CN114499911A - Attack user identification method, equipment, storage medium and device based on test machine - Google Patents


Info

Publication number
CN114499911A
Authority
CN
China
Prior art keywords
user
information
behavior
portrait
attack
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202011275564.8A
Other languages
Chinese (zh)
Inventor
边亮
陈泽宇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
360 Digital Security Technology Group Co Ltd
Original Assignee
360 Digital Security Technology Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 360 Digital Security Technology Group Co Ltd
Priority to CN202011275564.8A
Publication of CN114499911A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention relates to the technical field of network security and discloses a test machine-based attack user identification method, equipment, storage medium and device. Test behavior information of the current user is collected through a test machine; a user behavior portrait is generated from the test behavior information; the user behavior portrait is matched against a preset attack user portrait knowledge base to judge whether a matching user behavior portrait exists in it, the preset attack user portrait knowledge base being obtained by integrating all attack user portrait knowledge bases according to attack types; and when a matching user behavior portrait exists in the preset attack user portrait knowledge base, the current user is determined to be an attack user. Integrating the attack user portrait knowledge bases yields a preset attack user portrait knowledge base with higher identification efficiency, so that attack users are identified quickly.

Description

Attack user identification method, equipment, storage medium and device based on test machine
Technical Field
The invention relates to the technical field of network security, in particular to an attack user identification method, equipment, a storage medium and a device based on a testing machine.
Background
When advanced threat actors (high-level threat behavior bodies) test their tools against security terminal products, they mostly install the terminal product in a virtual environment and test how well their malicious tools hold up against it, in order to evaluate the feasibility of launching the next attack. In doing so, however, they continually expose their own habitual characteristics.
Existing schemes for identifying advanced threat actors rely mainly on correlating malicious code, commercial company assets, open source information and the like. When an advanced threat actor changes its technical strategy, or when such information is lacking, an emergency response team has difficulty tracing the attack and attributing it, which causes defense to lag.
Disclosure of Invention
The invention mainly aims to provide a test machine-based attack user identification method, equipment, a storage medium and a device, and aims to improve the real-time performance of attack user identification.
In order to achieve the above object, the present invention provides a test machine-based attack user identification method, which comprises the following steps:
collecting test behavior information of a current user through a test machine;
generating a user behavior portrait according to the test behavior information;
matching the user behavior portrait with a preset attack user portrait knowledge base to judge whether the matched user behavior portrait exists in the preset attack user portrait knowledge base or not, wherein the preset attack user portrait knowledge base is obtained by integrating all attack user portrait knowledge bases according to attack types;
and when the matched user behavior portrait is stored in the preset attack user portrait knowledge base, determining the current user as an attack user.
Optionally, the generating a user behavior representation according to the test behavior information includes:
extracting preset program keyword information in the test behavior information;
comparing the preset program keyword information with the using program keyword information, and obtaining the using program information of the test behavior information according to the comparison result;
and generating a user behavior portrait according to the using program information.
Optionally, the usage program information includes communication software information;
the generating the user behavior portrait according to the using program information comprises the following steps:
extracting communication software information in the use program information;
and generating a communication software use dimension according to the communication software information, and generating a user behavior portrait according to the communication software use dimension.
Optionally, the usage program information includes input method information;
the generating the user behavior portrait according to the using program information comprises the following steps:
extracting input method information in the use program information;
and generating an input method using dimension according to the input method information, and generating a user behavior portrait according to the input method using dimension.
Optionally, the generating a user behavior representation according to the test behavior information includes:
extracting user event information in the test behavior information;
obtaining file information related to the user event information in the test behavior information according to the user event information;
obtaining corresponding storage address information according to the file information associated with the user event information;
obtaining file path information according to the storage address information;
and generating a user behavior portrait according to the file path information.
Optionally, the file path information includes at least one of program installation path information, search path information, and file marking path information.
Optionally, the generating a user behavior representation according to the test behavior information includes:
comparing the test behavior information with preset access keywords to obtain user access information in the test behavior information;
extracting access domain name information in the user access information;
and generating a user behavior portrait according to the access domain name information.
Optionally, the generating a user behavior representation according to the test behavior information includes:
comparing the test behavior information with preset event keywords to obtain user event information in the test behavior information;
comparing the user event information with preset code information to obtain use code information corresponding to the user event information;
and generating a user behavior portrait according to the user event information and the corresponding use code information.
Optionally, before the matching the user behavior representation with a preset attack user representation knowledge base to determine whether a matched user behavior representation exists in the preset attack user representation knowledge base, the method further includes:
acquiring an attack user portrait knowledge base based on Internet protocol identification, an attack user portrait knowledge base based on local area network address identification, an attack user portrait knowledge base based on threat indexes and an open source attack user portrait knowledge base;
and integrating the attack user portrait knowledge base based on the Internet protocol identification, the attack user portrait knowledge base based on the local area network address identification, the attack user portrait knowledge base based on the threat index and the open source attack user portrait knowledge base according to the attack type to obtain a preset attack user portrait knowledge base.
Optionally, after generating the user behavior representation according to the test behavior information, the method further includes:
extracting user event information in the user behavior portrait;
comparing the user event information with preset event keywords, and obtaining a corresponding event type in the user event information according to a comparison result;
searching a corresponding target language family in a preset terminal language family mapping table according to the event type;
obtaining a current language family according to the user event information, and matching the current language family with the target language family;
and when the current language family is not matched with the target language family, determining the current user as an attack user.
Optionally, after generating the user behavior representation according to the test behavior information, the method further includes:
extracting user use behavior information in the user behavior portrait;
matching the user using behavior information with a preset attack tool keyword to judge whether the preset attack tool keyword exists in the user using behavior information;
and when the preset attack tool keywords are stored in the user using behavior information, determining that the current user is an attack user.
Optionally, when the matched user behavior representation is stored in the preset attack user representation knowledge base, determining that the current user is an attack user includes:
when the matched user behavior portrait is stored in the preset attack user portrait knowledge base, judging whether a preset threat behavior test countermeasure knowledge base stores the user behavior portrait or not;
and when the user behavior portrait is stored in the preset threat behavior body test countermeasure knowledge base, determining that the current user is a preset threat behavior body.
Optionally, the preset attack user portrait knowledge base comprises a preset threat behavior testing countermeasure knowledge base;
when the matched user behavior portrait is stored in the preset attack user portrait knowledge base, determining that the current user is an attack user comprises the following steps:
and when the matched user behavior portrait is stored in the preset threat behavior body test countermeasure knowledge base, determining that the current user is a preset threat behavior body.
Optionally, when the matched user behavior representation is stored in the preset attack user representation knowledge base, determining that the current user is an attack user includes:
acquiring the number of matching types of the matched user behavior portraits;
and when the number of the matching types reaches a preset matching number threshold value, determining that the current user is a preset threat behavior body.
Optionally, when the matched user behavior representation is stored in the preset attack user representation knowledge base, after the current user is determined to be an attack user, the method further includes:
identifying the current user according to the user type of the current user to obtain identified user information;
and performing noise reduction processing on the user behavior portrait according to the identified user information.
In order to achieve the above object, the present invention further provides a tester-based attack user identification device, including:
the acquisition module is used for acquiring the test behavior information of the current user through the test machine;
the generating module is used for generating a user behavior portrait according to the test behavior information;
the matching module is used for matching the user behavior portrait with a preset attack user portrait knowledge base to judge whether the matched user behavior portrait exists in the preset attack user portrait knowledge base or not, wherein the preset attack user portrait knowledge base is obtained by integrating all attack user portrait knowledge bases according to attack types;
and the determining module is used for determining the current user as the attack user when the matched user behavior portrait is stored in the preset attack user portrait knowledge base.
Optionally, the generating module is further configured to extract preset program keyword information in the test behavior information;
comparing the preset program keyword information with the using program keyword information, and obtaining the using program information of the test behavior information according to the comparison result;
and generating a user behavior portrait according to the using program information.
Optionally, the usage program information includes communication software information;
the generating module is further used for extracting communication software information in the using program information;
and generating a communication software use dimension according to the communication software information, and generating a user behavior portrait according to the communication software use dimension.
In addition, in order to achieve the above object, the present invention further provides an attacking user identifying device based on a tester, where the attacking user identifying device based on a tester includes: the test machine based attack user identification program comprises a memory, a processor and a test machine based attack user identification program stored on the memory and running on the processor, wherein the test machine based attack user identification program realizes the steps of the test machine based attack user identification method when being executed by the processor.
In addition, in order to achieve the above object, the present invention further provides a storage medium, on which a tester-based attack user identification program is stored, and when being executed by a processor, the storage medium implements the steps of the tester-based attack user identification method as described above.
According to the technical scheme provided by the invention, the test behavior information of the current user is collected through the test machine; generating a user behavior portrait according to the test behavior information; matching the user behavior portrait with a preset attack user portrait knowledge base to judge whether the matched user behavior portrait exists in the preset attack user portrait knowledge base or not, wherein the preset attack user portrait knowledge base is obtained by integrating all attack user portrait knowledge bases according to attack types; and when the matched user behavior portrait is stored in the preset attack user portrait knowledge base, determining the current user as an attack user, so that the preset attack user portrait knowledge base with higher identification efficiency is obtained by integrating the attack user portrait knowledge bases, and the attack user is quickly identified.
Drawings
FIG. 1 is a schematic diagram of a tester-based attack user identification device for a hardware operating environment according to an embodiment of the present invention;
FIG. 2 is a flowchart illustrating a first embodiment of a test machine-based attack user identification method according to the present invention;
FIG. 3 is a schematic diagram illustrating a relationship among a terminal user, a virtual machine user, and a tester user according to an embodiment of the method for identifying an attack user based on a tester;
FIG. 4 is a flowchart illustrating a second embodiment of the method for identifying an attacking user based on a testing machine according to the present invention;
FIG. 5 is a schematic view of language family analysis of an embodiment of the test machine-based attack user identification method of the present invention;
FIG. 6 is a flowchart illustrating a third embodiment of the method for identifying an attacking user based on a testing machine according to the present invention;
FIG. 7 is a block diagram of a first embodiment of the attack user identification apparatus based on a tester according to the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Referring to fig. 1, fig. 1 is a schematic structural diagram of a tester-based attack user identification device in a hardware operating environment according to an embodiment of the present invention.
As shown in FIG. 1, the tester-based attack user identification device may include: a processor 1001, such as a Central Processing Unit (CPU), a communication bus 1002, a user interface 1003, a network interface 1004, and a memory 1005. The communication bus 1002 enables communication between these components. The user interface 1003 may include a display; optionally, the user interface 1003 may also include a standard wired interface and a wireless interface, and in the present invention the wired interface of the user interface 1003 may be a Universal Serial Bus (USB) interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (e.g., a Wi-Fi interface). The memory 1005 may be a high-speed Random Access Memory (RAM) or a stable non-volatile memory, such as a disk memory. Alternatively, the memory 1005 may be a storage device separate from the processor 1001.
Those skilled in the art will appreciate that the configuration shown in FIG. 1 does not constitute a limitation of tester-based attack user identification devices, and may include more or fewer components than shown, or some components in combination, or a different arrangement of components.
As shown in fig. 1, a memory 1005, which is a kind of computer storage medium, may include therein an operating system, a network communication module, a user interface module, and a tester-based attack user identification program.
In the attack user identification device based on the tester shown in fig. 1, the network interface 1004 is mainly used for connecting to a background server and performing data communication with the background server; the user interface 1003 is mainly used for connecting peripheral equipment; the attack user identification device based on the tester calls the attack user identification program based on the tester stored in the memory 1005 through the processor 1001 and executes the attack user identification method based on the tester provided by the embodiment of the invention.
Based on the hardware structure, the embodiment of the attack user identification method based on the tester is provided.
Referring to fig. 2, fig. 2 is a flowchart illustrating a first embodiment of the attack user identification method based on a tester according to the present invention.
In a first embodiment, the test machine-based attack user identification method includes the following steps:
Step S10: collecting the test behavior information of the current user through a test machine.
It should be noted that the executing entity of this embodiment may be a monitoring device, for example a monitoring device provided with a test machine-based attack user identification program, or another device that can implement the same or similar functions, for example a server.
It can be understood that a user who installs the product is an end user; an end user who installs the product in a virtual environment is a virtual machine user; and an end user whose purpose is test confrontation is a tester user, or tester for short. FIG. 3 is a schematic diagram of the relationship among the end user, the virtual machine user, and the tester user.
In this embodiment, the test behavior information includes user access information, user file classification information, behavior identification information, information about using a data processing tool, and the like, and may further include other behavior information, which is not limited in this embodiment.
In a specific implementation, a preset monitoring script is deployed so that, when an attacking user tests the product in a virtual machine, the test behavior information of the current user is obtained through the script. The test behavior information can then be analyzed effectively to determine whether the current user is an attacking user.
Step S20: generating a user behavior portrait according to the test behavior information.
In this embodiment, the test behavior information may be analyzed along multiple dimensions, for example a keyword matching dimension, a language family identification dimension, a file installation path dimension and other dimensions, which are not limited in this embodiment. A corresponding feature vector is generated for these dimensions, and the user behavior portrait is generated from the feature vector, the corresponding dimension, and the tag information.
The user behavior portrait includes all the label information of the user behavior, so the portrait obtained by feature extraction from the user behavior information can be analyzed comprehensively, which improves the accuracy of user identification.
Step S30: matching the user behavior portrait with a preset attack user portrait knowledge base to judge whether a matching user behavior portrait exists in the preset attack user portrait knowledge base, wherein the preset attack user portrait knowledge base is obtained by integrating all attack user portrait knowledge bases according to attack types.
In the general case, user behavior recognition is performed either against an IP-based hacker knowledge base or on the basis of MAC information. Such a single recognition method cannot recognize user behavior comprehensively. In this embodiment, the preset attack user portrait knowledge base is obtained by integrating the attack user portrait knowledge bases according to attack types, which makes comprehensive user recognition possible. For example, the IP access information of the user is obtained and recognition result 1 is derived from it; the MAC information of the user is obtained and recognition result 2 is derived from it; recognition result 1 and recognition result 2 are then weighted to recognize the behavior of the user.
In the specific implementation, an attack user portrait knowledge base based on Internet protocol identification, an attack user portrait knowledge base based on local area network address identification, an attack user portrait knowledge base based on threat indexes and an open source attack user portrait knowledge base are obtained; and integrating the attack user portrait knowledge base based on the Internet protocol identification, the attack user portrait knowledge base based on the local area network address identification, the attack user portrait knowledge base based on the threat index and the open source attack user portrait knowledge base according to the attack types to obtain a preset attack user portrait knowledge base, thereby realizing linkage of all the attack user portrait knowledge bases and improving the comprehensiveness of identification.
Step S40: when a matching user behavior portrait exists in the preset attack user portrait knowledge base, determining the current user as an attack user.
In this embodiment, the attacking user may be an advanced threat actor or an ordinary hacker. Therefore, once the current user is determined to be an attacking user, it may further be determined whether that attacking user is an advanced threat actor or an ordinary hacker.
In a specific implementation, the recognition result may be quantized, for example in the form of a score. The recognition result is associated with a first recognition threshold and a second recognition threshold, which increase in that order; for example, the first recognition threshold may be 60 and the second recognition threshold may be 80, and other parameter values may also be used.
In the embodiment, the test behavior information of the current user is collected through a test machine; generating a user behavior portrait according to the test behavior information; matching the user behavior portrait with a preset attack user portrait knowledge base to judge whether the matched user behavior portrait exists in the preset attack user portrait knowledge base or not, wherein the preset attack user portrait knowledge base is obtained by integrating all attack user portrait knowledge bases according to attack types; and when the matched user behavior portrait is stored in the preset attack user portrait knowledge base, determining the current user as an attack user, so that the preset attack user portrait knowledge base with higher identification efficiency is obtained by integrating the attack user portrait knowledge bases, and the attack user is quickly identified.
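The integration and matching of steps S30 and S40 can be sketched as follows. This is an added example, not code from the patent: the record layout, the dimension names, the sample values, and the reading of "number of matching types" as the number of distinct matched dimensions with a threshold of 2 are all assumptions.

```python
from collections import defaultdict

# Constructed knowledge bases, one per source named in the description.
# Each record is (attack_type, dimension, value). None of these values is
# real intelligence; the addresses come from documentation ranges.
IP_KB = [("apt", "ip", "203.0.113.7"), ("generic", "ip", "198.51.100.20")]
MAC_KB = [("apt", "mac", "00:00:5E:00:53:01")]
THREAT_INDICATOR_KB = [("apt", "domain", "updates.example.net")]
OPEN_SOURCE_KB = [
    ("apt", "install_path", r"E:\A\B\C"),
    ("apt", "domain", "updates.example.net"),  # duplicate of another source
]


def integrate(*knowledge_bases):
    """Merge the source knowledge bases into {attack_type: {dimension: values}}.

    Values are lower-cased and kept in sets, so an indicator reported by
    several sources is stored once under its attack type.
    """
    merged = defaultdict(lambda: defaultdict(set))
    for kb in knowledge_bases:
        for attack_type, dimension, value in kb:
            merged[attack_type][dimension].add(value.lower())
    return merged


def match(portrait, merged):
    """Return {attack_type: [dimensions in which the portrait matches]}."""
    hits = {}
    for attack_type, dims in merged.items():
        matched = sorted(
            dim
            for dim, known in dims.items()
            if known & {v.lower() for v in portrait.get(dim, ())}
        )
        if matched:
            hits[attack_type] = matched
    return hits


def identify(portrait, merged, type_threshold=2):
    """Classify a portrait; type_threshold is an assumed preset value."""
    hits = match(portrait, merged)
    matched_types = {dim for dims in hits.values() for dim in dims}
    if not matched_types:
        return "not identified", hits
    if len(matched_types) >= type_threshold:
        return "preset threat behavior body", hits
    return "attack user", hits


PRESET_KB = integrate(IP_KB, MAC_KB, THREAT_INDICATOR_KB, OPEN_SOURCE_KB)

if __name__ == "__main__":
    # Constructed portrait of a test machine user.
    sample = {
        "ip": ["203.0.113.7"],
        "domain": ["Updates.Example.net"],
        "install_path": [r"e:\a\b\c"],
        "input_method": ["pinyin"],
    }
    print(identify(sample, PRESET_KB))
```

A portrait that matches in one dimension only is reported as an attack user; the stronger verdict needs agreement across several dimensions, which is what the integrated knowledge base makes possible.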
Referring to fig. 4, fig. 4 is a flowchart illustrating a second embodiment of the method for identifying an attacking user based on a testing machine according to the present invention, and the second embodiment of the method for identifying an attacking user based on a testing machine according to the present invention is proposed based on the first embodiment illustrated in fig. 2.
In the second embodiment, the step S20 includes:
Step S201, extracting preset program keyword information in the test behavior information.
In this embodiment, feature extraction is performed based on keyword information, where the preset program keyword information includes common communication software information, input method information, and the like, and may further include other common software information, which is not limited in this embodiment.
Step S202, comparing the preset program keyword information with the using program keyword information, and obtaining the using program information of the test behavior information according to the comparison result.
It should be noted that the using program keyword information is keyword information obtained statistically from big data, for example EMAIL for e-mail and INPUT for input method. The user behavior data is compared with the preset keywords to obtain the using program information corresponding to the user behavior information, such as the user's e-mail usage information and input method usage information, and the behavior of the user is identified from the e-mail usage information and the input method usage information.
Step S203, generating a user behavior portrait according to the using program information.
In a specific implementation, the corresponding label information can be labeled according to the extracted user behavior feature information, and the corresponding user behavior portrait can be generated according to the label information.
In one embodiment, the using program information comprises communication software information, and the communication software information in the using program information is extracted; and generating a communication software use dimension according to the communication software information, and generating a user behavior portrait according to the communication software use dimension.
In this embodiment, the communication software information may relate to chat software such as QQ and WeChat, or mail software such as Foxmail, which is not limited in this embodiment; here the user behavior portrait is generated from the communication software dimension.
In a specific implementation, the communication software information in the use program information is extracted, for example, chat software information of the user is obtained, and a communication software use dimension is generated according to the chat software information, so that a user behavior portrait is obtained according to the communication software dimension used by the user.
In one embodiment, the use program information comprises input method information, and the input method information in the use program information is extracted; and generating an input method using dimension according to the input method information, and generating a user behavior portrait according to the input method using dimension.
In this embodiment, the input method information may be input method software such as five strokes, pinyin, or handwriting, or may also be other input method software, which is not limited in this embodiment, and the user behavior portrait is generated by the input method dimension in this embodiment.
In a specific implementation, the input method information in the use program information is extracted, for example, the pinyin input method information of the user is obtained, and the input method use dimension is generated according to the pinyin input method information, so that the user behavior portrait is obtained according to the input method dimension used by the user.
In one embodiment, the step S20 includes:
extracting user event information in the test behavior information; obtaining file information related to the user event information in the test behavior information according to the user event information; obtaining corresponding storage address information according to the file information associated with the user event information; obtaining file path information according to the storage address information; and generating a user behavior portrait according to the file path information.
In this embodiment, the user event information may be a common program installation directory, a custom search engine, and an automatic marker tag, that is, an identifier is quickly queried for an unfamiliar program by using the custom search engine, and may further include other event information.
In a specific implementation, the file information associated with the user event information is acquired, the corresponding storage address information is acquired from that file information, the file path information is acquired from the storage address information, and the user behavior portrait is generated according to the file path information. For example, when a file is installed and the installation directory is E:\A\B\C, the file path information can be acquired from the installation directory, so that the user behavior portrait is generated based on the file path and a multi-dimensional user behavior portrait is realized.
In one embodiment, the step S20 includes:
comparing the test behavior information with preset access keywords to obtain user access information in the test behavior information; extracting access domain name information in the user access information; and generating a user behavior portrait according to the access domain name information.
In this embodiment, the user behavior portrait is generated based on the user access domain name information dimension. The preset access keyword may be a user access domain name keyword, for example http, or other keyword information; the test behavior information is compared with the preset access keyword to obtain the user access information.
In one embodiment, the step S20 includes:
comparing the test behavior information with preset event keywords to obtain user event information in the test behavior information; comparing the user event information with preset code information to obtain use code information corresponding to the user event information; and generating a user behavior portrait according to the user event information and the corresponding use code information.
In this embodiment, the user behavior portrait is generated based on the user event information dimension. The preset event keywords may be sample collection keywords, network asset classification keywords, MAC association expansion keywords, and the like, or other event keyword information, which is not limited in this embodiment. The test behavior information is compared with the preset event keywords to obtain the user event information; for example, the preset event keyword may be user behavior identification classification or other keyword information.
As shown in fig. 5, the language family of the user is obtained from the use code information; for example, network behavior recognition classification is realized by URL and network asset classification is realized by CLIENT IP, and the corresponding language family is obtained according to the user event.
In this embodiment, the user behavior feature extraction is implemented based on the feature file keywords, such as the common national communication software and the input method, the feature file path, the access domain name information, the multidimensional language system verification, and the like, so that the user behavior feature is obtained through multidimensional extraction, and a more accurate user behavior portrait is implemented.
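The dimension-by-dimension extraction described in this second embodiment can be sketched as follows. This is an added example, not code from the patent: the record layout, the function names and the sample events are assumptions constructed for illustration, and only the program names and the `http` access keyword come from the description.

```python
import ntpath
from urllib.parse import urlsplit

# Preset keyword tables. The program names are the ones the description lists
# ("wubi" is the usual name of the five-stroke input method).
COMM_SOFTWARE = {"qq": "chat", "wechat": "chat", "foxmail": "mail"}
INPUT_METHODS = {"wubi": "five-stroke", "pinyin": "pinyin",
                 "handwriting": "handwriting"}
ACCESS_KEYWORDS = ("http://", "https://")

# Constructed sample of records a monitoring script on the test machine could
# emit. The layout ("type" plus one payload field) is an assumption.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"D:\Tools\WeChat\WeChat.exe"},
    {"type": "process", "image": r"C:\Program Files\Foxmail\Foxmail.exe"},
    {"type": "ime", "name": "Pinyin IME 2.1"},
    {"type": "install", "file": r"E:\A\B\C\setup.exe"},
    {"type": "net", "detail": "GET http://Updates.Example.test:8080/check?id=1"},
    {"type": "net", "detail": "connect 203.0.113.7:445"},  # no access keyword
]


def program_stem(image_path):
    """Executable name without directory or extension, lower-cased."""
    return ntpath.splitext(ntpath.basename(image_path))[0].lower()


def build_portrait(events):
    """Turn raw test behavior records into one label set per dimension."""
    portrait = {"communication_software": set(), "input_method": set(),
                "file_path": set(), "access_domain": set()}
    for ev in events:
        kind = ev.get("type")
        if kind == "process":
            # Compare the program name with the preset program keywords.
            stem = program_stem(ev["image"])
            portrait["communication_software"] |= {
                f"{label}:{kw}" for kw, label in COMM_SOFTWARE.items()
                if kw in stem}
        elif kind == "ime":
            name = ev["name"].lower()
            portrait["input_method"] |= {
                label for kw, label in INPUT_METHODS.items() if kw in name}
        elif kind == "install":
            # File -> storage address -> path: keep the directory only.
            directory = ntpath.dirname(ntpath.normpath(ev["file"]))
            portrait["file_path"].add(directory.lower())
        elif kind == "net":
            # Only tokens that start with a preset access keyword are kept.
            for token in ev["detail"].split():
                if not token.lower().startswith(ACCESS_KEYWORDS):
                    continue
                try:
                    host = urlsplit(token).hostname
                except ValueError:  # malformed URL in the record
                    continue
                if host:
                    portrait["access_domain"].add(host)
    return portrait


def portrait_labels(portrait):
    """Flatten the portrait into sorted 'dimension=value' labels."""
    return sorted(f"{dim}={value}"
                  for dim, values in portrait.items() for value in values)
```

Substring matching on short keywords such as `qq` can over-match unrelated program names, so a production keyword table would normally match whole names or signed publisher information instead.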
Referring to fig. 6, fig. 6 is a flowchart illustrating a third embodiment of the method for identifying an attacking user based on a testing machine according to the present invention, and the third embodiment of the method for identifying an attacking user based on a testing machine according to the present invention is proposed based on the first embodiment illustrated in fig. 2.
In an embodiment, after the step S20, the method further includes:
step S201, extracting user event information in the user behavior portrait.
In this embodiment, a description is given by taking a language family matching based on a terminal as an example, where the user event information includes network behavior recognition classification event information, network asset classification event information, and the like, and may further include other event information, which is not limited in this embodiment.
Step S202, comparing the user event information with preset event keywords, and obtaining the corresponding event type in the user event information according to the comparison result.
It should be noted that the preset event keyword may be a network behavior identification category or a network asset category, and the user event information is compared with the preset event keyword to obtain type information corresponding to the user event information, such as a network behavior identification category or a network asset collection type.
Step S203, searching a corresponding target language family in a preset terminal language family mapping table according to the event type.
It should be noted that a network behavior recognition category event is implemented by a URL and a network asset collection event is implemented by a CLIENT IP, so the corresponding language family information is obtained according to the user event, and it is determined whether the language family of the current event is consistent with the target language family. When they are not consistent, the current event is being processed abnormally and the user corresponding to the event is an attack user; when they are consistent, the current event is being processed normally and the user corresponding to the event is a normal user.
In a specific implementation, a language family corresponding to an event type can be learned through big data, where the language family is a processing code corresponding to the event, for example, a network behavior recognition category event is realized through a URL, a network asset collection event is realized through a CLIENT IP, and the like, so as to generate a preset terminal language family mapping table according to a history event, and recognize a user according to the user language family.
Step S204, obtaining a current language family according to the user event information, and matching the current language family with the target language family.
In this embodiment, the current language family is the language family corresponding to the current event, and the target language family is the normally used language family corresponding to the current time. For example, when the current event is a network behavior recognition type event, the corresponding target language family is a URL implementation. If the language family used by the current event, that is, the current language family, is an HTML implementation, the current user is using an abnormal language family and is determined to be an attack user; correspondingly, if the current language family matches the target language family, the current user is using a normal language family and is determined to be a normal user, thereby implementing a finer user recognition mode.
Step S205, when the current language family is not matched with the target language family, determining that the current user is an attack user.
It can be understood that, in this embodiment, a language family knowledge base may be further set in the preset knowledge base of the attack user portrait, and the user behavior portrait is identified according to the language family knowledge base, so as to determine whether the current user is the attack user, for example, when a language family used in the user behavior information conforms to a normal language family, the current user is determined to be a normal user, and when the language family used in the user behavior information does not conform to the normal language family, the current user is determined to be the attack user.
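Steps S201 to S205 can be sketched as follows: the mapping table is learned from historical events by majority vote, and each new event is then compared with it. This is an added example, not code from the patent; the majority-vote rule, the `min_support` parameter, the event layout and the sample data are assumptions, while the URL and CLIENT IP pairings come from the description.

```python
from collections import Counter, defaultdict

# Constructed history of (event type, language family that handled it).
HISTORY = [
    ("network_behavior_recognition", "URL"),
    ("network_behavior_recognition", "URL"),
    ("network_behavior_recognition", "HTML"),   # constructed outlier
    ("network_asset_classification", "CLIENT IP"),
    ("network_asset_classification", "CLIENT IP"),
    ("sample_collection", "URL"),               # seen once: too little support
]

# Preset event keywords used in S202 to assign an event type (assumed wording).
EVENT_KEYWORDS = {
    "network behavior recognition": "network_behavior_recognition",
    "network asset": "network_asset_classification",
}


def learn_mapping_table(history, min_support=2):
    """Build the event type -> target language family table from history.

    The most frequent family wins; types seen fewer than min_support times
    with that family get no entry, so they are never used to accuse a user.
    """
    counts = defaultdict(Counter)
    for event_type, family in history:
        counts[event_type][family] += 1
    table = {}
    for event_type, family_counts in counts.items():
        family, seen = family_counts.most_common(1)[0]
        if seen >= min_support:
            table[event_type] = family
    return table


def event_type_of(description):
    """S202: compare the event text with the preset event keywords."""
    lowered = description.lower()
    for keyword, event_type in EVENT_KEYWORDS.items():
        if keyword in lowered:
            return event_type
    return None


def judge_event(event, table):
    """S203-S205: return 'normal', 'attack' or 'unknown' for one event."""
    target = table.get(event_type_of(event["description"]))
    if target is None:
        return "unknown"        # no target family: no decision is possible
    current = event["language_family"].strip().upper()
    return "normal" if current == target.upper() else "attack"
```

Returning `unknown` for event types that have no table entry keeps a gap in the learned table from being reported as an attack.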
In an embodiment, after the step S20, the method further includes:
extracting user usage behavior information in the user behavior portrait; matching the user usage behavior information with a preset attack tool keyword to judge whether the preset attack tool keyword exists in the user usage behavior information; and when the preset attack tool keyword exists in the user usage behavior information, determining that the current user is an attack user.
In this embodiment, the identification is mainly performed based on preset attack tool keywords. Specifically, feature file keywords, that is, the user tool information, are obtained from the user usage behavior information and compared with the preset attack tool keywords; when the user tool information matches a preset attack tool keyword, the current user is determined to be an attack user.
In an embodiment, the step S40 includes:
when the matched user behavior portrait is stored in the preset attack user portrait knowledge base, judging whether a preset threat behavior test countermeasure knowledge base stores the user behavior portrait or not; and when the user behavior portrait is stored in the preset threat behavior body test countermeasure knowledge base, determining that the current user is a preset threat behavior body.
In this embodiment, after matching the preset attack user portrait knowledge base, the preset threat behavior test countermeasure knowledge base may be further used, based on identification of whether the user is a high-level threat behavior, where the preset threat behavior test countermeasure knowledge base is generated according to feature information of the high-level threat behavior learned through big data.
In a specific implementation, when a matched user behavior portrait is stored in the preset attack user portrait knowledge base, the current user is an attack user. The current user behavior portrait is then compared with the preset threat behavior body test countermeasure knowledge base, and the comparison result determines whether the current user is a high-level threat behavior body, that is, a preset threat behavior body, where a high-level threat behavior body is a user posing an Advanced Persistent Threat (APT). When the current user behavior portrait is successfully matched against the preset threat behavior body test countermeasure knowledge base, the current user is a high-level threat behavior body; when it is not successfully matched, the current user is not a high-level threat behavior body but a general attack user.
In one embodiment, the preset attack user portrait knowledge base comprises a preset threat behavior testing countermeasure knowledge base; the step S40 includes:
and when the matched user behavior portrait is stored in the preset threat behavior body test countermeasure knowledge base, determining that the current user is a preset threat behavior body.
In this embodiment, when the preset threat behavior testing countermeasure knowledge base is contained in the preset attack user portrait knowledge base, it is not necessary to first determine that a matched user behavior portrait is stored in the preset attack user portrait knowledge base and then judge whether the user behavior portrait exists in the preset threat behavior testing countermeasure knowledge base. Whether a matched user behavior portrait exists in the preset threat behavior testing countermeasure knowledge base is obtained directly through the preset attack user portrait knowledge base, which improves user identification efficiency and also improves the comprehensiveness of prediction of the preset attack user portrait knowledge base.
In one embodiment, the step S40 includes:
acquiring the number of matching types of the matched user behavior portraits; and when the number of the matching types reaches a preset matching number threshold value, determining that the current user is a preset threat behavior body.
In this embodiment, the preset matching number threshold may be 1000 or another number, which is not limited in this embodiment. Taking a preset matching number threshold of 1000 as an example, when the number of matching types reaches more than 1000, the current user is a persistent attack user and can further be determined to be a preset threat behavior body, that is, a high-level threat behavior body. On the basis of hacker user identification, high-level threat behavior bodies are thus further identified among the hacker users, implementing more refined identification of hacker users.
In an embodiment, after the step S40, the method further includes:
identifying the current user according to the user type of the current user to obtain identified user information; and performing noise reduction processing on the user behavior portrait according to the identified user information.
It should be noted that the identifier of the current user may be identified by an identifier in the form of an ID, and may also be identified by other forms.
In a specific implementation, after the current user is determined to be an attack user, the current user is marked with the identification result, so that data can be processed according to the identified user information. Compared with user information that has not been marked, the marked user information can be processed in a more targeted way, which reduces noise in the processed information and improves the efficiency of data processing.
In this embodiment, after the current user is identified as an attack user, high-level threat behavior bodies can be further identified among the attack users, either through a preset threat behavior body test countermeasure knowledge base included in the preset attack user portrait knowledge base or through a preset threat behavior body test countermeasure knowledge base provided separately for matching identification, so that more refined identification of the user is realized.
In addition, an embodiment of the present invention further provides a storage medium, where the storage medium stores a tester-based attack user identification program, and the tester-based attack user identification program, when executed by a processor, implements the steps of the terminal network access method described above.
Since the storage medium adopts all technical solutions of all the embodiments, at least all the beneficial effects brought by the technical solutions of the embodiments are achieved, and no further description is given here.
In addition, referring to fig. 7, an embodiment of the present invention further provides a tester-based attack user identification apparatus, where the tester-based attack user identification apparatus includes:
and the acquisition module 10 is used for acquiring the test behavior information of the current user through the test machine.
It can be understood that a user who installs a product is an end user; an end user who installs the product in a virtual environment is a virtual machine user; and an end user whose purpose is test countermeasures is a tester user, referred to as a tester for short. The relationship among the end user, the virtual machine user, and the tester user is shown in fig. 3.
In this embodiment, the test behavior information includes user access information, user file classification information, behavior identification information, information about using a data processing tool, and the like, and may further include other behavior information, which is not limited in this embodiment.
In the specific implementation, when an attacking user tests the product through the virtual machine, a preset monitoring script is set, and the test behavior information of the current user can be obtained through the preset monitoring script, so that the test behavior information of the current user can be effectively identified, and whether the current user is the attacking user or not is determined.
And the generating module 20 is used for generating the user behavior portrait according to the test behavior information.
In this embodiment, the test behavior information may be subjected to multi-dimensional analysis, for example, based on a keyword matching dimension, a language family identification dimension, a file installation path dimension, and other dimensions, which are not limited in this embodiment. A corresponding feature vector is generated based on the above dimensions, and the user behavior portrait is generated according to the feature vector, the corresponding dimension, and the tag information.
The user behavior portrait includes all the label information of the user behavior, so the user behavior portrait obtained by performing feature extraction on the user behavior information can be analyzed comprehensively, which improves the accuracy of user identification.
And the matching module 30 is used for matching the user behavior portrait with a preset attack user portrait knowledge base so as to judge whether the matched user behavior portrait exists in the preset attack user portrait knowledge base or not, wherein the preset attack user portrait knowledge base is obtained by integrating all attack user portrait knowledge bases according to attack types.
In general, user behavior identification is performed based on an IP hacker knowledge base alone or based on MAC alone; the identification manner is too single, so comprehensive identification of user behavior cannot be achieved. In this embodiment, the preset attack user portrait knowledge base is obtained by integrating the knowledge bases of the various attack user portraits according to attack types, so as to achieve comprehensive user identification. For example, the IP access information of a user is obtained and an identification result 1 is obtained according to the IP access information, the MAC information of the user is obtained and an identification result 2 is obtained according to the MAC information, and weighting is then performed on identification result 1 and identification result 2 to identify the behavior of the user.
In the specific implementation, an attack user portrait knowledge base based on Internet protocol identification, an attack user portrait knowledge base based on local area network address identification, an attack user portrait knowledge base based on threat indexes and an open source attack user portrait knowledge base are obtained; and integrating the attack user portrait knowledge base based on the Internet protocol identification, the attack user portrait knowledge base based on the local area network address identification, the attack user portrait knowledge base based on the threat index and the open source attack user portrait knowledge base according to the attack type to obtain a preset attack user portrait knowledge base.
And the determining module 40 is configured to determine that the current user is an attack user when the matched user behavior representation is stored in the preset attack user representation knowledge base.
In this embodiment, the attacking user may be a high-level threatening action user or a general hacking user, and thus, when the current user is determined to be the attacking user, it may be further determined that the current attacking user is the high-level threatening action user or the general hacking user.
In a specific implementation, the recognition result may be quantized, for example in the form of a score, where a first recognition threshold and a second recognition threshold are set in increasing order; for example, the first recognition threshold may be 60 and the second recognition threshold may be 80, or other parameter values may be used.
In the embodiment, the test behavior information of the current user is collected through a test machine; generating a user behavior portrait according to the test behavior information; matching the user behavior portrait with a preset attack user portrait knowledge base to judge whether the matched user behavior portrait exists in the preset attack user portrait knowledge base or not, wherein the preset attack user portrait knowledge base is obtained by integrating all attack user portrait knowledge bases according to attack types; and when the matched user behavior portrait is stored in the preset attack user portrait knowledge base, determining the current user as an attack user, so that the preset attack user portrait knowledge base with higher identification efficiency is obtained by integrating the attack user portrait knowledge bases, and the attack user is quickly identified.
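The integration of the four source knowledge bases by attack type, the weighted combination of per-source results, and the two thresholds can be sketched together as follows. This is an added example, not code from the patent: the entries, the source weights, the label format and the reading of the thresholds (first threshold reached means attack user, second threshold or match-type count reached means preset threat behavior body) are assumptions; the values 60, 80 and 1000 are the ones the description gives.

```python
from collections import defaultdict

# Constructed source knowledge bases: (attack type, portrait label) pairs.
SOURCES = {
    "ip": [("scanning", "client_ip=198.51.100.23"),
           ("phishing", "client_ip=198.51.100.40")],
    "mac": [("scanning", "mac=02:00:5e:10:00:01")],
    "threat_index": [("scanning", "access_domain=c2.example.test")],
    "open_source": [("phishing", "access_domain=login.example.test"),
                    ("scanning", "access_domain=c2.example.test")],
}
# Assumed weight of each source's identification result, in score points.
WEIGHTS = {"ip": 40, "mac": 30, "threat_index": 20, "open_source": 10}
FIRST_THRESHOLD, SECOND_THRESHOLD = 60, 80     # values from the description
MATCH_TYPE_THRESHOLD = 1000                    # value from the description


def integrate(sources):
    """Merge all sources into {attack type: {label: {contributing sources}}}."""
    merged = defaultdict(lambda: defaultdict(set))
    for source, entries in sources.items():
        for attack_type, label in entries:
            merged[attack_type][label].add(source)
    return {attack_type: dict(labels) for attack_type, labels in merged.items()}


def match(labels, kb):
    """Return the matched part of the knowledge base, keyed by attack type."""
    hits = {}
    for attack_type, known in kb.items():
        found = {label: known[label] for label in labels if label in known}
        if found:
            hits[attack_type] = found
    return hits


def weighted_score(hits):
    """Each source that produced at least one hit contributes its weight once."""
    sources_hit = set()
    for found in hits.values():
        for contributing in found.values():
            sources_hit |= contributing
    return sum(WEIGHTS[source] for source in sources_hit)


def classify(labels, kb, match_type_threshold=MATCH_TYPE_THRESHOLD):
    """Return (verdict, score) for one user behavior portrait."""
    hits = match(labels, kb)
    score = weighted_score(hits)
    if score < FIRST_THRESHOLD:
        return "not identified", score
    if score >= SECOND_THRESHOLD or len(hits) >= match_type_threshold:
        return "preset threat behavior body", score
    return "attack user", score
```

Counting a source once, however many of its entries match, keeps a single noisy feed from pushing the score past a threshold on its own.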
In an embodiment, the generating module 20 is further configured to extract preset program keyword information in the test behavior information;
comparing the preset program keyword information with the using program keyword information, and obtaining the using program information of the test behavior information according to the comparison result;
and generating a user behavior portrait according to the using program information.
In one embodiment, the usage program information includes communication software information; the generating module 20 is further configured to extract communication software information in the using program information;
and generating a communication software use dimension according to the communication software information, and generating a user behavior portrait according to the communication software use dimension.
In one embodiment, the usage program information includes input method information; the generating module 20 is further configured to extract input method information in the using program information;
and generating an input method using dimension according to the input method information, and generating a user behavior portrait according to the input method using dimension.
In an embodiment, the generating module 20 is further configured to extract user event information in the test behavior information;
obtaining file information related to the user event information in the test behavior information according to the user event information;
obtaining corresponding storage address information according to the file information associated with the user event information;
obtaining file path information according to the storage address information;
and generating a user behavior portrait according to the file path information.
In one embodiment, the file path information includes at least one of program installation path information, search path information, and file markup path information.
In an embodiment, the generating module 20 is further configured to compare the test behavior information with a preset access keyword, so as to obtain user access information in the test behavior information;
extracting access domain name information in the user access information;
and generating a user behavior portrait according to the access domain name information.
In an embodiment, the generating module 20 is further configured to compare the test behavior information with a preset event keyword to obtain user event information in the test behavior information;
comparing the user event information with preset code information to obtain use code information corresponding to the user event information;
and generating a user behavior portrait according to the user event information and the corresponding use code information.
In an embodiment, the matching module 30 is further configured to obtain an attack user portrait knowledge base based on an internet protocol identifier, an attack user portrait knowledge base based on a local area network address identifier, an attack user portrait knowledge base based on a threat indicator, and an open source attack user portrait knowledge base;
and integrating the attack user portrait knowledge base based on the Internet protocol identification, the attack user portrait knowledge base based on the local area network address identification, the attack user portrait knowledge base based on the threat index and the open source attack user portrait knowledge base according to the attack type to obtain a preset attack user portrait knowledge base.
In an embodiment, the determining module 40 is further configured to extract user event information in the user behavior representation;
comparing the user event information with preset event keywords, and obtaining the corresponding event type in the user event information according to the comparison result;
searching a corresponding target language family in a preset terminal language family mapping table according to the event type;
obtaining a current language family according to the user event information, and matching the current language family with the target language family;
and when the current language family is not matched with the target language family, determining the current user as an attack user.
In an embodiment, the determining module 40 is further configured to extract user usage behavior information in the user behavior representation;
matching the user using behavior information with a preset attack tool keyword to judge whether the preset attack tool keyword exists in the user using behavior information;
and when the preset attack tool keyword exists in the user usage behavior information, determining that the current user is an attack user.
In an embodiment, the determining module 40 is further configured to, when a matching user behavior representation is stored in the preset attack user representation knowledge base, determine whether the user behavior representation is stored in a preset threat behavior test countermeasure knowledge base;
and when the user behavior portrait is stored in the preset threat behavior body test countermeasure knowledge base, determining that the current user is a preset threat behavior body.
In one embodiment, the preset attack user portrait knowledge base comprises a preset threat behavior testing countermeasure knowledge base; the determining module 40 is further configured to determine that the current user is a preset threat behavior object when the matched user behavior portrait is stored in the preset threat behavior object testing confrontation knowledge base.
In an embodiment, the determining module 40 is further configured to obtain the number of matching types storing the matching user behavior representation;
and when the number of the matching types reaches a preset matching number threshold value, determining that the current user is a preset threat behavior body.
In an embodiment, the determining module 40 is further configured to identify the current user according to the user type of the current user, so as to obtain identified user information;
and performing noise reduction processing on the user behavior portrait according to the identified user information.
The attack user identification device based on the tester adopts all the technical schemes of all the embodiments, so that the attack user identification device at least has all the beneficial effects brought by the technical schemes of the embodiments, and the details are not repeated.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.
The invention discloses A1, a tester-based attack user identification method, wherein the tester-based attack user identification method comprises the following steps:
collecting test behavior information of a current user through a test machine;
generating a user behavior portrait according to the test behavior information;
matching the user behavior portrait with a preset attack user portrait knowledge base to judge whether the matched user behavior portrait exists in the preset attack user portrait knowledge base or not, wherein the preset attack user portrait knowledge base is obtained by integrating all attack user portrait knowledge bases according to attack types;
and when the matched user behavior portrait is stored in the preset attack user portrait knowledge base, determining the current user as an attack user.
A2, the tester-based attack user identification method of claim A1, wherein the generating a user behavior portrait according to the test behavior information comprises:
extracting preset program keyword information in the test behavior information;
comparing the preset program keyword information with the using program keyword information, and obtaining the using program information of the test behavior information according to the comparison result;
and generating a user behavior portrait according to the using program information.
A3, the tester-based attack user identification method of claim A2, wherein the using program information includes communication software information;
the generating the user behavior portrait according to the using program information comprises the following steps:
extracting communication software information in the use program information;
and generating a communication software use dimension according to the communication software information, and generating a user behavior portrait according to the communication software use dimension.
A4, the tester-based attack user identification method of claim A2, wherein the using program information includes input method information;
the generating the user behavior portrait according to the using program information comprises the following steps:
extracting input method information in the using program information;
and generating an input method using dimension according to the input method information, and generating a user behavior portrait according to the input method using dimension.
A5. The test-machine-based attack user identification method of claim A1, wherein generating the user behavior portrait according to the test behavior information comprises:
extracting user event information in the test behavior information;
obtaining file information related to the user event information in the test behavior information according to the user event information;
obtaining corresponding storage address information according to the file information associated with the user event information;
obtaining file path information according to the storage address information;
and generating a user behavior portrait according to the file path information.
A6. The test-machine-based attack user identification method of claim A5, wherein the file path information includes at least one of program installation path information, search path information and file marker path information.
A7. The test-machine-based attack user identification method of claim A1, wherein generating the user behavior portrait according to the test behavior information comprises:
comparing the test behavior information with preset access keywords to obtain user access information in the test behavior information;
extracting access domain name information in the user access information;
and generating a user behavior portrait according to the access domain name information.
A8. The test-machine-based attack user identification method of claim A1, wherein generating the user behavior portrait according to the test behavior information comprises:
comparing the test behavior information with preset event keywords to obtain user event information in the test behavior information;
comparing the user event information with preset code information to obtain use code information corresponding to the user event information;
and generating a user behavior portrait according to the user event information and the corresponding use code information.
A9. The test-machine-based attack user identification method of any one of claims A1 to A8, wherein before matching the user behavior portrait with the preset attack user portrait knowledge base to judge whether a matching user behavior portrait exists in the preset attack user portrait knowledge base, the method further comprises:
acquiring an attack user portrait knowledge base based on Internet protocol identification, an attack user portrait knowledge base based on local area network address identification, an attack user portrait knowledge base based on threat indexes and an open source attack user portrait knowledge base;
and integrating the attack user portrait knowledge base based on the Internet protocol identification, the attack user portrait knowledge base based on the local area network address identification, the attack user portrait knowledge base based on the threat index and the open source attack user portrait knowledge base according to the attack type to obtain a preset attack user portrait knowledge base.
A10. The test-machine-based attack user identification method of any one of claims A1 to A8, wherein after generating the user behavior portrait according to the test behavior information, the method further comprises:
extracting user event information in the user behavior portrait;
comparing the user event information with preset event keywords, and obtaining a corresponding event type in the user event information according to a comparison result;
searching a corresponding target language family in a preset terminal language family mapping table according to the event type;
obtaining a current language family according to the user event information, and matching the current language family with the target language family;
and when the current language family is not matched with the target language family, determining the current user as an attack user.
A11. The test-machine-based attack user identification method of any one of claims A1 to A8, wherein after generating the user behavior portrait according to the test behavior information, the method further comprises:
extracting user usage behavior information in the user behavior portrait;
matching the user usage behavior information with preset attack tool keywords to judge whether a preset attack tool keyword exists in the user usage behavior information;
and when a preset attack tool keyword exists in the user usage behavior information, determining that the current user is an attack user.
A12. The test-machine-based attack user identification method of any one of claims A1 to A8, wherein determining that the current user is an attack user when a matching user behavior portrait exists in the preset attack user portrait knowledge base comprises:
when a matching user behavior portrait exists in the preset attack user portrait knowledge base, judging whether the user behavior portrait exists in a preset threat behavior body test countermeasure knowledge base;
and when the user behavior portrait exists in the preset threat behavior body test countermeasure knowledge base, determining that the current user is a preset threat behavior body.
A13. The test-machine-based attack user identification method of any one of claims A1 to A8, wherein the preset attack user portrait knowledge base includes a preset threat behavior body test countermeasure knowledge base;
determining that the current user is an attack user when a matching user behavior portrait exists in the preset attack user portrait knowledge base comprises:
when a matching user behavior portrait exists in the preset threat behavior body test countermeasure knowledge base, determining that the current user is a preset threat behavior body.
A14. The test-machine-based attack user identification method of any one of claims A1 to A8, wherein determining that the current user is an attack user when a matching user behavior portrait exists in the preset attack user portrait knowledge base comprises:
acquiring the number of matching types of the matched user behavior portraits;
and when the number of the matching types reaches a preset matching number threshold value, determining that the current user is a preset threat behavior body.
A15. The test-machine-based attack user identification method of any one of claims A1 to A8, wherein after determining that the current user is an attack user when a matching user behavior portrait exists in the preset attack user portrait knowledge base, the method further comprises:
identifying the current user according to the user type of the current user to obtain identified user information;
and performing noise reduction processing on the user behavior portrait according to the identified user information.
B16. A test-machine-based attack user identification apparatus, comprising:
the acquisition module is used for acquiring the test behavior information of the current user through the test machine;
the generating module is used for generating a user behavior portrait according to the test behavior information;
the matching module is used for matching the user behavior portrait with a preset attack user portrait knowledge base to judge whether the matched user behavior portrait exists in the preset attack user portrait knowledge base or not, wherein the preset attack user portrait knowledge base is obtained by integrating all attack user portrait knowledge bases according to attack types;
and the determining module is used for determining that the current user is an attack user when a matching user behavior portrait exists in the preset attack user portrait knowledge base.
B17. The apparatus of claim B16, wherein the generating module is further configured to extract preset program keyword information in the test behavior information;
compare the preset program keyword information with usage program keyword information, and obtain the usage program information of the test behavior information according to the comparison result;
and generate the user behavior portrait according to the usage program information.
B18. The test-machine-based attack user identification apparatus of claim B17, wherein the usage program information includes communication software information;
the generating module is further used for extracting the communication software information in the usage program information;
and generating a communication software usage dimension according to the communication software information, and generating the user behavior portrait according to the communication software usage dimension.
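
The matching flow of claims A1, A9, A11 and A14 can be sketched as follows. This is an added example, not code from the patent or its applicant: the knowledge-base entries, event lines, dimension names, attack-tool keywords, threshold and verdict labels (`threat_actor` standing in for the "preset threat behavior body") are all constructed assumptions.

```python
from collections import defaultdict

# Portrait dimensions named after the claims (A2-A7); the key names are assumptions.
DIMENSIONS = {"program", "comm_software", "input_method", "file_path", "domain"}

# Constructed sample knowledge bases, one per source listed in claim A9.
IP_KB = {"credential_theft": {("domain", "login-update.example")}}
LAN_KB = {"lateral_movement": {("file_path", "c:/tools/remote")}}
THREAT_INDEX_KB = {"credential_theft": {("program", "dumper.exe")}}
OPEN_SOURCE_KB = {"reconnaissance": {("program", "portscan.exe")}}
TOOL_KEYWORDS = {"portscan", "dumper"}  # constructed attack-tool keywords (A11)

def merge_knowledge_bases(*sources):
    """Integrate the source knowledge bases into one, keyed by attack type (A9)."""
    merged = defaultdict(set)
    for source in sources:
        for attack_type, features in source.items():
            merged[attack_type] |= set(features)
    return dict(merged)

def build_portrait(events):
    """Turn 'dimension=value' test-machine events into a set of portrait features."""
    portrait = set()
    for event in events:
        dimension, _, value = event.partition("=")
        dimension, value = dimension.strip().lower(), value.strip().lower()
        if dimension in DIMENSIONS and value:  # drop unknown or empty records
            portrait.add((dimension, value))
    return portrait

def classify(portrait, kb, tool_keywords=TOOL_KEYWORDS, threshold=2):
    """Return (verdict, matched features per attack type, tool keyword hits)."""
    matched = {t: sorted(portrait & f) for t, f in kb.items() if portrait & f}
    tools = sorted(v for d, v in portrait
                   if d == "program" and any(k in v for k in tool_keywords))
    if len(matched) >= threshold:      # A14: enough distinct matching types
        verdict = "threat_actor"
    elif matched or tools:             # A1 / A11: any match or attack-tool keyword
        verdict = "attack_user"
    else:
        verdict = "unclassified"
    return verdict, matched, tools

KB = merge_knowledge_bases(IP_KB, LAN_KB, THREAT_INDEX_KB, OPEN_SOURCE_KB)

# Constructed event lines as a test machine might record them.
SESSION = ["program=PortScan.exe", "domain=login-update.example",
           "input_method=pinyin-ime", "bogus", "file_path="]

if __name__ == "__main__":
    print(classify(build_portrait(SESSION), KB))
```

Returning the matched features alongside the verdict lets an analyst see which knowledge-base entries drove the decision, which matters when a single shared indicator would otherwise label a benign user.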

Claims (10)

1. An attack user identification method based on a tester is characterized by comprising the following steps:
collecting test behavior information of a current user through a test machine;
generating a user behavior portrait according to the test behavior information;
matching the user behavior portrait with a preset attack user portrait knowledge base to judge whether the matched user behavior portrait exists in the preset attack user portrait knowledge base or not, wherein the preset attack user portrait knowledge base is obtained by integrating all attack user portrait knowledge bases according to attack types;
and when a matching user behavior portrait exists in the preset attack user portrait knowledge base, determining that the current user is an attack user.
2. The tester-based attack user identification method according to claim 1, wherein generating the user behavior portrait according to the test behavior information comprises:
extracting preset program keyword information in the test behavior information;
comparing the preset program keyword information with usage program keyword information, and obtaining the usage program information of the test behavior information according to the comparison result;
and generating the user behavior portrait according to the usage program information.
3. The tester-based attack user identification method according to claim 2, wherein the usage program information includes communication software information;
generating the user behavior portrait according to the usage program information comprises:
extracting the communication software information in the usage program information;
and generating a communication software usage dimension according to the communication software information, and generating the user behavior portrait according to the communication software usage dimension.
4. The tester-based attack user identification method according to claim 2, wherein the usage program information includes input method information;
generating the user behavior portrait according to the usage program information comprises:
extracting the input method information in the usage program information;
and generating an input method usage dimension according to the input method information, and generating the user behavior portrait according to the input method usage dimension.
5. The tester-based attack user identification method according to claim 1, wherein generating the user behavior portrait according to the test behavior information comprises:
extracting user event information in the test behavior information;
obtaining file information related to the user event information in the test behavior information according to the user event information;
obtaining corresponding storage address information according to the file information associated with the user event information;
obtaining file path information according to the storage address information;
and generating a user behavior portrait according to the file path information.
6. The tester-based attack user identification method according to claim 5, wherein the file path information includes at least one of program installation path information, search path information, and file marker path information.
7. The tester-based attack user identification method according to claim 1, wherein generating the user behavior portrait according to the test behavior information comprises:
comparing the test behavior information with preset access keywords to obtain user access information in the test behavior information;
extracting access domain name information in the user access information;
and generating a user behavior portrait according to the access domain name information.
8. A tester-based attack user identification apparatus, comprising:
the acquisition module is used for acquiring the test behavior information of the current user through the test machine;
the generating module is used for generating a user behavior portrait according to the test behavior information;
the matching module is used for matching the user behavior portrait with a preset attack user portrait knowledge base to judge whether the matched user behavior portrait exists in the preset attack user portrait knowledge base or not, wherein the preset attack user portrait knowledge base is obtained by integrating all attack user portrait knowledge bases according to attack types;
and the determining module is used for determining that the current user is an attack user when a matching user behavior portrait exists in the preset attack user portrait knowledge base.
9. A tester-based attack user identification device, the tester-based attack user identification device comprising: a memory, a processor and a tester-based attack user identification program stored on the memory and running on the processor, the tester-based attack user identification program when executed by the processor implementing the steps of the tester-based attack user identification method as claimed in any one of claims 1 to 7.
10. A storage medium having stored thereon a tester-based attack user identification program that, when executed by a processor, implements the steps of the tester-based attack user identification method according to any one of claims 1 to 7.
CN202011275564.8A 2020-11-13 2020-11-13 Attack user identification method, equipment, storage medium and device based on test machine Pending CN114499911A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011275564.8A CN114499911A (en) 2020-11-13 2020-11-13 Attack user identification method, equipment, storage medium and device based on test machine

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011275564.8A CN114499911A (en) 2020-11-13 2020-11-13 Attack user identification method, equipment, storage medium and device based on test machine

Publications (1)

Publication Number Publication Date
CN114499911A true CN114499911A (en) 2022-05-13

Family

ID=81490991

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011275564.8A Pending CN114499911A (en) 2020-11-13 2020-11-13 Attack user identification method, equipment, storage medium and device based on test machine

Country Status (1)

Country Link
CN (1) CN114499911A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115470905A (en) * 2022-09-27 2022-12-13 高强 Big data analysis processing method and system

Similar Documents

Publication Publication Date Title
CN111125695B (en) Account risk assessment method, device, equipment and storage medium
CN107888606B (en) Domain name credit assessment method and system
CN109670931B (en) Loan user behavior detection method, loan user behavior detection device, loan user behavior detection equipment and loan user behavior detection storage medium
CN111404949A (en) Flow detection method, device, equipment and storage medium
CN106998336B (en) Method and device for detecting user in channel
CN116015703A (en) Model training method, attack detection method and related devices
CN114499911A (en) Attack user identification method, equipment, storage medium and device based on test machine
CN113949525A (en) Method and device for detecting abnormal access behavior, storage medium and electronic equipment
CN111835781B (en) Method and system for discovering host of same source attack based on lost host
CN110691090B (en) Website detection method, device, equipment and storage medium
CN112632528A (en) Threat information generation method, equipment, storage medium and device
CN112395603A (en) Vulnerability attack identification method and device based on instruction execution sequence characteristics and computer equipment
CN111556042B (en) Malicious URL detection method and device, computer equipment and storage medium
CN115643044A (en) Data processing method, device, server and storage medium
CN113361597B (en) Training method and device for URL detection model, electronic equipment and storage medium
CN113962218A (en) Illegal application identification method, device and equipment and readable storage medium
CN110401639B (en) Method and device for judging abnormality of network access, server and storage medium thereof
CN113128538A (en) Network behavior classification method, equipment, storage medium and device
CN113132340A (en) Phishing website identification method based on vision and host characteristics and electronic device
CN113055396B (en) Cross-terminal traceability analysis method, device, system and storage medium
CN114567449A (en) APT attack test behavior identification method, device, storage medium and device
CN114490538A (en) Test machine data storage method, platform, equipment and storage medium
CN113407450B (en) Interface testing method, device, equipment and medium based on parameter automatic identification
CN115935359B (en) File processing method, device, computer equipment and storage medium
CN109460783B (en) Fake browser identification method, fake browser identification system, server and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination