one potential abnormal session information set carrying the selected intrusion attack behavior in the cloud service activity big data of the triggered information security response mechanism by using the identification unit distribution tag of the selected intrusion attack behavior in each online service interaction record of the log to be analyzed.
In some optional embodiments, after the online service interaction logs to be analyzed have been determined from the interaction record timing tags, and before the distribution tags of the potential abnormal session information sets are determined from the identification unit distribution tags, the method further includes: retaining only those online service interaction logs to be analyzed whose effective session time interval reaches a time interval judgment value.
In some optional embodiments, the method further comprises: determining the time interval judgment value in advance from the state triggering moment of the big data attack analysis network.
In some optional embodiments, determining the distribution tag of at least one potential abnormal session information set from the identification unit distribution tags of the selected intrusion attack behavior in each online service interaction record of the log to be analyzed includes:
integrating the identification units of the selected intrusion attack behavior across the online service interaction records of the log to be analyzed, by using their identification unit distribution tags, to obtain the distribution tag of at least one potential abnormal session information set carrying the selected intrusion attack behavior in the cloud service activity big data of the triggered information security response mechanism.
In some optional embodiments, that integration of the identification units into the distribution tag of at least one potential abnormal session information set includes:
sorting the identification units of the selected intrusion attack behavior in each online service interaction record of the log to be analyzed in descending order of distribution label index, to obtain a sorted identification unit set;
positioning the identification units one by one from the sorted identification unit set as the first identification unit, until every identification unit has been positioned;
for each positioned first identification unit, determining the distribution association index between it and each second identification unit, taken one by one from the identification units that follow it in the sorted set;
when the distribution association index of the first and a second identification unit reaches a set judgment value, optimizing the first identification unit so that it comprises both the first identification unit before optimization and that second identification unit, and filtering the second identification unit out of the sorted identification unit set;
when the distribution association index of the first identification unit with every retained second identification unit is lower than the set judgment value, positioning the next identification unit from the sorted identification unit set as the first identification unit;
and determining at least one potential abnormal session information set carrying the selected intrusion attack behavior in the cloud service activity big data of the triggered information security response mechanism, each potential abnormal session information set comprising the (merged) identification units remaining in the sorted identification unit set.
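The merge procedure above, together with the log grouping and time interval filter of the preceding optional embodiments, as an added worked example that is not code from the patent: records carrying the selected label are chained into time-ordered logs, logs whose effective interval is below the judgment value are dropped, and within each log the identification units are sorted by distribution label index (assumed here to be the window length) and greedily merged whenever their distribution association index (assumed here to be the intersection-over-union of their offset windows) reaches the set judgment value. The record layout, the gap rule for chaining records into one log, the thresholds and the sample records are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

Window = Tuple[int, int]


@dataclass(frozen=True)
class Record:
    """One online service interaction record with its identification result."""
    record_id: str
    timing_tag: int        # interaction record timing tag (epoch seconds, assumed)
    attack_label: str      # intrusion attack behavior classification label
    unit: Window           # identification unit distribution tag: (start, end) offsets


# Constructed sample input (not from the patent): three bursts of records.
SAMPLE_RECORDS = [
    Record("r1", 100, "DDoS", (0, 40)),
    Record("r2", 130, "DDoS", (30, 60)),
    Record("r3", 170, "Trojan", (0, 10)),     # other label, ignored when DDoS is selected
    Record("r4", 200, "DDoS", (55, 80)),
    Record("r5", 2000, "DDoS", (10, 20)),     # isolated record: no log of >= 2 records
    Record("r6", 5000, "DDoS", (200, 260)),
    Record("r7", 5030, "DDoS", (245, 300)),
    Record("r8", 5040, "DDoS", (0, 15)),
    Record("r9", 9000, "DDoS", (0, 10)),      # log whose interval is too short, dropped
    Record("r10", 9010, "DDoS", (5, 12)),
]


def build_logs_to_analyze(records: List[Record], selected_label: str, gap_seconds: int) -> List[List[Record]]:
    """Chain time-ordered records carrying selected_label into logs.

    Assumption: consecutive records belong to one log while the gap between
    their timing tags is at most gap_seconds. Logs with fewer than two
    records are discarded (a precedence relationship needs two records).
    """
    selected = sorted((r for r in records if r.attack_label == selected_label),
                      key=lambda r: r.timing_tag)
    logs, current = [], []
    for rec in selected:
        if current and rec.timing_tag - current[-1].timing_tag > gap_seconds:
            logs.append(current)
            current = []
        current.append(rec)
    if current:
        logs.append(current)
    return [log for log in logs if len(log) >= 2]


def effective_interval(log: List[Record]) -> int:
    """Effective session time interval of a log: span of its timing tags."""
    return log[-1].timing_tag - log[0].timing_tag


def association_index(a: Window, b: Window) -> float:
    """Distribution association index, assumed to be IoU of two offset windows."""
    inter = max(0, min(a[1], b[1]) - max(a[0], b[0]))
    union = max(a[1], b[1]) - min(a[0], b[0])
    return inter / union if union else 0.0


def merge_units(records_in_log: List[Record], threshold: float) -> List[dict]:
    """Greedy merge: sort units by window length (descending), then let each
    first unit absorb every later second unit whose association index with the
    current (possibly already enlarged) first unit reaches threshold."""
    remaining = sorted(
        ({"window": r.unit, "records": [r.record_id]} for r in records_in_log),
        key=lambda u: u["window"][1] - u["window"][0], reverse=True)
    merged = []
    while remaining:
        first = remaining.pop(0)
        kept = []
        for second in remaining:
            if association_index(first["window"], second["window"]) >= threshold:
                first = {"window": (min(first["window"][0], second["window"][0]),
                                    max(first["window"][1], second["window"][1])),
                         "records": first["records"] + second["records"]}
            else:
                kept.append(second)          # retained second unit, checked next round
        remaining = kept
        merged.append(first)
    return merged


def determine_session_sets(records: List[Record], selected_label: str, gap_seconds: int,
                           interval_threshold: int, association_threshold: float) -> List[dict]:
    """Logs -> interval filter -> merged units. One potential abnormal session
    information set per merged unit, with its distribution tag and the period
    (min/max timing tag of contributing records) in which the behavior was active."""
    by_id: Dict[str, Record] = {r.record_id: r for r in records}
    result = []
    for log in build_logs_to_analyze(records, selected_label, gap_seconds):
        if effective_interval(log) < interval_threshold:
            continue
        for unit in merge_units(log, association_threshold):
            times = [by_id[rid].timing_tag for rid in unit["records"]]
            result.append({"distribution_tag": unit["window"],
                           "records": unit["records"],
                           "active_period": (min(times), max(times))})
    return result


if __name__ == "__main__":
    for s in determine_session_sets(SAMPLE_RECORDS, "DDoS", 120, 30, 0.1):
        print(s)
```

With the sample data, r1/r2/r4 form one log and r6/r7/r8 another (r5 is alone, r9/r10 span only 10 seconds); inside each log the two overlapping windows merge into one set and the remaining window becomes a set of its own, so four potential abnormal session information sets are produced. Note that the greedy pass never re-checks a second unit that was retained before the first unit grew; if that matters for your data, iterate until no merge occurs.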
In some optional embodiments, after the at least one potential abnormal session information set carrying the selected intrusion attack behavior has been determined, the method further includes:
creating a material pairing indication from the session characteristics of the at least one potential abnormal session information set, the session characteristics comprising the distribution tag of the set; the material pairing indication guides the selection of the data materials required to evaluate the big data attack analysis network;
and evaluating the big data attack analysis network by using the material pairing indication and the cloud service activity big data of the triggered information security response mechanism.
In some optional embodiments, the session characteristics of the potential abnormal session information set further include the time period range within which the selected intrusion attack behavior is active in that set;
before creating the material pairing indication, the method further includes: determining that time period range from the interaction record timing tag of the selected intrusion attack behavior.
In some optional embodiments, creating the material pairing indication from the session characteristics of the at least one potential abnormal session information set includes:
acquiring the session characteristics of the big data attack analysis network;
determining, from those session characteristics, the indication sample corresponding to the big data attack analysis network deployed in advance;
and creating the material pairing indication from the indication sample and the session characteristics of the at least one potential abnormal session information set.
A second aspect is a big data analytics server, comprising a memory and a processor; the memory and the processor are coupled; the memory for storing computer program code, the computer program code comprising computer instructions; wherein the computer instructions, when executed by the processor, cause the big data analytics server to perform the method of the first aspect.
A third aspect is a computer-readable storage medium having stored thereon a computer program which, when executed, performs the method of the first aspect.
According to the invention, the big data analysis server performs intrusion attack behavior identification on the cloud service activity big data of the triggered information security response mechanism and obtains the identification result of the intrusion attack behavior in each online service interaction record of that data. It determines the selected intrusion attack behavior in each online service interaction record from the identification result, and determines at least one potential abnormal session information set from the cloud service activity big data by combining the identification results of the selected intrusion attack behavior across the records. The method thus responds automatically to the network attack analysis instruction, acquires the potential abnormal session information set in the cloud service activity big data, and can then guide the big data attack analysis network in identifying that data on the basis of the set. This reduces the attack identification computation of the big data attack analysis network and improves the identification precision and timeliness for the selected intrusion attack behavior; compared with manually positioning the potential abnormal session information set for the big data attack analysis network, the degree of automation of network attack identification over cloud service activity big data is increased and unnecessary resource overhead is reduced.
Drawings
Fig. 1 is a schematic flowchart of a data analysis method for dealing with cloud computing network attacks according to an embodiment of the present invention.
Fig. 2 is a block diagram of a data analysis apparatus for handling a cloud computing network attack according to an embodiment of the present invention.
Detailed Description
In the following, the terms "first", "second" and "third", etc. are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first," "second," or "third," etc., may explicitly or implicitly include one or more of that feature.
Fig. 1 is a schematic flowchart illustrating a data analysis method for coping with a cloud computing network attack according to an embodiment of the present invention, where the data analysis method for coping with a cloud computing network attack may be implemented by a big data analysis server, and the big data analysis server may include a memory and a processor; the memory and the processor are coupled; the memory for storing computer program code, the computer program code comprising computer instructions; wherein, when the processor executes the computer instructions, the big data analysis server is caused to execute the technical solution described in the following steps.
Step 21: and responding to the network attack analysis instruction, and collecting cloud service activity big data triggering an information security response mechanism.
For the embodiment of the invention, the cloud business activity big data that triggered the information security response mechanism may be remote business activity big data or local business activity big data. Remote business activity big data is obtained through a data acquisition thread or a data sharing thread. Local business activity big data is obtained in real time by a data acquisition thread; for example, the big data analysis server may communicate with at least one data acquisition thread and use the real-time business activity big data that thread obtains as the cloud business activity big data triggering the information security response mechanism. The information security response mechanism may be triggered by an activity period mechanism, a business type mechanism, an activity participant mechanism, and the like, which is not limited here. The business activity big data may be cross-border e-commerce big data, digital office big data, virtual reality business big data, and the like.
In some possible embodiments, the big data analysis server for triggering the cloud business activity big data of the information security response mechanism takes the externally input business activity big data as the cloud business activity big data of the information security response mechanism. In other possible embodiments, the big data analysis server for cloud business activity big data triggering the information security response mechanism receives the business activity big data sent by the collaboration server as the cloud business activity big data triggering the information security response mechanism.
Step 22: and carrying out intrusion attack behavior identification on the cloud service activity big data of the trigger information security response mechanism, and obtaining an identification result of the intrusion attack behavior in each online service interaction record of the cloud service activity big data of the trigger information security response mechanism.
For the embodiment of the invention, intrusion attack behavior identification identifies, record by record, the intrusion attack behavior in the online service interaction records of the cloud service activity big data triggering the information security response mechanism. For example, if the intrusion attack behavior is a DDoS attack, identification determines the DDoS attack items in each group of online service interaction records and where those items are distributed within the records.
For the embodiment of the invention, the identification result comprises the distribution of the intrusion attack behavior in each online service interaction record; illustratively, the distribution of the identification unit of the intrusion attack behavior in each record. The identification unit may be presented in any visual form, for example as a table or as a knowledge graph.
In some exemplary technical solutions, intrusion attack behavior identification on online service interaction records is implemented by an AI machine learning model. The model is configured (trained) on online service interaction records carrying prior knowledge, so that the configured model can perform intrusion attack behavior identification on new online service interaction records; the prior knowledge comprises distribution information of the identification units, and each identification unit comprises an intrusion attack behavior.
In other exemplary aspects, intrusion attack behavior identification may be implemented by one of the following models: a CNN model, a GCN model, an RNN model, and the like.
In yet other exemplary technical solutions, intrusion attack behavior identification may be implemented by a plurality of AI machine learning models, each used to identify a different intrusion attack behavior from the online service interaction records.
Step 23: and determining the selected intrusion attack behavior in each online service interaction record by using the identification result of the intrusion attack behavior in each online service interaction record.
In some exemplary technical solutions, the identification result contains intrusion attack behavior classification labels. For example, intrusion attack behavior identification on an online service interaction record determines that the record includes intrusion attack behaviors attack_a and attack_b, where the classification label of attack_a is "DDoS attack item" and the classification label of attack_b is "Trojan attack item".
The big data analysis server then uses the classification label of the intrusion attack behavior in each online service interaction record to determine, as the selected intrusion attack behavior, each behavior whose classification label points to the target classification label.
For example, the online service interaction record includes attack_a with classification label "DDoS attack item" and attack_b with classification label "Trojan attack item". If the target classification label is "DDoS attack item", the big data analysis server determines attack_a to be the selected intrusion attack behavior. If instead the selected intrusion attack behavior to be recognized by the big data attack analysis network is the Trojan attack item, then all selected intrusion attack behaviors, including attack_b, are determined from each online service interaction record.
And step 24: and determining at least one potential abnormal session information set carrying the selected intrusion attack behavior in the cloud service activity big data of the trigger information security response mechanism by using the identification result of the selected intrusion attack behavior in each online service interaction record.
For the embodiment of the invention, the potential abnormal session information set is the active data set of a session risk warning report whose executing party comprises the selected intrusion attack behavior. On this basis, the big data analysis server can determine the active data set of the session risk warning report (that is, the potential abnormal session information set) from the data information set that contains the selected intrusion attack behavior.
For the embodiments of the invention, there may be one or more potential abnormal session information sets. For example, by executing step 24 the big data analysis server obtains the potential abnormal session information sets session_a, session_b and session_c. session_a and session_b are active data sets of intrusion attack behavior case_a: session_a is its active data set for the period T1 to T2, session_b is its active data set for the period T3 to T4, and session_c is the active data set of intrusion attack behavior case_b.
Regarding some exemplary technical solutions, the big data analysis server for triggering the cloud service activity big data of the information security response mechanism determines the identification unit in each online service interaction record for triggering the cloud service activity big data of the information security response mechanism according to the identification result. And integrating the data information sets covered by all the identification units to obtain a potential abnormal session information set.
Regarding other exemplary technical solutions, the big data analysis server for triggering the cloud service activity big data of the information security response mechanism determines the identification unit in each online service interaction record according to the identification result. And taking the data information set covered by the identification unit with the largest text capture scale as a potential abnormal conversation information set.
For example, the cloud service activity big data triggering the information security response mechanism includes an online service interaction record _ a and an online service interaction record _ B, where the online service interaction record _ a and the online service interaction record _ B both carry a selected intrusion attack behavior, the identification unit containing the selected intrusion attack behavior in the online service interaction record _ a is an identification unit window unit _ a, and the identification unit containing the selected intrusion attack behavior in the online service interaction record _ B is an identification unit window unit _ B. And if the content scale of the data information set covered by the identification unit window unit _ A is larger than that of the data information set covered by the identification unit window unit _ B, taking the data information set covered by the identification unit window unit _ A as the potential abnormal session information set.
In some further examples, the big data analysis server of the cloud service activity big data triggering the information security response mechanism determines a data information set that includes the selected intrusion attack behavior as a potentially abnormal session information set.
For example, the cloud service activity big data triggering the information security response mechanism includes an online service interaction record_a, an online service interaction record_b and an online service interaction record_c, where the online service interaction record_a does not contain the selected intrusion attack behavior and the online service interaction record_b and the online service interaction record_c both carry it. The big data analysis server of the cloud service activity big data triggering the information security response mechanism can determine a data information set comprising the selected intrusion attack behavior from the online service interaction record_b as a potential abnormal session information set, and can also determine a data information set comprising the selected intrusion attack behavior from the online service interaction record_c as a potential abnormal session information set.
The big data analysis server of the cloud business activity big data triggering the information security response mechanism identifies the intrusion attack behavior in the cloud business activity big data triggering the information security response mechanism and obtains the identification result of the intrusion attack behavior in each online business interaction record of that big data. It then determines the selected intrusion attack behavior in each online service interaction record by combining the identification result of the intrusion attack behavior, and determines at least one potential abnormal session information set from the cloud service activity big data triggering the information security response mechanism by combining the identification result of the selected intrusion attack behavior in each online service interaction record. In this way, the overhead of manually annotating the cloud service activity big data triggering the information security response mechanism with potential abnormal session information sets during evaluation can be reduced, and the attack identification precision can be improved to a certain extent.
Under some independent design ideas, the identification result comprises an interaction record time sequence label and an identification unit distribution label. When implementing step 23, the big data analysis server of the cloud service activity big data triggering the information security response mechanism may refer to the following related technical solutions.
Step 31: determine at least one online service interaction log to be analyzed by using the interaction record time sequence label of the selected intrusion attack behavior in each online service interaction record.
For the embodiment of the invention, the online service interaction log to be analyzed comprises at least two online service interaction records with a precedence relationship, and each online service interaction record in the online service interaction log to be analyzed carries the selected intrusion attack behavior. For example, if the interaction record time sequence labels (e.g., the time sequence order) of the selected intrusion attack behavior include label 1, label 2, label 3, label 7, label 8 and label 15, it can be understood that the first, second, third, seventh, eighth and fifteenth groups of online service interaction records in the cloud service activity big data triggering the information security response mechanism all include the selected intrusion attack behavior. In this case, the first, second and third groups of online service interaction records form one online service interaction log to be analyzed, and the seventh and eighth groups of online service interaction records form another online service interaction log to be analyzed.
Step 32: determine the distribution label of at least one potential abnormal session information set carrying the selected intrusion attack behavior in the cloud service activity big data triggering the information security response mechanism by using the identification unit distribution label of the selected intrusion attack behavior in each online service interaction record of the online service interaction log to be analyzed.
In some exemplary technical solutions, the big data analysis server of the cloud service activity big data triggering the information security response mechanism determines the identification unit in each online service interaction record according to the identification unit distribution label (for example, the position information of an identification window) of the selected intrusion attack behavior in each online service interaction record of the online service interaction log to be analyzed. It takes the data information set covered by the identification unit with the largest text capture scale as a potential abnormal session information set and further determines the distribution label of that potential abnormal session information set. In this way, the big data analysis server of the cloud service activity big data triggering the information security response mechanism can determine the distribution label of at least one potential abnormal session information set according to the identification unit distribution label in each online service interaction record of at least one online service interaction log to be analyzed.
In view of the fact that a session risk warning report is not generated suddenly but requires the condition to persist for a certain period of time, the big data analysis server of the cloud service activity big data triggering the information security response mechanism obtains at least one potential abnormal session information set by determining the data information set containing the selected intrusion attack behavior from the online service interaction log to be analyzed, so that the accuracy and reliability of the potential abnormal session information set can be improved.
For example, the session risk warning report is a Trojan attack event transaction. Whether the Trojan attack event is abnormal is judged on the basis that the continuous time period of the Trojan attack event in the abnormal behavior information set satisfies the time sequence value (for example, 4 s).
Suppose the cloud service activity big data triggering the information security response mechanism comprises an online service interaction record_a, an online service interaction record_b, an online service interaction record_c and an online service interaction record_d, where the online service interaction record_a is the first group of online service interaction records, the online service interaction record_b is the second group, the online service interaction record_c is the third group, and the online service interaction record_d is the fourth group. In the online service interaction record_a, the Trojan attack event is in the transaction information set. In the online service interaction record_b and the online service interaction record_c, the Trojan attack event is not in the transaction information set. In the online service interaction record_d, the Trojan attack event is in the transaction information set. Obviously, it cannot be judged from the online service interaction record_a or the online service interaction record_d alone that the Trojan attack event is abnormal, and if one or more potential abnormal session information sets were obtained from the data information set containing the Trojan attack event in the online service interaction record_a or from the data information set containing the Trojan attack event in the online service interaction record_d, a large deviation would result to a certain extent.
Under some independent design ideas, the big data analysis server of the cloud business activity big data triggering the information security response mechanism may refer to the following related technical schemes after implementing step 31 and before implementing step 32.
Step 33: locate the online service interaction logs to be analyzed whose effective session time period reaches a time period judgment value.
For the embodiment of the invention, the effective session time period of the online service interaction log to be analyzed should reach the maintenance time period required to confirm the generation of a session risk warning report. Before determining the distribution tags of the potential abnormal session information sets according to the online service interaction logs to be analyzed, the big data analysis server of the cloud service activity big data triggering the information security response mechanism cleans off the online service interaction logs to be analyzed whose effective session time period is lower than the time period judgment value, and stores those whose effective session time period reaches the time period judgment value. This can reduce the resources wasted in determining the distribution tags of at least one potential abnormal session information set from the cloud service activity big data triggering the information security response mechanism, avoids having the big data attack analysis network identify, during big data attack analysis, information sets that do not meet the maintenance time period required for generating a session risk warning report, and improves the analysis quality of the cloud service activity big data triggering the information security response mechanism.
For example, the intrusion attack behavior is a transaction. A Trojan attack item transaction is determined on the basis that the maintenance period of the Trojan attack item in the transaction information set is greater than 10 seconds; the time period judgment value is then 10 seconds. If the cloud service activity big data triggering the information security response mechanism is service activity big data at 25 groups/second, an effective session time period of the online service interaction log to be analyzed lower than the time period judgment value means that the number of online service interaction records in the online service interaction log to be analyzed is lower than 125 groups.
Under some independent design ideas, the big data analysis server of the cloud service activity big data triggering the information security response mechanism determines the time period judgment value in advance by using the state triggering moment of the big data attack analysis network. For the embodiment of the invention, the generation of a session risk warning report comprises a risk trigger and a maintenance time interval, and the state triggering moment of the big data attack analysis network can be the minimum maintenance time interval for generating the session risk warning report. For example, the session risk warning report is an abnormality, and whether the Trojan attack item is abnormal is judged according to whether the Trojan attack item is in the abnormal information set and its maintenance time period is greater than 2 seconds. In this case the maintenance period is 2 seconds, and it can be understood that the state triggering moment of the big data attack analysis network is 2 seconds.
Illustratively, the cloud business activity big data analysis server triggering the information security response mechanism takes the state triggering moment of the big data attack analysis network as a time period judgment value.
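Steps 31 and 33 above, as an added example that is not part of the patent text: the timing labels of the selected intrusion attack behavior are grouped into logs to be analyzed, and the logs whose effective session time period falls below the judgment value are cleaned off. The function names, the constructed sample labels and the assumption that the required record count is the sampling rate multiplied by the judgment value are mine, not the patent's.

```python
import math
from typing import List


def group_into_logs(timing_labels: List[int]) -> List[List[int]]:
    """Step 31: split the timing labels of the selected intrusion attack behavior
    into runs of consecutive records.

    A log to be analyzed needs at least two records with a precedence relationship,
    so an isolated label (label 15 in the text's example) forms no log on its own.
    """
    logs: List[List[int]] = []
    run: List[int] = []
    for label in sorted(set(timing_labels)):
        if run and label == run[-1] + 1:
            run.append(label)
            continue
        if len(run) >= 2:
            logs.append(run)
        run = [label]
    if len(run) >= 2:
        logs.append(run)
    return logs


def min_records_for_period(records_per_second: int, judgment_seconds: float) -> int:
    """Step 33 helper (assumption): the record count that corresponds to the time
    period judgment value is the sampling rate times the judgment value."""
    return math.ceil(records_per_second * judgment_seconds)


def keep_logs_reaching_period(logs: List[List[int]], records_per_second: int,
                              judgment_seconds: float) -> List[List[int]]:
    """Step 33: clean off the logs whose effective session time period is below
    the judgment value and keep the rest."""
    needed = min_records_for_period(records_per_second, judgment_seconds)
    return [log for log in logs if len(log) >= needed]


# Constructed sample input: the label sequence from the text plus two longer runs
# (250 and 249 records) so that the duration filter has something to cut.
SAMPLE_LABELS = [1, 2, 3, 7, 8, 15] + list(range(100, 350)) + list(range(400, 649))


def demo(records_per_second: int = 25, judgment_seconds: float = 10.0):
    """Run steps 31 and 33 over the constructed labels; return (all logs, kept logs)."""
    logs = group_into_logs(SAMPLE_LABELS)
    kept = keep_logs_reaching_period(logs, records_per_second, judgment_seconds)
    return logs, kept


if __name__ == "__main__":
    all_logs, kept_logs = demo()
    print("logs found:", [(log[0], log[-1], len(log)) for log in all_logs])
    print("logs reaching 10 s at 25 groups/s:", [(log[0], log[-1]) for log in kept_logs])
    _, kept_2s = demo(25, 2.0)   # judgment value taken from a 2-second state trigger
    print("logs reaching 2 s at 25 groups/s:", [(log[0], log[-1]) for log in kept_2s])
```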
Under some independent design considerations, the big data analysis server for online business interaction record can refer to the following related technical solutions in the process of implementing step 32.
Step 41: using the identification unit distribution label of the selected intrusion attack behavior in each online service interaction record of the online service interaction log to be analyzed, integrate the identification units of the selected intrusion attack behavior in each online service interaction record of the online service interaction log to be analyzed, and acquire the distribution label of at least one potential abnormal session information set carrying the selected intrusion attack behavior in the cloud service activity big data triggering the information security response mechanism.
For the embodiment of the invention, the big data analysis server of the cloud service activity big data triggering the information security response mechanism determines the identification unit in each online service interaction record according to the identification unit distribution label of the selected intrusion attack behavior in each online service interaction record of the online service interaction log to be analyzed. It integrates the data information sets covered by all the identification units to obtain a potential abnormal session information set and further determines the distribution label of that potential abnormal session information set. In this way, the big data analysis server of the cloud service activity big data triggering the information security response mechanism can determine the distribution label of at least one potential abnormal session information set according to the identification unit distribution label in each online service interaction record of at least one online service interaction log to be analyzed.
Under some design considerations that may be independent, the big data analysis server may integrate the identification units using the nonmax mapping algorithm when implementing step 41. Further, as an example, the big data analysis server of the cloud business activity big data triggering the information security response mechanism may refer to the following related technical solutions when implementing step 41.
Step 51: sort (order) the identification units of the selected intrusion attack behavior in each online service interaction record of the online service interaction log to be analyzed in descending order of their assigned distribution label index, to obtain a sorted identification unit set.
For embodiments of the present invention, the assigned distribution label index may be the maximum value among the distribution labels of the identification unit. For example, if the distribution labels of the four local regions of the identification unit are (para 1, para 3), (para 1, para 5), (para 4, para 3) and (para 4, para 5), the assigned distribution label index of the identification unit is para 5. Descending order is to be understood as the order from large to small.
Step 52: locate the identification units one by one from the sorted identification unit set to serve as the first identification unit, until all identification units have been located.
Step 53: for each first identification unit located, determine the distribution association indexes of the first identification unit and the second identification units one by one, the second identification units being the units in the sorted identification unit set with lower priority than the first identification unit.
For the embodiment of the present invention, the distribution correlation index of two identification units represents the ratio of the content scale of the overlapping part of the two identification units to the content scale of the combined part of the two identification units. For example, the content scale of the overlapping part of identification unit_a and identification unit_b is 20 units, and the content scale of the combined part of identification unit_a and identification unit_b is 50 units. The distribution correlation index of identification unit_a and identification unit_b is then 20 units / 50 units = 0.4.
Step 54: on the basis of determining that the distribution association index of the first identification unit and the second identification unit reaches a set judgment value, optimize the first identification unit, such that the optimized first identification unit comprises the first identification unit and the second identification unit as they were before optimization, and filter the second identification unit from the sorted identification unit set.
Illustratively, on the basis of determining that the distribution correlation index of the first identification unit and the second identification unit reaches the set judgment value, the big data analysis server of the cloud business activity big data triggering the information security response mechanism optimizes the first identification unit in the sorted identification unit set by integrating the first identification unit and the second identification unit, and filters the second identification unit from the sorted identification unit set.
For example, the sorted identification unit set is identification unit_a, identification unit_b, identification unit_c and identification unit_d. The big data analysis server of the cloud service activity big data triggering the information security response mechanism takes identification unit_a as the first identification unit and identification unit_b as the second identification unit. If the distribution correlation index of the first identification unit and the second identification unit reaches the set judgment value, identification unit_a is optimized by integrating identification unit_a and identification unit_b; the data information set contained in the optimized identification unit_a is then the combined part of the data information set contained in identification unit_a and the data information set contained in identification unit_b. The big data analysis server of the cloud service activity big data triggering the information security response mechanism also filters identification unit_b from the sorted identification unit set, so that the identification units in the sorted identification unit set are then identification unit_a, identification unit_c and identification unit_d.
When the distribution correlation index of the first identification unit and the second identification unit reaches the set judgment value, the overlapping degree of the two units is relatively high, that is, the selected intrusion attack behavior covered by the first identification unit and the selected intrusion attack behavior covered by the second identification unit are the same selected intrusion attack behavior. For example, the selected intrusion attack behavior is a DDOS attack. If the distribution correlation index between the first identification unit and the second identification unit reaches the set judgment value, the DDOS attack item in the first identification unit and the DDOS attack item in the second identification unit are the same DDOS attack item.
Therefore, given that the data information set contained in the selected intrusion attack behavior is reflected by the data information set contained in the first identification unit and the data information set contained in the second identification unit, the big data analysis server of the cloud business activity big data triggering the information security response mechanism optimizes the first identification unit by integrating the first identification unit and the second identification unit when the distribution correlation index of the two reaches the set judgment value, and the accuracy of the data information set contained in the selected intrusion attack behavior can be improved.
Step 55: on the basis of determining that the distribution association index of the first identification unit and each reserved second identification unit is lower than the set judgment value, locate the next identification unit from the sorted identification unit set as the first identification unit.
For example, the sorted identification unit set is identification unit_a, identification unit_b and identification unit_c. The big data analysis server of the cloud service activity big data triggering the information security response mechanism takes identification unit_a as the first identification unit and identification unit_b as the second identification unit. If the distribution association index of the first identification unit and the second identification unit is lower than the set judgment value, the big data analysis server of the cloud service activity big data triggering the information security response mechanism determines the distribution association index (such as an aggregation and/or a union) of identification unit_a and identification unit_c.
If the distribution correlation index of identification unit_a and identification unit_c reaches the set judgment value, identification unit_a is optimized by integrating identification unit_a and identification unit_c; the data information set included in the optimized identification unit_a is then the combined part of the data information set included in identification unit_a and the data information set included in identification unit_c. The big data analysis server of the cloud service activity big data triggering the information security response mechanism also filters identification unit_c from the sorted identification unit set, so that the identification units in the sorted identification unit set are identification unit_a and identification unit_b.
If the distribution correlation index of identification unit_a and identification unit_c is lower than the set judgment value, identification unit_b is taken as the first identification unit and the distribution correlation index of identification unit_b and identification unit_c is determined.
If the distribution correlation index of identification unit_b and identification unit_c reaches the set judgment value, identification unit_b is optimized by integrating identification unit_b and identification unit_c; the data information set included in the optimized identification unit_b is then the combined part of the data information set included in identification unit_b and the data information set included in identification unit_c. The big data analysis server of the cloud service activity big data triggering the information security response mechanism also filters identification unit_c from the sorted identification unit set, so that the identification units in the sorted identification unit set are identification unit_a and identification unit_b.
If the distribution correlation index of identification unit_b and identification unit_c is lower than the set judgment value, the identification units in the sorted identification unit set are determined to be identification unit_a, identification unit_b and identification unit_c.
When the distribution correlation index of the first identification unit and the second identification unit is lower than the set judgment value, the overlapping degree of the two units is relatively low, that is, the selected intrusion attack behavior covered by the first identification unit and the selected intrusion attack behavior covered by the second identification unit are two different selected intrusion attack behaviors. For example, the selected intrusion attack behavior is a DDOS attack. If the distribution correlation index between the first identification unit and the second identification unit is lower than the set judgment value, this indicates that the DDOS attack item in the first identification unit differs from the DDOS attack item in the second identification unit.
Therefore, given that the data information set contained in the selected intrusion attack behavior is reflected by the data information set contained in the first identification unit and the data information set contained in the second identification unit, the big data analysis server of the cloud business activity big data triggering the information security response mechanism reserves both the first identification unit and the second identification unit when the distribution correlation index of the two is lower than the set judgment value, and the accuracy of the data information set contained in the selected intrusion attack behavior can be improved.
Step 56: determine at least one potential abnormal session information set carrying the selected intrusion attack behavior in the cloud service activity big data triggering the information security response mechanism, where the potential abnormal session information set comprises the identification units in the sorted identification unit set.
Illustratively, the big data analysis server of the cloud business activity big data triggering the information security response mechanism takes the data information set included in one identification unit of the sorted identification unit set as a potential abnormal session information set.
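Steps 51 to 56, as an added example that is not part of the patent text: the greedy overlap-merging pass over the sorted identification units, with the distribution association index computed as the overlapping content scale divided by the combined content scale. The rectangular window representation, the bounding-box form of the combined unit, the constructed sample windows and all function names are assumptions for illustration.

```python
from typing import List, Tuple

# An identification unit is modelled as a window (x1, y1, x2, y2) in paragraph
# coordinates, half-open on the upper edges, following the (para i, para j) corners.
Window = Tuple[int, int, int, int]


def assigned_index(w: Window) -> int:
    """Step 51: the assigned distribution label index is the largest label value
    among the window's corners, e.g. para 5 for corners (1,3),(1,5),(4,3),(4,5)."""
    return max(w)


def content_scale(w: Window) -> int:
    """Content scale (area) covered by a window; empty windows count as 0."""
    x1, y1, x2, y2 = w
    return max(0, x2 - x1) * max(0, y2 - y1)


def distribution_association_index(a: Window, b: Window) -> float:
    """Step 53: content scale of the overlapping part over that of the combined part."""
    overlap = content_scale((max(a[0], b[0]), max(a[1], b[1]),
                             min(a[2], b[2]), min(a[3], b[3])))
    union = content_scale(a) + content_scale(b) - overlap
    return overlap / union if union else 0.0


def combine(a: Window, b: Window) -> Window:
    """Step 54: the optimized first unit covers the combined part of both units
    (assumption: represented here by their bounding box)."""
    return (min(a[0], b[0]), min(a[1], b[1]), max(a[2], b[2]), max(a[3], b[3]))


def merge_identification_units(units: List[Window], judgment_value: float) -> List[Window]:
    """Steps 51 to 56: one greedy pass over the sorted units. Returns the units that
    remain; the data set covered by each is a potential abnormal session information set."""
    remaining = sorted(units, key=assigned_index, reverse=True)   # step 51
    i = 0
    while i < len(remaining):                     # step 52: each unit is "first" once
        j = i + 1
        while j < len(remaining):                 # step 53: lower-priority "second" units
            if distribution_association_index(remaining[i], remaining[j]) >= judgment_value:
                remaining[i] = combine(remaining[i], remaining[j])   # step 54: optimize first
                del remaining[j]                                    # ... filter second
            else:
                j += 1                            # step 55: second reserved, try the next
        i += 1                                    # step 55: next unit becomes first
    return remaining                              # step 56


# Constructed sample: unit_a and unit_b overlap with index 20/50 = 0.4, matching the
# figures in the text; unit_c is a separate window elsewhere in the records.
SAMPLE_UNITS: List[Window] = [(0, 0, 4, 10), (2, 0, 5, 10), (20, 20, 30, 30)]


def demo(judgment_value: float = 0.3) -> List[Window]:
    return merge_identification_units(SAMPLE_UNITS, judgment_value)


if __name__ == "__main__":
    print("index(a, b) =", distribution_association_index(SAMPLE_UNITS[0], SAMPLE_UNITS[1]))
    print("judgment 0.3 ->", demo(0.3))   # a and b merged into one unit, c kept
    print("judgment 0.5 ->", demo(0.5))   # all three units reserved
```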
Under some independent design considerations, after implementing step 24, the big data analysis server for online business interaction records may refer to the following related technical solutions.
Step 61: create a material pairing indication by using the session characteristics of the at least one potentially abnormal session information set.
For the embodiment of the present invention, the session characteristics of the potentially abnormal session information set include the distribution tags of the potentially abnormal session information set. The material pairing indication indicates the data materials required to guide the evaluation of the big data attack analysis network.
For the embodiment of the invention, the big data attack analysis network is an AI model for identifying the session risk warning report. It is to be appreciated that the AI model can be utilized to identify at least one session risk alert report.
For example, a big data attack analysis network may be used to identify DDOS attack event aggregations; for another example, big data attack analysis networks are used to identify privacy stealing; for another example, a big data attack analysis network may be used to identify privacy stealing as well as transaction.
For the embodiment of the invention, the data raw materials required for the big data attack analysis network evaluation comprise the distribution labels of the potential abnormal session information sets. For example, the session risk warning report is a transaction. The basis for judging whether a Trojan attack event is abnormal is whether the Trojan attack event is in the abnormal information set. In this case, the distribution label of the potential abnormal session information set is the distribution label of the abnormal information set, and the data raw materials required for the big data attack analysis network evaluation comprise the distribution label of the abnormal information set.
Illustratively, the data materials required for the big data attack analysis network evaluation also include a state trigger time. For example, the session risk warning report is a transaction. Abnormal behavior of a Trojan attack item is judged on the basis of whether the maintenance time interval in the abnormal behavior information set is greater than 2 seconds; if it is greater than 2 seconds, the Trojan attack item is determined to be abnormal. If the Trojan attack event does not meet the requirement that the maintenance time period in the transaction information set is greater than 2 seconds, it is determined that the Trojan attack event does not perform the transaction.
Thus, the data raw materials required for the big data attack analysis network evaluation include the distribution label of the transaction information set (which can be understood as the distribution label of the potentially abnormal session information set) and the state trigger time of 2 seconds.
Step 62: evaluate the big data attack analysis network by using the raw material pairing indication and the cloud service activity big data triggering the information security response mechanism.
For the embodiment of the invention, when the big data analysis server of the cloud service activity big data triggering the information security response mechanism processes the big data attack analysis network, the data raw materials required by the big data attack analysis network evaluation are determined by loading the raw material pairing indication, and the cloud service activity big data triggering the information security response mechanism is used for evaluating the big data attack analysis network according to the data raw materials required by the big data attack analysis network evaluation.
For example, the data raw materials required for the big data attack analysis network evaluation include: the distribution label of the identified abnormal information set (which can be understood as the distribution label of the potential abnormal session information set), the state trigger time, the online service interaction record identification degree, the details of the output information, and the like.
When the big data analysis server of the cloud business activity big data triggering the information security response mechanism evaluates the big data attack analysis network, the big data attack analysis network is used to process the cloud business activity big data triggering the information security response mechanism so as to determine whether the Trojan attack events meet the index that the maintenance time interval in the transaction information set is greater than 2 seconds. If so, it is determined that the transaction event exists; if not, it is determined that the transaction event does not exist.
For the embodiment of the invention, the big data analysis server of the cloud service activity big data of the trigger information security response mechanism evaluates the big data attack analysis network by utilizing the created code and the cloud service activity big data of the trigger information security response mechanism, and can evaluate the quality of the big data attack analysis network for identifying the intrusion attack behavior by taking the cloud service activity big data of the trigger information security response mechanism as an example on the basis of determining at least one potential abnormal session information set from the cloud service activity big data of the trigger information security response mechanism. And the evaluation of the big data attack analysis network can be completed by loading the raw material pairing indication (input information pairing reference), so that the performance of the big data attack analysis network can be improved.
In some independent design ideas, the session characteristics of the potential abnormal session information set further include: the time period range within which the selected intrusion attack behavior is active in the potential abnormal session information set.
For example, the time period range of the potential abnormal session information set is from the 2nd second to the 5th second, and the session risk alert report is the anomalous activity. The basis for judging whether a Trojan attack item is anomalous is whether its maintenance time interval in the anomalous activity information set is greater than 2 seconds: if the maintenance time interval is greater than 2 seconds, the Trojan attack item is determined to be anomalous; if the Trojan attack item does not satisfy the condition that its maintenance time interval in the anomalous activity information set is greater than 2 seconds, it is determined that the Trojan attack item shows no anomalous activity.
When the big data analysis server of the cloud service activity big data triggering the information security response mechanism tests the big data attack analysis network, the big data attack analysis network is used to process the online service interaction logs between the 2nd second and the 5th second of the cloud service activity big data triggering the information security response mechanism, so as to determine whether the Trojan attack item satisfies the condition that its maintenance time period in the anomalous activity information set is greater than 2 seconds. If so, it is determined that an anomalous activity event exists; if not, it is determined that no anomalous activity event exists.
In some independent design ideas, the following related technical solution may be referred to before step 61 is implemented by the big data analysis server of the cloud service activity big data triggering the information security response mechanism.
Step 63: determining, using the interaction record time sequence label of the selected intrusion attack behavior, the time period range within which the selected intrusion attack behavior is active in the potential abnormal session information set.
For the embodiment of the invention, the big data analysis server of the cloud service activity big data triggering the information security response mechanism can determine, from an interaction record time sequence label, the effective session period of the online service interaction record corresponding to that label, and can then determine the time period range corresponding to the potential abnormal session information set from the interaction record time sequence labels of the selected intrusion attack behavior.
Therefore, when the big data attack analysis network is processed, it can be instructed to identify both the potential abnormal session information set and its time period range in the cloud service activity big data triggering the information security response mechanism, and after the big data attack analysis network outputs the identification result, whether the identification result is accurate is analyzed. Alternatively, when the big data attack analysis network is processed, it is instructed to identify only the potential abnormal session information set of the cloud service activity big data triggering the information security response mechanism, and after the big data attack analysis network outputs the identification result, whether the time period of the identified risk items contained in the identification result is consistent with the time period range of the potential abnormal session information set is analyzed.
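The evaluation just described, worked as an added example (this is not code from the patent): a labelled potential abnormal session information set with its time period range is compared against the risk items the big data attack analysis network reports, applying the 2-second maintenance rule from the text, and the result is counted as hits, false alarms and misses. The class names, the consistency threshold MIN_OVERLAP and the sample data are this example's own assumptions.

```python
"""Added example, not the patent's own code: scoring a big data attack
analysis network against a raw material pairing indication.

Assumptions (the patent names only the concepts):
  * a labelled potential abnormal session information set carries a
    distribution label (string) and a time period range (start, end) in
    seconds, e.g. seconds 2 to 5 as in the patent's example;
  * the network's identification result is a list of risk items, each with a
    distribution label and the time period over which the Trojan attack item
    was observed to persist;
  * the anomaly rule is "maintenance time interval greater than 2 seconds";
  * two time periods are consistent when the reported period covers at
    least MIN_OVERLAP of the labelled range (a chosen parameter).
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

MAINTENANCE_THRESHOLD_S = 2.0   # threshold stated in the patent's example
MIN_OVERLAP = 0.8               # assumed consistency threshold

Period = Tuple[float, float]


@dataclass(frozen=True)
class SessionSetLabel:          # one entry of the raw material pairing indication
    distribution_label: str
    period: Period              # range in which the selected behaviour is active


@dataclass(frozen=True)
class RiskItem:                 # one entry of the network's identification result
    distribution_label: str
    period: Period


def is_anomalous(item: RiskItem) -> bool:
    """Anomaly rule: the Trojan attack item's maintenance interval exceeds 2 s."""
    start, end = item.period
    return (end - start) > MAINTENANCE_THRESHOLD_S


def overlap_ratio(reported: Period, labelled: Period) -> float:
    """Fraction of the labelled range covered by the reported period."""
    lo, hi = max(reported[0], labelled[0]), min(reported[1], labelled[1])
    if hi <= lo or labelled[1] <= labelled[0]:
        return 0.0
    return (hi - lo) / (labelled[1] - labelled[0])


def evaluate(labels: List[SessionSetLabel], results: List[RiskItem]) -> Dict[str, float]:
    """Count true/false positives and misses of the identification result.

    A risk item is a true positive when the network called it anomalous,
    used a labelled distribution label not already matched, and placed it in
    a period consistent with the labelled range; otherwise it is a false
    positive. Labelled sets never matched are false negatives.
    """
    by_label = {lab.distribution_label: lab for lab in labels}
    tp = fp = 0
    matched = set()
    for item in results:
        if not is_anomalous(item):
            continue                         # network decided: no anomalous activity
        ref = by_label.get(item.distribution_label)
        if (ref is not None and ref.distribution_label not in matched
                and overlap_ratio(item.period, ref.period) >= MIN_OVERLAP):
            tp += 1
            matched.add(ref.distribution_label)
        else:
            fp += 1
    fn = len(labels) - len(matched)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return {"tp": tp, "fp": fp, "fn": fn, "precision": precision, "recall": recall}


# Constructed sample: one labelled set active from second 2 to second 5.
SAMPLE_LABELS = [SessionSetLabel("set-A", (2.0, 5.0))]
SAMPLE_RESULTS = [
    RiskItem("set-A", (2.2, 5.0)),   # persists 2.8 s, consistent with the label
    RiskItem("set-B", (7.0, 10.5)),  # persists 3.5 s, but no such labelled set
    RiskItem("set-C", (0.0, 1.5)),   # persists 1.5 s: not anomalous by the rule
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_LABELS, SAMPLE_RESULTS))
```

With the constructed sample the harness reports one true positive, one false positive (the anomalous item whose label is not in the pairing indication) and no misses; the item that persists for only 1.5 s is dropped by the 2-second rule before any matching takes place, which is the order of checks the text describes.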
In some independent design ideas, the following related technical solution may be referred to in the process of implementing step 61 by the big data analysis server of the cloud service activity big data triggering the information security response mechanism.
Step 71: acquiring the session characteristics of the big data attack analysis network.
For the embodiment of the invention, the session characteristics of the big data attack analysis network comprise the decision data of the session risk alert report that the big data attack analysis network is able to identify. For example, a big data attack analysis network may be used to identify anomalous activity, where the basis for judging anomalous activity is whether the Trojan attack item reaches the state trigger time within the abnormal time period of that Trojan attack item in the anomalous activity information set. In this case, the decision data of the anomalous activity comprise the distribution label of the anomalous activity information set and the state trigger time.
Step 72: determining, using the session characteristics of the big data attack analysis network, the indication sample corresponding to the big data attack analysis network among the indication samples deployed in advance.
For the present embodiment, the indication sample is used to create the raw material pairing indication; different indication samples are used to create the raw material pairing indications for evaluating different big data attack analysis networks.
For example, the indication sample example_a is used to create, for a big data attack analysis network, a raw material pairing indication whose information is the distribution label of the potential abnormal session information set and the state trigger time.
Illustratively, the storage area of the big data analysis server of the cloud service activity big data triggering the information security response mechanism comprises at least one indication sample deployed in advance, and the big data analysis server determines the indication sample corresponding to the big data attack analysis network using the session characteristics of the big data attack analysis network.
Step 73: creating the raw material pairing indication using the indication sample and the session characteristics of the at least one potential abnormal session information set.
Based on the above, the annotation of the cloud service activity big data triggering the information security response mechanism can be completed, and prior knowledge about the cloud service activity big data triggering the information security response mechanism is obtained.
For example, the information security platform intends to select, from a plurality of AI models, those of better quality at detecting anomalous activity. Before the anomalous-activity identification performance of the AI models can be obtained, the distribution labels of the potential abnormal session information sets in the many pieces of cloud service activity big data triggering the information security response mechanism collected by the data acquisition thread must be annotated. Given that the number of such pieces of big data is large and their effective session periods are long, the information security platform processes each piece of cloud service activity big data triggering the information security response mechanism with the above content, determines from it the distribution label of at least one potential abnormal session information set, and uses that distribution label as prior knowledge. After the prior knowledge of the cloud service activity big data triggering the information security response mechanism is obtained, the evaluation of the AI models can be completed based on the above content.
For example, the indication sample corresponding to the big data attack analysis network deployed in advance may be determined according to the session characteristics of the big data attack analysis network, and the raw material pairing indication created using the indication sample and the session characteristics of the at least one potential abnormal session information set. The big data attack analysis network is then evaluated using the raw material pairing indication and the cloud service activity big data triggering the information security response mechanism to obtain evaluation information, from which the information security platform can determine the performance of the big data attack analysis network at identifying anomalous activity.
In some possible embodiments, after at least one potential abnormal session information set carrying the selected intrusion attack behavior has been determined in the cloud service activity big data triggering the information security response mechanism, the method may further comprise: performing attack intention analysis on the selected intrusion attack behavior based on the potential abnormal session information set to obtain the attack intention characteristics of the selected intrusion attack behavior; generating an attack protection strategy using the attack intention characteristics; and activating the attack protection strategy.
In the embodiment of the invention, the attack intention analysis can mine the attack intention or attack preference of the selected intrusion attack behavior. Recording the attack intention characteristics makes them compatible with an artificial intelligence model, so that network layers can be added and deployed on top of the relevant artificial intelligence model. This improves the efficiency and precision of mining the attack intention characteristics and, to a certain extent, the fit between the obtained attack intention characteristics and the overall service environment, which in turn ensures the pertinence and reliability of the generated attack protection strategy; activating the attack protection strategy then provides effective network attack protection.
In some possible embodiments, performing attack intention analysis on the selected intrusion attack behavior based on the potential abnormal session information set to obtain the attack intention characteristics of the selected intrusion attack behavior may be implemented as follows: performing passive attack intention mining and active attack intention mining respectively on the plurality of pieces of potential abnormal session information in the potential abnormal session information set to obtain a passive attack intention mining knowledge cluster and an active attack intention mining knowledge cluster; performing first noise cleaning on the passive attack intention mining knowledge cluster through a preset knowledge processing layer 1 to obtain a knowledge relationship network 1 containing the passive attack intention; performing second noise cleaning on the active attack intention mining knowledge cluster through a preset knowledge processing layer 2 to obtain a knowledge relationship network 2 containing the active attack intention; combining knowledge relationship network 1 and knowledge relationship network 2 to obtain a potential abnormal session description matched with the target attack intention in the potential abnormal session information set, the target attack intention comprising at least one of the passive attack intention and the active attack intention; and determining the attack intention characteristics of the selected intrusion attack behavior based on the potential abnormal session description.
In the embodiment of the invention, the preset knowledge processing layer 1 and the preset knowledge processing layer 2 can be added on top of the relevant artificial intelligence model, so that mining analysis of different types of attack intention can be realized and the completeness of the potential abnormal session description ensured, whereby the attack intention characteristics of the selected intrusion attack behavior are determined accurately and completely.
In some possible embodiments, performing passive attack intention mining and active attack intention mining respectively on the plurality of pieces of potential abnormal session information in the potential abnormal session information set to obtain a passive attack intention mining knowledge cluster and an active attack intention mining knowledge cluster comprises: performing passive attack intention mining respectively on the plurality of pieces of potential abnormal session information in the potential abnormal session information set to obtain the passive attack intention mining windows in each piece of potential abnormal session information and the intention-based category corresponding to each passive attack intention mining window; determining the passive attack intention mining knowledge cluster based on the passive attack intention mining windows and the corresponding intention categories in each piece of potential abnormal session information; and performing active attack intention mining respectively on the plurality of pieces of potential abnormal session information in the potential abnormal session information set to obtain the active attack intention mining knowledge cluster.
In some possible embodiments, performing active attack intention mining on the plurality of pieces of potential abnormal session information in the potential abnormal session information set to obtain the active attack intention mining knowledge cluster comprises: performing intrusion node mining respectively on the plurality of pieces of potential abnormal session information to obtain the intrusion node mining information corresponding to each piece of potential abnormal session information; performing intrusion scene mining respectively on the plurality of pieces of potential abnormal session information to obtain the intrusion scene mining information corresponding to each piece of potential abnormal session information; associating the intrusion node mining information and the intrusion scene mining information that correspond to the same attack item; and performing active attack intention mining based on the intrusion scene mining information associated with the target intrusion node mining information in the potential abnormal session information to obtain the active attack intention mining knowledge cluster.
In some possible embodiments, performing, through the preset knowledge processing layer 1, first noise cleaning on the passive attack intention mining knowledge cluster to obtain the knowledge relationship network 1 containing the passive attack intention comprises: performing intention type processing respectively on each piece of potential abnormal session information in the passive attack intention mining knowledge cluster to obtain the exclusive intention type matched one-to-one with each piece of potential abnormal session information; performing attack intention mining window optimization respectively, based on the scale of the passive attack intention mining window corresponding to the exclusive intention type in each piece of potential abnormal session information, to obtain an updated passive attack intention mining knowledge cluster; cleaning the updated passive attack intention mining knowledge cluster to obtain a plurality of first candidate knowledge relationship networks containing the passive attack intention; and, according to the passive attack intention type to which each first candidate knowledge relationship network belongs, performing relationship network adjustment on the first candidate knowledge relationship networks belonging to the same passive attack intention type to obtain the knowledge relationship network 1 containing the passive attack intention.
In some possible embodiments, performing intention type processing respectively on each piece of potential abnormal session information in the passive attack intention mining knowledge cluster to obtain the exclusive intention type matched one-to-one with each piece of potential abnormal session information comprises: for each piece of potential abnormal session information in the passive attack intention mining knowledge cluster, when the number of intention-based categories of that piece is not less than two, acquiring the intention category weight of each intention-based category; when a single intention-based category has the maximum intention category weight, taking that intention-based category as the exclusive intention type of the corresponding piece of potential abnormal session information; when not less than two intention-based categories share the maximum intention category weight, acquiring, for each of those intention-based categories, the window weight of its corresponding passive attack intention mining window; and determining the exclusive intention type of the corresponding piece of potential abnormal session information from the intention-based category corresponding to the maximum window weight.
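The exclusive intention type selection in the preceding paragraph, as an added example (this is not code from the patent). The MiningWindow record, the rule that a category's intention category weight is the largest weight among its windows, and the category names in the sample are assumptions of this example; the tie-break on window weight is restricted to the tied categories, so a non-tied category with the largest window weight is never selected.

```python
"""Added example, not the patent's own code: selecting the exclusive intention
type of one piece of potential abnormal session information, following the
rule described above (highest intention category weight; ties broken by the
largest window weight among the tied categories' mining windows).

Assumptions: a passive attack intention mining window is represented by the
MiningWindow record below; a category's intention category weight is taken as
the largest category_weight among that category's windows; the category
names in the sample are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class MiningWindow:
    category: str            # intention-based category of the window
    category_weight: float   # intention category weight
    window_weight: float     # weight of the passive attack intention mining window


def exclusive_intention_type(windows: List[MiningWindow]) -> Optional[str]:
    """Exclusive intention type for one piece of potential abnormal session information."""
    if not windows:
        return None
    # intention category weight per category (assumed: max over its windows)
    cat_weight: Dict[str, float] = {}
    for w in windows:
        cat_weight[w.category] = max(cat_weight.get(w.category, float("-inf")), w.category_weight)
    if len(cat_weight) == 1:                 # fewer than two categories: nothing to choose
        return windows[0].category
    best = max(cat_weight.values())
    tied = [c for c, wt in cat_weight.items() if wt == best]
    if len(tied) == 1:                       # a single category has the maximum weight
        return tied[0]
    # two or more categories share the maximum category weight: compare the
    # window weights of the tied categories' mining windows only
    best_window = max((w for w in windows if w.category in tied),
                      key=lambda w: w.window_weight)
    return best_window.category


def exclusive_types_for_cluster(cluster: Dict[str, List[MiningWindow]]) -> Dict[str, Optional[str]]:
    """Apply the rule to every piece of session information in a mining knowledge cluster."""
    return {session_id: exclusive_intention_type(ws) for session_id, ws in cluster.items()}


# Constructed sample cluster keyed by a session identifier.
SAMPLE_CLUSTER = {
    "sess-1": [                            # tie on category weight, broken by window weight
        MiningWindow("credential-harvest", 0.9, 0.4),
        MiningWindow("lateral-movement", 0.9, 0.7),
        MiningWindow("reconnaissance", 0.5, 0.95),   # highest window weight, but not tied
    ],
    "sess-2": [MiningWindow("reconnaissance", 0.3, 0.2)],   # single category
    "sess-3": [                            # clear winner on category weight
        MiningWindow("data-exfiltration", 0.8, 0.1),
        MiningWindow("reconnaissance", 0.3, 0.9),
    ],
}

if __name__ == "__main__":
    print(exclusive_types_for_cluster(SAMPLE_CLUSTER))
```

For "sess-1" the two categories tied at weight 0.9 are compared on window weight and "lateral-movement" wins; the "reconnaissance" window, although it has the largest window weight in that session, is not part of the tie and is ignored.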
Based on the same inventive concept, fig. 2 shows a block diagram of a data analysis device for dealing with cloud computing network attacks provided in the embodiment of the present invention. The data analysis device for dealing with cloud computing network attacks may comprise an attack behavior identification module 21 and an abnormal session positioning module 22, which implement the relevant method steps shown in fig. 1. The attack behavior identification module 21 is configured to collect, in response to a network attack analysis instruction, the cloud service activity big data triggering the information security response mechanism, and to perform intrusion attack behavior identification on that big data to obtain the identification result of the intrusion attack behavior in each online service interaction record of the cloud service activity big data triggering the information security response mechanism. The abnormal session positioning module 22 is configured to determine the selected intrusion attack behavior in each online service interaction record from the identification result of the intrusion attack behavior in each online service interaction record, and to determine, using the identification result of the selected intrusion attack behavior in each online service interaction record, at least one potential abnormal session information set carrying the selected intrusion attack behavior in the cloud service activity big data triggering the information security response mechanism.
The related embodiments of the invention can achieve the following technical effects. The big data analysis server of the cloud service activity big data triggering the information security response mechanism performs intrusion attack behavior identification on that big data and obtains the identification result of the intrusion attack behavior in each of its online service interaction records; determines, from the identification result of the intrusion attack behavior, the selected intrusion attack behavior in each online service interaction record; and determines, from the identification result of the selected intrusion attack behavior in each online service interaction record, at least one potential abnormal session information set in the cloud service activity big data triggering the information security response mechanism.
In this way, the network attack analysis instruction can be responded to intelligently and the potential abnormal session information sets in the cloud service activity big data triggering the information security response mechanism collected, after which the big data attack analysis network can be guided, based on those potential abnormal session information sets, in identifying that big data. This reduces the attack identification workload of the big data attack analysis network and improves the precision and timeliness with which the potential abnormal session information sets for the selected intrusion attack behavior are identified. Compared with the conventional approach of manually positioning the potential abnormal session information sets for the big data attack analysis network, the degree of intelligence of network attack identification on cloud service activity big data can be improved and unnecessary resource overhead reduced.
The foregoing is only illustrative of the present invention. Those skilled in the art can conceive of changes or substitutions based on the specific embodiments provided by the present invention, and all such changes or substitutions are intended to be included within the scope of the present invention.

Claims (8)

1. A data analysis method for dealing with cloud computing network attacks, applied to a big data analysis server, the method comprising at least the following steps:
responding to a network attack analysis instruction by collecting cloud service activity big data triggering an information security response mechanism;
performing intrusion attack behavior identification on the cloud service activity big data triggering the information security response mechanism to obtain an identification result of the intrusion attack behavior in each online service interaction record of the cloud service activity big data triggering the information security response mechanism;
determining the selected intrusion attack behavior in each online service interaction record using the identification result of the intrusion attack behavior in each online service interaction record; and
determining, using the identification result of the selected intrusion attack behavior in each online service interaction record, at least one potential abnormal session information set carrying the selected intrusion attack behavior in the cloud service activity big data triggering the information security response mechanism;
wherein the identification result comprises an interaction record time sequence label and an identification unit distribution label, and determining, using the identification result of the selected intrusion attack behavior in each online service interaction record, at least one potential abnormal session information set carrying the selected intrusion attack behavior in the cloud service activity big data triggering the information security response mechanism comprises: determining at least one online service interaction log to be analyzed using the interaction record time sequence label of the selected intrusion attack behavior in each online service interaction record, wherein the online service interaction log to be analyzed comprises at least two online service interaction records having a precedence relationship, and each online service interaction record in the online service interaction log to be analyzed carries the selected intrusion attack behavior; and determining, using the identification unit distribution label of the selected intrusion attack behavior in each online service interaction record of the online service interaction log to be analyzed, the distribution label of at least one potential abnormal session information set carrying the selected intrusion attack behavior in the cloud service activity big data triggering the information security response mechanism.
2. The method of claim 1, wherein, after determining at least one online service interaction log to be analyzed using the interaction record time sequence label of the selected intrusion attack behavior in each online service interaction record, and before determining, using the identification unit distribution label of the selected intrusion attack behavior in each online service interaction record of the online service interaction log to be analyzed, the distribution label of at least one potential abnormal session information set carrying the selected intrusion attack behavior in the cloud service activity big data triggering the information security response mechanism, the method further comprises: locating those online service interaction logs to be analyzed whose effective session time period reaches a time period judgment value.
3. The method of claim 2, further comprising: determining the time period judgment value in advance using the state trigger time of the big data attack analysis network.
4. The method of claim 1, wherein determining, using the identification unit distribution label of the selected intrusion attack behavior in each online service interaction record of the online service interaction log to be analyzed, the distribution label of at least one potential abnormal session information set carrying the selected intrusion attack behavior in the cloud service activity big data triggering the information security response mechanism comprises:
integrating, using the identification unit distribution label of the selected intrusion attack behavior in each online service interaction record of the online service interaction log to be analyzed, the identification units of the selected intrusion attack behavior in each online service interaction record of the online service interaction log to be analyzed, to obtain the distribution label of at least one potential abnormal session information set carrying the selected intrusion attack behavior in the cloud service activity big data triggering the information security response mechanism.
5. The method of claim 4, wherein integrating, using the identification unit distribution label of the selected intrusion attack behavior in each online service interaction record of the online service interaction log to be analyzed, the identification units of the selected intrusion attack behavior in each online service interaction record of the online service interaction log to be analyzed, to obtain the distribution label of at least one potential abnormal session information set carrying the selected intrusion attack behavior in the cloud service activity big data triggering the information security response mechanism comprises:
sorting the identification units of the selected intrusion attack behavior in each online service interaction record of the online service interaction log to be analyzed in descending order of a specified distribution label index to obtain a sorted identification unit set;
locating the identification units one by one from the sorted identification unit set to serve as the first identification unit until all identification units have been located;
for the first identification unit located each time, determining one by one the distribution association index between the first identification unit and each second identification unit, the second identification units being those identification units in the sorted identification unit set that are located after, and have lower priority than, the first identification unit;
when the distribution association index between the first identification unit and a second identification unit reaches a set judgment value, optimizing the first identification unit, wherein the optimized first identification unit comprises the first identification unit before optimization and the second identification unit, and the second identification unit is filtered out of the sorted identification unit set;
when the distribution association index between the first identification unit and every retained second identification unit is lower than the set judgment value, locating the next identification unit from the sorted identification unit set as the first identification unit; and
determining at least one potential abnormal session information set carrying the selected intrusion attack behavior in the cloud service activity big data triggering the information security response mechanism, wherein the potential abnormal session information set comprises the identification units of the sorted identification unit set.
6. The method of claim 1, wherein, after determining, using the identification result of the selected intrusion attack behavior in each online service interaction record, at least one potential abnormal session information set carrying the selected intrusion attack behavior in the cloud service activity big data triggering the information security response mechanism, the method further comprises:
creating a raw material pairing indication using the session characteristics of the at least one potential abnormal session information set, wherein the session characteristics of the potential abnormal session information set comprise the distribution label of the potential abnormal session information set, and the raw material pairing indication is used to guide the data raw materials required for evaluating the big data attack analysis network; and
evaluating the big data attack analysis network using the raw material pairing indication and the cloud service activity big data triggering the information security response mechanism.
7. The method of claim 6, wherein the session characteristics of the potential abnormal session information set further comprise the time period range within which the selected intrusion attack behavior is active in the potential abnormal session information set;
before creating the raw material pairing indication using the session characteristics of the at least one potential abnormal session information set, the method further comprises: determining, using the interaction record time sequence label of the selected intrusion attack behavior, the time period range within which the selected intrusion attack behavior is active in the potential abnormal session information set; and
creating the raw material pairing indication using the session characteristics of the at least one potential abnormal session information set comprises: acquiring the session characteristics of the big data attack analysis network; determining, using the session characteristics of the big data attack analysis network, the indication sample corresponding to the big data attack analysis network among the indication samples deployed in advance; and creating the raw material pairing indication using the indication sample and the session characteristics of the at least one potential abnormal session information set.
8. A big data analysis server, comprising a memory and a processor coupled to each other, the memory storing computer program code comprising computer instructions which, when executed by the processor, cause the big data analysis server to perform the method of any one of claims 1 to 7.
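Claims 1, 2 and 5 chained together as an added example (this is not the patent's own code): online service interaction records are grouped into logs by their interaction record time sequence labels, logs whose effective session period falls short of the time period judgment value are dropped, and the identification units of each remaining log are merged greedily in descending distribution label index order. Representing a distribution label as an interval, using Jaccard overlap as the distribution association index, comparing later second units against the already optimized first unit, and the constructed sample records are all assumptions of this example.

```python
"""Added example, not the patent's own code: claims 1, 2 and 5 as one pipeline.

Assumptions (the claims name concepts, not representations):
  * an online service interaction record carries an integer interaction record
    time sequence label (its position in the stream) and a timestamp in seconds;
  * an identification unit distribution label is an interval (lo, hi) on a
    feature axis, and the distribution label index is a confidence score;
  * the distribution association index of two units is the Jaccard overlap of
    their intervals, the set judgment value is a threshold on it, and the time
    period judgment value is a minimum effective session period in seconds;
  * after a merge, later second units are compared against the optimized
    (widened) first unit.
The sample records are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

Interval = Tuple[float, float]


@dataclass
class IdentificationUnit:
    label: Interval                  # identification unit distribution label
    index: float                     # distribution label index (confidence)
    members: List[int] = field(default_factory=list)   # time sequence labels merged in


@dataclass
class InteractionRecord:
    seq: int                         # interaction record time sequence label
    ts: float                        # record time in seconds
    units: List[IdentificationUnit]  # units of the selected behaviour (empty if absent)


def logs_to_analyze(records: List[InteractionRecord]) -> List[List[InteractionRecord]]:
    """Claim 1: logs of at least two records with consecutive time sequence labels,
    every record of which carries the selected intrusion attack behaviour."""
    logs: List[List[InteractionRecord]] = []
    run: List[InteractionRecord] = []
    for rec in sorted(records, key=lambda r: r.seq):
        if rec.units and (not run or rec.seq == run[-1].seq + 1):
            run.append(rec)
            continue
        if len(run) >= 2:
            logs.append(run)
        run = [rec] if rec.units else []
    if len(run) >= 2:
        logs.append(run)
    return logs


def long_enough(log: List[InteractionRecord], period_judgment_value: float) -> bool:
    """Claim 2: the log's effective session period reaches the time period judgment value."""
    return (log[-1].ts - log[0].ts) >= period_judgment_value


def association_index(a: Interval, b: Interval) -> float:
    """Assumed distribution association index: Jaccard overlap of two intervals."""
    inter = max(0.0, min(a[1], b[1]) - max(a[0], b[0]))
    union = (a[1] - a[0]) + (b[1] - b[0]) - inter
    return inter / union if union > 0 else 0.0


def merge_units(log: List[InteractionRecord], set_judgment_value: float) -> List[IdentificationUnit]:
    """Claim 5: greedy merge of the log's identification units in descending index order."""
    pool = [IdentificationUnit(u.label, u.index, [rec.seq]) for rec in log for u in rec.units]
    pool.sort(key=lambda u: u.index, reverse=True)         # sorted identification unit set
    result: List[IdentificationUnit] = []
    while pool:
        first = pool.pop(0)                                 # next first identification unit
        retained = []
        for second in pool:                                 # lower priority than first
            if association_index(first.label, second.label) >= set_judgment_value:
                # optimize first: it now spans both units; second is filtered out
                first.label = (min(first.label[0], second.label[0]),
                               max(first.label[1], second.label[1]))
                first.members.extend(second.members)
            else:
                retained.append(second)
        pool = retained
        result.append(first)
    return result


def potential_abnormal_session_sets(records, period_judgment_value, set_judgment_value):
    """Claims 1, 2 and 5 chained: one list of merged units per qualifying log."""
    return [merge_units(log, set_judgment_value)
            for log in logs_to_analyze(records)
            if long_enough(log, period_judgment_value)]


# Constructed sample stream of seven records; records 1 and 5 carry no units.
SAMPLE_RECORDS = [
    InteractionRecord(1, 0.0, []),
    InteractionRecord(2, 1.0, [IdentificationUnit((10, 20), 0.9)]),
    InteractionRecord(3, 2.0, [IdentificationUnit((12, 22), 0.8), IdentificationUnit((50, 60), 0.7)]),
    InteractionRecord(4, 3.0, [IdentificationUnit((11, 21), 0.6)]),
    InteractionRecord(5, 4.0, []),
    InteractionRecord(6, 5.0, [IdentificationUnit((30, 40), 0.5)]),
    InteractionRecord(7, 5.5, [IdentificationUnit((31, 41), 0.4)]),   # log 6-7 lasts only 0.5 s
]

if __name__ == "__main__":
    for units in potential_abnormal_session_sets(SAMPLE_RECORDS, 2.0, 0.5):
        for u in units:
            print(u.label, sorted(u.members))
```

On the sample, records 2 to 4 form one log and records 6 to 7 another; the second is discarded by the claim 2 filter with a time period judgment value of 2 seconds. Within the first log the three overlapping units are absorbed into the highest-index unit, giving one potential abnormal session information set spanning records 2, 3 and 4 and a second, disjoint one from record 3 alone. The merge step has quadratic worst-case cost in the number of units per log, which is why the claim 2 filter is applied before it.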

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202210572275.7A CN114726654B (en) 2022-05-25 2022-05-25 Data analysis method and server for coping with cloud computing network attack
CN202211394916.0A CN115801369A (en) 2022-05-25 2022-05-25 Data processing method and server based on cloud computing

Related Child Applications (1)

Application Number Title Priority Date Filing Date
CN202211394916.0A Division CN115801369A (en) 2022-05-25 2022-05-25 Data processing method and server based on cloud computing

Publications (2)

Publication Number Publication Date
CN114726654A CN114726654A (en) 2022-07-08
CN114726654B true CN114726654B (en) 2022-12-06

Family

ID=82231878

Family Applications (2)

Application Number Title Priority Date Filing Date
CN202210572275.7A Active CN114726654B (en) 2022-05-25 2022-05-25 Data analysis method and server for coping with cloud computing network attack
CN202211394916.0A Pending CN115801369A (en) 2022-05-25 2022-05-25 Data processing method and server based on cloud computing

Country Status (1)

Country Link
CN (2) CN114726654B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115203689B (en) * 2022-07-25 2023-05-02 广州正则纬创信息科技有限公司 Data security sharing method and system
CN115344880B (en) * 2022-09-14 2023-04-07 丁跃辉 Information security analysis method and server applied to digital cloud
CN115454781B (en) * 2022-10-08 2023-05-16 杭银消费金融股份有限公司 Data visualization display method and system based on enterprise architecture system
CN116366371B (en) * 2023-05-30 2023-10-27 广东维信智联科技有限公司 Session security assessment system based on computer

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106899435A (en) * 2017-02-21 2017-06-27 浙江大学城市学院 A kind of complex attack identification technology towards wireless invasive detecting system
CN110839033A (en) * 2019-11-18 2020-02-25 广州安加互联科技有限公司 Network attack identification method, system and terminal
CN111565205A (en) * 2020-07-16 2020-08-21 腾讯科技(深圳)有限公司 Network attack identification method and device, computer equipment and storage medium
WO2021169293A1 (en) * 2020-02-27 2021-09-02 华为技术有限公司 Attack behavior detection method and apparatus, and attack detection device
WO2021196911A1 (en) * 2020-03-30 2021-10-07 腾讯科技(深圳)有限公司 Network security protection method and apparatus based on artificial intelligence, and electronic device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10965694B2 (en) * 2018-12-11 2021-03-30 Bank Of America Corporation Network security intrusion detection

Also Published As

Publication number Publication date
CN115801369A (en) 2023-03-14
CN114726654A (en) 2022-07-08

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20220909

Address after: No. 86, Chunyang Road, Chengyang District, Qingdao City, Shandong Province, 266000

Applicant after: Gong Liang

Address before: 266000 No. 436, Huacheng Road, Chengyang District, Qingdao, Shandong Province

Applicant before: Qingdao Zhongxin Chuanglian Electronic Technology Co.,Ltd.

TA01 Transfer of patent application right

Effective date of registration: 20221111

Address after: 100000 Room 406, Floor 4, Building B, No. 12, East Yard, No. 10, Northwest Wangdong Road, Haidian District, Beijing

Applicant after: Beijing Huixiang Technology Co.,Ltd.

Address before: No. 86, Chunyang Road, Chengyang District, Qingdao City, Shandong Province, 266000

Applicant before: Gong Liang

GR01 Patent grant