CN114531287A - Method, device, equipment and medium for detecting virtual resource acquisition behavior - Google Patents


Publication number
CN114531287A
Authority
CN
China
Prior art keywords
virtual resource
resource acquisition
rule
rule set
behavior
Legal status
Granted
Application number
CN202210145576.1A
Other languages
Chinese (zh)
Other versions
CN114531287B (en)
Inventor
高志明
尚程
李鹏超
王泽政
傅强
梁彧
蔡琳
杨满智
王杰
田野
金红
陈晓光
Current Assignee
Eversec Beijing Technology Co Ltd
Original Assignee
Eversec Beijing Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00 Machine learning

Abstract

The invention discloses a method, a device, equipment and a medium for detecting a virtual resource acquisition behavior. The method comprises the following steps: acquiring a preset virtual resource acquisition rule base, the virtual resource acquisition rule base comprising a virtual resource acquisition protocol rule set and a virtual resource acquisition event rule set; performing full-traffic matching on the traffic of a network to be monitored according to the virtual resource acquisition protocol rule set, acquiring a first traffic packet which hits the virtual resource acquisition protocol rule set, and extracting a ticket file in the first traffic packet; performing key field matching on the ticket file according to the virtual resource acquisition event rule set to acquire a second traffic packet which hits the virtual resource acquisition event rule set; and identifying the virtual resource acquisition behavior of the second traffic packet according to the target virtual resource acquisition event rule hit by the second traffic packet. With this technical scheme, the virtual resource acquisition behavior can be accurately identified, and the accuracy of virtual resource acquisition behavior detection is improved.

Description

Method, device, equipment and medium for detecting virtual resource acquisition behavior
Technical Field
The present invention relates to the field of network information security technologies, and in particular, to a method, an apparatus, a device, and a medium for detecting a virtual resource acquisition behavior.
Background
With the rapid development of network technology, virtual resources have proliferated, and behaviors of acquiring virtual resources have gradually appeared.
In the prior art, in order to protect network information security, a detection technology based on a blacklist, a detection technology based on a virtual resource acquisition behavior, and a detection technology based on machine learning are mainly used to detect the virtual resource acquisition behavior.
However, the blacklist-based detection technology in the prior art has a high missed detection rate; detection techniques based on virtual resource acquisition behavior lack generalization; and the detection technology based on machine learning has higher false alarm and missed-report rates, which reduces the accuracy of virtual resource acquisition behavior detection. Therefore, how to accurately detect the virtual resource acquisition behavior is an urgent problem to be solved at present.
Disclosure of Invention
The invention provides a method, a device, equipment and a medium for detecting a virtual resource acquisition behavior, which can solve the problem of low accuracy rate of virtual resource acquisition behavior detection in the prior art.
According to an aspect of the present invention, a method for detecting a virtual resource acquisition behavior is provided, including:
acquiring a preset virtual resource acquisition rule base; the virtual resource acquisition rule base comprises a virtual resource acquisition protocol rule set and a virtual resource acquisition event rule set;
performing full-traffic matching on the traffic of a network to be monitored according to the virtual resource acquisition protocol rule set, acquiring a first traffic packet which hits the virtual resource acquisition protocol rule set, and extracting a ticket file in the first traffic packet;
performing key field matching on the ticket file according to the virtual resource acquisition event rule set to acquire a second traffic packet which hits the virtual resource acquisition event rule set;
and identifying the virtual resource acquisition behavior of the second traffic packet according to the target virtual resource acquisition event rule hit by the second traffic packet.
According to another aspect of the present invention, there is provided an apparatus for detecting a virtual resource acquisition behavior, the apparatus including:
the rule acquisition module is used for acquiring a preset virtual resource acquisition rule base; the virtual resource acquisition rule base comprises a virtual resource acquisition protocol rule set and a virtual resource acquisition event rule set;
the first matching module is used for performing full-traffic matching on the traffic of the network to be monitored according to the virtual resource acquisition protocol rule set, acquiring a first traffic packet which hits the virtual resource acquisition protocol rule set, and extracting a ticket file in the first traffic packet;
the second matching module is used for matching key fields of the ticket file according to the virtual resource acquisition event rule set and acquiring a second traffic packet which hits the virtual resource acquisition event rule set;
and the behavior identification module is used for identifying the virtual resource acquisition behavior of the second traffic packet according to the target virtual resource acquisition event rule hit by the second traffic packet.
According to another aspect of the present invention, there is provided an electronic apparatus including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores a computer program executable by the at least one processor, the computer program being executable by the at least one processor to enable the at least one processor to perform the method for detecting virtual resource acquisition behavior according to any of the embodiments of the present invention.
According to another aspect of the present invention, a computer-readable storage medium is provided, and computer instructions are stored in the computer-readable storage medium, and when the computer instructions are executed, the computer instructions are configured to enable a processor to implement the method for detecting the virtual resource acquisition behavior according to any embodiment of the present invention.
According to the technical scheme of the embodiment of the invention, full-traffic matching is performed on the traffic of a network to be monitored using the virtual resource acquisition protocol rule set in a preset virtual resource acquisition rule base, and the ticket file in each successfully matched first traffic packet is acquired; key field matching is performed on the ticket file using the virtual resource acquisition event rule set in the preset virtual resource acquisition rule base to acquire a successfully matched second traffic packet; and finally, the virtual resource acquisition behavior of the second traffic packet matched with the target virtual resource acquisition event rule is identified. This solves the problem of low accuracy of virtual resource acquisition behavior detection in the prior art and improves the accuracy of virtual resource acquisition behavior detection.
It should be understood that the statements in this section do not necessarily identify key or critical features of the embodiments of the present invention, nor do they necessarily limit the scope of the invention. Other features of the present invention will become apparent from the following description.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a flowchart of a method for detecting a virtual resource acquisition behavior according to an embodiment of the present invention;
Fig. 2a is a flowchart of a method for detecting a virtual resource acquisition behavior according to a second embodiment of the present invention;
Fig. 2b is a schematic structural diagram of a storage space construction process according to a second embodiment of the present invention;
Fig. 2c is a schematic structural diagram of a data mining algorithm model workflow provided according to the second embodiment of the present invention;
Fig. 2d is a flowchart of a preferred method for detecting virtual resource acquisition behavior according to the second embodiment of the present invention;
Fig. 3a is a schematic structural diagram of an apparatus for detecting a virtual resource acquisition behavior according to a third embodiment of the present invention;
Fig. 3b is a logic diagram of an apparatus for detecting a preferred virtual resource acquisition behavior according to a third embodiment of the present invention;
Fig. 4 is a schematic structural diagram of an electronic device implementing the method for detecting a virtual resource acquisition behavior according to the embodiment of the present invention.
Detailed Description
In order to make those skilled in the art better understand the technical solutions of the present invention, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
With the rapid development of network technologies, the behavior of acquiring virtual resources has gradually affected the security of network information.
In the prior art, in order to protect network information security, the following three methods are mainly adopted to detect the behavior of acquiring virtual resources:
(1) Detection technology based on a blacklist: the blacklist is a list including information such as the Uniform Resource Locator (URL) and domain name of malicious web pages, and is generally issued and maintained by an authority. Before the user accesses a web page, the information to be accessed is compared with the information in the blacklist, and if the comparison succeeds, the web page is identified as malicious and the user is prevented from accessing it.
(2) Detection technology based on virtual resource acquisition behavior: by analyzing the code, runtime behavior and communication mechanism of web pages that acquire virtual resources, features that distinguish such pages from normal pages are extracted, such as the scripts used to acquire virtual resources, Central Processing Unit (CPU) and memory usage, and traffic data packets, and these are used to identify whether a web page exhibits virtual resource acquisition behavior.
(3) Detection technology based on machine learning: a machine learning algorithm is applied to the identification of the virtual resource acquisition behavior, and automatic detection is realized by extracting the specific static or dynamic features of web pages that acquire virtual resources.
However, the existing network security detection technology has the following technical defects for monitoring the virtual resource acquisition behavior:
(1) The blacklist-based detection mode can only detect the URL or domain name of a website that has already been identified as acquiring virtual resources, and has no recognition capability for newly added web pages that acquire virtual resources. Secondly, most blacklists are updated more slowly than the domain names used for acquiring virtual resources change, so this detection mode has a high missed detection rate.
(2) The detection technology based on the virtual resource acquisition behavior relies on too narrow a set of detection features, and most evaluation standards are subjectively defined by researchers after observation and analysis, so it lacks generalization.
(3) Machine learning-based detection techniques require a large number of data sets, and the acquisition of data sets is a difficult point of research. In addition, most schemes use only a single static or dynamic feature to identify mining behavior, resulting in higher false alarm and false negative rates.
Therefore, in order to accurately detect the virtual resource acquisition behavior and improve the accuracy of detecting the virtual resource acquisition behavior, the embodiment of the invention provides a method for detecting the virtual resource acquisition behavior.
Example one
Fig. 1 is a flowchart of a method for detecting a virtual resource acquisition behavior according to an embodiment of the present invention, where the method is applicable to a situation of detecting the virtual resource acquisition behavior, and the method may be executed by a detection apparatus for the virtual resource acquisition behavior, where the detection apparatus for the virtual resource acquisition behavior may be implemented in a form of hardware and/or software, and the detection apparatus for the virtual resource acquisition behavior may be configured in an electronic device, for example, a Deep Packet Inspection (DPI) device. As shown in fig. 1, the method includes:
S110, acquiring a preset virtual resource acquisition rule base; the virtual resource acquisition rule base comprises a virtual resource acquisition protocol rule set and a virtual resource acquisition event rule set.
The virtual resource acquisition rule base can refer to various rules which need to be met when virtual resource acquisition is carried out, and comprises a virtual resource acquisition protocol rule set and a virtual resource acquisition event rule set; the virtual resource acquisition protocol rule set may refer to a set consisting of protocol rules that need to be satisfied when a virtual resource is acquired; the virtual resource acquisition event rule set may refer to a set of acquisition event rules that need to be satisfied when a virtual resource is acquired.
Optionally, the virtual resource acquisition event rule includes the following rule parameters: the virtual resource pool domain name, the virtual resource pool internet protocol, the virtual resource pool port, the virtual resource type, the virtual resource field outlet internet protocol and the virtual resource acquisition device internet protocol.
S120, performing full-traffic matching on the traffic of the network to be monitored according to the virtual resource acquisition protocol rule set, acquiring a first traffic packet which hits the virtual resource acquisition protocol rule set, and extracting a ticket file in the first traffic packet.
The first traffic packet may refer to a traffic packet matching a virtual resource acquisition protocol rule in the virtual resource acquisition protocol rule set; the ticket file may refer to a table file containing field information in the first traffic packet, such as a domain name of a virtual resource pool, an Internet Protocol (IP) of a virtual resource acquisition device, or login information, and generally, a complete traffic interaction process corresponds to a ticket file.
Specifically, the virtual resource acquisition protocol rule set is used to perform rule matching on the full traffic of the network to be monitored, the traffic packets that satisfy a virtual resource acquisition protocol rule are screened out as first traffic packets, and fields in the first traffic packets are extracted to generate a ticket file for use in subsequent operations.
S130, performing key field matching on the ticket file according to the virtual resource acquisition event rule set, and acquiring a second traffic packet which hits the virtual resource acquisition event rule set.
Wherein, the key field matching may refer to matching fields in the ticket file by using key fields, such as a virtual resource pool domain name, a virtual resource acquisition device IP, a virtual resource pool port, a virtual resource type, a virtual resource field outlet IP, and a virtual resource acquisition device IP; the second traffic packet may refer to a traffic packet matching a virtual resource acquisition event rule in the virtual resource acquisition event rule set.
Specifically, after the ticket file is acquired from the first traffic packet, the key fields set in the virtual resource acquisition event rules are matched against the fields in the ticket file, and the traffic packet corresponding to a ticket file that matches the key fields of a virtual resource acquisition event rule is taken as the second traffic packet for use in the subsequent steps.
And S140, identifying the virtual resource acquisition behavior of the second traffic packet according to the target virtual resource acquisition event rule hit by the second traffic packet.
The target virtual resource acquisition event rule may refer to a virtual resource acquisition event rule matched with the second traffic packet after the virtual resource acquisition event rule set is matched, that is, the basic content information of the virtual resource acquisition behavior to be finally detected may be obtained through the target virtual resource acquisition event rule. Specifically, the second traffic packets are screened according to the target virtual resource acquisition event rule, the traffic packets meeting the target virtual resource acquisition event rule are obtained from the second traffic packets, and the key field information contained in the traffic packets is used as the virtual resource acquisition behavior.
According to the technical scheme of the embodiment of the invention, full-traffic matching is performed on the traffic of a network to be monitored using the virtual resource acquisition protocol rule set in a preset virtual resource acquisition rule base, and the ticket file in each successfully matched first traffic packet is acquired; key field matching is performed on the ticket file using the virtual resource acquisition event rule set in the preset virtual resource acquisition rule base to acquire a successfully matched second traffic packet; and finally, the virtual resource acquisition behavior of the second traffic packet matched with the target virtual resource acquisition event rule is identified. This solves the problem of low accuracy of virtual resource acquisition behavior detection in the prior art and improves the accuracy of virtual resource acquisition behavior detection.
Example two
Fig. 2a is a flowchart of a method for detecting a virtual resource acquisition behavior according to a second embodiment of the present invention, which is detailed based on the second embodiment of the present invention. In this embodiment, the step of performing full-traffic matching on the traffic of a network to be monitored according to the virtual resource acquisition protocol rule set, acquiring a first traffic packet hitting the virtual resource acquisition protocol rule set, and extracting a ticket file in the first traffic packet is refined, and may specifically include: comparing special identification characters of the head payload part of the full-traffic message, and extracting keyword information; and comparing the keyword information with the virtual resource acquisition protocol rule set to obtain a first traffic packet meeting the virtual resource acquisition protocol rule set, and extracting a ticket file in the first traffic packet. As shown in Fig. 2a, the method includes:
S210, acquiring a preset virtual resource acquisition rule base; the virtual resource acquisition rule base comprises a virtual resource acquisition protocol rule set and a virtual resource acquisition event rule set.
In an optional embodiment, before the acquiring of the preset virtual resource acquisition rule base, the method further includes: acquiring, through computer equipment, sample data containing a virtual resource acquisition device Internet protocol and a virtual resource pool address; forming, by a computer device, a data sample library according to at least one sample parameter included in each sample data, the sample parameters including: the association among the virtual resource pool, the virtual resource acquisition device, the virtual resource field, the virtual resource type, the virtual resource acquisition protocol and computing power; classifying the sample data in the data sample library by using each sample parameter as a classification factor to obtain a plurality of types of sample data groups; and monitoring the virtual resource acquisition behavior of each sample data group, and generating a virtual resource acquisition rule base containing virtual resource acquisition protocol rules and virtual resource acquisition event rules based on the monitored domain name system protocol and transmission control protocol. The data sample library is obtained by expanding the sample data according to its sample parameters, and it can be expanded according to the correspondence between the sample parameters.
Specifically, a batch of virtual resource acquisition device Internet protocol addresses and virtual resource pool addresses is selected as sample data, and the associations among the virtual resource pool, the virtual resource acquisition device, the virtual resource field, the virtual resource type, the virtual resource acquisition protocol and computing power are sorted out, with all sample parameters classified and organized. Then, for a certain amount of each kind of sample data, the virtual resource acquisition device connects to the virtual resource pool, acquires a virtual resource mining task and performs virtual resource acquisition; the virtual resource acquisition process, including workload and difficulty adjustment, is tracked and monitored to carry out feature analysis, Stratum protocol analysis and Domain Name System (DNS) protocol analysis. Virtual resource pool domain name rules are extracted based on the DNS protocol, along with virtual resource field outlet Internet protocol rules, virtual resource acquisition device Internet protocol rules, virtual resource pool outlet Internet protocol rules, DNS protocol rules, virtual resource pool Internet protocol rules, virtual resource type rules and the like. The virtual resource field outlet Internet protocol rule, the virtual resource acquisition device Internet protocol rule and the virtual resource pool Internet protocol rule are taken as the virtual resource acquisition protocol rule set, and the virtual resource pool domain name rule and the virtual resource type rule are taken as the virtual resource acquisition event rule set. This completes the establishment of the virtual resource acquisition rule base and provides a basis for the subsequent detection of virtual resource acquisition behaviors.
S220, comparing the special identification characters of the head payload part of the full-traffic message, and extracting keyword information.
Wherein, the special identification character can refer to an identifier containing a protocol identifier, such as a protocol fingerprint or a protocol keyword; the keyword information may refer to specific information corresponding to the special identifier character.
S230, comparing the keyword information with the virtual resource acquisition protocol rule set to obtain a first traffic packet meeting the virtual resource acquisition protocol rule set, and extracting a ticket file in the first traffic packet.
Specifically, the keyword information is matched by using a virtual resource acquisition protocol rule set, a traffic packet corresponding to the successfully matched keyword information is used as a first traffic packet, and a ticket file in the traffic packet is extracted, so that subsequent operations are facilitated.
S240, constructing a storage space according to the order of the virtual resource acquisition event rules in the virtual resource acquisition event rule set, and performing key field matching on the fields in the ticket file according to the full set of rules in the storage space until the full set of rules has traversed the fields of the ticket file, so as to obtain a second traffic packet which hits the virtual resource acquisition event rule set.
The order of the virtual resource acquisition event rules may be an arrangement order set according to the importance degree of the virtual resource acquisition event, or an arrangement order set autonomously according to the actual situation; for example, the arrangement order of the virtual resource acquisition event rules may be a domain name rule for acquiring the virtual resource, a protocol rule for acquiring the virtual resource, a software rule for acquiring the virtual resource, a category rule for acquiring the virtual resource, and a rule for acquiring the traffic of the virtual resource. As shown in Fig. 2b, the process of constructing the storage space specifically includes: first, establishing an index according to the order of each virtual resource acquisition event rule in the virtual resource acquisition event rule set, traversing each resource acquisition event rule in the resource acquisition event rule set, and acquiring the specific conditions that each resource acquisition event rule must satisfy. Then, the fields of the ticket file are traversed with the full set of rules, and the set of rules that match the virtual resource acquisition event is obtained.
And S250, identifying the virtual resource obtaining behavior of the second traffic packet according to the target virtual resource obtaining event rule hit by the second traffic packet.
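The two-stage matching of steps S220 to S250 (and S120 to S140 of Example one), as an added Python example that is not code from the patent. The packet dictionary layout, the `dns_name` field, the `EventRule` class and all addresses are constructed for illustration, and using Stratum JSON-RPC method names as the protocol keywords is an assumption.

```python
import json
from dataclasses import dataclass
from typing import Optional

HEAD_BYTES = 64  # only the head of the payload is compared (S220)
# Assumed protocol rule set: Stratum JSON-RPC method names as protocol keywords.
PROTOCOL_RULES = (b"mining.subscribe", b"mining.authorize")
MATCH_FIELDS = ("pool_domain", "pool_ip", "pool_port")


@dataclass(frozen=True)
class EventRule:
    """Event rule; a match parameter left as None is not checked."""
    name: str
    pool_domain: Optional[str] = None
    pool_ip: Optional[str] = None
    pool_port: Optional[int] = None
    resource_type: Optional[str] = None  # reported on a hit, not matched here

    def hits(self, ticket: dict) -> bool:
        wanted = {f: getattr(self, f) for f in MATCH_FIELDS
                  if getattr(self, f) is not None}
        return bool(wanted) and all(ticket.get(f) == v for f, v in wanted.items())


def match_protocol(packet: dict) -> Optional[str]:
    """Stage 1: look for a protocol keyword in the head of the payload."""
    head = packet["payload"][:HEAD_BYTES]
    for keyword in PROTOCOL_RULES:
        if keyword in head:
            return keyword.decode()
    return None


def extract_ticket(packet: dict, keyword: str) -> dict:
    """Build the ticket (field record) for a first traffic packet."""
    ticket = {
        "device_ip": packet["src_ip"],
        "pool_ip": packet["dst_ip"],
        "pool_port": packet["dst_port"],
        "pool_domain": packet.get("dns_name"),
        "protocol_keyword": keyword,
        "login": None,
    }
    try:
        msg = json.loads(packet["payload"])
    except ValueError:
        return ticket  # truncated or non-JSON payload: keep flow-level fields
    params = msg.get("params") if isinstance(msg, dict) else None
    if keyword == "mining.authorize" and isinstance(params, list) and params:
        ticket["login"] = str(params[0])
    return ticket


def detect(packets, event_rules):
    """Return (tickets of first traffic packets, identified behaviors)."""
    tickets, behaviors = [], []
    for packet in packets:
        keyword = match_protocol(packet)
        if keyword is None:
            continue
        ticket = extract_ticket(packet, keyword)
        tickets.append(ticket)
        # Stage 2: rules are tried in their configured order; first hit wins.
        target = next((r for r in event_rules if r.hits(ticket)), None)
        if target is not None:
            behaviors.append({"rule": target.name,
                              "resource_type": target.resource_type, **ticket})
    return tickets, behaviors


# Constructed sample traffic (documentation address ranges and example domains).
SAMPLE_PACKETS = [
    {"src_ip": "192.0.2.10", "dst_ip": "198.51.100.7", "dst_port": 80,
     "dns_name": "www.example.org",
     "payload": b"GET / HTTP/1.1\r\nHost: www.example.org\r\n\r\n"},
    {"src_ip": "192.0.2.10", "dst_ip": "203.0.113.5", "dst_port": 3333,
     "dns_name": "pool.example.net",
     "payload": b'{"id": 1, "method": "mining.subscribe", "params": ["agent/1.0"]}'},
    {"src_ip": "192.0.2.10", "dst_ip": "203.0.113.5", "dst_port": 3333,
     "dns_name": "pool.example.net",
     "payload": b'{"id": 2, "method": "mining.authorize", "params": ["worker1", "x"]}'},
    # Protocol hit, but the pool is not in the event rule set yet.
    {"src_ip": "192.0.2.44", "dst_ip": "198.51.100.99", "dst_port": 4444,
     "dns_name": None,
     "payload": b'{"id": 1, "method": "mining.subscribe", "params": []}'},
    # Keyword only deep inside an HTTP body: outside the compared head.
    {"src_ip": "192.0.2.77", "dst_ip": "198.51.100.8", "dst_port": 80,
     "dns_name": "forum.example.org",
     "payload": b"POST /forum HTTP/1.1\r\nHost: forum.example.org\r\n\r\n"
                + b"x" * 80 + b" mining.subscribe explained"},
]
EVENT_RULES = [EventRule("pool-domain-3333", pool_domain="pool.example.net",
                         pool_port=3333, resource_type="coin-A (constructed)")]

if __name__ == "__main__":
    tickets, behaviors = detect(SAMPLE_PACKETS, EVENT_RULES)
    print(len(tickets), "first traffic packets;", len(behaviors), "behaviors")
    for b in behaviors:
        print(b["rule"], b["device_ip"], "->", b["pool_domain"], b["login"])
```

The fourth sample packet passes protocol matching but hits no event rule, which is the kind of ticket the rule-base optimization described next would mine for new rules.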
In an optional embodiment, after identifying the virtual resource obtaining behavior of the second traffic packet, the method further includes: performing association analysis on each field in the ticket file based on a frequent item set and a data mining algorithm model containing association rules to obtain a target virtual resource acquisition event rule; and adding the target virtual resource acquisition event rule to a virtual resource acquisition rule base through computer equipment, and optimizing the virtual resource acquisition rule base. The frequent item set may refer to an event that satisfies a minimum support threshold, and if the event a includes k elements and the event a satisfies the minimum support threshold, the frequent item set is called a frequent k item set. The association analysis may refer to analyzing an association relationship between fields in the call ticket. The work flow of the data mining algorithm model can be as shown in fig. 2c, specifically, a ticket file corresponding to the first traffic packet is obtained and used as an original ticket; extracting each field from the original call bill to be used as a training sample; then, through scanning training samples, the count of each matched virtual resource acquisition device IP item is accumulated, items meeting the minimum support degree (namely occurrence probability) are collected, and a set L1 of a frequent 1 item set is found out; then, L1 is used to find the set of frequent 2-item sets, L2, L2 is used to find L3, and so on until no more frequent k-item sets can be found. Where a complete scan of the training sample is performed every time an Lk is found. 
And finally, merging the obtained frequent items, identifying all the virtual resource obtaining behaviors, and outputting a virtual resource obtaining device IP, a virtual resource pool domain name, a virtual resource field outlet IP and a virtual resource obtaining device list where the virtual resource pool is located, thereby obtaining a target virtual resource obtaining event rule. And then, adding the target virtual resource acquisition event rule into the virtual resource acquisition rule base to complete the optimization of the virtual resource acquisition rule base. Correspondingly, acquiring a preset virtual resource acquisition rule base comprises the following steps: and acquiring the optimized virtual resource acquisition rule base. Therefore, the optimized virtual resource acquisition rule base can be used when the flow of the network to be monitored is matched next time, and the accuracy of virtual resource acquisition behavior detection is improved.
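The level-wise search described above (L1, then L2 from L1, and so on, with one full scan per level) is the classic Apriori procedure. The following sketch is an added example and is not code from the patent; the ticket field names, the constructed records and the 0.25 support threshold are assumptions chosen for illustration.

```python
from collections import Counter
from itertools import combinations


def _ticket(dev, dom, port, rtype):
    # Field names are assumptions modelled on the rule parameters the page lists.
    return {"device_ip": dev, "pool_domain": dom,
            "pool_port": port, "resource_type": rtype}


# Constructed sample tickets (documentation-range addresses, example domains).
TICKETS = [
    _ticket("192.0.2.5", "pool.example.net", 3333, "coinA"),
    _ticket("192.0.2.5", "pool.example.net", 3333, "coinA"),
    _ticket("192.0.2.5", "pool.example.net", 3333, "coinA"),
    _ticket("192.0.2.9", "pool.example.net", 3333, "coinA"),
    _ticket("192.0.2.9", "pool.example.net", 3333, "coinA"),
    _ticket("192.0.2.7", "alt.example.org", 4444, "coinB"),
    _ticket("192.0.2.8", "pool.example.net", 443, "coinA"),
    _ticket("192.0.2.5", "other.example.com", 3333, "coinA"),
]


def frequent_levels(transactions, min_support):
    """Return [L1, L2, ...]; each Lk maps a frequent k-item set to its count."""
    n = len(transactions)
    counts = Counter(frozenset([item]) for t in transactions for item in t)
    current = {s: c for s, c in counts.items() if c / n >= min_support}
    levels, k = [], 1
    while current:
        levels.append(current)
        k += 1
        # Join step: unions of two frequent (k-1)-sets that have exactly k items.
        # Prune step: every (k-1)-subset of a candidate must itself be frequent.
        candidates = set()
        for a, b in combinations(list(current), 2):
            union = a | b
            if len(union) == k and all(
                frozenset(sub) in current for sub in combinations(union, k - 1)
            ):
                candidates.add(union)
        # One complete scan of the samples per level, as the text describes.
        counts = Counter()
        for t in transactions:
            for cand in candidates:
                if cand <= t:
                    counts[cand] += 1
        current = {s: c for s, c in counts.items() if c / n >= min_support}
    return levels


def candidate_rules(tickets, min_support):
    """Merge frequent item sets: keep the maximal ones as candidate event rules."""
    transactions = [frozenset(t.items()) for t in tickets]
    levels = frequent_levels(transactions, min_support)
    all_sets = [s for level in levels for s in level]
    maximal = [s for s in all_sets if not any(s < other for other in all_sets)]
    rules = [
        {"fields": dict(s), "support": levels[len(s) - 1][s] / len(transactions)}
        for s in maximal
    ]
    return sorted(rules, key=lambda r: -r["support"])


if __name__ == "__main__":
    for rule in candidate_rules(TICKETS, min_support=0.25):
        print(rule)
```

Candidate rules produced this way still need review before they enter the rule base: a low support threshold turns any busy internal service into a "rule", and the output is only as trustworthy as the first-stage tickets it was mined from.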
In another optional embodiment, after identifying the virtual resource acquisition behavior of the second traffic packet, the method further includes: acquiring subject information of the virtual resource acquisition behavior according to the virtual resource acquisition behavior; acquiring, according to the subject information, target subject information corresponding to the full set of virtual resource pools, virtual resource fields and virtual resources in the traffic coverage range of the network to be monitored; and summarizing the subject information and the target subject information and displaying them visually. Com, then abc is the header information of the domain name. The target subject information may refer to header information of a domain name within traffic coverage of the network to be monitored.
According to the technical scheme of the embodiment of the invention, keyword information is extracted by comparing special identification characters of the head load part of a full-traffic message; the keyword information is then compared with the virtual resource acquisition protocol rule set to obtain a first traffic packet meeting the virtual resource acquisition protocol rule set, and the ticket file in the first traffic packet is extracted; further, a storage space is constructed according to the order of the virtual resource acquisition event rules in the virtual resource acquisition event rule set, and key field matching is performed on the fields of the ticket file against the full set of rules in the storage space until the full set of rules has traversed the fields of the ticket file, so as to obtain a second traffic packet which hits the virtual resource acquisition event rule set; finally, the virtual resource acquisition behavior of the second traffic packet is identified according to the target virtual resource acquisition event rule hit by the second traffic packet. This solves the problem of low accuracy of virtual resource acquisition behavior detection in the prior art and improves the accuracy of virtual resource acquisition behavior detection.
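The two-stage matching summarized above can be sketched as follows. This is an added example, not code from the patent: the packet and ticket layouts, the 128-byte head window, the rule contents and all addresses are constructed, and using Stratum v1 JSON-RPC method names as the protocol keywords is an assumption based on the page naming the stratum protocol as a rule source.

```python
from collections import Counter

# Stage 1 protocol rule set. ASSUMPTION: Stratum v1 JSON-RPC method names
# serve as the "special identification characters".
PROTOCOL_RULES = (b"mining.subscribe", b"mining.authorize", b"mining.submit")
HEAD_BYTES = 128  # assumed size of the inspected head of the payload

# Stage 2 event rule set, in priority order (constructed values).
EVENT_RULES = [
    {"id": "pool-domain", "when": {"pool_domain": "pool.example.net"}},
    {"id": "pool-endpoint", "when": {"pool_ip": "198.51.100.20", "pool_port": 3333}},
    {"id": "known-device", "when": {"device_ip": "192.0.2.15"}},
]

# Constructed packets: two pool sessions, one web request that merely contains
# a keyword, and one TLS flow from a known device.
PACKETS = [
    {"src_ip": "192.0.2.15", "dst_ip": "198.51.100.20", "dst_port": 3333,
     "domain": "pool.example.net",
     "payload": b'{"id":1,"method":"mining.subscribe","params":[]}\n'},
    {"src_ip": "192.0.2.44", "dst_ip": "198.51.100.20", "dst_port": 3333,
     "domain": None,
     "payload": b'{"id":2,"method":"mining.authorize","params":["w1","x"]}\n'},
    {"src_ip": "192.0.2.60", "dst_ip": "203.0.113.9", "dst_port": 80,
     "domain": "docs.example.org",
     "payload": b"GET /docs/mining.subscribe.html HTTP/1.1\r\nHost: docs.example.org\r\n\r\n"},
    {"src_ip": "192.0.2.15", "dst_ip": "198.51.100.20", "dst_port": 443,
     "domain": None,
     "payload": b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"},
]


def protocol_keyword(payload):
    """Stage 1: return the first protocol keyword found in the payload head."""
    head = payload[:HEAD_BYTES]
    return next((kw.decode() for kw in PROTOCOL_RULES if kw in head), None)


def extract_ticket(packet, keyword):
    """Build the ticket (flow record) for a packet that hit stage 1."""
    return {"device_ip": packet["src_ip"], "pool_ip": packet["dst_ip"],
            "pool_port": packet["dst_port"], "pool_domain": packet["domain"],
            "keyword": keyword}


def build_index(rules):
    """Index every rule condition by (field, value), keeping rule order."""
    index = {}
    for order, rule in enumerate(rules):
        for field, value in rule["when"].items():
            index.setdefault((field, value), []).append(order)
    return index


def match_event_rules(ticket, rules, index):
    """Stage 2: traverse the ticket fields and return the ids of rules whose
    conditions are all satisfied, in rule-set order."""
    satisfied = Counter()
    for field, value in ticket.items():
        for order in index.get((field, value), ()):
            satisfied[order] += 1
    return [rules[o]["id"] for o in sorted(satisfied)
            if satisfied[o] == len(rules[o]["when"])]


def detect(packets, rules=EVENT_RULES):
    index = build_index(rules)
    first_stage, detections = [], []
    for packet in packets:
        keyword = protocol_keyword(packet["payload"])
        if keyword is None:
            continue  # no ticket is produced, so stage 2 never sees this flow
        ticket = extract_ticket(packet, keyword)
        first_stage.append(ticket)
        hits = match_event_rules(ticket, rules, index)
        if hits:
            detections.append({"ticket": ticket, "hits": hits,
                               "target_rule": hits[0]})
    return {"first_stage": first_stage, "detections": detections}


if __name__ == "__main__":
    for d in detect(PACKETS)["detections"]:
        print(d["ticket"]["device_ip"], d["target_rule"], d["hits"])
```

The third constructed packet shows why the keyword stage alone is not enough: it hits a protocol keyword but no event rule, so it is not reported. The fourth shows the blind spot of this design: an encrypted flow from a known device yields no keyword, so no ticket is ever produced for it.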
Fig. 2d is a flowchart of a preferred method for detecting a virtual resource acquisition behavior according to an embodiment of the present invention. Specifically, a batch of virtual resource acquisition device internet protocols and virtual resource pool addresses are selected as sample data through computer equipment; the virtual resource acquisition process is then monitored, the domain name rule of the virtual resource pool is extracted based on the DNS protocol, the virtual resource field outlet internet protocol rule, the virtual resource acquisition device internet protocol rule, the virtual resource pool internet protocol rule and the virtual resource type rule are extracted based on the Stratum protocol, and the virtual resource acquisition rule base is established. Further, the DPI equipment acquires the virtual resource acquisition protocol rule set and the virtual resource acquisition event rule set in the virtual resource acquisition rule base, performs full traffic matching on the traffic of the network to be monitored according to the virtual resource acquisition protocol rule set, acquires a first traffic packet hitting the virtual resource acquisition protocol rule set, and extracts the ticket file in the first traffic packet; key field matching is performed on the ticket file according to the virtual resource acquisition event rule set, a second traffic packet which hits the virtual resource acquisition event rule set is acquired, and the virtual resource acquisition behavior of the second traffic packet is identified according to the target virtual resource acquisition event rule hit by the second traffic packet. Further, association analysis is performed on each field in the ticket file based on the frequent item set and a data mining algorithm model containing association rules, the frequent items are merged, all virtual resource acquisition events are identified, and a virtual resource acquisition device IP, a virtual resource pool domain name, a virtual resource field outlet IP and a virtual resource acquisition device list where the virtual resource pool is located are output, thereby obtaining a target virtual resource acquisition event rule; the target virtual resource acquisition event rule is added to the virtual resource acquisition rule base through computer equipment, optimizing the virtual resource acquisition rule base. Further, subject information of the virtual resource acquisition behavior is acquired according to the virtual resource acquisition behavior; according to the subject information, target subject information corresponding to the full set of virtual resource pools, virtual resource fields and virtual resources in the traffic coverage range of the network to be monitored is acquired; finally, the subject information and the target subject information are summarized and displayed visually.
Example three
Fig. 3a is a schematic structural diagram of an apparatus for detecting a virtual resource acquisition behavior according to a third embodiment of the present invention. As shown in fig. 3a, the apparatus comprises: a rule obtaining module 310, a first matching module 320, a second matching module 330, and a behavior recognizing module 340;
the rule obtaining module 310 is configured to obtain a preset virtual resource obtaining rule base; the virtual resource acquisition rule base comprises a virtual resource acquisition protocol rule set and a virtual resource acquisition event rule set;
the first matching module 320 is configured to perform full traffic matching on traffic of a network to be monitored according to the virtual resource acquisition protocol rule set, acquire a first traffic packet which hits the virtual resource acquisition protocol rule set, and extract a ticket file in the first traffic packet;
a second matching module 330, configured to perform key field matching on the ticket file according to the virtual resource acquisition event rule set, and acquire a second traffic packet that hits the virtual resource acquisition event rule set;
the behavior identification module 340 is configured to identify a virtual resource obtaining behavior of the second traffic packet according to the target virtual resource obtaining event rule hit by the second traffic packet.
According to the technical scheme of the embodiment of the invention, full traffic matching is performed on the traffic of the network to be monitored using the virtual resource acquisition protocol rule set in the preset virtual resource acquisition rule base, and the ticket file in the successfully matched first traffic packet is acquired; key field matching is performed on the ticket file using the virtual resource acquisition event rule set in the preset virtual resource acquisition rule base, and the successfully matched second traffic packet is acquired; finally, the virtual resource acquisition behavior of the second traffic packet is identified according to the matched target virtual resource acquisition event rule. This solves the problem of low accuracy of virtual resource acquisition behavior detection in the prior art and improves the accuracy of virtual resource acquisition behavior detection.
Optionally, the apparatus for detecting a virtual resource acquisition behavior may further include a rule establishing module, configured to, before the preset virtual resource acquisition rule base is acquired: acquire, by a computer device, sample data including a virtual resource acquisition device internet protocol and a virtual resource pool address; form, by a computer device, a data sample library according to at least one sample parameter included in each sample data, the sample parameters including: the associated virtual resource pool, virtual resource acquisition device, virtual resource field, virtual resource type, virtual resource acquisition protocol and computing power; classify the sample data in the data sample library by using each sample parameter as a classification factor to obtain a plurality of types of sample data groups; and monitor the virtual resource acquisition behavior of each sample data group, and generate a virtual resource acquisition rule base containing virtual resource acquisition protocol rules and virtual resource acquisition event rules based on the monitored computer domain name protocol and transmission control protocol.
Optionally, the first matching module 320 may be specifically configured to compare special identifier characters of a header load portion of a full traffic packet, and extract keyword information; and comparing the keyword information with the virtual resource acquisition protocol rule set to obtain a first traffic packet meeting the virtual resource acquisition protocol rule set, and extracting a ticket file in the first traffic packet.
Optionally, the second matching module 330 may be specifically configured to construct a storage space according to the order of the virtual resource acquisition event rules in the virtual resource acquisition event rule set, and perform key field matching on the fields of the ticket file against the full set of rules in the storage space until the full set of rules has traversed the fields of the ticket file, so as to obtain a second traffic packet that hits the virtual resource acquisition event rule set.
Optionally, the detection apparatus for virtual resource acquisition behavior may further include a rule optimization module, configured to perform association analysis on each field in the ticket file based on a frequent item set and a data mining algorithm model including an association rule after identifying the virtual resource acquisition behavior of the second traffic packet, to obtain a target virtual resource acquisition event rule; adding the target virtual resource acquisition event rule to a virtual resource acquisition rule base through computer equipment, and optimizing the virtual resource acquisition rule base;
accordingly, the rule obtaining module 310 may be specifically configured to obtain the optimized virtual resource obtaining rule base.
Optionally, the apparatus for detecting a virtual resource acquisition behavior may further include a result visualization module, configured to, after identifying the virtual resource acquisition behavior of the second traffic packet, acquire subject information of the virtual resource acquisition behavior according to the virtual resource acquisition behavior; acquiring target subject information corresponding to a full virtual resource pool, a virtual resource field and virtual resources in a flow coverage range of a network to be monitored according to the subject information; and summarizing the subject information and the target subject information, and visually displaying.
Optionally, the virtual resource acquisition event rule includes the following rule parameters: the virtual resource pool domain name, the virtual resource pool internet protocol, the virtual resource pool port, the virtual resource type, the virtual resource field outlet internet protocol and the virtual resource acquisition device internet protocol.
The detection device for the virtual resource acquisition behavior provided by the embodiment of the invention can execute the detection method for the virtual resource acquisition behavior provided by any embodiment of the invention, and has corresponding functional modules and beneficial effects of the execution method.
Fig. 3b is a logic diagram of a preferred virtual resource acquisition behavior detection apparatus according to an embodiment of the present invention. Specifically, the apparatus includes a rule extraction module (equivalent to the rule establishing module), a rule matching module (equivalent to the rule obtaining module, the first matching module, the second matching module, and the behavior identification module), a data cleaning module (equivalent to the rule optimization module), and an information synchronization query module (equivalent to the result visualization module). The rule extraction module is used for examining sample data of virtual resource acquisition device internet protocols and virtual resource pool addresses from the perspective of the virtual resource acquisition process to obtain a virtual resource acquisition rule base. The rule matching module is used for acquiring the preset virtual resource acquisition rule base and outputting a ticket file and a virtual resource acquisition behavior according to the rule sets in the acquired virtual resource acquisition rule base. The data cleaning module is used for performing association analysis on each field in the ticket file based on a frequent item set and a data mining algorithm model containing association rules to obtain a target virtual resource acquisition event rule and output effective virtual resource acquisition behaviors. The information synchronization query module is used for acquiring subject information of the virtual resource acquisition behavior according to the virtual resource acquisition behavior, acquiring, according to the subject information, target subject information corresponding to the full set of virtual resource pools, virtual resource fields and virtual resource acquisition devices in the traffic coverage range of the network to be monitored, summarizing the subject information and the target subject information, and visually displaying the subject information and the target subject information.
Example four
FIG. 4 shows a schematic block diagram of an electronic device 410 that may be used to implement an embodiment of the invention. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital assistants, cellular phones, smart phones, wearable devices (e.g., helmets, glasses, watches, etc.), and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed herein.
As shown in fig. 4, electronic device 410 includes at least one processor 420, and a memory communicatively coupled to the at least one processor 420, such as a Read Only Memory (ROM) 430, a Random Access Memory (RAM) 440, etc., where the memory stores computer programs that may be executed by the at least one processor, and processor 420 may perform various suitable actions and processes according to the computer programs stored in Read Only Memory (ROM) 430 or loaded from storage unit 490 into Random Access Memory (RAM) 440. In the RAM 440, various programs and data required for the operation of the electronic device 410 may also be stored. The processor 420, the ROM 430 and the RAM 440 are connected to each other through a bus 450. An input/output (I/O) interface 460 is also connected to bus 450.
Various components in the electronic device 410 are connected to the I/O interface 460, including: an input unit 470 such as a keyboard, a mouse, etc.; an output unit 480 such as various types of displays, speakers, and the like; a storage unit 490, such as a magnetic disk, optical disk, or the like; and a communication unit 4100 such as a network card, a modem, a wireless communication transceiver, and the like. The communication unit 4100 allows the electronic device 410 to exchange information/data with other devices through a computer network such as the internet and/or various telecommunication networks.
Processor 420 may be a variety of general and/or special purpose processing components with processing and computing capabilities. Some examples of processor 420 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various processors running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, or the like. Processor 420 performs the various methods and processes described above, such as the detection of virtual resource acquisition behavior.
The method comprises the following steps:
acquiring a preset virtual resource acquisition rule base; the virtual resource acquisition rule base comprises a virtual resource acquisition protocol rule set and a virtual resource acquisition event rule set;
performing full-flow matching on the flow of a network to be monitored according to the virtual resource acquisition protocol rule set, acquiring a first flow packet which hits the virtual resource acquisition protocol rule set, and extracting a call ticket file in the first flow packet;
performing key field matching on the ticket file according to the virtual resource acquisition event rule set to acquire a second traffic packet which hits the virtual resource acquisition event rule set;
and identifying the virtual resource acquisition behavior of the second traffic packet according to the target virtual resource acquisition event rule hit by the second traffic packet.
In some embodiments, the method of detecting virtual resource acquisition behavior may be implemented as a computer program tangibly embodied in a computer-readable storage medium, such as storage unit 490. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 410 via the ROM 430 and/or the communication unit 4100. When loaded into RAM 440 and executed by processor 420, the computer program may perform one or more of the steps of the detection method of virtual resource acquisition behavior described above. Alternatively, in other embodiments, processor 420 may be configured by any other suitable means (e.g., by way of firmware) to perform the detection method of virtual resource acquisition behavior.
Various implementations of the systems and techniques described here above may be implemented in digital electronic circuitry, integrated circuitry, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), systems on a chip (SOCs), complex programmable logic devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, receiving data and instructions from, and transmitting data and instructions to, a storage system, at least one input device, and at least one output device.
A computer program for implementing the methods of the present invention may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the computer programs, when executed by the processor, cause the functions/acts specified in the flowchart and/or block diagram block or blocks to be performed. A computer program can execute entirely on a machine, partly on a machine, as a stand-alone software package partly on a machine and partly on a remote machine or entirely on a remote machine or server.
In the context of the present invention, a computer-readable storage medium may be a tangible medium that can contain, or store a computer program for use by or in connection with an instruction execution system, apparatus, or device. A computer readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. Alternatively, the computer readable storage medium may be a machine readable signal medium. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on an electronic device having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) by which a user can provide input to the electronic device. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic, speech, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: local Area Networks (LANs), Wide Area Networks (WANs), blockchain networks, and the Internet.
The computing system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or a cloud host, and is a host product in a cloud computing service system, so that the defects of high management difficulty and weak service expansibility in the traditional physical host and VPS service are overcome.
It should be understood that various forms of the flows shown above may be used, with steps reordered, added, or deleted. For example, the steps described in the present invention may be executed in parallel, sequentially, or in different orders, and are not limited herein as long as the desired results of the technical solution of the present invention can be achieved.
The above-described embodiments should not be construed as limiting the scope of the invention. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may be made in accordance with design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A method for detecting a virtual resource acquisition behavior is characterized by comprising the following steps:
acquiring a preset virtual resource acquisition rule base; the virtual resource acquisition rule base comprises a virtual resource acquisition protocol rule set and a virtual resource acquisition event rule set;
performing full-flow matching on the flow of a network to be monitored according to the virtual resource acquisition protocol rule set, acquiring a first flow packet which hits the virtual resource acquisition protocol rule set, and extracting a call ticket file in the first flow packet;
performing key field matching on the ticket file according to the virtual resource acquisition event rule set to acquire a second traffic packet which hits the virtual resource acquisition event rule set;
and identifying the virtual resource acquisition behavior of the second traffic packet according to the target virtual resource acquisition event rule hit by the second traffic packet.
2. The method according to claim 1, further comprising, before said obtaining the predetermined virtual resource obtaining rule base:
acquiring sample data containing a virtual resource acquisition device Internet protocol and a virtual resource pool address through computer equipment;
forming, by a computer device, a data sample library according to at least one sample parameter included in each sample data, the sample parameters including: the associated virtual resource pool, virtual resource acquisition device, virtual resource field, virtual resource type, virtual resource acquisition protocol and computing power;
classifying the sample data in the data sample library by using each sample parameter as a classification factor to obtain a plurality of types of sample data groups;
and monitoring the virtual resource acquisition behavior of each sample data set, and generating a virtual resource acquisition rule base containing virtual resource acquisition protocol rules and virtual resource acquisition event rules based on the monitored computer domain name protocol and transmission control protocol.
3. The method according to claim 1, wherein the performing full traffic matching on the traffic of the network to be monitored according to the virtual resource acquisition protocol rule set, acquiring a first traffic packet hitting the virtual resource acquisition protocol rule set, and extracting a ticket file in the first traffic packet comprises:
comparing special identification characters of a head load part of the full-flow message, and extracting keyword information;
and comparing the keyword information with the virtual resource acquisition protocol rule set to obtain a first traffic packet meeting the virtual resource acquisition protocol rule set, and extracting a ticket file in the first traffic packet.
4. The method of claim 1, wherein the performing key field matching on the ticket file according to the virtual resource acquisition event rule set to obtain a second traffic packet hitting the virtual resource acquisition event rule set comprises:
and constructing a storage space according to the order of the virtual resource acquisition event rules in the virtual resource acquisition event rule set, and performing key field matching on the fields of the ticket file against the full set of rules in the storage space until the full set of rules has traversed the fields of the ticket file, so as to obtain a second traffic packet which hits the virtual resource acquisition event rule set.
5. The method of claim 1, after identifying the virtual resource acquisition behavior of the second traffic packet, further comprising:
performing association analysis on each field in the ticket file based on a frequent item set and a data mining algorithm model containing association rules to obtain a target virtual resource acquisition event rule;
adding the target virtual resource acquisition event rule to a virtual resource acquisition rule base through computer equipment, and optimizing the virtual resource acquisition rule base;
correspondingly, acquiring a preset virtual resource acquisition rule base comprises the following steps:
and acquiring the optimized virtual resource acquisition rule base.
6. The method of claim 1, after identifying the virtual resource acquisition behavior of the second traffic packet, further comprising:
acquiring subject information of the virtual resource acquisition behavior according to the virtual resource acquisition behavior;
acquiring target subject information corresponding to a full virtual resource pool, a virtual resource field and virtual resources in a flow coverage range of a network to be monitored according to the subject information;
and summarizing the subject information and the target subject information, and visually displaying.
7. The method according to claim 1, wherein the virtual resource acquisition event rule comprises the following rule parameters: the virtual resource pool domain name, the virtual resource pool internet protocol, the virtual resource pool port, the virtual resource type, the virtual resource field outlet internet protocol and the virtual resource acquisition device internet protocol.
8. An apparatus for detecting a virtual resource acquisition behavior, comprising:
the rule acquisition module is used for acquiring a preset virtual resource acquisition rule base; the virtual resource acquisition rule base comprises a virtual resource acquisition protocol rule set and a virtual resource acquisition event rule set;
the first matching module is used for carrying out full-flow matching on the flow of the network to be monitored according to the virtual resource acquisition protocol rule set, acquiring a first flow packet which hits the virtual resource acquisition protocol rule set, and extracting a call ticket file in the first flow packet;
the second matching module is used for matching key fields of the ticket file according to the virtual resource acquisition event rule set and acquiring a second traffic packet which hits the virtual resource acquisition event rule set;
and the behavior identification module is used for identifying the virtual resource acquisition behavior of the second traffic packet according to the target virtual resource acquisition event rule hit by the second traffic packet.
9. An electronic device, characterized in that the electronic device comprises:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the method of detecting virtual resource acquisition behavior of any of claims 1-7.
10. A computer-readable storage medium storing computer instructions for causing a processor to implement the method for detecting virtual resource acquisition behavior of any one of claims 1-7 when executed.
CN202210145576.1A 2022-02-17 2022-02-17 Method, device, equipment and medium for detecting virtual resource acquisition behavior Active CN114531287B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210145576.1A CN114531287B (en) 2022-02-17 2022-02-17 Method, device, equipment and medium for detecting virtual resource acquisition behavior

Publications (2)

Publication Number Publication Date
CN114531287A (en) 2022-05-24
CN114531287B (en) 2024-06-11

Family

ID=81623143

Country Status (1)

Country Link
CN (1) CN114531287B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant