CN109714342B - Protection method and device for electronic equipment - Google Patents

Publication number
CN109714342B
Authority
CN
China
Prior art keywords
user request
unconventional
attack
alarm information
responding
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811620782.3A
Other languages
Chinese (zh)
Other versions
CN109714342A (en)
Inventor
袁慧
贺欣
郑蕾
孟浩华
余铮
曾玉荣
邓国如
冯浩
王逸兮
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
State Grid Corp of China SGCC
Information and Telecommunication Branch of State Grid Hubei Electric Power Co Ltd
Original Assignee
State Grid Corp of China SGCC
Information and Telecommunication Branch of State Grid Hubei Electric Power Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by State Grid Corp of China SGCC, Information and Telecommunication Branch of State Grid Hubei Electric Power Co Ltd filed Critical State Grid Corp of China SGCC
Priority to CN201811620782.3A priority Critical patent/CN109714342B/en
Publication of CN109714342A publication Critical patent/CN109714342A/en
Application granted granted Critical
Publication of CN109714342B publication Critical patent/CN109714342B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The embodiment of the invention provides a method and a device for protecting electronic equipment. When a user request does not contain attack features, the method analyzes whether the user request contains unconventional features and, if so, sends the unconventional features to a management server. Whether suspected attack features exist is then determined from a first judgment result that the management server feeds back according to the unconventional features. This double judgment improves the security of the electronic equipment and provides a safer network environment for the application programs on it.

Description

Protection method and device for electronic equipment
Technical Field
The invention relates to the technical field of network security, in particular to a method and a device for protecting electronic equipment.
Background
Application firewall filtering techniques are typically deployed at the entrance of an application to intercept and analyze the requests of all users in advance. If a user request contains an attack feature corresponding to a certain attack event, the request is forbidden from entering the application and from being responded to. However, limited by the identification capability of the firewall, existing firewall filtering technology can miss requests that carry unconventional attack features, which leaves a security risk for the device.
Disclosure of Invention
In view of the above, the present invention provides a method and an apparatus for protecting an electronic device.
In order to achieve the above purpose, the embodiment of the present invention adopts the following technical solutions:
In a first aspect, an embodiment of the present invention provides a method for protecting an electronic device, including:
acquiring a user request;
when the user request does not contain the attack characteristics, analyzing whether the user request contains unconventional characteristics or not;
if yes, the unconventional features are sent to a management server;
receiving a first judgment result fed back by the management server according to the unconventional characteristics;
when the first judgment result is that the unconventional characteristics do not comprise suspected attack characteristics, responding to the user request and executing operation associated with the user request;
and when the first judgment result shows that the unconventional features comprise suspected attack features, generating alarm information and sending the alarm information to an operation and maintenance end.
In a second aspect, an embodiment of the present invention further provides a protection device for an electronic device, including:
an acquisition module: for obtaining a user request;
a processing module: when the user request does not contain the attack characteristics, analyzing whether the user request contains unconventional characteristics or not;
a transceiver module: if yes, sending the unconventional characteristics to a management server;
the transceiver module is further used for receiving a first judgment result fed back by the management server according to the unconventional characteristic;
the processing module is used for responding to the user request and executing operation associated with the user request when the first judgment result shows that the unconventional characteristic does not comprise a suspected attack characteristic; and when the first judgment result shows that the unconventional features comprise suspected attack features, generating alarm information and sending the alarm information to an operation and maintenance end.
The method and the device for protecting the electronic equipment have the following advantages: when a user request does not contain attack features, whether the user request contains unconventional features is analyzed, the unconventional features are sent to the management server, and whether suspected attack features exist is determined from a first judgment result that the management server feeds back according to the unconventional features. This double judgment improves the security of the electronic equipment and provides a safer network environment for the application programs on it.
In order to make the aforementioned and other objects, features and advantages of the present invention comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained according to the drawings without inventive efforts.
Fig. 1 shows a block diagram of an electronic device provided by an embodiment of the present invention;
Fig. 2 is a schematic diagram of a communication environment provided by an embodiment of the invention;
Fig. 3 is a flowchart illustrating a method for protecting an electronic device according to an embodiment of the present invention;
Fig. 4 is a flowchart illustrating another method for protecting an electronic device according to an embodiment of the present invention;
Fig. 5 is a flowchart illustrating a third method for protecting an electronic device according to an embodiment of the present invention;
Fig. 6 is a schematic diagram illustrating functional units of a protection apparatus for an electronic device according to an embodiment of the present invention.
Reference numerals: 100 - electronic device; 101 - processor; 102 - memory; 103 - bus; 104 - communication interface; 105 - human-computer interaction device; 200 - management server; 300 - operation and maintenance end; 401 - acquisition module; 402 - processing module; 403 - transceiver module; 404 - update module.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. The components of embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present invention, presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present invention without making any creative effort, shall fall within the protection scope of the present invention.
It is noted that relational terms such as "first" and "second," and the like, may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The embodiment of the invention provides a method for protecting electronic equipment, which is applied to the electronic equipment 100. Fig. 1 is a block diagram of an electronic device 100. The electronic device 100 comprises a processor 101, a memory 102, a bus 103, a communication interface 104 and a human interaction device 105. The processor 101, the memory 102, the communication interface 104, and the human-computer interaction device 105 are connected via the bus 103, and the processor 101 is configured to execute an executable module, such as a computer program, stored in the memory 102. In one possible implementation manner, as shown in fig. 2, the electronic device 100 is communicatively connected to the management server 200 and the operation and maintenance terminal 300 through a wired or wireless network, respectively.
The processor 101 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the protection method of the electronic device may be performed by integrated logic circuits of hardware or instructions in the form of software in the processor 101. The Processor 101 may be a general-purpose Processor, and includes a Central Processing Unit (CPU), a Network Processor (NP), and the like; the device can also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA), or other Programmable logic devices, discrete Gate or transistor logic devices, discrete hardware components.
The Memory 102 may comprise a high-speed Random Access Memory (RAM) and may also include a non-volatile Memory (non-volatile Memory), such as at least one disk Memory.
The bus 103 may be an ISA (Industry Standard architecture) bus, a PCI (peripheral Component interconnect) bus, an EISA (extended Industry Standard architecture) bus, or the like. Only one bi-directional arrow is shown in fig. 1, but this does not indicate only one bus 103 or one type of bus 103.
The electronic device 100 is communicatively connected to other external devices via at least one communication interface 104 (which may be wired or wireless). The memory 102 is used for storing programs, such as protection devices of electronic equipment. The protection device of the electronic device includes at least one software function module which may be stored in the memory 102 in the form of software or firmware (firmware) or solidified in an Operating System (OS) of the electronic device 100. The processor 101 executes the program to implement the protection method of the electronic device after receiving the execution instruction.
The human-computer interaction device 105 may be a keyboard, a mouse or a touch display screen, which is not limited herein. The human-computer interaction device 105 is used for collecting user requests input by users and transmitting the user requests to the processor 101.
It should be understood that the configuration shown in fig. 1 is merely a schematic application of the configuration of the electronic device 100, and that the electronic device 100 may also include more or fewer components than shown in fig. 1, or have a different configuration than shown in fig. 1. The components shown in fig. 1 may be implemented in hardware, software, or a combination thereof.
The protection method for an electronic device provided in the embodiment of the present invention is applied to the electronic device 100; please refer to fig. 3 for the specific flow:
S10: A user request is obtained.
Specifically, in a possible implementation manner, after the human-computer interaction device 105 collects a user request input by a user, the collected user request is sent to the processor 101, and the processor 101 receives the user request. In another possible implementation, the other device transmits a user request corresponding to an application to the electronic device 100 through the communication interface 104. The processor 101 intercepts the user request through a Runtime application self-protection (RASP).
S11: when the user request does not contain the attack signature, analyzing whether the user request contains the unconventional signature. If yes, go to S12; if not, S16 is executed.
Specifically, when the processor 101 finds that the user request does not contain an attack feature, the user request may, in one possible implementation, still contain unconventional feature information that the processor 101 cannot identify, such as encrypted information. Further analyzing whether the user request contains unconventional features determines whether there is a hidden security risk; when unconventional features are present, S12 is executed to improve the security of the electronic device 100.
S12: The unconventional features are sent to the management server.
Specifically, the unconventional features found by the analysis are transmitted to the management server 200 through the communication interface 104.
S13: Receive a first judgment result fed back by the management server according to the unconventional features.
Specifically, on receiving the unconventional features, the management server 200 analyzes whether they contain suspected attack features according to a preset feature library or a preset decryption model, forms a first judgment result from the analysis, and feeds the first judgment result back to the electronic device 100. The electronic device 100 thus receives the first judgment result fed back by the management server according to the unconventional features. Suspected attack features are feature information that may cause damage to the electronic device 100 and that the electronic device 100 itself fails to recognize.
S14: Analyze whether the first judgment result is that the unconventional features include suspected attack features. If yes, go to S15; if not, S16 is executed.
Specifically, when the first judgment result is that the unconventional features include suspected attack features, the electronic device 100 may be compromised, so S15 is executed; otherwise, S16 is executed.
S15: stopping responding to the user request, generating alarm information, and sending the alarm information to the operation and maintenance terminal.
Specifically, the response to the user request is stopped; for example, the application is stopped from processing the user request. Alarm information is generated, for example "dangerous", "attacked", or "risky", which is not limited herein. The alarm information is sent to the operation and maintenance terminal 300 through the communication interface 104 to remind the operation and maintenance personnel to check in time, thereby avoiding unnecessary loss. In a possible implementation manner, when a response instruction transmitted by the operation and maintenance terminal 300 is received, the electronic device 100 may respond to the user request, so as to avoid misrecognition and improve the operation efficiency of the electronic device 100.
S16: responding to the user request and executing the operation associated with the user request.
Specifically, a user request is responded, and an operation associated with the user request is performed. The associated operation is, for example, modifying a user name or the like.
The method for protecting electronic equipment provided by the embodiment of the invention works as follows: when the user request does not contain attack features, the processor analyzes whether the user request contains unconventional features, sends the unconventional features to the management server, and determines whether suspected attack features exist from the first judgment result fed back by the management server according to the unconventional features. This double judgment improves the security of the electronic equipment and provides a safer network environment for the application programs on it.
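The S10 to S16 flow above, sketched in Python as an added example (not code from the patent). The signature list, the entropy test used to spot "unconventional" values, the callables standing in for the management server and the operation and maintenance end, and the fail-closed handling of an unreachable server are all assumptions of this example.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed local signature set standing in for the device's known attack features.
ATTACK_SIGNATURES = [re.compile(p, re.I) for p in
                     (r"<script\b", r"\bunion\s+select\b", r"\.\./")]
ENTROPY_THRESHOLD = 4.5  # bits per character; assumed cut-off for "looks encrypted"
MIN_LENGTH = 24          # shorter values cannot reach the threshold reliably


def shannon_entropy(value: str) -> float:
    """Bits per character of the value's empirical character distribution."""
    total = len(value)
    return -sum(n / total * math.log2(n / total) for n in Counter(value).values())


def has_attack_feature(params: Dict[str, str]) -> bool:
    """Local judgment: does any parameter match a known attack signature?"""
    return any(sig.search(v) for v in params.values() for sig in ATTACK_SIGNATURES)


def unconventional_features(params: Dict[str, str]) -> Dict[str, str]:
    """S11: values the local check cannot interpret (here: high-entropy blobs)."""
    return {k: v for k, v in params.items()
            if len(v) >= MIN_LENGTH and shannon_entropy(v) >= ENTROPY_THRESHOLD}


@dataclass
class Verdict:
    action: str                  # "respond" or "block"
    step: str                    # flowchart step that decided the outcome
    alarm: Optional[str] = None  # alarm text sent to the operation and maintenance end


class RequestGuard:
    """Device-side flow; the two callables stand in for the network links."""

    def __init__(self, ask_server: Callable[[Dict[str, str]], bool],
                 notify_ops: Callable[[str], None]):
        self.ask_server = ask_server  # S12/S13: True means suspected attack features
        self.notify_ops = notify_ops  # S15: delivers the alarm information
        self.held: Dict[str, Dict[str, str]] = {}  # blocked requests awaiting review

    def handle(self, request_id: str, params: Dict[str, str]) -> Verdict:
        if has_attack_feature(params):                  # first judgment, local
            return self._block(request_id, params, "attack feature matched locally")
        odd = unconventional_features(params)           # S11
        if not odd:
            return Verdict("respond", "S16")
        try:
            suspected = self.ask_server(odd)            # S12 + S13, second judgment
        except OSError:
            # Assumption: the page does not cover an unreachable server, so this
            # example fails closed rather than responding to unjudged input.
            suspected = True
        if suspected:                                   # S14
            return self._block(request_id, params,
                               "suspected attack feature in: " + ", ".join(sorted(odd)))
        return Verdict("respond", "S16")

    def _block(self, request_id: str, params: Dict[str, str], reason: str) -> Verdict:
        alarm = f"risky request {request_id}: {reason}"  # S15
        self.held[request_id] = params
        self.notify_ops(alarm)
        return Verdict("block", "S15", alarm)

    def release(self, request_id: str) -> Optional[Verdict]:
        """Response instruction from the operation and maintenance end (override)."""
        if self.held.pop(request_id, None) is None:
            return None
        return Verdict("respond", "S16")


def demo() -> List[Verdict]:
    """Runs four constructed requests through the flow and returns the verdicts."""
    blob = "q7Zp1XvK9mT3bLwR8sNd2YhG5cJf0AeU"   # constructed opaque value
    server_flags = {"token"}                     # constructed server-side policy
    alarms: List[str] = []
    guard = RequestGuard(lambda feats: any(k in server_flags for k in feats),
                         alarms.append)
    return [
        guard.handle("r1", {"name": "alice"}),
        guard.handle("r2", {"q": "1 UNION SELECT password FROM users"}),
        guard.handle("r3", {"token": blob}),
        guard.handle("r4", {"avatar": blob}),
    ]
```

Only the flagged parameter values leave the device in S12, not the whole request, and a blocked request stays in `held` until `release` is called for it.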
On the basis of fig. 3, an embodiment of the present invention further provides a method for protecting an electronic device; the specific flow steps are shown in fig. 4:
S17: Operation data generated in the process of responding to the user request is obtained.
Specifically, the processor 101 generates operation data in the course of responding to the user request. In one possible implementation, the processor 101 obtains the operation data through Interactive Application Security Testing (IAST).
S18: Analyze whether the operation data contains vulnerability data according to a preset vulnerability database. If yes, go to S15; if not, S19 is executed.
Specifically, a vulnerability database is set in the memory 102 in advance. The processor 101 analyzes whether the operation data contains vulnerability data by calling the vulnerability database. If so, the electronic device 100 and the applications on it may be damaged, and S15 is executed; otherwise, S19 is executed to further check the operation data and improve the security of the electronic device 100.
S19: Transmit the operation data to the management server in real time.
Specifically, the operation data is transmitted to the management server 200 in real time through the communication interface 104 to further check the operation data.
S20: Receive a second judgment result fed back by the management server according to the operation data.
Specifically, when the management server 200 receives the operation data, it further checks the operation data, determines whether the operation data includes suspected attack features, generates a second judgment result accordingly, and feeds the second judgment result back to the electronic device 100.
S21: When the second judgment result is that the operation data includes suspected attack features, stop responding to the user request, generate alarm information and send the alarm information to the operation and maintenance terminal.
Specifically, when the second judgment result is that the operation data includes suspected attack features, continuing to operate may damage the electronic device 100 and the applications on it, so the response to the user request is stopped to protect the electronic device 100 and those applications.
On the basis of fig. 3, another protection method for an electronic device provided in the embodiment of the present invention gives an implementation of the step in S11, "when the user request does not contain the attack signature, analyzing whether the user request contains the unconventional signature"; please refer to fig. 5:
S111: Analyze whether the user request contains attack features according to the attack judgment model. If yes, go to S15; if not, go to S112.
Specifically, the attack determination model is a preset neural network model. In one possible implementation the neural network model steps are as follows:
Unconventional features and/or encrypted features of the user request are extracted as input, and text data and/or control data of an abnormal event are extracted as output.
A neural network model consisting of an input layer, a hidden layer and an output layer is established.
The input layer includes unconventional features and/or encrypted features, i.e., one or two input neurons; the output layer comprises text data and/or control data, i.e., one or two output neurons. The number of hidden layer neurons is determined by the formula n1 = n + m + a, where n1 is the number of hidden layer cells, m is the number of output cells, and a is a constant between 1 and 10.
The formula gives a range for the number of hidden layer neurons. Several neural network models are then established with different numbers of hidden layer neurons and pre-trained, and the most appropriate number of hidden layer neurons is determined by comparing the convergence accuracy and the convergence speed of the networks.
The pre-training process can be realized by the preset training function train: a training target is set, such as a convergence accuracy of 0.001, the neural network models with different numbers of hidden layer neurons are trained respectively, and the number of hidden layer neurons is determined according to the resulting convergence accuracy and speed.
Further, the neural network model is created in MATLAB with the function newff, whose calling format is: net = newff(PR, [S1 S2 … SN1], {TF1 TF2 … TFN1}, BTF, BLF, PF);
net = newff: creates a neural network in a dialog box;
PR: an R × 2 matrix composed of the maximum and minimum values of each of the R groups of input elements;
Si: the length of the i-th layer, N1 layers in total;
TFi: the transfer function of the i-th layer, "tansig" by default;
BTF: the training function of the BP network, "trainlm" by default;
BLF: the BP learning function of the weights and thresholds, "learngdm" by default;
PF: the performance function of the network, "mse" by default.
After the neural network is established, a proper transfer function, training function and learning function are selected to realize the learning, feedback and prediction functions of the neural network model. According to the convergence accuracy analysis, a transfer function in the form of logsig-purelin (linear-logarithmic), the Levenberg-Marquardt training function and the gradient descent momentum learning function learngdm are selected, respectively.
In one possible implementation, the step of analyzing whether the user request includes the attack feature according to the attack decision model is as follows.
After the neural network model is established, the existing unconventional features and/or encryption features and text data and/or control data are respectively used as input to obtain whether the output contains attack features.
S112: it is analyzed whether the user request contains an irregular characteristic. If yes, go to S12; if not, S16 is executed.
In executing S15, in the method corresponding to fig. 5, S22 is also executed.
S22: Update the attack judgment model according to the user request.
Specifically, the attack judgment model is updated according to the user request to enrich the attack judgment model, so that whether the user request contains the attack features or not can be identified more accurately and quickly in the future, and the accuracy and efficiency of identifying the attack features of the electronic device 100 are improved.
Referring to fig. 6, fig. 6 is a schematic diagram illustrating a protection device for an electronic device according to a preferred embodiment of the invention. It should be noted that the basic principle and technical effects of the protection device provided in this embodiment are the same as those of the above embodiments; for brevity, for anything not mentioned in this embodiment, reference may be made to the corresponding contents in the above embodiments.
The protection device of the electronic equipment comprises: an acquisition module 401, a processing module 402, a transceiver module 403, and an update module 404.
The acquisition module 401: for obtaining a user request. It is to be understood that the obtaining module 401 may execute S10 in the above embodiment.
The processing module 402: used for analyzing whether the user request contains unconventional features when the user request does not contain attack features. It is to be understood that the processing module 402 may execute S11 in the above embodiments.
The transceiver module 403: used for sending the unconventional features to the management server if so. It is understood that the transceiver module 403 may execute S12 in the above embodiments.
The transceiver module 403 is further configured to receive a first determination result fed back by the management server according to the irregular characteristic. It is understood that the transceiver module 403 may execute S13 in the above embodiments.
The processing module 402 is configured to respond to the user request and perform an operation associated with the user request when the first determination result is that the non-conventional feature does not include the suspected attack feature. It is understood that the processing module 402 may perform S14 and S16 in the above embodiments.
The processing module 402 is further configured to generate alarm information and send the alarm information to the operation and maintenance terminal when the first determination result indicates that the unconventional feature includes a suspected attack feature. It is understood that the processing module 402 may perform S14 and S15 in the above embodiments.
The obtaining module 401 is further configured to obtain the operation data generated in the process of responding to the user request after responding to the user request and performing the operation associated with the user request. It is to be understood that the obtaining module 401 may execute S17 in the above embodiment.
The transceiver module 403 is configured to transmit the operation data to the management server in real time, and receive a second determination result fed back by the management server according to the operation data. It is understood that the transceiving module 403 may perform S19 and S20 in the above-described embodiment.
The processing module 402 is configured to stop responding to the user request when the second determination result is that the operation data includes the suspected attack feature, generate alarm information, and send the alarm information to the operation and maintenance terminal. It is to be understood that the processing module 402 may execute S21 in the above embodiments.
Before the operation data is transmitted to the management server in real time, the processing module 402 is further configured to analyze whether vulnerability data exists in the operation data according to a preset vulnerability database. It is to be understood that the processing module 402 may execute S18 in the above embodiments.
The processing module 402 is configured to analyze whether the user request includes an attack feature according to the attack determination model; if so, stopping responding to the user request, generating alarm information, and sending the alarm information to the operation and maintenance end; if not, whether the user request contains the unconventional features is analyzed. It is understood that the processing module 402 can execute S111 and S112 in the above embodiments.
The update module 404: and updating the attack judgment model according to the user request when the first judgment result shows that the unconventional characteristics comprise suspected attack characteristics. It is to be appreciated that the update module 404 may execute S22 in the above embodiments.
In summary, the protection method and apparatus for electronic devices provided in the embodiments of the present invention include: firstly, when a user request does not contain the attack characteristics, analyzing whether the user request contains the unconventional characteristics or not, sending the unconventional characteristics to a management server, and receiving a first judgment result fed back by the management server according to the unconventional characteristics to analyze whether suspected attack characteristics exist or not, so that the safety of the electronic equipment is improved in a double judgment mode, and a safer network environment is provided for an application program in the electronic equipment; secondly, analyzing the operation data and sending the operation data to a management server to further detect whether the operation is safe or not; and finally, the verification efficiency and accuracy are improved by updating the attack model in time.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method can be implemented in other ways. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, the functional modules in the embodiments of the present invention may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and various other media capable of storing program code.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (6)

1. A method for protecting an electronic device, comprising:
acquiring a user request;
when the user request does not contain the attack characteristics, analyzing whether the user request contains unconventional characteristics or not;
if so, sending the unconventional features to a management server;
receiving a first judgment result fed back by the management server according to the unconventional characteristics;
when the first judgment result is that the unconventional characteristics do not comprise suspected attack characteristics, responding to the user request and executing operation associated with the user request;
after responding to the user request and executing the operation associated with the user request, acquiring operation data generated in the process of responding to the user request;
analyzing, according to a preset vulnerability database, whether the operation data contains vulnerability data;
if so, stopping responding to the user request, generating alarm information, and sending the alarm information to an operation and maintenance end;
if not, transmitting the operation data to the management server in real time, and receiving a second judgment result fed back by the management server according to the operation data;
when the second judgment result is that the operation data includes suspected attack features, stopping responding to the user request, generating the alarm information, and sending the alarm information to the operation and maintenance end;
and when the first judgment result shows that the unconventional features comprise suspected attack features, generating alarm information and sending the alarm information to an operation and maintenance end.
2. The method for protecting an electronic device according to claim 1, wherein the step of analyzing whether the user request contains unconventional characteristics when the user request does not contain the attack characteristics comprises:
analyzing whether the user request contains the attack characteristics or not according to an attack judgment model;
if so, stopping responding to the user request, generating the alarm information, and sending the alarm information to the operation and maintenance end;
if not, analyzing whether the user request contains unconventional characteristics.
3. The method for protecting an electronic device according to claim 2, further comprising:
and when the first judgment result shows that the unconventional features comprise suspected attack features, updating the attack judgment model according to the user request.
4. A protection device for an electronic device, comprising:
an acquisition module: for obtaining a user request;
a processing module: for analyzing, when the user request does not contain the attack characteristics, whether the user request contains unconventional characteristics;
a transceiver module: for sending the unconventional characteristics to a management server if so;
the transceiver module is further used for receiving a first judgment result fed back by the management server according to the unconventional characteristic;
the processing module is used for responding to the user request and executing operation associated with the user request when the first judgment result shows that the unconventional characteristic does not comprise a suspected attack characteristic;
the acquisition module is also used for acquiring the running data generated in the process of responding to the user request after responding to the user request and executing the operation associated with the user request;
the processing module is also used for analyzing, according to a preset vulnerability database, whether the operation data contains vulnerability data;
the processing module is also used for, if so, stopping responding to the user request, generating alarm information, and sending the alarm information to an operation and maintenance end;
the transceiver module is also used for, if not, transmitting the operation data to the management server in real time, and receiving a second judgment result fed back by the management server according to the operation data;
when the second judgment result is that the operation data includes suspected attack features, the processing module is configured to stop responding to the user request, generate the alarm information, and send the alarm information to the operation and maintenance end;
the processing module is further configured to generate alarm information and send the alarm information to an operation and maintenance end when the first determination result indicates that the unconventional feature includes a suspected attack feature.
5. The electronic device protection apparatus according to claim 4,
the processing module is used for analyzing whether the user request contains the attack characteristics according to an attack judgment model; if yes, stopping responding to the user request, generating the alarm information, and sending the alarm information to the operation and maintenance terminal; if not, analyzing whether the user request contains unconventional characteristics.
6. The electronic device protection apparatus according to claim 5, further comprising:
an update module: for updating the attack judgment model according to the user request when the first judgment result shows that the unconventional characteristics comprise suspected attack characteristics.
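
The decision flow of claims 1 to 3, written out as an added Python example that is not code from the patent. The `Guard` class, the sample signatures and heuristics, the callables standing in for the management server, the exact-match model update, and the choice to serve requests that show no unconventional features are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Callable

# Constructed sample signatures and heuristics; the patent specifies none of these.
ATTACK_MODEL = [re.compile(r"(?i)union\s+select"), re.compile(r"(?i)<script\b")]
VULN_DB = [re.compile(r"(?i)stack trace"), re.compile(r"/etc/passwd")]
UNUSUAL = {"long_request": lambda r: len(r) > 200,
           "heavy_encoding": lambda r: r.count("%") > 5,
           "path_traversal_like": lambda r: "../" in r}

@dataclass
class Guard:
    judge_features: Callable[[list], bool]  # management server, first judgment
    judge_runtime: Callable[[str], bool]    # management server, second judgment
    execute: Callable[[str], str]           # serves the request, returns operation data
    alarms: list = field(default_factory=list)
    model: list = field(default_factory=lambda: list(ATTACK_MODEL))

    def alarm(self, reason: str, request: str) -> str:
        self.alarms.append((reason, request))  # stands in for notifying the O&M end
        return "blocked:" + reason

    def handle(self, request: str) -> str:
        if any(p.search(request) for p in self.model):  # claim 2: known attack feature
            return self.alarm("attack_feature", request)
        feats = [name for name, test in UNUSUAL.items() if test(request)]
        if feats and self.judge_features(feats):  # claim 1: first judgment
            # Claim 3: update the model from the request (exact match is an assumption).
            self.model.append(re.compile(re.escape(request)))
            return self.alarm("suspected_feature", request)
        # Assumption: a request with no unconventional features is served as well.
        data = self.execute(request)
        if any(p.search(data) for p in VULN_DB):  # preset vulnerability database
            return self.alarm("vulnerability_data", request)
        if self.judge_runtime(data):  # claim 1: second judgment on operation data
            return self.alarm("suspected_runtime", request)
        return "served"

def demo() -> list:
    g = Guard(judge_features=lambda f: "path_traversal_like" in f,
              judge_runtime=lambda d: "rows=100000" in d,
              execute=lambda r: "rows=100000" if "export" in r else "ok")
    reqs = ["/item?id=1", "/item?id=1 UNION SELECT pw", "/file?p=../../conf",
            "/export?all=1", "/file?p=../../conf"]  # constructed requests
    return [g.handle(r) for r in reqs]
```

In `demo()`, the second `/file?p=../../conf` request is stopped by the local model without a round trip to the management server, which is the effect of the claim 3 update.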
CN201811620782.3A 2018-12-28 2018-12-28 Protection method and device for electronic equipment Active CN109714342B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811620782.3A CN109714342B (en) 2018-12-28 2018-12-28 Protection method and device for electronic equipment

Publications (2)

Publication Number Publication Date
CN109714342A CN109714342A (en) 2019-05-03
CN109714342B true CN109714342B (en) 2021-07-20

Family

ID=66257878

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811620782.3A Active CN109714342B (en) 2018-12-28 2018-12-28 Protection method and device for electronic equipment

Country Status (1)

Country Link
CN (1) CN109714342B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110266669B (en) * 2019-06-06 2021-08-17 武汉大学 Method and system for universal detection and positioning of Java Web framework vulnerability attack
CN112637205A (en) * 2020-12-22 2021-04-09 北京天融信网络安全技术有限公司 Web attack recognition method and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103532944A (en) * 2013-10-08 2014-01-22 百度在线网络技术(北京)有限公司 Method and device for capturing unknown attack
CN107995179A (en) * 2017-11-27 2018-05-04 深信服科技股份有限公司 A kind of unknown threat cognitive method, device, equipment and system
CN108460279A (en) * 2018-03-12 2018-08-28 北京知道创宇信息技术有限公司 Attack recognition method, apparatus and computer readable storage medium
CN108881265A (en) * 2018-06-29 2018-11-23 北京奇虎科技有限公司 A kind of network attack detecting method and system based on artificial intelligence

Also Published As

Publication number Publication date
CN109714342A (en) 2019-05-03

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant