Method and system for identifying abnormality of host operation instructions

A technology for host operation instructions, applied in computer security devices, instruments, computing, etc. It addresses the problems that the distribution function of the data is difficult to obtain in advance, that time complexity is large, and that these limits restrict the application of abnormal data mining methods. It improves object recognition accuracy and offers high computational efficiency.

Active Publication Date: 2022-01-25
SHANGHAI GUAN AN INFORMATION TECH

AI Technical Summary

Problems solved by technology

For example, in the distance-based method, it is difficult to select the distance function and parameters; in the statistics-based method, the distribution of the data must be known in advance, but the distribution function is difficult to obtain in advance; in the density-based method, the time complexity is large; cluster-based methods mainly focus on clustering problems.
These problems limit the application of abnormal data mining methods, which mainly deal with deterministic data. There is no effective theoretical model or method for processing uncertain information and discrete sequence data, and the internal logical relationship between sequence behaviors cannot be considered.
For sequence anomaly detection, the commonly used Markov model and directed graph model are inefficient on large data sets.
[0005] Prior-art classification and recognition models are based on instruction features. They do not fully consider the relationship between instructions and cannot make full use of the inherent logical relationship, in the time dimension, between successive host operation instructions.


Examples


Embodiment 1

[0067] As shown in Figure 1, this embodiment provides a method for identifying abnormal host operation instructions, including the following steps:

[0068] S1: Sample data extraction

[0069] Extract the system operation instruction log data of a certain quarter (or another specified time period, such as a month or a year) as the original sample data.

[0070] S2: Data processing

[0071] The sample data extracted in S1 is split by month and keyed by user host account as the ID, so that the month and the ID together form a unique index. The commands are arranged in chronological order and combined into a behavior sequence record, such as 6m; root; cd,mv,cp,ls,ls,rm,...,reboot;

[0072] From the data obtained in S1, count the usage frequency of each host operation instruction.

[0073] S3: Screening of uncommon commands

[0074] According to the frequency of operation instructions obtained by S1, arrange them in ascending order, a...

Embodiment 2

[0112] As shown in Figure 3, and corresponding to Embodiment 1, this embodiment also provides a system for identifying abnormal host operation instructions, including:

[0113] A sample data extraction module, which extracts the system operation instruction log data of a specified time period as the original sample data;

[0114] A data processing module, which splits the sample data by the set period and keys it by user host account as the ID, so that the set period and the ID form a unique index; the instructions are arranged in chronological order and combined into a behavior sequence record.

[0115] From the sample data, it also counts the usage frequency of each host operation command;

[0116] An uncommon-instruction screening module, which arranges the frequency of operation instructions in ascending order, and uses the quantile feature to filter out the operation instructions that are less than the set threshold from the sort...
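
Steps S1 to S3 of Embodiment 1 and the matching modules of Embodiment 2, sketched in Python as an added example; this is not code from the patent. The log line format, the sample lines, the quantile value q=0.5, the nearest-rank quantile and the helper uncommon_per_record are all assumptions, since the page truncates the description of S3.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log, one quarter: "<timestamp> <host account> <command>".
SAMPLE_LOG = """\
2021-06-01T09:00:01 root cd
2021-06-01T09:00:09 root ls
2021-06-01T09:00:04 root mv
2021-06-03T10:00:00 alice ls
2021-06-03T10:00:05 alice cd
2021-06-03T10:00:08 alice nc
2021-07-01T08:00:00 root ls
2021-07-01T08:00:02 root cd
2021-07-01T08:00:03 root mv
2021-07-01T08:00:06 root ls
2021-07-01T08:00:09 root reboot
"""

def parse(log_text):
    """S1: read raw log lines into (datetime, account, command) tuples."""
    rows = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        rows.append((datetime.fromisoformat(parts[0]), parts[1], parts[2]))
    return rows

def behavior_sequences(rows):
    """S2: index by (month, account); commands in chronological order."""
    seqs = defaultdict(list)
    for ts, account, cmd in sorted(rows):  # tuples sort by timestamp first
        seqs[(f"{ts.month}m", account)].append(cmd)
    return dict(seqs)

def command_frequency(rows):
    """S2: usage count of every command across the whole sample."""
    return Counter(cmd for _, _, cmd in rows)

def uncommon_commands(freq, q=0.5):
    """S3: sort counts ascending; commands below the q-quantile are uncommon.
    q=0.5 and the nearest-rank quantile are assumptions of this example."""
    counts = sorted(freq.values())
    if not counts:
        return set()
    threshold = counts[int(q * (len(counts) - 1))]
    return {cmd for cmd, n in freq.items() if n < threshold}

def uncommon_per_record(seqs, uncommon):
    """Assumed use of the S3 result: uncommon commands seen in each record."""
    return {key: [c for c in seq if c in uncommon] for key, seq in seqs.items()}
```

The month key follows the page's "6m" record format, so it is only unique within a sample that spans less than a year.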


Abstract

The present invention provides a method and system for identifying abnormal host operation instructions, including S1: sample data extraction; S2: data processing, to obtain behavior sequence records and the usage frequency of each host operation instruction; S3: screening of uncommon instructions, to obtain the target operation instruction sequence; S4: compact prediction tree training, to obtain the target compact prediction tree; S5: compact prediction tree prediction, to obtain a labeled training data set; S6: training operation instruction vectors with word2vec to form pre-trained vectors; S7: establishing a classification recognition model with Bi-LSTM; S8: using the classification model to make predictions. The invention uses the compact prediction tree to analyze the operation instruction sequence of the user host and studies the behavior relationship between instruction behavior sequences, thereby judging whether the operation instructions of the user host are abnormal. On this basis, the internal relationship between user operation instructions is fully considered, and the logical relationship of instructions in the time dimension is studied, to improve the object recognition accuracy for abnormal host operation instructions.

Description

Technical field

[0001] The invention relates to computer data security, in particular to a method and system for identifying abnormal host operation instructions.

Background technique

[0002] Computer system security is one of the key contents of information security. It has become the core technology of computer information systems and an important foundation and supplement of network security.

[0003] With the continuous development of modern information technology, computer applications involve all walks of life. For computer information security, the country has established a computer network information security mechanism to protect information security and other fields, but it is also difficult to manage computers with a high degree of use. When the protection system is not complete, the computer system still faces threats from information network technology, such as information leakage, information tampering and other dangerous behaviors, which have caused pote...


Application Information

Patent Type & Authority: Patents (China)
IPC (8): G06F21/55
CPC: G06F21/554
Inventor: 殷钱安梁淑云刘胜马影陶景龙王启凡魏国富徐明余贤喆周晓勇
Owner: SHANGHAI GUAN AN INFORMATION TECH