CN101902366B - Method and system for detecting abnormal service behaviors - Google Patents
- Publication number: CN101902366B
- Application number: CN200910085032.5A
- Authority: CN (China)
- Prior art keywords: monitored object, setting, occurrences, frequency, monitoring type
- Legal status: Expired - Fee Related
Landscapes
- Alarm Systems (AREA)
Abstract
The invention provides a method for detecting abnormal service behaviors, which comprises the following steps of: establishing a model of normal service system access behaviors of users according to historical audit records prior to a current detection point of safety audit equipment; and analyzing real-time audit records of the safety audit equipment, comparing the real-time audit records with the normal behavior model, and judging whether the service access behaviors of the users are abnormal or not. The invention also provides a system for detecting abnormal service behaviors. The method and the system for detecting abnormal service behaviors can detect attack behaviors, which are legal in terms of service flow, but still bring about destruction to a service system actually, according to audit records of the safety audit equipment.
Description
Technical field
The present invention relates to the field of information security, and in particular to a method and system for detecting abnormal service behaviors.
Background art
With the development of information technology, Internet service systems built around a database server, such as online banking systems and electronic ticket booking systems, have come into increasingly wide use. Because the database server stores the critical data of the service system and is closely tied to the whole service flow, ensuring the information security of the database server is particularly important. To better protect database servers, network security audit equipment is widely used. It can monitor and record users' accesses to the server in real time; for example, once it finds an access that violates the rules (an unauthenticated access or an unauthorized access), it can block the violation.
Although security audit equipment can promptly detect and block behavior that violates the service flow, in practice there are many attacks that do not violate the service flow yet still damage the service system. For example, in one service system an insider once used another employee's stolen account information to log in to the service system and repeatedly modified database records for profit. Because this kind of attack conforms completely to the service flow, existing security audit products cannot detect it, raise an alarm or block it.
In the current prior art, some solutions analyze database access records according to security configuration rules and classify each record as alarm or non-alarm. Such a scheme can detect some abnormal service behavior but has the following shortcomings. First, relying on administrators to formulate a complete set of security configuration rules is too cumbersome, and once an attack occurs that the rules do not cover, it goes unreported. Second, some attacks cannot be found from one or a few database access records, for example the frequency with which a certain access record is modified within 24 hours; for such attacks no reasonable security configuration rule can be formulated that detects them by analyzing one or a few database access records.
Summary of the invention
The technical problem to be solved by the present invention is to provide a system and method for detecting abnormal service behaviors which, based on the audit records of security audit equipment, detect attacks that do not violate the service flow yet still damage the service system.
To solve the above problem, the present invention provides a method for detecting abnormal service behaviors, comprising:
Establishing a normal behavior model of users' access to the service system according to the historical audit records prior to the current detection point of the security audit equipment;
Analyzing the real-time audit records of the security audit equipment, comparing them with the normal behavior model, and judging whether the user's access to the service system is abnormal.
Further, the above method may also have the following feature: the step of establishing the normal behavior model of users' access to the service system comprises:
Setting the monitored objects and the monitoring type corresponding to each;
Setting the start and end time of the self-learning stage;
Performing self-learning on the historical audit records within the set start and end time, and compiling statistics on the information of each monitored object according to its corresponding monitoring type, thereby establishing the normal behavior model.
Further, the above method may also have the following features:
When a monitored object is set, the database table name to be monitored and the corresponding operation type and field name are set; the monitoring type is set to value range and/or frequency of occurrence;
When the historical audit records within the set start and end time are learned, each historical audit record is parsed to extract the database table name, operation type, field name and operation value;
Whether the historical audit record contains a set monitored object is judged. For a historical audit record that contains the monitored object, statistics are compiled on the operation value of the monitored object according to its corresponding monitoring type: if the monitoring type is frequency of occurrence, the average frequency of occurrence of its specified operation value within a specified time is calculated; if the monitoring type is value range, the mean and variance of its operation value are calculated.
Further, the above method may also have the following feature: if the field name of the monitored object is of character type, the monitoring type may only be set to frequency of occurrence; if the field name of the monitored object is of numeric type, the monitoring type is set to value range and/or frequency of occurrence.
Further, the above method may also have the following feature: the step of analyzing the current audit records obtained by the security audit equipment, comparing them with the normal behavior model, and judging whether the user's access to the service system is abnormal specifically comprises:
Parsing the real-time audit record to extract the database table name, operation type, field name and operation value, and judging whether the real-time audit record contains a set monitored object;
For a real-time audit record that contains the monitored object, processing the operation value of the monitored object according to its corresponding monitoring type and judging whether it has deviated from the normal behavior model; if it has, the user's access to the service system is abnormal;
Here, judging whether the normal behavior model has been deviated from means: when the monitoring type of the monitored object is frequency of occurrence, counting the frequency of occurrence of the monitored object within the specified time and comparing whether the deviation between the frequency of occurrence of its specified operation value and the normal behavior model exceeds a set threshold; when the monitoring type of the monitored object is value range, comparing whether the deviation between the operation value of the monitored object and the normal behavior model exceeds a set threshold.
The present invention also proposes a system for detecting abnormal service behaviors, comprising:
A storage module, configured to store the audit records of the security audit equipment, including the real-time audit records of the current detection point and the historical audit records prior to the current detection point;
A model building module, connected with the storage module and the evaluation module, which establishes the normal behavior model of users' access to the service system according to the historical audit records;
An evaluation module, connected with the storage module and the model building module, configured to analyze the real-time audit records of the security audit equipment, compare them with the normal behavior model, and judge whether the user's access to the service system is abnormal.
Further, the above system may also have the following feature: the system further comprises:
A setting module, connected with the model building module and the evaluation module, configured to set the monitored objects and monitoring types, and also to set the start and end time of the self-learning stage;
The model building module is configured to perform self-learning on the historical audit records within the start and end time set by the setting module, and to compile statistics on the information of each monitored object according to its corresponding monitoring type, thereby establishing the normal behavior model.
Further, the above system may also have the following features:
When setting a monitored object, the setting module sets the database table name to be monitored and the corresponding operation type and field name, and also sets the monitoring type to value range and/or frequency of occurrence;
The model building module comprises a parsing unit and a statistics unit:
The parsing unit is configured, when the historical audit records within the set start and end time are learned, to parse each historical audit record, extract the database table name, operation type, field name and operation value, and judge whether the historical audit record contains a set monitored object;
The statistics unit is configured, for a historical audit record that contains the monitored object, to compile statistics on the information of the monitored object according to its corresponding monitoring type: if the monitoring type is frequency of occurrence, it calculates the average frequency of occurrence of the specified operation value within a specified time; if the monitoring type is value range, it calculates the mean and variance of the operation value.
Further, the above system may also have the following feature: when the setting module sets the monitoring type, if the field name of the monitored object is of character type, the monitoring type may only be set to frequency of occurrence; if the field name of the monitored object is of numeric type, the monitoring type is set to value range and/or frequency of occurrence.
Further, the above system may also have the following feature: the evaluation module comprises:
A parsing unit, configured to parse the real-time audit record, extract the database table name, operation type, field name and operation value, and judge whether the real-time audit record contains a set monitored object;
A judging unit, configured, for a real-time audit record that contains the monitored object, to process the information of the monitored object according to its corresponding monitoring type and judge whether it has deviated from the normal behavior model; if it has, the user's access to the service system is abnormal;
Here, judging whether the normal behavior model has been deviated from means: when the monitoring type of the monitored object is frequency of occurrence, counting the frequency of occurrence of the monitored object within the specified time and comparing whether the deviation between the frequency of occurrence of the monitored object and the normal behavior model exceeds a set threshold; when the monitoring type of the monitored object is value range, comparing whether the deviation between the operation value of the monitored object and the normal behavior model exceeds a set threshold.
The system and method for detecting abnormal service behaviors proposed by the present invention can, based on the audit records of security audit equipment, detect attacks that do not violate the service flow yet still damage the service system. Compared with the prior art, the invention establishes the normal behavior model of users' access to the service system by self-learning, which avoids the complicated process of relying on administrators to set security configuration rules and also better reflects the real situation of the service system. By setting the monitoring type, the invention can detect anomalies of the frequency-of-occurrence type as well as anomalies of the value-range type, so that service anomalies that cannot be detected by setting simple security configuration rules can also be detected accurately.
Brief description of the drawings
Fig. 1 is a flow chart of an embodiment of the method for detecting abnormal service behaviors in the present invention.
Fig. 2 is a schematic diagram of the composition of an embodiment of the system for detecting abnormal service behaviors in the present invention.
Detailed description of embodiments
Embodiments of the present invention are described in detail below with reference to the drawings and examples, so that how the invention applies technical means to solve the technical problem and achieve the technical effect can be fully understood and implemented accordingly.
Fig. 1 is a flow chart of an embodiment of the method for detecting abnormal service behaviors in the present invention. As shown in Fig. 1, the method embodiment mainly comprises the following steps:
Step S110: store the audit records of the security audit equipment, including the real-time audit records of the current detection point and the historical audit records prior to the current detection point;
Step S120: set the monitored objects to be monitored and the monitoring type corresponding to each monitored object;
A monitored object comprises a database table name and the corresponding operation type and field name;
The monitoring type is value range and/or frequency of occurrence. If the field name of the monitored object is of character type, only the frequency of occurrence may be monitored; if the field name of the monitored object is of numeric type, the value range and/or the frequency of occurrence may be selected for monitoring;
Step S130: establish the normal behavior model of users' access to the service system by learning from the historical audit records of the security audit equipment;
The specific method of establishing the model is:
Set the start and end time of the self-learning stage;
Learn from the historical audit records within the set start and end time according to the set monitoring types; parse the SQL statement of each historical audit record and extract the database table name, operation type, field name and operation value;
Judge whether the historical audit record contains a set monitored object;
The specific judgment method is: compare the database table name, operation type and field name with the monitored object; if they are identical, the historical audit record contains the monitored object.
For a historical audit record that contains the monitored object, compile statistics on the information of the monitored object according to its corresponding monitoring type and establish the normal behavior model, wherein:
If the monitoring type of the monitored object is frequency of occurrence, calculate the average frequency of occurrence of its specified operation value within a specified time (for example 24 hours; other specified times are also possible, and the invention does not limit this); if the monitoring type of the monitored object is value range, calculate the mean and variance of its operation values.
Step S140: analyze the real-time audit records of the security audit equipment, compare them with the normal behavior model, and judge whether the user's access to the service system is abnormal, which specifically comprises:
Parse the SQL statement of the real-time audit record and extract the database table name, operation type, field name and operation value;
Judge whether the real-time audit record contains a set monitored object;
The specific judgment method is: compare the database table name, operation type and field name with the monitored object; if they are identical, the record contains the monitored object.
For a real-time audit record that contains the monitored object, process the information of the monitored object according to its corresponding monitoring type and assess whether the operation on the monitored object has deviated from the normal behavior model; if it has, the user's access to the service system is abnormal;
Here, judging whether the normal behavior model has been deviated from specifically means: if the frequency of occurrence of the monitored object is monitored (that is, the monitoring type of the monitored object is frequency of occurrence), compare whether the deviation between the frequency of occurrence of the monitored object within the specified time and the normal behavior model exceeds a set threshold; if the value range of the monitored object is monitored (that is, the monitoring type of the monitored object is value range), compare whether the deviation between the operation value of the monitored object and the normal behavior model exceeds a set threshold.
Step S150: if abnormal behavior in a user's access to the service system is detected, raise an alarm for the anomaly. An alarm condition may also be set so that an alarm is raised only when the condition is met, for example only after multiple anomalies. The anomaly may also be recorded to generate an anomaly log for subsequent statistics and management.
Note that the whole evaluation process is divided into two stages, the self-learning stage and the detection stage. The self-learning stage is carried out first and establishes the normal behavior model of users' access to the service system; this model is then used in the second stage to detect abnormal service behavior. Once the self-learning stage is complete, the detection process in actual use does not need to perform self-learning again: it detects directly with the normal behavior model established in the self-learning stage, without learning and building the model repeatedly. Of course, because users' operating behavior changes and users are added or removed, the normal behavior model may also be updated at intervals as needed.
The following is an application example of the system for detecting abnormal service behaviors, given to describe the embodiments of the invention more clearly.
Suppose that in a certain service behavior a user needs to log in to the service system and modify some of his or her own data. Suppose this service behavior by user Bob causes the following SQL (Structured Query Language) statement to be executed on the database server:
update userscore set score=2000 where username='Bob';
In the above SQL statement, "userscore" is the database table name, "score" and "username" are database field names, "update" is the operation type, and "2000" and "Bob" are operation values.
Suppose the monitored objects and monitoring types set by the administrator are:
Monitored object 1: operation type "update", database table name "userscore", database field name "username", monitoring type: frequency of occurrence.
Monitored object 2: operation type "update", database table name "userscore", database field name "score", monitoring type: value range.
Suppose the start and end time set for the self-learning stage is 2009.1.1 0:0:0 to 2009.1.31 24:0:0. In the self-learning stage the system learns from the historical records in this period, calculating the mean and variance of the frequency of occurrence of the specified operation value of monitored object 1 within 24 hours, and the mean and variance of the value range of the operation value of monitored object 2.
Suppose the normal service behavior model obtained in the self-learning stage is: for monitored object 1 the mean is 10 and the variance is 2; for monitored object 2 the mean is 3000 and the variance is 100. In practical terms, user Bob performs this service behavior 10 times per day on average, and the average operation value each time is 3000. Suppose the threshold set by the administrator is: raise an alarm when the deviation of the user's service behavior from the normal model is greater than 2 times the variance.
Suppose that after self-learning is complete the system detects a service behavior that causes the following SQL statement to be executed on the database server:
update userscore set score=4000 where username='Bob';
Parsing this SQL statement shows that the behavior contains both monitored object 1 and monitored object 2 as set. Suppose further detection finds that, for monitored object 1, "Bob" has occurred 12 times within 24 hours. The deviation from the normal model is 2, while 2 times the variance is 2 × 2 = 4, so monitored object 1 has not deviated from the normal model.
For monitored object 2, the value is 4000 and the deviation from the normal model is 1000, while 2 times the variance is 100 × 2 = 200, so monitored object 2 has deviated from the normal model, and the system raises an alarm for this behavior.
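The two stages of the application example above, implemented in Python as an added example (not code from the patent). The regex parser handles only the single-table UPDATE shape shown above; the function names, the four-day learning window and the sample records are constructed for illustration, while the threshold rule (deviation greater than 2 times the variance) is the one the example states.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean, pvariance

# Simplified parser: only the single-table UPDATE shape of the example above.
UPDATE_RE = re.compile(
    r"^\s*update\s+(\w+)\s+set\s+(.+?)\s+where\s+(.+?)\s*;?\s*$", re.I | re.S)
ASSIGN_RE = re.compile(r"(\w+)\s*=\s*('(?:[^']|'')*'|-?\d+(?:\.\d+)?)")

# Monitored objects: (operation type, table name, field name) -> monitoring types.
MONITORED = {
    ("update", "userscore", "username"): {"frequency"},  # character field
    ("update", "userscore", "score"): {"range"},         # numeric field
}

def parse_update(sql):
    """Extract (operation type, table, field, operation value) tuples."""
    m = UPDATE_RE.match(sql)
    if not m:
        return []
    table, set_clause, where_clause = m.groups()
    items = []
    for field, raw in ASSIGN_RE.findall(set_clause + " , " + where_clause):
        # Quoted literals are character values, everything else is numeric.
        value = raw[1:-1].replace("''", "'") if raw[0] == "'" else float(raw)
        items.append(("update", table.lower(), field.lower(), value))
    return items

def learn(history, monitored, start, end):
    """Self-learning stage over records with start <= timestamp < end."""
    n_days = (end - start).days
    per_day = defaultdict(Counter)  # (object, value) -> {date: occurrences}
    samples = defaultdict(list)     # object -> numeric operation values
    for ts, sql in history:
        if not start <= ts < end:
            continue
        for op, table, field, value in parse_update(sql):
            obj = (op, table, field)
            kinds = monitored.get(obj, ())
            if "frequency" in kinds:
                per_day[(obj, value)][ts.date()] += 1
            if "range" in kinds and isinstance(value, float):
                samples[obj].append(value)
    model = {}
    for key, days in per_day.items():
        # Days in the window with no occurrence count as zero.
        counts = list(days.values()) + [0] * (n_days - len(days))
        model[key] = (mean(counts), pvariance(counts))
    for obj, values in samples.items():
        model[obj] = (mean(values), pvariance(values))
    return model

def detect(model, monitored, window, k=2):
    """Detection stage over the audit records of one 24-hour window."""
    alerts, seen = [], Counter()
    for _ts, sql in window:
        for op, table, field, value in parse_update(sql):
            obj = (op, table, field)
            kinds = monitored.get(obj, ())
            if "frequency" in kinds:
                seen[(obj, value)] += 1
            if "range" in kinds and isinstance(value, float) and obj in model:
                avg, var = model[obj]
                if abs(value - avg) > k * var:
                    alerts.append(("range", field, value, abs(value - avg)))
    for (obj, value), count in seen.items():
        # Values never seen while learning have no baseline and are skipped.
        if (obj, value) in model:
            avg, var = model[(obj, value)]
            if abs(count - avg) > k * var:
                alerts.append(("frequency", obj[2], value, abs(count - avg)))
    return alerts

def demo():
    """Constructed records reproducing the numbers of the example above."""
    sql = "update userscore set score={} where username='Bob';"
    start, history = datetime(2009, 1, 1), []
    for day, n in enumerate([8, 10, 12, 10]):   # daily counts: mean 10, variance 2
        for i in range(n):
            score = 2990 if len(history) % 2 == 0 else 3010  # mean 3000, variance 100
            history.append((start + timedelta(days=day, minutes=i), sql.format(score)))
    model = learn(history, MONITORED, start, start + timedelta(days=4))
    day = datetime(2009, 2, 1)
    window = [(day + timedelta(minutes=i), sql.format(3000)) for i in range(11)]
    window.append((day + timedelta(hours=1), sql.format(4000)))  # 12th update that day
    return model, detect(model, MONITORED, window)

if __name__ == "__main__":
    model, alerts = demo()
    print(model)
    print(alerts)
```

Because the variance is in squared units, a deployment may prefer to compare the deviation with a multiple of the standard deviation; the rule used here follows the example as stated.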
Fig. 2 is a schematic diagram of the composition of an embodiment of the system for detecting abnormal service behaviors in the present invention. As shown in Fig. 2, the system comprises a storage module 210, a setting module 220, a model building module 230 and an evaluation module 240, wherein:
Further, the model building module 230 comprises a parsing unit and a statistics unit:
The parsing unit is configured, when the historical audit records within the set start and end time are learned, to parse each historical audit record, extract the database table name, operation type, field name and operation value, and judge whether the historical audit record contains a set monitored object;
The statistics unit is configured, for a historical audit record that contains the monitored object, to compile statistics on the information of the monitored object according to its corresponding monitoring type: if the monitoring type is frequency of occurrence, it calculates the average frequency of occurrence of the specified operation value within a specified time; if the monitoring type is value range, it calculates the mean and variance of the operation value.
Further, the evaluation module 240 comprises:
A parsing unit, configured to parse the real-time audit record, extract the database table name, operation type, field name and operation value, and judge whether the real-time audit record contains a set monitored object;
A judging unit, configured, for a real-time audit record that contains the monitored object, to process the information of the monitored object according to its corresponding monitoring type and judge whether it has deviated from the normal behavior model; if it has, the user's access to the service system is abnormal;
Here, judging whether the normal behavior model has been deviated from means: when the monitoring type of the monitored object is frequency of occurrence, counting the frequency of occurrence of the monitored object within the specified time and comparing whether the deviation between the frequency of occurrence of the monitored object and the normal behavior model exceeds a set threshold; when the monitoring type of the monitored object is value range, comparing whether the deviation between the operation value of the monitored object and the normal behavior model exceeds a set threshold.
Although the embodiments disclosed by the present invention are as above, the content described is only an embodiment adopted to facilitate understanding of the invention and is not intended to limit it. Any person skilled in the technical field of the invention may make any modification or variation in the form and details of implementation without departing from the spirit and scope disclosed by the invention, but the scope of patent protection of the invention shall still be defined by the appended claims.
Claims (6)
1. A method for detecting abnormal service behaviors, characterized by comprising:
Establishing a normal behavior model of users' access to the service system according to the historical audit records prior to the current detection point of the security audit equipment;
Analyzing the real-time audit records of the security audit equipment, comparing them with the normal behavior model, and judging whether the user's access to the service system is abnormal;
Wherein the step of establishing the normal behavior model of users' access to the service system comprises:
Setting the monitored objects and the monitoring type corresponding to each;
Setting the start and end time of the self-learning stage;
Performing self-learning on the historical audit records within the set start and end time, and compiling statistics on the information of each monitored object according to its corresponding monitoring type, thereby establishing the normal behavior model;
Wherein, when a monitored object is set, the database table name to be monitored and the corresponding operation type and field name are set; the monitoring type is set to value range and/or frequency of occurrence;
When the historical audit records within the set start and end time are learned, each historical audit record is parsed to extract the database table name, operation type, field name and operation value;
Whether the historical audit record contains a set monitored object is judged; for a historical audit record that contains the monitored object, statistics are compiled on the operation value of the monitored object according to its corresponding monitoring type: if the monitoring type is frequency of occurrence, the average frequency of occurrence of its specified operation value within a specified time is calculated; if the monitoring type is value range, the mean and variance of its operation value are calculated.
2. The method of claim 1, characterized in that, if the field name of the monitored object is of character type, the monitoring type may only be set to frequency of occurrence; if the field name of the monitored object is of numeric type, the monitoring type is set to value range and/or frequency of occurrence.
3. The method of claim 1 or 2, characterized in that analyzing the real-time audit records obtained by the security audit equipment, comparing them with the normal behavior model, and judging whether the user's access to the service system is abnormal specifically comprises:
Parsing the real-time audit record to extract the database table name, operation type, field name and operation value, and judging whether the real-time audit record contains a set monitored object;
For a real-time audit record that contains the monitored object, processing the operation value of the monitored object according to its corresponding monitoring type and judging whether it has deviated from the normal behavior model; if it has, the user's access to the service system is abnormal;
Wherein judging whether the normal behavior model has been deviated from means: when the monitoring type of the monitored object is frequency of occurrence, counting the frequency of occurrence of the monitored object within the specified time and comparing whether the deviation between the frequency of occurrence of its specified operation value and the normal behavior model exceeds a set threshold; when the monitoring type of the monitored object is value range, comparing whether the deviation between the operation value of the monitored object and the normal behavior model exceeds a set threshold.
4. a business conduct abnormality detection system, is characterized in that, comprising:
Memory module, for the record of the audit of storage security audit equipment, comprises the real-time auditing record of current detection point, and the historical auditing record before described current detection point;
Module is set, for setting monitored object and monitoring type; Also for setting the beginning and ending time in self study stage;
Model building module, with described memory module, module be set be connected with evaluation module, for carrying out self study according to the historical auditing record arranging in the beginning and ending time that module sets, according to its corresponding monitoring type of monitored object, the information of this monitored object is added up, thereby set up normal behaviour model;
Evaluation module, with described memory module, module be set be connected with model building module, for the real-time auditing record to described security audit equipment, analyze, compare with described normal behaviour model, judge that whether the behavior of user's access service system is abnormal;
The described module that arranges, while setting monitored object, sets the database table name that needs monitoring, and corresponding action type and field name, and also setting monitoring type is span and/or the frequency of occurrences;
Described model building module comprises resolution unit and statistic unit:
Resolution unit, when the historical auditing record in the beginning and ending time of setting is learnt, historical auditing record is resolved, extract database table name, action type, field name and operating value, judge whether described historical auditing record comprises the monitored object of setting;
Statistic unit, be used for comprising the described historical auditing record of described monitored object, when the information of this monitored object is added up according to its corresponding monitoring type of monitored object, if the corresponding monitoring type of this monitored object is the frequency of occurrences, calculate the average frequency of occurrences of its assigned operation value in the fixed time; If the corresponding monitoring type of this monitored object is span, calculate average and the variance of its operating value.
5. The system as claimed in claim 4, characterized in that, when the setting module sets the monitoring type, if the field name of the monitored object is of character type, only one monitoring type, the frequency of occurrence, may be set; if the field name of the monitored object is of numeric type, the monitoring type is set to value range and/or frequency of occurrence.
6. The system as claimed in claim 4 or 5, characterized in that the evaluation module comprises:
A parsing unit, for parsing the real-time audit records, extracting the database table name, operation type, field name and operation value, and judging whether each real-time audit record contains a set monitored object;
A judging unit, for processing, for each real-time audit record that contains the monitored object, the information of the monitored object according to its corresponding monitoring type, and judging whether it has deviated from the normal behaviour model; if it has, the user's behaviour in accessing the service system is abnormal;
Wherein judging whether the normal behaviour model has been deviated from means: when the monitoring type corresponding to the monitored object is frequency of occurrence, counting the frequency of occurrence of the monitored object within the specified time, and comparing whether the degree of deviation of that frequency from the normal behaviour model exceeds a set threshold; when the monitoring type of the monitored object is value range, comparing whether the degree of deviation of the operation value of the monitored object from the normal behaviour model exceeds a set threshold.
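The learn-then-judge flow of claims 4 to 6, sketched as an added example (not code from the patent). The record layout, the one-hour window, and the deviation measures with their thresholds (distance from the mean in standard deviations, and per-window count as a multiple of the learned average) are assumptions, since the claims only require that a set threshold be exceeded.

```python
from collections import Counter
from statistics import mean, pvariance

WINDOW = 3600  # assumed length of the "specified time", in seconds

def make_target(table, op, field, numeric, types, freq_value=None):
    # Claim 5: a character-type field may only use the frequency type.
    if not numeric and set(types) != {"frequency"}:
        raise ValueError("character fields allow only the frequency type")
    return {"key": (table, op, field), "types": set(types), "freq_value": freq_value}

def matching(records, target):
    # Parsing unit: keep records that contain the monitored object.
    return [r for r in records if (r["table"], r["op"], r["field"]) == target["key"]]

def freq_hits(hits, target):
    # Frequency is counted for the specified operation value (None = any value).
    return [r for r in hits if target["freq_value"] in (None, r["value"])]

def learn(history, target, start, end):
    # Statistics unit, run over the self-learning period [start, end).
    hits = matching([r for r in history if start <= r["ts"] < end], target)
    model = {}
    if "range" in target["types"]:
        vals = [r["value"] for r in hits]
        model["mean"], model["var"] = mean(vals), pvariance(vals)
    if "frequency" in target["types"]:
        model["avg_freq"] = len(freq_hits(hits, target)) / max(1, (end - start) // WINDOW)
    return model

def evaluate(live, target, model, z_max=3.0, ratio_max=3.0):
    # Judging unit: one alert per deviation beyond the (assumed) thresholds.
    hits, alerts = matching(live, target), []
    if "mean" in model:
        limit = z_max * model["var"] ** 0.5
        alerts += [("range", r["ts"], r["value"]) for r in hits
                   if abs(r["value"] - model["mean"]) > limit]
    if "avg_freq" in model:
        per_window = Counter(r["ts"] // WINDOW for r in freq_hits(hits, target))
        alerts += [("frequency", w * WINDOW, n) for w, n in sorted(per_window.items())
                   if n > ratio_max * model["avg_freq"]]
    return alerts

def demo():
    # Constructed audit records: 24 h of history, then one hour of live traffic.
    rec = lambda ts, v: {"table": "orders", "op": "INSERT", "field": "quantity", "value": v, "ts": ts}
    history = [rec(h * WINDOW + i * 600, 1 + i % 3) for h in range(24) for i in range(6)]
    live = [rec(24 * WINDOW + i * 60, 2) for i in range(40)] + [rec(24 * WINDOW + 5, 50)]
    target = make_target("orders", "INSERT", "quantity", True, {"range", "frequency"})
    return evaluate(live, target, learn(history, target, 0, 24 * WINDOW))
```

Every live record here is a well-formed `INSERT` that a rule-based audit policy would pass; only the learned statistics flag the order of 50 and the burst of 41 inserts in one hour.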
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200910085032.5A CN101902366B (en) | 2009-05-27 | 2009-05-27 | Method and system for detecting abnormal service behaviors |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101902366A CN101902366A (en) | 2010-12-01 |
CN101902366B true CN101902366B (en) | 2014-03-12 |
Family
ID=43227585
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN200910085032.5A Expired - Fee Related CN101902366B (en) | 2009-05-27 | 2009-05-27 | Method and system for detecting abnormal service behaviors |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101902366B (en) |
Families Citing this family (34)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102609346B (en) * | 2012-01-16 | 2014-12-03 | 深信服网络科技(深圳)有限公司 | Monitoring method and monitoring device on basis of service operation |
CN103685161A (en) * | 2012-09-03 | 2014-03-26 | 北京千橡网景科技发展有限公司 | Abnormal user behavior processing method and equipment |
CN102945254B (en) * | 2012-10-18 | 2015-12-16 | 福建省海峡信息技术有限公司 | The method of the data that note abnormalities in TB level magnanimity Audit data |
CN104468466B (en) * | 2013-09-12 | 2019-01-29 | 深圳市腾讯计算机***有限公司 | The operation management method and device of network account |
CN104731816A (en) * | 2013-12-23 | 2015-06-24 | 阿里巴巴集团控股有限公司 | Method and device for processing abnormal business data |
CN105407112B (en) * | 2014-08-19 | 2020-06-05 | 中兴通讯股份有限公司 | Equipment capability learning method, device and system |
CN105577608B (en) * | 2014-10-08 | 2020-02-07 | 腾讯科技(深圳)有限公司 | Network attack behavior detection method and device |
CN104392297A (en) * | 2014-10-27 | 2015-03-04 | 普元信息技术股份有限公司 | Method and system for realizing non-business process irregularity detection in large data environment |
CN104636874B (en) * | 2015-02-12 | 2019-04-16 | 北京嘀嘀无限科技发展有限公司 | Detect the method and apparatus of service exception |
CN104767640B (en) * | 2015-03-25 | 2019-03-12 | 亚信科技(南京)有限公司 | Method for early warning and early warning system |
CN106803815B (en) * | 2015-11-26 | 2020-03-24 | 阿里巴巴集团控股有限公司 | Flow control method and device |
CN105357216A (en) * | 2015-11-30 | 2016-02-24 | 上海斐讯数据通信技术有限公司 | Secure access method and system |
CN107220530B (en) * | 2016-03-21 | 2020-03-06 | 北大方正集团有限公司 | Turing test method and system based on user service behavior analysis |
CN107783942B (en) * | 2016-08-25 | 2021-04-13 | ***通信集团上海有限公司 | Abnormal behavior detection method and device |
CN106548471B (en) * | 2016-10-18 | 2019-04-05 | 安庆师范大学 | The medical microscopic images clarity evaluation method of coarse-fine focusing |
WO2018095192A1 (en) | 2016-11-23 | 2018-05-31 | 腾讯科技(深圳)有限公司 | Method and system for website attack detection and prevention |
CN107743113A (en) * | 2016-11-23 | 2018-02-27 | 腾讯科技(深圳)有限公司 | A kind of detection method and system of website attack |
CN108306846B (en) * | 2017-01-13 | 2020-11-24 | ***通信集团公司 | Network access abnormity detection method and system |
CN107276980A (en) * | 2017-05-02 | 2017-10-20 | 广东电网有限责任公司信息中心 | A kind of user's anomaly detection method and system based on association analysis |
CN108880841A (en) * | 2017-05-11 | 2018-11-23 | 上海宏时数据***有限公司 | A kind of threshold values setting, abnormality detection system and the method for service monitoring system |
CN107402957B (en) * | 2017-06-09 | 2023-02-07 | 全球能源互联网研究院 | Method and system for constructing user behavior pattern library and detecting user behavior abnormity |
CN107888574B (en) * | 2017-10-27 | 2020-08-14 | 深信服科技股份有限公司 | Method, server and storage medium for detecting database risk |
CN107707433B (en) * | 2017-11-14 | 2020-12-11 | 北京思特奇信息技术股份有限公司 | Method for testing business process from network platform and computer equipment |
CN108600258A (en) * | 2018-05-09 | 2018-09-28 | 华东师范大学 | A kind of method for auditing safely towards Integrated Electronic System self-generating white list |
CN108632097B (en) * | 2018-05-14 | 2019-12-13 | 平安科技(深圳)有限公司 | Abnormal behavior object identification method, terminal device and medium |
CN108712284B (en) * | 2018-05-18 | 2020-11-24 | 创新先进技术有限公司 | Fault service positioning method and device and service server |
CN109120629B (en) * | 2018-08-31 | 2021-07-30 | 新华三信息安全技术有限公司 | Abnormal user identification method and device |
CN109450869B (en) * | 2018-10-22 | 2022-02-08 | 杭州安恒信息技术股份有限公司 | Service safety protection method based on user feedback |
CN111385126B (en) * | 2018-12-29 | 2021-08-13 | 华为技术有限公司 | Equipment behavior control method, device, system and storage medium |
CN110502895A (en) * | 2019-08-27 | 2019-11-26 | 中国工商银行股份有限公司 | Interface exception call determines method and device |
CN110675228B (en) * | 2019-09-27 | 2021-05-28 | 支付宝(杭州)信息技术有限公司 | User ticket buying behavior detection method and device |
CN112054989B (en) * | 2020-07-13 | 2023-03-24 | 北京天融信网络安全技术有限公司 | Construction method of detection model and detection method of batch operation abnormity |
CN112565271B (en) * | 2020-12-07 | 2022-09-02 | 瑞数信息技术(上海)有限公司 | Web attack detection method and device |
CN113595972A (en) * | 2021-06-08 | 2021-11-02 | 贵州电网有限责任公司 | Web service behavior logic detection method based on middleware flow analysis technology |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1649311A (en) * | 2005-03-23 | 2005-08-03 | 北京首信科技有限公司 | Detecting system and method for user behaviour abnormal based on machine study |
CN1794675A (en) * | 2005-08-10 | 2006-06-28 | 华为技术有限公司 | Method of establishing instant data transmission channel to realize instant message transmission |
CN101075256A (en) * | 2007-06-08 | 2007-11-21 | 北京神舟航天软件技术有限公司 | System and method for real-time auditing and analyzing database |
Non-Patent Citations (1)
Title |
---|
Luo Jun et al. Frequency-sensitive anomaly detection algorithm in security audit. Computer Engineering. 2008, Vol. 34 (No. 8), 138-141. * |
Also Published As
Publication number | Publication date |
---|---|
CN101902366A (en) | 2010-12-01 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN101902366B (en) | Method and system for detecting abnormal service behaviors | |
US10931511B2 (en) | Predicting computer network equipment failure | |
CN111475804B (en) | Alarm prediction method and system | |
US9292408B2 (en) | Automated detection of a system anomaly | |
CN108989150B (en) | Login abnormity detection method and device | |
CN109688188A (en) | Monitoring alarm method, apparatus, equipment and computer readable storage medium | |
US11250043B2 (en) | Classification of log data | |
US11153144B2 (en) | System and method of automated fault correction in a network environment | |
Costante et al. | A white-box anomaly-based framework for database leakage detection | |
Singh et al. | Sql injection detection and correction using machine learning techniques | |
WO2023108833A1 (en) | Terminal anomalous behavior detection method and apparatus, device, and storage medium | |
KR101444250B1 (en) | System for monitoring access to personal information and method therefor | |
US20160162348A1 (en) | Automated detection of a system anomaly | |
CN112039907A (en) | Automatic testing method and system based on Internet of things terminal evaluation platform | |
KR20060058186A (en) | Information technology risk management system and method the same | |
KR101973728B1 (en) | Integration security anomaly symptom monitoring system | |
CN115706669A (en) | Network security situation prediction method and system | |
US20230011129A1 (en) | Log analyzer for fault detection | |
US20150154498A1 (en) | Methods for identifying silent failures in an application and devices thereof | |
CN112035315A (en) | Webpage data monitoring method and device, computer equipment and storage medium | |
CN116401714B (en) | Security information acquisition method, device, equipment and medium | |
CN111131248B (en) | Website application security defect detection model modeling method and defect detection method | |
CN110633311B (en) | Data processing method, device and storage medium | |
CN116189399A (en) | Alarm information management method and device, storage medium and electronic equipment | |
CN117435577A (en) | Big data supervision method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee | ||
Granted publication date: 20140312 Termination date: 20180527 |