CN114500099A - Big data attack processing method and server for cloud service - Google Patents


Info

Publication number
CN114500099A
Authority
CN
China
Prior art keywords
log
cloud
cloud session
attack intention
session message
Prior art date
Legal status
Pending
Application number
CN202210207127.5A
Other languages
Chinese (zh)
Inventor
朱文涛
朱跃伟
Current Assignee
Pu Jiahong
Original Assignee
Qingdao Dexin Network Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Qingdao Dexin Network Technology Co ltd
Priority to CN202210207127.5A
Publication of CN114500099A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/045 Combinations of networks
    • G06N3/08 Learning methods

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Hardware Design (AREA)
  • General Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Molecular Biology (AREA)
  • Data Mining & Analysis (AREA)
  • Computational Linguistics (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Evolutionary Computation (AREA)
  • Biophysics (AREA)
  • Biomedical Technology (AREA)
  • Artificial Intelligence (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention provides a big data attack processing method and a server for cloud services. A service interaction log obtained by a preset log acquisition thread is mined and identified by a big data attack intention mining model, which reduces the complexity and resource overhead of attack intention mining and identification to a certain extent and determines the global attack intention keyword of an abnormal activity event accurately and in a timely manner. Attack intention mining and identification are thus realised for different abnormal activity events, and targeted big data attack defence processing can follow according to the global attack intention keyword.

Description

Big data attack processing method and server for cloud service
Technical Field
The invention relates to the technical field of cloud computing, in particular to a big data attack processing method and a server for cloud service.
Background
In a big data environment the security requirements of the various industries and fields are changing, and a new complete chain is formed from data acquisition, data integration, data extraction and data mining through to data distribution. As data is further centralised and data volumes grow, securing data during a cloud service process becomes harder. Traditional information security means cannot meet the information security requirements of the big data era, and security threats gradually become a bottleneck restricting the development of big data technology. In the attack identification stage in particular, traditional means suffer from high complexity, high resource overhead and difficulty in guaranteeing identification precision.
Disclosure of Invention
The invention provides a big data attack processing method and a server for cloud services, and adopts the following technical scheme to achieve this technical purpose.
The first aspect is a big data attack processing method for cloud services, applied to a cloud server, comprising the following steps: determining a service interaction log of an abnormal activity event in a cloud service process; performing dynamic adjustment processing on the service interaction log to determine the diversified expression content of a plurality of cloud session messages in the service interaction log, where the diversified expression content reflects the transfer relationship between the key descriptions of the cloud session messages in the service interaction log; performing big data attack intention mining and identification on the diversified expression content of the plurality of cloud session messages through a big data attack intention mining model to obtain an attack intention keyword for each cloud session message; and, based on the attack intention keyword of each cloud session message, sorting the attack intention keywords of the different cloud session messages that point to the same abnormal activity event to obtain the global attack intention keyword of that abnormal activity event.
In some possible embodiments, performing dynamic adjustment processing on the service interaction log to determine the diversified expression content of the plurality of cloud session messages in the service interaction log includes:
mining the significant log content of the service interaction log; determining the log label data of the service interaction log; performing dynamic adjustment processing on the significant log content to determine the relative distribution identifiers of the plurality of cloud session messages in the adjusted interaction log; and
determining the diversified expression content of each of the plurality of cloud session messages from the significant log content, the relative distribution identifiers of the plurality of cloud session messages and the log label data;
wherein determining the diversified expression content of each cloud session message from the significant log content, the relative distribution identifiers and the log label data comprises: combining, for each state-type interaction log, its significant log content, its log label data and the relative distribution identifiers of its cloud session messages to obtain the attention expression content of each cloud session message in that state-type interaction log; and splicing together, based on the cloud session message binding result, the attention expression contents that point to the same cloud session message across the state-type interaction logs to obtain the diversified expression content of each cloud session message.
In some possible embodiments the service interaction log comprises a plurality of state-type interaction logs, and performing dynamic adjustment processing on the significant log content to determine the relative distribution identifiers of the cloud session messages in the adjusted interaction log comprises:
performing cloud session message binding across the state-type interaction logs based on the significant log content of each state-type interaction log, to obtain a plurality of cloud session message binding results, where one binding result identifies the same cloud session message appearing in different state-type interaction logs; and
performing log dynamic adjustment on the cloud service process corresponding to a reference-type interaction log among the state-type interaction logs, based on the binding results, to obtain the relative distribution identifier of the cloud session message corresponding to each binding result; the reference-type interaction log is one of the plurality of state-type interaction logs.
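As an added illustration of the binding and splicing steps above (example code, not the patent's own): the script binds cloud session messages that recur across several state-type interaction logs, derives a relative distribution identifier for each from the reference-type log, and splices the per-log attention expression content into one diversified expression vector per message. The record layout, the session key used for binding, the one-hot encoding of the log label data and the use of normalised position in the reference-type log as the relative distribution identifier are all assumptions; the patent leaves them unspecified.

```python
"""Added example, not the patent's code: cloud session message binding across
state-type interaction logs, relative distribution identifiers from the
reference-type log, and splicing of per-log attention expression content into
one diversified expression vector per cloud session message.

Assumptions (the patent does not specify them): records are
(session_key, significant_log_content, log_label_data); the session key is the
binding attribute; log label data is one-hot encoded; the relative distribution
identifier is the normalised position of the session in the reference-type log.
"""
from collections import OrderedDict

# Constructed sample: Q = 3 state-type interaction logs of one cloud service process.
STATE_LOGS = OrderedDict([
    ("auth",    [("s1", [0.9, 0.1], "login"),  ("s2", [0.2, 0.8], "login"), ("s3", [0.5, 0.5], "login")]),
    ("storage", [("s2", [0.7, 0.3], "delete"), ("s1", [0.1, 0.9], "read"),  ("s4", [0.4, 0.4], "write")]),
    ("network", [("s3", [0.6, 0.6], "egress"), ("s1", [0.3, 0.3], "egress")]),
])
REFERENCE_LOG = "auth"      # reference-type interaction log (assumption: the first one)
LABEL_CODES = {"login": 0, "read": 1, "write": 2, "delete": 3, "egress": 4}  # constructed vocabulary
CONTENT_DIM = 2             # length of the significant log content vector in the sample


def bind_sessions(state_logs):
    """Cloud session message binding: one binding result per session key, listing
    the (content, label) record of that session in every log it appears in."""
    bound = OrderedDict()
    for log_name, records in state_logs.items():
        for key, content, label in records:
            bound.setdefault(key, OrderedDict())[log_name] = (content, label)
    return bound


def relative_distribution(state_logs, reference_log):
    """Relative distribution identifier of each session present in the reference
    log: its position in that log normalised to [0, 1]."""
    ref = state_logs[reference_log]
    n = max(len(ref) - 1, 1)
    return {key: i / n for i, (key, _, _) in enumerate(ref)}


def attention_content(content, label, rel_pos):
    """Attention expression content of one message in one log: significant content,
    one-hot log label data and the relative distribution identifier, concatenated."""
    one_hot = [0.0] * len(LABEL_CODES)
    one_hot[LABEL_CODES[label]] = 1.0
    return list(content) + one_hot + [rel_pos]


def diversified_expression(state_logs, reference_log):
    """Splice the attention content of the same session across all state-type logs,
    in fixed log order and zero-filled where the session is absent, so every
    session yields a vector of the same length (Q * width)."""
    bound = bind_sessions(state_logs)
    rel = relative_distribution(state_logs, reference_log)
    width = CONTENT_DIM + len(LABEL_CODES) + 1
    out = OrderedDict()
    for key, per_log in bound.items():
        vec = []
        for log_name in state_logs:
            if log_name in per_log:
                content, label = per_log[log_name]
                # sessions missing from the reference log get -1.0 as identifier
                vec += attention_content(content, label, rel.get(key, -1.0))
            else:
                vec += [0.0] * width
        out[key] = vec
    return out


if __name__ == "__main__":
    for key, vec in diversified_expression(STATE_LOGS, REFERENCE_LOG).items():
        print(key, len(vec), vec)
```

Every session ends up with a fixed-width vector regardless of how many state-type logs it appeared in, which is what a downstream classifier with a fixed input shape needs; a session absent from the reference-type log (s4 in the sample) keeps its other-log content but carries a sentinel identifier, so the mining model can tell "not seen in the reference log" apart from "seen at position 0".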
In some possible embodiments, performing dynamic adjustment processing on the service interaction log to determine the diversified expression content of the plurality of cloud session messages in the service interaction log includes:
clustering the plurality of cloud session messages in the service interaction log to obtain a plurality of session message clusters corresponding to different abnormal activity events, the session message clusters and the abnormal activity events corresponding one to one; and
performing dynamic adjustment processing on the session message clusters of the different abnormal activity events in the service interaction log to determine the diversified expression content of the cloud session messages corresponding to each abnormal activity event.
In some possible embodiments, performing big data attack intention mining and identification on the diversified expression content of the plurality of cloud session messages through the big data attack intention mining model to obtain the attack intention keyword of each cloud session message includes:
extracting, through the mining submodel of the big data attack intention mining model, the interaction-log heat content of the diversified expression content of the plurality of cloud session messages, to obtain the interaction-log heat content of each cloud session message; and
identifying the interaction-log heat content of each cloud session message through the identifier model of the big data attack intention mining model to obtain the attack intention keyword of each cloud session message. The big data attack intention mining model is determined as follows: determining an authenticated (labelled) service interaction log sample, comprising a plurality of state-type interaction log samples of an abnormal activity event sample together with the global attack intention keyword sample of that abnormal activity event sample; feeding the authenticated service interaction log sample into a basic big data attack intention mining model to obtain a candidate global attack intention keyword for the abnormal activity event sample; obtaining quantitative cost data from the candidate global attack intention keyword and a preset cost metric; and tuning the basic big data attack intention mining model according to the quantitative cost data to obtain the big data attack intention mining model;
wherein determining the authenticated service interaction log sample comprises one of the following:
acquiring interaction logs of an abnormal activity event sample through a log acquisition thread to obtain a plurality of state-type interaction log samples of that abnormal activity event sample, and taking as the global attack intention keyword sample the global attack intention keyword of the abnormal activity event sample after significance processing; or
determining a plurality of state-type interaction log sample sets and performing attack intention identification on them according to a preset attack intention identification strategy to obtain the global attack intention keyword sample of the abnormal activity event sample.
In some possible embodiments the big data attack intention mining model includes a specified number of network model nodes, and extracting the interaction-log heat content of the diversified expression content of the plurality of cloud session messages through the mining submodel comprises:
selecting, from the diversified expression content of the plurality of cloud session messages, the diversified expression content of the specified number of cloud session messages; and
mining the diversified expression content of the specified number of cloud session messages with the mining submodel of the big data attack intention mining model to obtain the interaction-log heat content of each of those cloud session messages.
In some possible embodiments the service interaction log comprises an independent interaction log, and performing dynamic adjustment processing on the significant log content to determine the relative distribution identifiers of the cloud session messages in the adjusted interaction log comprises:
performing constraint adjustment on the cloud service process corresponding to the independent interaction log based on the significant log content, and determining the relative distribution identifiers of the plurality of cloud session messages in the independent interaction log.
In some possible embodiments, mining the significant log content of the service interaction log to obtain the significant log content includes:
performing at least one pre-operation, feature recognisability optimisation or interference reduction, on the service interaction log to obtain a pre-processed target interaction log; and
mining the significant log content of the pre-processed target interaction log through a significant log content mining model to obtain the significant log content.
In some possible embodiments, sorting, based on the attack intention keyword of each cloud session message, the attack intention keywords of the different cloud session messages that point to the same abnormal activity event to obtain the global attack intention keyword of the abnormal activity event includes:
clustering the plurality of cloud session messages in the service interaction log to obtain a plurality of session message clusters corresponding to different abnormal activity events, the session message clusters and the abnormal activity events corresponding one to one;
for each session message cluster, obtaining the attack intention keyword of each cloud session message in the cluster from the big data attack intentions of the cloud session messages in the service interaction log; and
sorting the attack intention keywords of the cloud session messages in each session message cluster to obtain the global attack intention keyword of the abnormal activity event that cluster points to, and repeating this for every cluster until the global attack intention keywords of the different abnormal activity events in the service interaction log are obtained;
wherein, when the service interaction log comprises a plurality of state-type interaction logs, clustering the plurality of cloud session messages in the service interaction log into session message clusters corresponding to different abnormal activity events comprises:
clustering the cloud session messages of a reference-type interaction log among the state-type interaction logs to obtain the session message clusters corresponding to the different abnormal activity events, the reference-type interaction log being one of the state-type interaction logs;
and sorting the attack intention keywords of the cloud session messages in each session message cluster to obtain the global attack intention keyword pointing to the same abnormal activity event comprises:
summarising (tallying) the identical attack intention keywords of the cloud session messages in each session message cluster to obtain a summary result for each attack intention keyword; and
determining the global attack intention keyword of the abnormal activity event from the summary results and a specified summary condition.
A second aspect is a cloud server comprising a memory and a processor coupled to each other; the memory stores computer program code comprising computer instructions which, when executed by the processor, cause the cloud server to perform the method of the first aspect.
According to one embodiment of the invention, the service interaction log of an abnormal activity event in a cloud service process is determined, the service interaction log being a local interaction log obtained by a preset log acquisition thread; dynamic adjustment processing is performed on the service interaction log to determine the diversified expression content of a plurality of cloud session messages in it, which reflects the transfer relationship between the key descriptions of those cloud session messages. Because the key descriptions of cloud session messages belonging to different abnormal activity events differ, while a transfer relationship exists between the key descriptions of cloud session messages belonging to the same abnormal activity event, mining and identifying the diversified expression content of the plurality of cloud session messages with the big data attack intention mining model can map the key description of each cloud session message onto the key description that has a transfer relationship with the attack intention, and so determine the attack intention keyword of each cloud session message. Based on those per-message attack intention keywords, the attack intention keywords of the different cloud session messages that point to the same abnormal activity event are sorted to obtain the global attack intention keyword of that abnormal activity event.
In this way the service interaction log acquired by the preset log acquisition thread is mined and identified through the big data attack intention mining model, which reduces the complexity and resource overhead of attack intention mining and identification to a certain extent and determines the global attack intention keywords of the abnormal activity events accurately and in a timely manner; attack intention mining and identification of different abnormal activity events is thus realised, and targeted big data attack defence processing can follow according to the global attack intention keywords.
Drawings
Fig. 1 is a schematic flowchart of a big data attack processing method for cloud services according to an embodiment of the present invention.
Fig. 2 is a block diagram of a big data attack processing apparatus for cloud services according to an embodiment of the present invention.
Detailed Description
In the following, the terms "first", "second" and "third", etc. are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, features defined as "first", "second" or "third", etc., may explicitly or implicitly include one or more of the features.
Fig. 1 is a flowchart illustrating a big data attack processing method for cloud services according to an embodiment of the present invention, where the big data attack processing method for cloud services may be implemented by a cloud server, and the cloud server may include a memory and a processor; the memory and the processor are coupled; the memory for storing computer program code, the computer program code comprising computer instructions; wherein the computer instructions, when executed by the processor, cause the cloud server to perform the following steps.
Step 101, determining a service interaction log of an abnormal activity event in a cloud service process.
In this embodiment an abnormal activity event is a business item that carries a hidden information security danger (such as an information leakage risk or a data attack risk) in a cloud service scenario. The service interaction log is a local interaction log obtained by the preset log acquisition thread; compared with other types of log it is simpler to determine, which reduces unnecessary resource consumption when acquiring the interaction log.
The cloud service process is the application scenario in which the service interaction takes place. It may be of different types, such as an online payment service process, a remote office service process or an intelligent medical service process, and may contain one or several abnormal activity events. An abnormal activity event may correspond to a single attack mode or to a mixed attack mode, and the attack intention keywords may include, but are not limited to, privacy stealing, data tampering and malicious deletion. The service interaction log may be an independent interaction log (a single interaction log) or a hybrid interaction log; a hybrid interaction log consists of the interaction logs of the abnormal activity event in different interaction states, which are related to each other, for example by time sequence or by service scenario. The presentation form of the service interaction log includes, but is not limited to, text, audio and video. The interaction logs of an abnormal activity event in several different interaction states correspond to the same cloud service process, so the cloud service process as a whole can later be analysed for attacks through the big data attack intention mining model.
Step 102, performing dynamic adjustment processing on the service interaction log to determine the diversified expression content of a plurality of cloud session messages in the service interaction log; the diversified expression content reflects the transfer relationship between the key descriptions of the cloud session messages in the service interaction log.
In this embodiment the identification device for the global attack intention of the abnormal activity event adjusts and processes the acquired service interaction log to obtain the diversified expression content of the plurality of cloud session messages in it.
The plurality of cloud session messages may be all the cloud session messages in the service interaction log, which ensures the comprehensiveness of the diversified expression content, or only some of them. Taking a service interaction log that covers Q state-type interaction logs as an example, dynamic adjustment processing on the service interaction log determines the diversified expression content of the cloud session messages present in the Q state-type interaction logs; this content (feature information) reflects the transfer relationship (the association between features) between the key descriptions of the cloud session messages across the Q state-type interaction logs, which improves the accuracy of the diversified expression content obtained.
Dynamic adjustment processing converts and adjusts data information in the feature dimension by means of artificial intelligence, following the steps of determining feature identification descriptions, pre-operation, information matching and sorting, and determining the global attack corresponding to the abnormal activity event, under a dynamic adjustment approach. It may include the selection of a feature space and of a neural network model, feature mining processing and so on, and yields the diversified expression content of the plurality of cloud session messages in the service interaction log.
The diversified expression content integrates key description contents such as the significant log content (feature content), the relative distribution identifiers (for example spatial position information) and the log label data (for example log attribute information), together with the associations between them.
The identification device performs dynamic adjustment processing on the service interaction log to obtain the relative distribution identifiers of the cloud session messages, and determines the diversified expression content of each cloud session message from the key description contents of the plurality of cloud session messages (the relative distribution identifiers, the significant log content and the log label data) and the associations among those key description contents, which improves the precision and reliability of the diversified expression content.
Step 103, performing big data attack intention mining and identification on the diversified expression content of the cloud session messages through the big data attack intention mining model to obtain the attack intention keyword of each cloud session message.
The big data attack intention mining model may be a classification network; its architecture is not further limited in this embodiment, as long as it can perform big data attack intention mining and identification on the diversified expression content, and it may include, but is not limited to, a CNN, GCN, RNN or LSTM.
For example, the big data attack intention mining model may be a GCN, whose architecture can be adjusted flexibly according to the actual requirements of the embodiment and is not limited here.
The diversified expression content may include key description contents such as the significant log content, the relative distribution identifiers of the plurality of cloud session messages and the log label data; feeding it into the big data attack intention mining model for mining and identification yields the attack intention keyword of each cloud session message.
The attack intention keyword can be understood as the attack category of a cloud session message obtained by feeding the diversified expression content of the plurality of cloud session messages into the big data attack intention mining model for mining and identification; it may be represented by a text label or recorded as a feature value, without limitation here.
And step 104, based on the attack intention keywords of each cloud session message, sorting the attack intention keywords of different cloud session messages pointing to the same abnormal activity event to obtain the global attack intention keywords of the abnormal activity event.
For the embodiment of the invention, the big data attack intention mining model derives several groups of attack intention keywords for the cloud session messages. The service interaction log can cover one or more abnormal activity events. If there is only one abnormal activity event, the attack intention keywords of its cloud session messages are sorted to obtain the global attack intention keywords of that event. If there are several abnormal activity events, the cloud session messages belonging to different events must first be distinguished, and the attack intention keywords are then sorted separately for the cloud session messages that point to the same abnormal activity event, giving the global attack intention keywords of each event. "Cloud session messages with differences" here means cloud session messages that belong to different abnormal activity events.
For the embodiment of the invention, sorting the attack intention keywords of several cloud session messages into the global attack intention keywords of an abnormal activity event can be carried out as follows. The attack intention keywords of the cloud session messages are sorted and the possibility (for example, a probability) of each group of attack intention keywords is determined. In one implementation, the attack intention keyword with the highest possibility is taken as the global attack intention keyword of the abnormal activity event, so only one group of attack intention keywords is derived. For example, if the possibility that the attack intention keyword of an abnormal activity event is "malicious deletion" is 0.7, the possibility of "privacy stealing" is 0.2 and the possibility of "information leakage" is 0.1, the global attack intention keyword of the abnormal activity event is "malicious deletion".
In another implementation, every attack intention keyword whose possibility is larger than a set value is taken as a global attack intention keyword of the abnormal activity event, so several groups of attack intention keywords may be derived. For example, if the possibility that the attack intention keyword of an abnormal activity event is "malicious deletion" is 0.6, the possibility of "traffic attack" is 0.4 and the set value is 0.2, the global attack intention keyword of the abnormal activity event is the fusion of "malicious deletion" and "traffic attack"; in other words, the abnormal activity event carries several groups of attack intention keywords. The embodiment of the invention does not further limit how the global attack intention keywords of an abnormal activity event are derived.
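The two derivation modes above, as an added example in Python; this is not code from the patent, and it assumes that the "possibility" of a keyword is the share of an event's cloud session messages that carry it (the patent does not fix how the possibility is computed). The comparison in mode 2 is strict ("larger than the set value"), as the text states, so a keyword whose possibility equals the set value is not selected.

```python
"""Added example, not taken from the patent: sorting the attack intention
keywords of the cloud session messages of each abnormal activity event into
that event's global attack intention keyword(s).
Assumption: the 'possibility' of a keyword is the share of the event's
cloud session messages whose attack intention keyword it is.
Both derivation modes from the description are implemented.
All (event, message, keyword) data below is constructed."""
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

MessageKeyword = Tuple[str, str, str]  # (event id, cloud session message id, keyword)


def keyword_possibilities(message_keywords: List[MessageKeyword]) -> Dict[str, Dict[str, float]]:
    """Distinguish the messages of different events, then turn per-event
    keyword counts into possibilities (fractions summing to 1)."""
    per_event: Dict[str, Counter] = defaultdict(Counter)
    for event_id, _message_id, keyword in message_keywords:
        per_event[event_id][keyword] += 1
    return {
        event_id: {kw: n / sum(counts.values()) for kw, n in counts.items()}
        for event_id, counts in per_event.items()
    }


def global_keyword_by_max(possibilities: Dict[str, float]) -> str:
    """Mode 1: the single keyword with the highest possibility (ties broken by name)."""
    return min(possibilities, key=lambda kw: (-possibilities[kw], kw))


def global_keywords_by_threshold(possibilities: Dict[str, float], set_value: float) -> List[str]:
    """Mode 2: every keyword whose possibility is strictly larger than the set
    value, highest possibility first; the event then carries several keywords."""
    chosen = [kw for kw, p in possibilities.items() if p > set_value]
    return sorted(chosen, key=lambda kw: (-possibilities[kw], kw))


def global_attack_intention_keywords(message_keywords: List[MessageKeyword],
                                     set_value: Optional[float] = None) -> Dict[str, List[str]]:
    """Per event: mode 1 when no set value is given, otherwise mode 2."""
    result = {}
    for event_id, possibilities in keyword_possibilities(message_keywords).items():
        if set_value is None:
            result[event_id] = [global_keyword_by_max(possibilities)]
        else:
            result[event_id] = global_keywords_by_threshold(possibilities, set_value)
    return result


# Constructed input: evt-1 has 10 messages (7/2/1 split), evt-2 has 10 (6/4 split).
SAMPLE_MESSAGE_KEYWORDS: List[MessageKeyword] = (
    [("evt-1", f"m{i}", "malicious deletion") for i in range(7)]
    + [("evt-1", f"m{i}", "privacy stealing") for i in range(7, 9)]
    + [("evt-1", "m9", "information leakage")]
    + [("evt-2", f"n{i}", "malicious deletion") for i in range(6)]
    + [("evt-2", f"n{i}", "traffic attack") for i in range(6, 10)]
)

if __name__ == "__main__":
    print(global_attack_intention_keywords(SAMPLE_MESSAGE_KEYWORDS))
    print(global_attack_intention_keywords(SAMPLE_MESSAGE_KEYWORDS, set_value=0.2))
```

With the constructed input, mode 1 yields "malicious deletion" for both events, while mode 2 with a set value of 0.2 yields the fusion of "malicious deletion" and "traffic attack" for evt-2 and only "malicious deletion" for evt-1, because the 0.2 possibility of "privacy stealing" is not larger than the set value.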
For the embodiment of the invention, a global attack intention recognition device corresponding to an abnormal activity event determines the service interaction log of the abnormal activity event in the cloud service process, where the service interaction log is a local interaction log obtained by a preset log acquisition thread. It then performs dynamic adjustment processing on the service interaction log and determines the diversified expression content of several cloud session messages in the log; the diversified expression content reflects the transmission relation between the key descriptions of the cloud session messages in the service interaction log. The key descriptions of cloud session messages of different abnormal activity events differ, whereas a transfer connection exists between the key descriptions of cloud session messages of the same abnormal activity event. Therefore, when the big data attack intention mining model mines and identifies the big data attack intention in the diversified expression content of the cloud session messages, the key description of each cloud session message in the diversified expression content can be adjusted into a key description that has a transfer connection with the attack intention, and the attack intention keyword of each cloud session message is thereby determined. Based on the attack intention keyword of each cloud session message, the global attack intention recognition device sorts the attack intention keywords of the different cloud session messages that point to the same abnormal activity event to obtain the global attack intention keywords of that event.
According to this technical scheme, the service interaction logs acquired by the preset log acquisition thread are mined and identified by the big data attack intention mining model, which reduces the complexity and resource overhead of attack intention mining and identification to a certain extent and allows the global attack intention keywords of abnormal activity events to be determined accurately and in time. Attack intention mining and identification of different abnormal activity events is thus realized, and targeted big data attack defense processing can subsequently be performed according to the global attack intention keywords.
In a possible technical solution, step 102 may be implemented as follows. The global attack intention recognition device corresponding to the abnormal activity event mines the significant log content of the service interaction log to obtain the significant log content of the service interaction log; determines the log label data of the service interaction log; performs dynamic adjustment processing in combination with the significant log content and determines the relative distribution identifiers of several cloud session messages in the adjusted interaction log; and determines the diversified expression content of each of the cloud session messages by combining the significant log content, the relative distribution identifiers of the cloud session messages and the log label data.
For the embodiment of the invention, the significant log content may include the tag content, heat content, architecture content and relative distribution content of the log; it reflects the key descriptions at several layers of the log and the relations between those layers. The global attack intention recognition device corresponding to the abnormal activity event can perform dynamic adjustment processing in combination with the significant log content and thereby determine the relative distribution identifiers of several cloud session messages in the adjusted interaction log. The significant log content, the relative distribution identifier and the log label data of a cloud session message can each be treated as key description content; these key description contents are spliced into one key description content, and the spliced result is taken as the diversified expression content of the cloud session message.
For the embodiment of the invention, the service interaction log carries log label data, and the global attack intention recognition device corresponding to the abnormal activity event can determine the log label data of the service interaction log.
For the embodiments of the present invention, the log label data is used for log classification and differentiation. The global attack intention recognition device corresponding to the abnormal activity event (which can be understood as a cloud server) determines the log label data of the service interaction log; mines the significant log content of the service interaction log to obtain its significant log content; performs dynamic adjustment processing in combination with the significant log content to determine the relative distribution identifiers of several cloud session messages in the adjusted interaction log; and determines the diversified expression content of each cloud session message by combining the significant log content, the relative distribution identifiers of the cloud session messages and the log label data. Because the diversified expression content records the key description contents and the associations between them from several layers, the precision of the diversified expression content is improved.
In a possible technical solution, mining the significant log content of the service interaction log to obtain its significant log content may be implemented as follows. The global attack intention recognition device corresponding to the abnormal activity event performs at least one pre-operation (preprocessing) of feature identification degree optimization and interference attenuation on the service interaction log to obtain a target interaction log on which the pre-operation has been completed, and then mines the significant log content of the target interaction log through a significant log content mining model to obtain the significant log content.
For the embodiment of the invention, the recognition device can optimize the feature identification degree of the service interaction log through different cleaning strategies (for example, denoising), and can also attenuate interference in the service interaction log (which can be understood as filtering out poor-quality information).
For the embodiment of the invention, because the recognition device performs at least one pre-operation such as feature identification degree optimization or interference attenuation on the service interaction log before mining the significant log content, the reliability of the significant log content is improved.
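The two pre-operations, as an added example on constructed log lines (not the patent's own code). The patent names only the categories, so the concrete rules below are assumptions: interference attenuation drops lines that do not parse or lack the fields needed downstream, and feature identification degree optimization normalizes field values and collapses exact duplicates. The `key=value` line format and the required field names are likewise assumed.

```python
"""Added example, not the patent's code: the two pre-operations named above
applied to constructed service interaction log lines before significant log
content is mined.
Assumed concrete rules (the description names only the categories):
  interference attenuation  -> drop lines that do not parse or lack the
                               fields needed downstream (poor-quality info)
  feature identification degree optimization -> normalize field values and
                               collapse exact duplicates (a denoising step)
The 'key=value' line format and the required fields are assumptions."""
import re
from typing import Dict, List, Optional, Tuple

FIELD_RE = re.compile(r"(\w+)=(\S+)")
REQUIRED_FIELDS = ("ts", "session", "action")
Record = Dict[str, str]


def parse_line(line: str) -> Optional[Record]:
    """Return the key=value fields of a line, or None if the line is unusable."""
    fields = dict(FIELD_RE.findall(line))
    if any(name not in fields for name in REQUIRED_FIELDS):
        return None
    return fields


def attenuate_interference(lines: List[str]) -> Tuple[List[Record], int]:
    """Keep only parseable, complete records; report how many lines were dropped."""
    kept: List[Record] = []
    dropped = 0
    for line in lines:
        record = parse_line(line.strip())
        if record is None:
            dropped += 1
        else:
            kept.append(record)
    return kept, dropped


def optimize_feature_identification(records: List[Record]) -> List[Record]:
    """Normalize values (case, separators) so the same action is spelled the
    same way everywhere, then drop records that become exact duplicates."""
    seen = set()
    out: List[Record] = []
    for record in records:
        norm = {k: (v.strip() if k == "ts" else v.strip().lower()) for k, v in record.items()}
        norm["action"] = norm["action"].replace("-", "_")
        key = tuple(sorted(norm.items()))
        if key in seen:
            continue
        seen.add(key)
        out.append(norm)
    return out


def preprocess(lines: List[str]) -> Tuple[List[Record], int]:
    """Both pre-operations in the order the description gives them;
    returns the target interaction log and the number of dropped lines."""
    records, dropped = attenuate_interference(lines)
    return optimize_feature_identification(records), dropped


# Constructed sample: two spellings of one event, one unparseable line,
# one line missing required fields.
SAMPLE_LINES = [
    "ts=2024-01-01T10:00:00Z session=S1 action=Bucket-Delete status=200",
    "ts=2024-01-01T10:00:00Z session=s1 action=bucket_delete status=200",
    "garbage ### not a log line",
    "ts=2024-01-01T10:00:02Z session=S2 action=List-Objects status=200",
    "session=S3 status=500",
]

if __name__ == "__main__":
    target_log, dropped = preprocess(SAMPLE_LINES)
    print(dropped, "dropped;", len(target_log), "records kept")
    for r in target_log:
        print(r)
```

Keeping the count of dropped lines is deliberate: a sudden rise in unparseable or incomplete lines is itself worth surfacing to the operator, because it means the significant log content mined afterwards is built on less of the original log.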
In a possible technical solution, the service interaction log includes several state-type interaction logs, and may also include an independent-type interaction log. The embodiment of the invention explains the state-type interaction logs and the independent-type interaction log through the following two embodiments.
Embodiment 1: when the service interaction log includes several state-type interaction logs, performing dynamic adjustment processing in combination with the significant log content and determining the relative distribution identifiers of several cloud session messages in the adjusted interaction log may be implemented as follows. The recognition device binds the state-type interaction logs (for example, by cloud session message matching) based on the significant log content of each state-type interaction log to obtain several cloud session message binding results, where one binding result reflects the same cloud session message existing in different state-type interaction logs. Based on the binding results, it performs dynamic log adjustment on the cloud service process corresponding to a reference-type interaction log among the state-type interaction logs to obtain the relative distribution identifiers of the cloud session messages corresponding to the binding results; the reference-type interaction log is one of the state-type interaction logs.
For the embodiment of the present invention, the several state-type interaction logs (which may be understood as interaction logs under several states or at several layers) are logs of abnormal activity events in the same cloud service process, so the cloud session messages in different state-type interaction logs are consistent. The same cloud session message existing in different state-type interaction logs is therefore merged into one cloud session message binding result, and several binding results are obtained in this way. The reference-type interaction log may be understood as a benchmark interaction log.
In some embodiments of the present invention, cloud session message binding over several state-type interaction logs can be implemented as follows: one of the state-type interaction logs is chosen at random as the reference-type interaction log; the remaining state-type interaction logs are matched against the reference-type interaction log so that the log acquisition threads of the state-type interaction logs are compatible with each other; and the cloud session messages are then bound based on the matched state-type interaction logs to obtain several cloud session message binding results.
For example, because each state-type interaction log covers several cloud session messages, some cloud session messages may remain unbound when cloud session messages are combined into binding results. Taking Q state-type interaction logs (Q is an integer greater than 1; they can represent, for example, interaction logs in different service states), two ideas are introduced. In idea 1, if cloud session message a exists in all Q state-type interaction logs, it can form a cloud session message binding result; if cloud session message b exists in only W state-type interaction logs (W is an integer smaller than Q), it cannot form a binding result and is deleted. Because every binding result then contains significant log content from each of the Q state-type interaction logs, the credibility of the binding result is improved. In idea 2, if cloud session message c exists in the state-type interaction logs at a set level, it can form a binding result; the set level may be chosen by a person skilled in the art according to the real situation, for example 0.7, 0.8 or 0.9, and the embodiment of the present invention does not further limit it. In other words, cloud session message c may exist in all Q state-type interaction logs, or only in set level × Q of them. Forming binding results by idea 1 improves their reliability, while forming binding results by idea 2 improves their comprehensiveness.
According to the embodiment of the invention, several cloud session message binding results can be obtained by way of idea 1 or idea 2, and one binding result reflects the same cloud session message existing in different state-type interaction logs.
It can be understood that whether the binding results are obtained by idea 1 or idea 2, some cloud session messages may remain unbound. In the embodiment of the invention, the relative distribution identifiers are determined only for the cloud session messages that belong to the binding results; in other words, the cloud session messages that cannot form a binding result are deleted, which, compared with obtaining the relative distribution identifiers of all cloud session messages, reduces unnecessary resource overhead in the computation. In addition, because the relative distribution identifiers belong to cloud session messages in the binding results, the significant log content used when the diversified expression content of each cloud session message is later obtained comes from several state-type interaction logs, so the precision of the diversified expression content is improved.
For the embodiment of the invention, each state-type interaction log covers several cloud session messages. Because the state-type interaction logs are logs of abnormal activity events in the same cloud service process, the cloud session messages in different state-type interaction logs are consistent, so the relative distribution identifiers of the cloud session messages are non-exclusive. In the embodiment of the invention, one of the state-type interaction logs is determined as the reference-type interaction log, and dynamic log adjustment is performed on the cloud service process corresponding to the reference-type interaction log based on the binding results. This yields the relative distribution identifiers of the cloud session messages corresponding to the binding results, that is, the relative distribution identifiers of the cloud session messages across the state-type interaction logs.
In a possible technical solution, the recognition device may, on the basis of the cloud session message binding results, perform artificial intelligence level adjustment processing (for example, static feature modeling) on the cloud service process corresponding to the reference-type interaction log among the state-type interaction logs, and thereby obtain the relative distribution identifiers of the cloud session messages corresponding to the binding results.
The embodiment of the invention can also perform artificial intelligence level adjustment processing (for example, dynamic feature modeling) on the cloud service process corresponding to the reference-type interaction log based on the binding results, and obtain the relative distribution identifiers of the cloud session messages corresponding to the binding results, which improves the accuracy and reliability of the cloud session messages.
In a possible technical solution, when the service interaction log includes several state-type interaction logs and the cloud session message binding results of embodiment 1 are used, determining the diversified expression content of each cloud session message by combining the significant log content, the relative distribution identifiers and the log label data may be implemented as follows. The recognition device combines the significant log content of each state-type interaction log, its log label data and the relative distribution identifiers of its cloud session messages to obtain the attention expression content of each cloud session message in each state-type interaction log; then, based on the binding results, it splices the attention expression contents that point to the same cloud session message in each state-type interaction log to obtain the diversified expression content of each cloud session message.
It can be understood that when the service interaction log includes several state-type interaction logs, mining the significant log content of the service interaction log means mining the significant log content of each state-type interaction log to obtain the locally significant log content of each state-type interaction log; the significant log content then consists of the locally significant log contents of the several state-type interaction logs. For ease of understanding, the locally significant log content of each state-type interaction log is simply referred to as significant log content below, without distinguishing the two.
For the embodiment of the invention, for each state-type interaction log, the significant log content, the log label data and the relative distribution identifiers of the cloud session messages are spliced to obtain the attention expression content (for example, independent feature information) of each cloud session message in that state-type interaction log. Because a binding result reflects the same cloud session message existing in different state-type interaction logs, the attention expression contents of that cloud session message from the different state-type interaction logs are spliced to obtain its diversified expression content. In this way, the diversified expression content of each cloud session message is obtained.
For the embodiment of the invention, the diversified expression content of a cloud session message comprises several attention expression contents, and each attention expression content comprises the significant log content of a state-type interaction log, the log label data and the relative distribution identifiers of the cloud session messages, so the integrity of the diversified expression content is improved.
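Embodiment 1 end to end, as an added example that is not the patent's code: it serves both the binding discussion (idea 1 versus idea 2 across Q state-type interaction logs, with unbound messages dropped) and the splicing of attention expression content into diversified expression content described just above. The data model is an assumption (a state-type interaction log is a log label plus a mapping from cloud session message id to its significant log content), and so is the form of the relative distribution identifier, which the patent leaves to the dynamic log adjustment; here it is the message's position in the reference-type log.

```python
"""Added example, not the patent's code: embodiment 1 on constructed data.
Covers (a) binding the same cloud session message across Q state-type
interaction logs by idea 1 (present in all Q) or idea 2 (present in at
least set_level * Q of them), (b) an assumed form of relative distribution
identifier taken from the reference-type log, and (c) splicing the
attention expression content from each log into the message's diversified
expression content.
Data model is an assumption: a state-type interaction log is a log label
plus a mapping message id -> significant log content (a string)."""
import math
import random
from typing import Dict, List, Tuple


class StateTypeLog:
    def __init__(self, label: str, messages: Dict[str, str]):
        self.label = label        # log label data
        self.messages = messages  # cloud session message id -> significant log content


def bind_cloud_session_messages(logs: List[StateTypeLog], set_level: float = 1.0,
                                seed: int = 0) -> Tuple[int, Dict[str, List[int]]]:
    """Return (reference log index, binding results).
    A binding result maps a message id to the indexes of the logs holding it.
    set_level == 1.0 is idea 1; a smaller set_level is idea 2."""
    q = len(logs)
    if q < 2:
        raise ValueError("need at least two state-type interaction logs")
    reference = random.Random(seed).randrange(q)   # one log chosen at random as reference
    required = max(1, math.ceil(set_level * q))
    presence: Dict[str, List[int]] = {}
    for i, log in enumerate(logs):
        for message_id in log.messages:
            presence.setdefault(message_id, []).append(i)
    # messages seen in too few logs cannot form a binding result and are dropped
    bound = {m: idx for m, idx in presence.items() if len(idx) >= required}
    return reference, bound


def relative_distribution_identifiers(logs: List[StateTypeLog], bound: Dict[str, List[int]],
                                      reference: int) -> Dict[str, int]:
    """Assumption: the identifier is the message's position in the reference
    log; bound messages absent from the reference log (possible under idea 2)
    are numbered after them. One identifier per message, shared by all logs."""
    ordered = [m for m in logs[reference].messages if m in bound]
    ordered += sorted(m for m in bound if m not in logs[reference].messages)
    return {m: pos for pos, m in enumerate(ordered)}


def attention_expression_content(log: StateTypeLog, message_id: str, rdi: int) -> str:
    """Significant log content + log label + relative distribution identifier."""
    return f"[{log.label}] {log.messages[message_id]} @rdi={rdi}"


def diversified_expression_content(logs: List[StateTypeLog], set_level: float = 1.0,
                                   seed: int = 0) -> Dict[str, str]:
    """Splice the attention expression contents of one message from every log it is bound in."""
    reference, bound = bind_cloud_session_messages(logs, set_level, seed)
    rdi = relative_distribution_identifiers(logs, bound, reference)
    result = {}
    for message_id, log_indexes in bound.items():
        parts = [attention_expression_content(logs[i], message_id, rdi[message_id])
                 for i in sorted(log_indexes)]
        result[message_id] = " || ".join(parts)
    return result


# Constructed: Q = 3 logs of one abnormal activity event in three service states.
SAMPLE_LOGS = [
    StateTypeLog("state:auth", {"msg-a": "repeated logins from one tenant",
                                "msg-b": "reused session token",
                                "msg-c": "password reset request"}),
    StateTypeLog("state:storage", {"msg-a": "bulk object delete",
                                   "msg-b": "list of all buckets"}),
    StateTypeLog("state:network", {"msg-a": "outbound transfer spike"}),
]

if __name__ == "__main__":
    for level in (1.0, 0.6):
        print(f"set_level={level}:")
        for m, content in diversified_expression_content(SAMPLE_LOGS, level).items():
            print(" ", m, "->", content)
```

With the three constructed logs, idea 1 binds only msg-a (present in all three), while idea 2 with a set level of 0.6 also binds msg-b (present in two of three, and ceil(0.6 × 3) = 2); msg-c is dropped under both ideas, so no relative distribution identifier or diversified expression content is computed for it, which is the resource saving the text describes.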
Embodiment 2: when the service interaction log includes an independent-type interaction log, performing dynamic adjustment processing in combination with the significant log content and determining the relative distribution identifiers of several cloud session messages in the adjusted interaction log may be implemented as follows. The recognition device performs constraint adjustment on the cloud service process corresponding to the independent-type interaction log based on the significant log content, and determines the relative distribution identifiers of the cloud session messages in the independent-type interaction log.
For the embodiment of the invention, when the service interaction log is an independent-type interaction log (which can be understood as a single interaction log), the independent-type interaction log comprises several cloud session messages, and constraint adjustment is performed on the cloud service process corresponding to it in combination with the significant log content to obtain the relative distribution identifiers of those cloud session messages. Constraint adjustment may be understood as adjusting the independent-type interaction log based on a set prediction model so as to obtain the location tag of each cloud session message.
For the embodiment of the invention, determining the relative distribution identifiers of the cloud session messages in the independent-type interaction log by constraint adjustment based on the significant log content requires neither cloud session message binding nor dynamic log adjustment of the cloud service process corresponding to a reference-type interaction log among several state-type interaction logs. This reduces unnecessary resource waste, improves working efficiency and further ensures the quality of the dynamic log adjustment.
For the embodiment of the invention, the recognition device likewise determines the diversified expression content of each cloud session message of the independent-type interaction log by combining its significant log content, its log label data and the relative distribution identifiers of its cloud session messages. Compared with the traditional approach, in which intention keywords are difficult to separate from the service interaction logs, the embodiment of the invention determines the diversified expression content of each cloud session message through constraint adjustment of the independent-type interaction log, then performs big data attack intention mining and identification through the big data attack intention mining model to obtain the attack intention keyword of each cloud session message, and finally collects and sorts those keywords into the global attack intention keywords of the abnormal activity event, which improves the mining precision of the global attack intention keywords.
In a possible technical solution, step 103 may be implemented as follows. The recognition device mines the interaction log thermal content of the diversified expression contents of the cloud session messages through the mining submodel of the big data attack intention mining model to obtain the interaction log thermal content of each cloud session message, and identifies the interaction log thermal content of each cloud session message through the identification submodel of the big data attack intention mining model to obtain the attack intention keyword of each cloud session message.
For the embodiment of the invention, the diversified expression contents of the cloud session messages are loaded into the big data attack intention mining model, which performs big data attack intention mining on them and derives the attack intention keyword of each cloud session message. To make the mining process easier to understand, the big data attack intention mining model is divided into a mining submodel (which can be understood as a preprocessing layer) and an identification submodel (which can be understood as a trigger layer): the mining submodel mines the interaction log thermal content, and the identification submodel identifies the interaction log thermal content to obtain the attack intention keyword of each cloud session message.
For example, taking a GCN model as the big data attack intention mining model, the diversified expression contents of the cloud session messages are loaded into the GCN model to mine the interaction log thermal content. This is carried out in the upper half of the GCN model, which is referred to as the GCN mining submodel. The mining submodel mines and analyzes the interaction log thermal content of the diversified expression contents of the cloud session messages and derives a continuous key description content set, that is, the interaction log thermal content of each cloud session message. It can be understood that, as a global attack analysis, the GCN mining submodel adjusts the diversified expression content into interaction log thermal content; the interaction log thermal contents obtained for different abnormal activity events in different states differ, while those obtained for the same abnormal activity event in different states are in transfer connection.
In one possible solution, the big data attack intention mining model includes a specified number of network model nodes. Mining the interaction log thermal content of the diversified expression contents through the mining submodel to obtain the interaction log thermal content of each cloud session message may then be implemented as follows: determine the diversified expression contents of the specified number of cloud session messages among the diversified expression contents of all cloud session messages, and mine those diversified expression contents with the mining submodel of the big data attack intention mining model to obtain the interaction log thermal content of each cloud session message.
For the embodiment of the present invention, the GCN model includes a continuous classification network, and the specified number of network model nodes may be set by a person skilled in the art based on the real situation; for example, the specified number may be determined from the link quantity of the diversified expression contents, which the embodiment of the present invention does not further limit.
For example, if the number of network model nodes is set to 2000, the diversified expression contents of 2000 cloud session messages are chosen arbitrarily from all cloud session messages and loaded into the GCN model. Generally speaking, the larger the number of network model nodes, the more diversified expression contents can be subjected to big data attack intention mining and the more complete the obtained interaction log thermal content, which improves the reliability of the attack intention keywords.
For the embodiment of the invention, the number of diversified expression contents of cloud session messages in the service interaction log is large, and because the recognition device performs big data attack intention mining on only part of the diversified expression contents, unnecessary resource waste is reduced and the quality of the big data attack intention mining is further ensured.
For the embodiment of the invention, the interaction log thermal content of each cloud session message can be understood as a continuous key description content set. The lower half of the GCN model classifies and identifies the interaction log thermal contents of the cloud session messages and is referred to as the GCN identification submodel. The GCN identification submodel sorts and identifies the interaction log thermal contents of the different layers of the same cloud session message into the attack intention keyword of that cloud session message; that is, the attack intention keywords derived by the GCN model are at the session message dimension, which gives them higher precision.
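The split of the GCN model into a mining submodel (upper half) and an identification submodel (lower half), together with the subsampling to a specified number of network model nodes, as an added example in plain Python; it is not the patent's model. The patent does not give the GCN's layers, features or weights, so the two-layer form (one graph convolution producing the per-message thermal content vector, one producing the keyword distribution), the node features standing in for encoded diversified expression content, the edges standing in for transfer connections between messages, and the random weights are all assumptions. The keyword list reuses the keywords named earlier on the page.

```python
"""Added example, not the patent's code: a small graph convolutional network
in plain Python, arranged as the description arranges the GCN model.
  upper half  = mining submodel: per-message interaction log thermal content
                (a continuous vector, the 'continuous key description set')
  lower half  = identification submodel: that vector -> keyword distribution
The 'specified number of network model nodes' is a random subsample of the
messages. Node features (encoded diversified expression content), edges
(transfer connections between messages) and weights are all constructed."""
import math
import random
from typing import Dict, List, Tuple

KEYWORDS = ["malicious deletion", "privacy stealing", "information leakage", "traffic attack"]
Matrix = List[List[float]]


def matmul(a: Matrix, b: Matrix) -> Matrix:
    return [[sum(x * y for x, y in zip(row, col)) for col in zip(*b)] for row in a]


def normalized_adjacency(n: int, edges: List[Tuple[int, int]]) -> Matrix:
    """A_hat = D^-1/2 (A + I) D^-1/2 for an undirected edge list with self loops."""
    a = [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]
    for i, j in edges:
        a[i][j] = a[j][i] = 1.0
    deg = [sum(row) for row in a]
    return [[a[i][j] / math.sqrt(deg[i] * deg[j]) for j in range(n)] for i in range(n)]


def init_weights(rows: int, cols: int, seed: int) -> Matrix:
    rng = random.Random(seed)
    return [[rng.uniform(-0.5, 0.5) for _ in range(cols)] for _ in range(rows)]


def softmax(row: List[float]) -> List[float]:
    m = max(row)
    exps = [math.exp(v - m) for v in row]
    total = sum(exps)
    return [e / total for e in exps]


class GcnAttackIntentionModel:
    def __init__(self, in_dim: int, hidden_dim: int, n_keywords: int, seed: int = 1):
        self.w1 = init_weights(in_dim, hidden_dim, seed)          # mining submodel
        self.w2 = init_weights(hidden_dim, n_keywords, seed + 1)  # identification submodel

    def mining_submodel(self, a_hat: Matrix, x: Matrix) -> Matrix:
        """H = ReLU(A_hat X W1): one thermal content vector per message."""
        return [[max(0.0, v) for v in row] for row in matmul(a_hat, matmul(x, self.w1))]

    def identification_submodel(self, a_hat: Matrix, h: Matrix) -> Matrix:
        """softmax(A_hat H W2): one keyword distribution per message."""
        return [softmax(row) for row in matmul(a_hat, matmul(h, self.w2))]


def select_nodes(message_ids, specified_number: int, seed: int = 0) -> List[str]:
    """Arbitrarily pick the specified number of messages (all if there are fewer)."""
    ids = list(message_ids)
    if len(ids) <= specified_number:
        return ids
    return random.Random(seed).sample(ids, specified_number)


def mine_attack_intention_keywords(features: Dict[str, List[float]], edges: List[Tuple[str, str]],
                                   specified_number: int, model: GcnAttackIntentionModel):
    """Returns message id -> (thermal content, keyword probabilities, keyword)."""
    chosen = select_nodes(features, specified_number)
    index = {m: i for i, m in enumerate(chosen)}
    local_edges = [(index[u], index[v]) for u, v in edges if u in index and v in index]
    a_hat = normalized_adjacency(len(chosen), local_edges)
    thermal = model.mining_submodel(a_hat, [features[m] for m in chosen])
    probs = model.identification_submodel(a_hat, thermal)
    out = {}
    for m, i in index.items():
        best = max(range(len(KEYWORDS)), key=lambda k: probs[i][k])
        out[m] = (thermal[i], probs[i], KEYWORDS[best])
    return out


# Constructed: six messages with 4-dim encoded content and their transfer connections.
SAMPLE_FEATURES = {
    "m1": [1.0, 0.2, 0.0, 0.1], "m2": [0.9, 0.3, 0.1, 0.0], "m3": [0.1, 0.8, 0.7, 0.0],
    "m4": [0.0, 0.9, 0.6, 0.2], "m5": [0.2, 0.1, 0.1, 1.0], "m6": [0.1, 0.0, 0.3, 0.9],
}
SAMPLE_EDGES = [("m1", "m2"), ("m3", "m4"), ("m5", "m6"), ("m2", "m3")]

if __name__ == "__main__":
    model = GcnAttackIntentionModel(in_dim=4, hidden_dim=3, n_keywords=len(KEYWORDS))
    for m, (_, probs, kw) in mine_attack_intention_keywords(SAMPLE_FEATURES, SAMPLE_EDGES, 4, model).items():
        print(m, kw, [round(p, 3) for p in probs])
```

Because the weights are untrained, the keywords this block prints carry no meaning; what it shows is the data flow the text describes: only the sampled nodes and the edges among them enter the graph, the mining submodel yields one continuous vector per message, and the identification submodel turns that vector into a keyword at the session message dimension. Note that subsampling also removes edges whose other endpoint was not sampled, which is one reason the text expects a larger node count to give more complete thermal content.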
For the embodiment of the invention, because the service environment descriptions of different abnormal activity events in different states differ while the service environment description of the same abnormal activity event in different states has a transmission connection, the big data attack intention mining model can change the key description of each cloud session message in the diversified expression content into a key description that has a transmission connection with the service environment description. The key description after global attack analysis of the cloud service process can thus be identified, and the attack intention keyword of each cloud session message in the service interaction log can be determined. Compared with strategies that distinguish intention keywords through other types of logs, the method and device for analyzing the global attack intention corresponding to an abnormal activity event reduce the complexity and resource overhead of attack intention mining and identification to a certain extent and improve analysis efficiency.
For a possible technical scheme, before inputting diversified expression contents of a plurality of cloud session messages into a big data attack intention mining model, the method also comprises the process of debugging the big data attack intention mining model, and the big data attack intention mining model is debugged by using a verification type service interaction log paradigm. The big data attack intention mining model is determined through the following steps: determining an authentication type business interaction log example, wherein the authentication type business interaction log example comprises a plurality of state type interaction log examples of the abnormal activity event example and a global attack intention keyword example of the abnormal activity event example; loading an authentication type service interaction log example to a basic big data attack intention mining model to obtain undetermined global attack intention keywords of an abnormal activity event example; based on the undetermined global attack intention keywords of the abnormal activity event example and preset cost indexes, obtaining quantitative cost data; and debugging the basic big data attack intention mining model based on the quantitative cost data to obtain the big data attack intention mining model.
For the embodiment of the invention, the undetermined global attack intention keywords of the abnormal activity event paradigm are debugged and optimized by adopting the preset cost indexes, the quantitative cost data is calculated, then the basic big data attack intention mining model is debugged based on the quantitative cost data, and the big data attack intention mining model is obtained until the debugging end requirement is met, for example, the debugging round number meets the set round number, or the quantitative cost data (such as being understood as a loss value) meets the set judgment value and the like.
For the embodiment of the present invention, the cost index (loss function) set in advance can be set by those skilled in the art according to the actual situation, including but not limited to the cross entropy cost index, etc.
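The debugging loop described above, as an added example in Python that is not code from the patent: a keyword classifier is trained on the cross-entropy cost index and stops when either the round count or the loss threshold is reached. The three keyword classes, the feature vectors (constructed, three separated Gaussian clusters) and the softmax-regression model are assumptions standing in for the patent's big data attack intention mining model; the GCN itself is not reproduced.

```python
"""Added example (not the patent's code): debugging (training) a keyword
classifier on the cross-entropy cost index until a round limit or a loss
threshold is met. Softmax regression stands in for the mining model."""
import math
import random

# Assumed keyword classes; the patent does not give the label set.
KEYWORDS = ["malicious_deletion", "traffic_attack", "credential_stuffing"]

def make_samples(n_per_class=20, seed=7):
    """Constructed verification-type samples: (feature vector, keyword index).
    Three separated Gaussian clusters, one per keyword; values are invented."""
    rng = random.Random(seed)
    centers = [(3.0, 0.5, 0.2), (0.3, 3.0, 0.4), (0.4, 0.5, 3.0)]
    samples = []
    for label, center in enumerate(centers):
        for _ in range(n_per_class):
            samples.append(([c + rng.gauss(0.0, 0.5) for c in center], label))
    return samples

def softmax(z):
    m = max(z)
    e = [math.exp(v - m) for v in z]
    s = sum(e)
    return [v / s for v in e]

def predict_proba(weights, biases, x):
    """Pending (undetermined) keyword distribution for one sample."""
    z = [sum(w * xi for w, xi in zip(weights[k], x)) + biases[k]
         for k in range(len(biases))]
    return softmax(z)

def cross_entropy(weights, biases, samples):
    """Quantitative cost data: mean cross-entropy over the sample set."""
    total = 0.0
    for x, y in samples:
        total -= math.log(max(predict_proba(weights, biases, x)[y], 1e-12))
    return total / len(samples)

def train(samples, n_classes, n_features, max_rounds=500, loss_target=0.1, lr=0.1):
    """Batch gradient descent; stops when rounds reach max_rounds or the loss
    falls to loss_target. Returns (weights, biases, rounds_run, final_loss)."""
    weights = [[0.0] * n_features for _ in range(n_classes)]
    biases = [0.0] * n_classes
    loss = cross_entropy(weights, biases, samples)
    rounds = 0
    n = len(samples)
    while rounds < max_rounds and loss > loss_target:
        grad_w = [[0.0] * n_features for _ in range(n_classes)]
        grad_b = [0.0] * n_classes
        for x, y in samples:
            p = predict_proba(weights, biases, x)
            for k in range(n_classes):
                err = p[k] - (1.0 if k == y else 0.0)  # d(loss)/d(logit_k)
                grad_b[k] += err
                for j in range(n_features):
                    grad_w[k][j] += err * x[j]
        for k in range(n_classes):
            biases[k] -= lr * grad_b[k] / n
            for j in range(n_features):
                weights[k][j] -= lr * grad_w[k][j] / n
        rounds += 1
        loss = cross_entropy(weights, biases, samples)
    return weights, biases, rounds, loss

def predict_keyword(weights, biases, x):
    """Attack intention keyword with the highest pending probability."""
    p = predict_proba(weights, biases, x)
    return KEYWORDS[max(range(len(p)), key=p.__getitem__)]

if __name__ == "__main__":
    data = make_samples()
    w, b, rounds, loss = train(data, len(KEYWORDS), 3)
    print(f"stopped after {rounds} rounds, loss={loss:.4f}")
    print(predict_keyword(w, b, [3.0, 0.5, 0.2]))
```

Both stop conditions are checked in the `while` header, so the loop ends on whichever is hit first; with zero initial weights the starting loss is ln 3 for three classes, which is a useful sanity check before any round runs.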
In one possible solution, the verification-type service interaction log sample is determined as follows: collect interaction logs of the abnormal activity event sample through a log acquisition thread to obtain several state-type interaction log samples of the event sample; determine the global attack intention keyword sample of the event sample after significance processing of its global attack intention keyword; or determine several state-type interaction log sample sets and perform attack intention identification on them under a preset attack intention identification strategy to obtain the global attack intention keyword sample of the event sample.
The verification-type service interaction log sample used during debugging (which may be understood as a training sample) comprises several state-type interaction log samples of abnormal activity event samples and the global attack intention keyword samples of those event samples. The state-type interaction log samples may be collected by an ordinary log acquisition thread, or an a priori set of state-type interaction log samples may be referenced directly.
The global attack intention keyword samples of the abnormal activity event samples may be determined one by one according to the type of state-type interaction log sample: for log samples collected by the acquisition thread, the global attack intention keyword of each abnormal activity event may be labelled manually; for an a priori state-type interaction log sample set, the keywords may be obtained by identification under a preset, high-accuracy attack intention identification strategy.
The preset attack intention identification strategy may be chosen by the skilled person according to the real situation, including but not limited to global attack intention mining based on artificial intelligence (that is, the application of neural networks to big data attack intention identification), provided that it can perform attack intention identification on several state-type interaction log sample sets and determine the global attack intention keyword of the abnormal activity event.
The identification device for the global attack intention corresponding to the abnormal activity event can thus determine the verification-type service interaction log sample through different strategies, which improves the completeness of the debugging sample set.
In one possible solution, step 104 is implemented as follows. The identification device clusters the cloud session messages of the service interaction log into several session message clusters, one per abnormal activity event; for each cluster, the attack intention keyword of each cloud session message in it is obtained from the big data attack intentions of the cloud session messages in the service interaction log; the attack intention keywords of each cluster are then collated to obtain the global attack intention keyword pointing to that abnormal activity event, and this is repeated until every cluster has been collated, giving the global attack intention keywords of the different abnormal activity events in the service interaction log.
The service interaction log may contain one or several abnormal activity events. When there are several, the cloud session messages of the log belong to several events, so they must be clustered (grouped); each group may be understood as one abnormal activity event, which separates the cloud session messages of different groups (events) and yields several session message clusters (session message sets), one per abnormal activity event.
Clustering is performed on the cloud session messages in the log. When the service interaction log is an independent interaction log, its cloud session messages are clustered into several session message clusters, one per abnormal activity event. The clustering may use the K-means algorithm; its purpose is to collect the cloud session messages that point to the same abnormal activity event, for example to distinguish, in a log covering two events, which cloud session messages belong to event A and which to event B.
In one possible scheme, the clustering is performed by a clustering processing thread. The clustering thread may be a support vector machine of any variant; the embodiment does not further limit its architecture, as long as it can cluster the cloud session messages. Note that a support vector machine is a supervised classifier: used in this role it needs labelled messages to learn the event boundaries, whereas K-means needs none.
In this embodiment, therefore, the identification device clusters the cloud session messages of the service interaction log into several session message clusters, one per abnormal activity event; for each cluster it determines the attack intention keyword of each cloud session message from the big data attack intentions of the messages in the service interaction log; and it collates those keywords to obtain the global attack intention keyword pointing to the same abnormal activity event. Collating the attack intention keywords of several cloud session messages through the session message cluster helps improve clustering accuracy.
In one possible solution, when the service interaction log comprises several state-type interaction logs, clustering is implemented as follows: the identification device clusters the cloud session messages of a reference-type interaction log, which is one of the several state-type interaction logs, into several session message clusters, one per abnormal activity event.
Since the several state-type interaction logs all record the abnormal activity events of the same cloud service process, one of them is chosen as the reference-type interaction log, and the abnormal activity events it covers are the same as those covered by the full set of state-type interaction logs. Clustering the cloud session messages of the reference-type interaction log into several session message clusters, one per abnormal activity event, improves the quality of the clustering.
Alternatively, the cloud session messages of each state-type interaction log may be clustered separately into several session message clusters per log, and the clusters of all the logs then simplified and merged into several session message clusters corresponding to the different abnormal activity events. Clustering each state-type interaction log separately avoids omitting abnormal activity events caused by interaction state factors and improves the completeness of the clustering result.
The reference-type interaction log used for dynamically adjusting the log based on the binding results of the cloud session messages is the same log as the reference-type interaction log used here. Because the same reference log is used for the dynamic adjustment and for the subsequent clustering, the logs applied before and after are identical, which keeps the log dynamic adjustment consistent.
Each cloud session message carries description content such as a relative distribution identifier (e.g. a positioning tag) and log tag data (e.g. a tag feature value), and the big data attack intention of the cloud session message carries the same description content. Since the cloud session message set comprises several cloud session messages, each with its relative distribution identifier and log tag data, the corresponding cloud session message can be located in the big data attack intention set by this description content, which gives the big data attack intention of that message. Identifying every cloud session message in a session message cluster in this way gives the big data attack intention of each message in the cluster.
The attack intention keywords derived by the GCN model are at session message granularity, so the keywords of the cloud session messages must be collated. Because a session message cluster comprises several cloud session messages pointing to the same abnormal activity event, collating the attack intention keywords of each message in a cluster yields the global attack intention keyword pointing to that event.
To summarise: the identification device clusters the cloud session messages of the service interaction log into several session message clusters, one per abnormal activity event; obtains, for each cluster, the attack intention keyword of each cloud session message from the big data attack intentions in the service interaction log; and collates the keywords of each cluster into the global attack intention keyword of the same abnormal activity event, repeating until every cluster has been collated, which gives the global attack intention keywords of the different abnormal activity events in the service interaction log. This reduces the complexity and resource overhead of attack intention mining and identification and in turn improves the analysis accuracy of the global attack intention corresponding to the abnormal activity event.
In one possible solution, collating the attack intention keywords of each cloud session message in a session message cluster into the global attack intention keyword pointing to the same abnormal activity event is implemented as follows: the identification device summarises identical attack intention keywords across the cloud session messages of each cluster, obtaining a summary result (count) for each keyword, and determines the global attack intention keyword from the summary results and a specified summary condition.
Because a session message cluster comprises several cloud session messages pointing to the same abnormal activity event and their attack intention keywords may differ, each attack intention keyword in each cluster must be summarised and the global attack intention keyword of the event chosen among them.
The specified summary condition may be set by the skilled person according to the real situation; for example, it may be expressed relative to the number of cloud session messages, such as 0.5, 0.4 or 0.3 of that number. With the condition set to 0.4 of the number of cloud session messages, if the summary results are: malicious deletion, 44% of the cloud session messages; traffic attack, 15%; then malicious deletion is taken as the global attack intention keyword of the abnormal activity event. Determining the global attack intention keyword of the event corresponding to a cluster from the attack intention keywords whose summary result exceeds the specified summary condition improves the precision and reliability of the global attack intention keyword.
Alternatively, the global attack intention keyword may be determined from the summary results as follows: divide the summary result of each attack intention keyword by the number of cloud session messages to obtain the summary probability of each keyword, then take the keyword with the highest probability as the global attack intention keyword of the abnormal activity event corresponding to the session message cluster.
In one possible solution, step 102 is implemented as follows. The identification device clusters the cloud session messages of the service interaction log into several session message clusters, one per abnormal activity event, and then performs dynamic adjustment processing on the session message clusters of the different abnormal activity events to determine the diversified expression content of the cloud session messages corresponding to those events in the service interaction log.
That is, the big data attack processing method for cloud services may also cluster the cloud session messages of the service interaction log to identify the cloud session message sets belonging to different abnormal activity events; for the message set of each abnormal activity event, dynamically adjust the cloud service process corresponding to that event to obtain the diversified expression content of its cloud session messages; and then run big data attack intention mining and identification on that content with the big data attack intention mining model to obtain the attack intention keyword of each cloud session message of the event.
The identification device may therefore cluster the cloud session messages of the service interaction log first and then perform dynamic adjustment and big data attack intention mining, or perform dynamic adjustment and mining first and cluster afterwards. If the service interaction log records a single abnormal activity event in a single cloud service process, no clustering step is required. The embodiment does not further limit the order in which clustering is performed.
One application scenario of the embodiment is set out in the following implementation.
Before the global attack intention keyword of the abnormal activity event is mined from the service interaction log, the embodiment also includes a debugging (training) stage for the GCN model: several state-type interaction log samples and global attack intention keyword samples of the cloud service process are determined and used to build the debugging information set. The state-type interaction log samples may be collected by a log acquisition thread, or an a priori sample set may be referenced directly. The global attack intention keyword samples are determined according to the type of state-type interaction log sample: for samples collected by the acquisition thread, the global attack intention keyword of each abnormal activity event may be labelled manually; for an a priori sample set, the keywords may be mined with a preset, relatively high-accuracy attack intention identification strategy. The GCN model is debugged on the prepared debugging information set and the debugged model is stored.
The following description uses a GCN model as the big data attack intention mining model, a service interaction log comprising Q state-type interaction logs (Q an integer greater than 1), a log acquisition device as the log acquisition thread, artificial-intelligence-level adjustment processing as the log dynamic adjustment, quantized positioning data as the relative distribution identifier, and a tag feature value as the log tag data. In the determination stage for the global attack intention keyword, several groups of logs of a single cloud service process in different states are loaded into the debugged GCN model to obtain the global attack intention keyword corresponding to the abnormal activity event in that cloud service process.
In one possible scheme, the embodiment provides another big data attack processing method for cloud services with the following steps.
Step 301: determine Q state-type interaction logs.
Step 302: perform dynamic adjustment processing on the Q state-type interaction logs to obtain the diversified expression content of the cloud session messages.
Step 303: input the diversified expression content of the cloud session messages into the GCN model for big data attack intention mining and identification, obtaining the attack intention keyword of each cloud session message.
Step 304: determine the global attack intention keyword of the abnormal activity event from the attack intention keywords of the cloud session messages.
The mining of the global attack intention keyword corresponding to the abnormal activity event thus covers two stages: the diversified expression of the service interaction log and the mining of attack intention keywords with the GCN model. Each is explained below.
The diversified expression of the service interaction log (steps 301 and 302 above) comprises steps 401 to 406.
Step 401: determine Q state-type interaction logs.
Step 402: pre-process the Q state-type interaction logs to obtain Q pre-processed state-type interaction logs. Pre-processing includes feature discriminability optimisation and interference (noise) attenuation.
Step 403: mine the salient log content of each of the Q pre-processed state-type interaction logs to obtain the salient log content of each log.
For example, the salient log content of each of the Q state-type interaction logs may be mined with a neural network model.
Step 404: pair and bind messages across the state-type interaction logs based on the salient log content of the Q logs, obtaining several cloud session message binding results.
One group of logs is selected from the Q state-type interaction logs as the reference-type interaction log, and the remaining logs are matched to it so that the threads corresponding to the Q logs are as compatible as possible. Cloud session message binding is then performed on the matched Q logs, giving several cloud session message binding results; each binding result contains Q pieces of salient log content, one from each of the Q state-type interaction logs. During clustering, the reference-type interaction log is clustered as well, and the global attack intention keyword of the abnormal activity event is derived from the attack intention keywords of the cloud session messages.
Step 405: perform artificial-intelligence-level adjustment processing on the cloud service process based on the cloud session message binding results, determining the feature location data of the cloud session messages in each binding result.
The purpose of the log dynamic adjustment is to determine the feature location data of the cloud session message in the binding result, which reduces unnecessary resource overhead.
Step 406: for each state-type interaction log, collate the salient log content, tag feature value, feature location data and the feature discriminability corresponding to that location data into one key description content; then, following the cloud session message binding result, concatenate the key description contents of the different state-type interaction logs into a key description content set, giving the key description content set of each cloud session message. The key description content is the attention expression content of a cloud session message; the key description content set is its diversified expression content.
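Steps 404 to 406 as an added example in Python, not code from the patent: three constructed state-type logs of one cloud service process are paired against a reference log, the per-message binding results are formed, and the key description content set (diversified expression content) of each message is assembled. The pairing key `msg_id`, the record fields and all values are assumptions; the salient-content mining of step 403 is taken as already done. Messages the reference log lacks are ignored, and a message missing from a non-reference log is reported rather than dropped, so Q entries per message are preserved.

```python
"""Added example (not the patent's code): pairing and binding cloud session
messages across Q state-type interaction logs against a reference log, then
assembling each message's key description content set."""

# Constructed sample: Q = 3 state-type interaction logs of one process.
# Each record carries an assumed message id ('msg_id') used as the pairing
# key, the salient log content, a tag feature value, feature location data
# ('loc') and the feature discriminability at that location ('ident').
STATE_LOGS = {
    "state_1": [
        {"msg_id": "m1", "salient": "DELETE /bucket/obj-17", "tag": 0.91, "loc": (12, 3), "ident": 0.88},
        {"msg_id": "m2", "salient": "GET /bucket/obj-17", "tag": 0.20, "loc": (13, 3), "ident": 0.90},
        {"msg_id": "m3", "salient": "PUT /bucket/obj-18", "tag": 0.35, "loc": (14, 3), "ident": 0.81},
    ],
    "state_2": [
        {"msg_id": "m1", "salient": "audit: object removed", "tag": 0.87, "loc": (12, 7), "ident": 0.79},
        {"msg_id": "m3", "salient": "audit: object written", "tag": 0.30, "loc": (14, 7), "ident": 0.83},
    ],
    "state_3": [
        {"msg_id": "m1", "salient": "alert: bulk delete", "tag": 0.95, "loc": (12, 9), "ident": 0.92},
        {"msg_id": "m2", "salient": "alert: none", "tag": 0.05, "loc": (13, 9), "ident": 0.70},
        {"msg_id": "m3", "salient": "alert: none", "tag": 0.05, "loc": (14, 9), "ident": 0.72},
        {"msg_id": "m4", "salient": "alert: login spray", "tag": 0.60, "loc": (15, 9), "ident": 0.66},
    ],
}

def bind_messages(state_logs, reference):
    """Step 404: match every other log to the reference log by msg_id.

    Returns (bindings, missing). bindings maps each reference msg_id to
    {state_name: record or None}; missing lists (msg_id, state_name) pairs
    that a non-reference log lacks, so gaps are reported, not silently lost.
    Messages absent from the reference log are ignored because the reference
    log defines the message set.
    """
    if reference not in state_logs:
        raise KeyError(f"reference log {reference!r} not among state logs")
    indexed = {name: {r["msg_id"]: r for r in recs} for name, recs in state_logs.items()}
    bindings, missing = {}, []
    for msg_id in indexed[reference]:
        bound = {}
        for name in state_logs:
            rec = indexed[name].get(msg_id)
            bound[name] = rec
            if rec is None:
                missing.append((msg_id, name))
        bindings[msg_id] = bound
    return bindings, missing

def key_description(record):
    """Step 406: one key description content per state-type log."""
    return (record["salient"], record["tag"], record["loc"], record["ident"])

def build_expression_sets(bindings):
    """Step 406: concatenate the per-state key descriptions into the key
    description content set of each message. A state with no matching record
    contributes None so every set keeps exactly Q entries."""
    return {
        msg_id: [key_description(r) if r is not None else None for r in bound.values()]
        for msg_id, bound in bindings.items()
    }

if __name__ == "__main__":
    b, missing = bind_messages(STATE_LOGS, "state_1")
    for msg_id, desc in build_expression_sets(b).items():
        print(msg_id, desc)
    print("missing:", missing)
```

The same reference log should later be the one that is clustered, as the text notes for step 409; keeping the reference name in one variable across both stages is the simplest way to guarantee that.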
The attack intention keyword mining of the GCN model (steps 303 and 304 above) comprises steps 407 to 409.
Step 407: load the diversified expression content sets of the cloud session messages into the GCN model one by one, and mine and identify salient log content from each set within the GCN model to obtain the interaction log heat content of each cloud session message.
The GCN model may be composed of a series of classification networks. The number of input nodes of the network model is set according to the actual situation and is usually determined by the number of cloud session message binding results. For example, if the number of network model nodes is set to 2000, 2000 diversified expression contents are chosen arbitrarily from those of the cloud session messages and loaded into the GCN model.
This stage is carried out in the upper half of the GCN model, regarded as the GCN mining sub-model. Because the diversified expression content of each cloud session message is separately subjected to salient log content mining and identification in the mining sub-model, a continuous key description content set, namely the interaction log heat content of each cloud session message, is derived. This attack analysis may be regarded as a global attack analysis: the GCN mining sub-model converts the diversified expression content into interaction log heat content, which differs between different abnormal activity events in different states and is transitively linked for the same abnormal activity event in different states.
Step 408: classify and identify the interaction log heat content of each cloud session message in the GCN model to obtain the attack intention keyword of each cloud session message.
After the continuous interaction log heat content is obtained in step 407, it is concatenated and identified by the lower half of the GCN, called the GCN identification sub-model, which collates the interaction log heat content of the same cloud session message across states and identifies it as an attack intention keyword.
Step 409: collate the attack intention keywords of the same abnormal activity event based on the attack intention keywords of the cloud session messages, deriving the global attack intention keyword of each abnormal activity event in the reference-type interaction log of the Q state-type interaction logs, the reference-type interaction log being one of the Q logs.
The attack intention keywords derived by the GCN are at session message granularity, so they must be collated. The embodiment clusters the reference-type interaction log with the clustering processing thread, collates the attributes of the abnormal activity event corresponding to each session message cluster, and derives the global attack intention keyword of each abnormal activity event.
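Step 409, and the summary-condition and maximum-probability rules given earlier for step 104 (the 44% malicious deletion versus 15% traffic attack example with a 0.4 condition), as one added example in Python that is not code from the patent. The per-message keywords and the cluster assignment are constructed; the real method obtains the cluster id by clustering (for example K-means) and here it is given directly. The block handles the two edge cases the text does not discuss: no keyword exceeds the summary condition, and the maximum summary probability is tied.

```python
"""Added example (not the patent's code): derive the global attack intention
keyword of each abnormal activity event from the per-message keywords of its
session message cluster, by summary condition or by maximum probability."""
from collections import Counter, defaultdict

# Constructed sample: (msg_id, event cluster id, per-message keyword) as a
# GCN-style model would emit them; cluster A has 9 messages, B has 5.
MESSAGE_KEYWORDS = [
    ("m01", "A", "malicious_deletion"), ("m02", "A", "malicious_deletion"),
    ("m03", "A", "malicious_deletion"), ("m04", "A", "malicious_deletion"),
    ("m05", "A", "credential_stuffing"), ("m06", "A", "credential_stuffing"),
    ("m07", "A", "credential_stuffing"), ("m08", "A", "traffic_attack"),
    ("m09", "A", "traffic_attack"),
    ("m10", "B", "traffic_attack"), ("m11", "B", "traffic_attack"),
    ("m12", "B", "port_scan"), ("m13", "B", "port_scan"),
    ("m14", "B", "brute_force"),
]

def cluster_by_event(messages):
    """Group records into session message clusters, one per event id."""
    clusters = defaultdict(list)
    for msg_id, event, keyword in messages:
        clusters[event].append((msg_id, keyword))
    return dict(clusters)

def summarize(cluster):
    """Summary result: how many messages in the cluster carry each keyword."""
    return Counter(keyword for _, keyword in cluster)

def global_keyword_by_threshold(cluster, ratio):
    """Keyword whose summary result exceeds ratio * cluster size (strictly,
    as in 44% > 40%). If several qualify the largest count wins (ties broken
    by keyword text, deterministically); if none does, return None so the
    caller can fall back or escalate instead of guessing."""
    counts = summarize(cluster)
    bar = ratio * len(cluster)
    qualified = [(n, kw) for kw, n in counts.items() if n > bar]
    if not qualified:
        return None
    return max(qualified)[1]

def global_keyword_by_max(cluster):
    """Summary probability = count / cluster size; return the keyword with
    the highest probability, or None when the top probability is tied."""
    if not cluster:
        return None
    counts = summarize(cluster)
    size = len(cluster)
    probs = sorted(((n / size, kw) for kw, n in counts.items()), reverse=True)
    if len(probs) > 1 and probs[0][0] == probs[1][0]:
        return None
    return probs[0][1]

def global_keywords(messages, ratio=0.4):
    """End to end: summary condition first, maximum probability as fallback.
    A None value marks an event whose intention could not be settled."""
    result = {}
    for event, cluster in cluster_by_event(messages).items():
        kw = global_keyword_by_threshold(cluster, ratio)
        result[event] = kw if kw is not None else global_keyword_by_max(cluster)
    return result

if __name__ == "__main__":
    for event, kw in global_keywords(MESSAGE_KEYWORDS).items():
        print(event, kw)
```

Cluster B shows why an unsettled result should be surfaced rather than forced: with a 0.4 condition nothing qualifies (two keywords sit at exactly 40%), and the maximum-probability rule is tied, so the event is returned as undetermined for review instead of receiving an arbitrary keyword.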
According to the big data attack processing method for the cloud service, the business service environment description of the cloud service process corresponding to the state type interactive logs is determined through the GCN, the global attack intention corresponding to the abnormal activity event is identified through the business service environment description, complexity and resource overhead of attack intention mining identification are reduced to a certain extent, the global attack intention corresponding to the abnormal activity event can be identified only by introducing a group of the state type interactive logs, and the global attack intention keyword corresponding to the abnormal activity event is obtained.
For a possible technical scheme, the embodiment of the invention can also identify the global attack intention corresponding to the abnormal activity event of the independent interaction log to obtain the global attack intention keyword corresponding to the abnormal activity event. For example, the identification device of the global attack intention corresponding to the abnormal activity event performs significant log content mining on the imported independent interaction log to obtain significant log content; based on the obvious log content, carrying out constraint adjustment on a cloud service process corresponding to the independent interaction log, and determining a relative distribution identifier of a plurality of cloud session messages in the independent interaction log; and sorting the significant log content, the relative distribution identifiers of the plurality of cloud session messages and the log label data to obtain diversified expression content of each cloud session message in the plurality of cloud session messages. And loading diversified expression contents of a plurality of cloud session messages into the GCN model. The GCN model performs overall attack analysis on the cloud service process through different cloud session messages in the independent interaction log, and performs overall attack analysis on the cloud service process through the obvious log content, the tag characteristic value and the quantitative positioning data of the independent interaction log and the relative relation of the different cloud session messages. Clustering a plurality of cloud session messages of the independent interaction log through a clustering processing thread, and obtaining attack intention keywords corresponding to abnormal activity events by combining attack intention keywords of each cloud session message derived by a GCN model.
Under some independently implementable design considerations, after the global attack intention keyword of the abnormal activity event is obtained, the method may further include: determining a corresponding big data attack defense strategy according to the global attack intention keyword of the abnormal activity event; and carrying out big data attack defense according to that strategy.
For example, a firewall or other defense mechanism may be deployed on the server side and/or the terminal side according to the big data attack defense strategy to implement the corresponding defense. Big data attack defense includes, but is not limited to, dynamic identity authentication, interception of abnormal operations, blacklist handling of risky service objects, and the like.
Under some independently implementable design ideas, determining a corresponding big data attack defense strategy according to the global attack intention keyword of the abnormal activity event may include the following: identifying the global attack intention keyword by a plurality of submodels of a preset attack protection model to obtain the target attack event characteristics corresponding to the global attack intention keyword; and determining the corresponding big data attack defense strategy according to those target attack event characteristics.
Under some independently implementable design ideas, identifying the global attack intention keyword by the plurality of submodels of the preset attack protection model to obtain the target attack event characteristics can be realized by the following technical scheme. The attack intention derived information corresponding to the global attack intention keyword is loaded into an information mining submodel of the preset attack protection model to obtain a first potential harm description and a second potential harm description of that derived information; both are derived by a plurality of sequentially connected information mining units, the first potential harm description by the information mining units other than the u-th unit and the second potential harm description by the u-th unit. The second potential harm description is loaded into a coarse analysis submodel of the preset attack protection model to obtain a target preliminary analysis result derived by that submodel, which is the preliminary analysis result corresponding to the target attack event located in the attack intention derived information of the global attack intention keyword. The first potential harm description, the second potential harm description, a third potential harm description and the target preliminary analysis result are loaded into a fine analysis submodel of the preset attack protection model to obtain the target attack event semantics of the target attack event derived by the fine analysis submodel, together with the target distribution information of the significant operation behavior data of the target attack event within the attack intention derived information of the global attack intention keyword. Here the third potential harm description is a potential harm description derived by an information mining unit in the coarse analysis submodel from an adjusted harm description, and the adjusted harm description is a description vector obtained by adjusting the second potential harm description.
On this basis, determining the corresponding big data attack defense strategy according to the target attack event characteristics can be realized by the following technical scheme: the big data attack defense strategy is determined according to the target attack event semantics of the target attack event and the target distribution information corresponding to the target attack event.
It can be understood that by further mining the target attack event characteristics (the target attack event semantics of the target attack event and the target distribution information corresponding to it), the data security risks that the global attack intention keyword may indicate are refined as far as possible, so that the big data attack defense strategy is determined in a targeted manner and a high matching degree between the defense strategy and the global attack intention keyword can be ensured as far as possible.
Based on the same inventive concept, fig. 2 shows a block diagram of a big data attack processing apparatus for cloud services according to an embodiment of the present invention, and the big data attack processing apparatus for cloud services may include the following modules that implement the relevant method steps shown in fig. 1.
The interaction log determining module 210 is configured to determine a service interaction log of an abnormal activity event in the cloud service process.
The expression content obtaining module 220 is configured to perform dynamic adjustment processing in combination with the service interaction log, and determine diversified expression contents of a plurality of cloud session messages in the service interaction log; the diversified expression content reflects the transfer condition between the key descriptions of the cloud session messages in the service interaction log.
The attack intention mining module 230 is configured to perform big data attack intention mining and identification on the diversified expression contents of the plurality of cloud session messages through the big data attack intention mining model to obtain an attack intention keyword of each cloud session message.
The keyword adjusting module 240 is configured to sort, based on the attack intention keyword of each cloud session message, the attack intention keywords of the different cloud session messages pointing to the same abnormal activity event, and obtain the global attack intention keyword of the abnormal activity event.
The embodiments of the invention can achieve the following technical effects. A service interaction log of an abnormal activity event in the cloud service process is determined, the service interaction log being a local interaction log obtained by a preset log obtaining thread. Dynamic adjustment processing is performed in combination with the service interaction log to determine the diversified expression contents of a plurality of cloud session messages in that log, where the diversified expression contents reflect the transfer condition among the key descriptions of the cloud session messages. Because the key descriptions of the cloud session messages of different abnormal activity events differ, while a transfer connection exists between the key descriptions of the cloud session messages of the same abnormal activity event, performing big data attack intention mining and identification on the diversified expression contents of the plurality of cloud session messages through the big data attack intention mining model lets the key description of each cloud session message in the diversified expression contents be adjusted to the key description that has a transfer connection with the attack intention, and thereby determines the attack intention keyword of each cloud session message. Based on the attack intention keyword of each cloud session message, the attack intention keywords of the different cloud session messages pointing to the same abnormal activity event are sorted to obtain the global attack intention keyword of that abnormal activity event.
According to this technical scheme, the service interaction logs acquired by the preset log acquisition thread can be mined and identified through the big data attack intention mining model, which reduces the complexity and resource overhead of attack intention mining and identification to a certain extent and allows the global attack intention keywords of abnormal activity events to be determined accurately and in time. Attack intention mining and identification for different abnormal activity events is thus realized, and targeted big data attack defense processing can subsequently be performed according to the global attack intention keywords.
The foregoing is only illustrative of the present application. Those skilled in the art can conceive of changes or substitutions based on the specific embodiments provided in the present application, and all such changes or substitutions are intended to be included within the scope of the present application.

Claims (10)

1. A big data attack processing method for cloud service is applied to a cloud server, and the method comprises the following steps:
determining a service interaction log of an abnormal activity event in a cloud service process; performing dynamic adjustment processing by combining the service interaction log, and determining diversified expression contents of a plurality of cloud session messages in the service interaction log, wherein the diversified expression contents reflect the transmission condition among key descriptions of the cloud session messages in the service interaction log;
performing big data attack intention mining and identification on diversified expression contents of the plurality of cloud session messages through a big data attack intention mining model to obtain an attack intention keyword of each cloud session message; and based on the attack intention keywords of each cloud session message, sorting the attack intention keywords of different cloud session messages pointing to the same abnormal activity event to obtain the global attack intention keywords of the abnormal activity event.
2. The method of claim 1, wherein the determining diversified expression contents of a plurality of cloud session messages in the service interaction log by performing dynamic adjustment processing in combination with the service interaction log comprises:
performing significant log content mining on the service interaction log to obtain the significant log content of the service interaction log; determining log label data of the service interaction log; performing dynamic adjustment processing in combination with the significant log content, and determining the relative distribution identifiers of a plurality of cloud session messages in the adjusted interaction log;
determining diversified expression content of each cloud session message in the plurality of cloud session messages by combining the significant log content, the relative distribution identifiers of the plurality of cloud session messages and the log tag data;
wherein the determining the diversified expression content of each cloud session message in the plurality of cloud session messages in combination with the significant log content, the relative distribution identifiers of the plurality of cloud session messages, and the log tag data comprises: combining the significant log content of each state-type interaction log, the log label data of each state-type interaction log and the relative distribution identifiers of the plurality of cloud session messages of each state-type interaction log to obtain the attention expression content of each cloud session message of the plurality of cloud session messages of each state-type interaction log; and splicing the attention expression contents pointing to the same cloud session message in each state-type interaction log based on the cloud session message binding result to obtain the diversified expression content of each cloud session message in the plurality of cloud session messages.
3. The method of claim 2, wherein the service interaction log comprises: a plurality of state-type interaction logs; and performing dynamic adjustment processing in combination with the significant log content to determine the relative distribution identifiers of the plurality of cloud session messages in the adjusted interaction log comprises:
based on the significant log content of each state type interaction log in the state type interaction logs, performing cloud session message binding on the state type interaction logs to obtain a plurality of cloud session message binding results, wherein one cloud session message binding result reflects the same cloud session message existing between different state type interaction logs;
performing log dynamic adjustment on a cloud service process corresponding to a reference type interactive log in the state type interactive logs based on the cloud session message binding results to obtain relative distribution identifiers of cloud session messages corresponding to the cloud session message binding results; wherein the reference-type interaction log is one of the plurality of state-type interaction logs.
4. The method of claim 1, wherein the determining diversified expression contents of a plurality of cloud session messages in the service interaction log by performing dynamic adjustment processing in combination with the service interaction log comprises:
clustering a plurality of cloud session messages in the service interaction log to obtain a plurality of session message clusters corresponding to different abnormal activity events; the session message cluster is matched with the abnormal activity events one by one;
and combining a plurality of session message clusters corresponding to different abnormal activity events in the service interaction log, performing dynamic adjustment processing, and determining diversified expression contents of a plurality of cloud session messages corresponding to different abnormal activity events in the service interaction log.
5. The method according to claim 1, wherein performing big data attack intention mining and identification on the diversified expression contents of the plurality of cloud session messages through the big data attack intention mining model to obtain an attack intention keyword of each cloud session message comprises:
mining the interaction log heat-map content of the diversified expression contents of the plurality of cloud session messages through a mining submodel of the big data attack intention mining model to obtain the interaction log heat-map content of each cloud session message;
identifying the interaction log heat-map content of each cloud session message through an identifier submodel of the big data attack intention mining model to obtain the attack intention keyword of each cloud session message; wherein the big data attack intention mining model is determined via the following steps: determining an authentication-type service interaction log example, wherein the authentication-type service interaction log example comprises a plurality of state-type interaction log examples of an abnormal activity event example and a global attack intention keyword example of the abnormal activity event example; loading the authentication-type service interaction log example into a basic big data attack intention mining model to obtain an undetermined global attack intention keyword of the abnormal activity event example; obtaining quantitative cost data based on the undetermined global attack intention keyword of the abnormal activity event example and a preset cost index; and debugging the basic big data attack intention mining model based on the quantitative cost data to obtain the big data attack intention mining model;
wherein, the determining an authentication-type service interaction log example comprises one of the following items:
performing interactive log acquisition on an abnormal activity event example through a log acquisition thread to obtain a plurality of state type interactive log examples of the abnormal activity event example; determining a global attack intention keyword example of the abnormal activity event example obtained after the global attack intention keyword of the abnormal activity event example is subjected to significance processing;
determining a plurality of state type interactive log example sets; and carrying out attack intention identification on the state type interaction log example sets based on a preset identification strategy of attack intention to obtain a global attack intention keyword example of the abnormal activity event example.
6. The method of claim 5, wherein the big data attack intent mining model includes a specified number of network model nodes; the mining submodel based on the big data attack intention mining model is used for mining the interactive log thermodynamic content of the diversified expression contents of the plurality of cloud session messages to obtain the interactive log thermodynamic content of each cloud session message, and the mining submodel comprises the following steps:
determining diversified expression contents of the specified number of cloud session messages in diversified expression contents of the number of cloud session messages;
and mining the diversified expression contents of the specified number of cloud session messages based on the mining submodel of the big data attack intention mining model to obtain the interactive log thermodynamic content of each cloud session message.
7. The method according to any of claims 2 to 3, wherein the service interaction log comprises: an independent interaction log; and performing dynamic adjustment processing in combination with the significant log content to determine the relative distribution identifiers of the plurality of cloud session messages in the adjusted interaction log comprises:
based on the significant log content, carrying out constraint adjustment on the cloud service process corresponding to the independent interaction log, and determining the relative distribution identifiers of a plurality of cloud session messages in the independent interaction log.
8. The method according to any one of claims 2 to 3, wherein the performing significant log content mining on the service interaction log to obtain significant log content of the service interaction log comprises:
performing at least one pre-operation of feature recognition degree optimization and interference reduction on the service interaction log to obtain a target interaction log on which the pre-operation has been completed;
and mining the significant log content of the target interaction log on which the pre-operation has been completed through a significant log content mining model to obtain the significant log content.
9. The method according to claim 1, wherein the sorting attack intention keywords of different cloud session messages pointing to the same abnormal activity event based on the attack intention keyword of each cloud session message to obtain a global attack intention keyword of the abnormal activity event comprises:
clustering a plurality of cloud session messages in the service interaction log to obtain a plurality of session message clusters corresponding to different abnormal activity events; the session message cluster is matched with the abnormal activity events one by one;
for each session message cluster, combining the big data attack intention of each cloud session message in the service interaction log to obtain an attack intention keyword of each cloud session message in each session message cluster;
the attack intention keywords of each cloud session message in each session message cluster are sorted to obtain global attack intention keywords pointing to the same abnormal activity event, and the global attack intention keywords of different abnormal activity events in the service interaction log are obtained until a plurality of session message clusters are sorted respectively;
wherein the service interaction log comprises: a plurality of state-type interaction logs; clustering a plurality of cloud session messages in the service interaction log to obtain a plurality of session message clusters corresponding to different abnormal activity events, including:
clustering a plurality of cloud session messages in a reference type interaction log of the state type interaction logs to obtain a plurality of session message clusters corresponding to different abnormal activity events; the reference type interaction log is one of the state type interaction logs;
the step of sorting attack intention keywords of each cloud session message in each session message cluster to obtain global attack intention keywords pointing to the same abnormal activity event includes:
summarizing the same attack intention keywords of each cloud session message in each session message cluster to obtain a summarized result of each attack intention keyword;
and determining global attack intention keywords corresponding to the same abnormal activity event by combining the summary result and the specified summary condition.
10. A cloud server, comprising: a memory and a processor; the memory and the processor are coupled; the memory for storing computer program code, the computer program code comprising computer instructions; wherein the computer instructions, when executed by the processor, cause the cloud server to perform the method of any of claims 1-9.
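The keyword aggregation of claim 9 (cluster the cloud session messages per abnormal activity event, summarize identical attack intention keywords within each cluster, then apply a specified summary condition) as an added Python example; this is not the patent's own code, and the message layout, the event identifiers, the confidence score and the concrete summary condition (minimum support plus no tie) are assumptions.

```python
"""Aggregate per-message attack-intention keywords into one global keyword per
abnormal activity event, following the structure of claim 9.

Added illustration: the SessionMessage layout, the confidence field and the
chosen summary condition are assumptions, not the patent's implementation.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SessionMessage:
    """One cloud session message after per-message intention mining."""
    message_id: str
    event_id: str       # abnormal activity event the message is clustered into
    keyword: str        # attack-intention keyword derived for this message
    confidence: float   # assumed score attached by the mining model


def cluster_by_event(messages):
    """Session message clusters, matched one-to-one with abnormal activity events."""
    clusters = defaultdict(list)
    for m in messages:
        clusters[m.event_id].append(m)
    return dict(clusters)


def summarize_keywords(cluster, min_confidence=0.0):
    """Summary result: tally of identical keywords inside one cluster.
    Messages below min_confidence are ignored but still count toward cluster size."""
    return Counter(m.keyword for m in cluster if m.confidence >= min_confidence)


def select_global_keyword(summary, cluster_size, min_support=0.5):
    """Specified summary condition (assumed): the most frequent keyword must cover
    at least min_support of the cluster and must not be tied with another keyword.
    Returns None when no single intention dominates, so the event can be routed to
    review instead of driving a mismatched defense strategy."""
    if not summary:
        return None
    ranked = summary.most_common(2)
    top_keyword, top_count = ranked[0]
    if len(ranked) > 1 and ranked[1][1] == top_count:
        return None  # tie between two intentions
    if top_count / cluster_size < min_support:
        return None  # dominant keyword is not supported by enough messages
    return top_keyword


def global_keywords(messages, min_support=0.5, min_confidence=0.0):
    """Global attack intention keyword (or None) for every event in the log."""
    result = {}
    for event_id, cluster in cluster_by_event(messages).items():
        summary = summarize_keywords(cluster, min_confidence)
        result[event_id] = select_global_keyword(summary, len(cluster), min_support)
    return result


# Constructed sample: three events with per-message keywords as a mining model
# might emit them (values are invented for illustration).
SAMPLE_MESSAGES = [
    SessionMessage("m1", "evt-A", "credential_stuffing", 0.91),
    SessionMessage("m2", "evt-A", "credential_stuffing", 0.84),
    SessionMessage("m3", "evt-A", "scanning", 0.40),
    SessionMessage("m4", "evt-B", "data_exfiltration", 0.77),
    SessionMessage("m5", "evt-B", "privilege_escalation", 0.73),
    SessionMessage("m6", "evt-C", "scanning", 0.30),
    SessionMessage("m7", "evt-C", "scanning", 0.35),
    SessionMessage("m8", "evt-C", "brute_force", 0.95),
]

if __name__ == "__main__":
    for event_id, keyword in global_keywords(SAMPLE_MESSAGES).items():
        print(event_id, keyword or "undetermined (needs review)")
```

Raising min_confidence to 0.5 drops the two weak "scanning" messages of evt-C, leaving a single high-confidence keyword that no longer meets the support threshold, so the event becomes undetermined rather than being labelled from one message.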
Application CN202210207127.5A, priority date 2022-03-04, filing date 2022-03-04: Big data attack processing method and server for cloud service. Status: Pending. Publication: CN114500099A (en).

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210207127.5A CN114500099A (en) 2022-03-04 2022-03-04 Big data attack processing method and server for cloud service


Publications (1)

Publication Number Publication Date
CN114500099A true CN114500099A (en) 2022-05-13

Family

ID=81485787


Country Status (1)

Country Link
CN (1) CN114500099A (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114866344A (en) * 2022-07-05 2022-08-05 佛山市承林科技有限公司 Information system data security protection method and system and cloud platform
CN114866344B (en) * 2022-07-05 2022-09-27 佛山市承林科技有限公司 Information system data security protection method and system and cloud platform
CN115022080A (en) * 2022-07-08 2022-09-06 济南盈速信息技术有限公司 Data attack processing method and server applied to smart cloud
CN115484112A (en) * 2022-09-29 2022-12-16 尚庆为 Payment big data security protection method and system and cloud platform
CN115941265A (en) * 2022-11-01 2023-04-07 南京鼎山信息科技有限公司 Big data attack processing method and system applied to cloud service
CN115941265B (en) * 2022-11-01 2023-10-03 南京鼎山信息科技有限公司 Big data attack processing method and system applied to cloud service


Legal Events

Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20220817

Address after: No. 25, Taonan Road, Shibei District, Qingdao City, Shandong Province, 266000

Applicant after: Pu Jiahong

Address before: 266000 313-26, No. 80 Anshan Road, Shibei District, Qingdao City, Shandong Province

Applicant before: Qingdao Dexin Network Technology Co.,Ltd.

WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20220513