Behavior detection method and device, storage medium and electronic device

By acquiring behavioral information and features associated with attack types from web applications, and combining dynamic and static features, this method utilizes pre-trained models and oversampling techniques to solve the challenge of detecting few-sample attacks, thereby improving detection accuracy and security.

CN115795464BActive Publication Date: 2026-06-09CHINA TELECOM CORP LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
CHINA TELECOM CORP LTD
Filing Date
2022-12-16
Publication Date
2026-06-09

Smart Images

  • Figure CN115795464B_ABST
    Figure CN115795464B_ABST
Patent Text Reader

Abstract

The present disclosure relates to a behavior detection method and device, a storage medium and an electronic device, and relates to the technical field of computers. The method comprises: obtaining relevant behavior information associated with a preset attack type when a target application is running by using a preset association algorithm; collecting dynamic feature information and static feature information in the running process of the target application based on the relevant behavior information; obtaining a target feature vector of the target application by fusing the dynamic feature information, the static feature information and the relevant behavior information; detecting the target feature vector of the target application by using a pre-trained attack detection model; determining a detection result of the target application; and determining a response strategy for the target application according to the detection result. In this way, the important behavior features associated with the attack type are obtained by using the association algorithm, the behavior features are combined with the attack features, the important feature information is avoided to be omitted, the new samples are synthesized by using the oversampling method for the small sample set, and the unnecessary calculation amount is reduced.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This disclosure relates to the field of computer technology, and more specifically, to a behavior detection method, apparatus, storage medium, and electronic device. Background Technology

[0002] With the development of the internet age, web applications have become widely used, from personal websites and blogs to various e-commerce platforms and data centers. We can see web applications everywhere. At the same time, with the storage and exchange of information on web applications, information security issues have become increasingly prominent. During the web application development phase, not every programmer has a mindset focused on application security, which provides opportunities for hackers. As network attack methods have evolved, many highly complex attack behaviors have emerged, and the sample size for these types is small. For example, an attack event is not a single intrusion action but rather a combination of multiple actions, often combined with auxiliary behaviors.

[0003] This type of attack, involving a small number of samples, is difficult to detect even using currently popular machine learning models. This renders it undetectable by conventional security measures, leading to security incidents and significant losses for businesses and individuals.

[0004] It should be noted that the information in the background section above is only used to enhance the understanding of the background of this disclosure, and therefore may include information that does not constitute prior art known to those skilled in the art. Summary of the Invention

[0005] To overcome the problems existing in related technologies, this disclosure provides a behavior detection method, apparatus, storage medium, and electronic device to at least solve the problem of difficulty in detecting attack types with few samples in related technologies.

[0006] According to one aspect of this disclosure, a behavior detection method is provided, the method comprising:

[0007] Use a preset association algorithm to obtain relevant behavioral information of the target application during runtime that is associated with a preset attack type;

[0008] Based on the relevant behavioral information, dynamic and static feature information during the operation of the target application is collected;

[0009] The target feature vector of the target application is obtained by fusing the dynamic feature information, the static feature information, and the relevant behavioral information.

[0010] The target feature vector of the target application is detected by a pre-trained attack detection model to determine the detection result of the target application; the pre-trained attack detection model is trained using a first sample set and a second sample set; the first sample set is obtained by processing a third sample set using a preset oversampling method;

[0011] Based on the detection results, a response strategy for the target application is determined.

[0012] Optionally, the step of using a preset association algorithm to obtain relevant behavioral information related to the target application's runtime and the preset attack type includes:

[0013] At the application running location indicated by the preset attack type, the preset association algorithm is used to compare the behavioral information of the target application during runtime with the attack behavior information corresponding to the preset attack type, and obtain the relevant behavioral information associated with the attack behavior information during the target application runtime.

[0014] Optionally, the step of collecting dynamic and static feature information during the operation of the target application based on the relevant behavioral information includes:

[0015] Based on the time period corresponding to the relevant behavioral information, collect the dynamic feature information and the static feature information during the operation of the target application within the same time period.

[0016] Optionally, the method further includes:

[0017] Cluster analysis is performed on the second sample set and the third sample set according to the preset oversampling method to obtain the sub-cluster partitioning results corresponding to the second sample set and the sub-cluster partitioning results corresponding to the third sample set;

[0018] Calculate the inter-class distance between the sub-cluster partitioning results corresponding to the second sample set and the sub-cluster partitioning results corresponding to the third sample set, and determine the number of samples to be synthesized in the third sample set;

[0019] Based on the number of samples to be synthesized and the preset synthesis strategy, the third sample set is used to form a new sample set, thus obtaining the first sample set.

[0020] Optionally, the step of synthesizing the third sample set into a new sample set based on the number of samples to be synthesized and a preset synthesis strategy to obtain the first sample set includes:

[0021] Based on the sub-cluster partitioning results corresponding to the third sample set, the inter-class distance is calculated to determine the preset synthesis strategy corresponding to the third sample set;

[0022] The first sample set for synthesizing new samples is determined by calculating the sub-cluster partitioning result corresponding to the third sample set and the number of samples to be synthesized using a preset synthetic sample formula.

[0023] Optionally, the method further includes:

[0024] Obtain the sample feature vectors corresponding to the first sample set and the sample feature vectors corresponding to the second sample set, as well as the corresponding actual detection results;

[0025] The sample feature vector and the real detection result are used as a training sample pair;

[0026] The attack detection model is iteratively trained using training samples to obtain a pre-trained attack detection model whose output sample detection results match the actual detection results.

[0027] Optionally, determining the response strategy for the target application based on the detection result includes:

[0028] If the detection result indicates an attack, then the service of the target application will be denied.

[0029] If the detection result is not an attack, the service of the target application will respond normally.

[0030] According to one aspect of this disclosure, a behavior detection device is provided, the device comprising:

[0031] The first acquisition module is used to acquire relevant behavioral information of the target application during runtime that is associated with a preset attack type using a preset association algorithm;

[0032] The acquisition module is used to acquire dynamic and static feature information during the operation of the target application based on the relevant behavioral information.

[0033] The fusion module is used to fuse the dynamic feature information, the static feature information, and the relevant behavioral information to obtain the target feature vector of the target application;

[0034] The detection module is used to detect the target feature vector of the target application using a pre-trained attack detection model, and determine the detection result of the target application; the pre-trained attack detection model is trained using a first sample set and a second sample set; the first sample set is obtained by processing a third sample set using a preset oversampling method;

[0035] The first determining module is used to determine a response strategy for the target application based on the detection results.

[0036] Optionally, the first acquisition module is further configured to:

[0037] At the application running location indicated by the preset attack type, the preset association algorithm is used to compare the behavioral information of the target application during runtime with the attack behavior information corresponding to the preset attack type, and obtain the relevant behavioral information associated with the attack behavior information during the target application runtime.

[0038] Optionally, the acquisition module is further used for:

[0039] Based on the time period corresponding to the relevant behavioral information, collect the dynamic feature information and the static feature information during the operation of the target application within the same time period.

[0040] Optionally, the device further includes:

[0041] The analysis module is used to perform cluster analysis on the second sample set and the third sample set according to the preset oversampling method, and obtain the sub-cluster partitioning results corresponding to the second sample set and the sub-cluster partitioning results corresponding to the third sample set;

[0042] The calculation module is used to calculate the inter-class distance between the sub-cluster partitioning results corresponding to the second sample set and the sub-cluster partitioning results corresponding to the third sample set, and to determine the number of samples to be synthesized in the third sample set.

[0043] The synthesis module is used to synthesize a new sample from the third sample set based on the number of samples to be synthesized and a preset synthesis strategy, thereby obtaining the first sample set.

[0044] Optionally, the synthesis module is further configured to:

[0045] Based on the sub-cluster partitioning results corresponding to the third sample set, the inter-class distance is calculated to determine the preset synthesis strategy corresponding to the third sample set;

[0046] The first sample set for synthesizing new samples is determined by calculating the sub-cluster partitioning result corresponding to the third sample set and the number of samples to be synthesized using a preset synthetic sample formula.

[0047] Optionally, the device further includes:

[0048] The second acquisition module is used to acquire the sample feature vectors corresponding to the first sample set and the sample feature vectors corresponding to the second sample set, as well as the corresponding real detection results.

[0049] The second determining module is used to treat the sample feature vector and the real detection result as a training sample pair;

[0050] The training module is used to iteratively train the attack detection model using training samples to obtain the pre-trained attack detection model whose output sample detection results match the real detection results.

[0051] Optionally, the first determining module is further configured to:

[0052] If the detection result indicates an attack, then the service of the target application will be denied.

[0053] If the detection result is not an attack, the service of the target application will respond normally.

[0054] According to one aspect of this disclosure, a computer-readable storage medium is provided having a computer program stored thereon, which, when executed by a processor, implements the behavior detection method described in any of the preceding claims.

[0055] According to one aspect of this disclosure, an electronic device is provided, comprising:

[0056] Processor; and

[0057] Memory for storing the executable instructions of the processor;

[0058] The processor is configured to execute any of the above-described behavior detection methods by executing the executable instructions.

[0059] In summary, the behavior detection method provided by this invention can first use a preset association algorithm to obtain relevant behavior information associated with a preset attack type during the runtime of a target application. Based on the relevant behavior information, dynamic and static feature information during the runtime of the target application is collected. The dynamic feature information, static feature information, and relevant behavior information are fused to obtain the target feature vector of the target application. The target feature vector of the target application is detected by a pre-trained attack detection model to determine the detection result of the target application. The pre-trained attack detection model is trained using a first sample set and a second sample set. The first sample set is obtained by processing a third sample set using a preset oversampling method. The response strategy for the target application is determined based on the detection result. In this way, on the one hand, the association algorithm is used to obtain important behavioral features related to the attack type, and the associated behavioral features are combined with the attack's own features to avoid the omission of important feature information and unnecessary data entry. Moreover, compared with the traditional request-based static feature recognition, the introduction of dynamic features during program execution and the combination of static and dynamic features improve the accuracy. On the other hand, the new samples synthesized by oversampling for the small sample set make the new samples more reasonable, reduce unnecessary computation, reduce the generation of noise points and the difference between the new samples and the real samples, avoid the accuracy problem caused by the model's insufficient learning of attack features from the small sample set, improve accuracy, and reduce false negatives and false positives.

[0060] It should be understood that the above general description and the following detailed description are exemplary and explanatory only, and are not intended to limit this disclosure. Attached Figure Description

[0061] The accompanying drawings, which are incorporated in and form part of this specification, illustrate embodiments consistent with this disclosure and, together with the description, serve to explain the principles of this disclosure. It is obvious that the drawings described below are merely some embodiments of this disclosure, and those skilled in the art can obtain other drawings based on these drawings without any inventive effort.

[0062] Figure 1 This schematically illustrates a flowchart of the steps of a behavior detection method provided in an embodiment of the present disclosure;

[0063] Figure 2 This schematically illustrates a flowchart of steps for obtaining a first sample set according to an embodiment of the present disclosure;

[0064] Figure 3 This schematically illustrates a flowchart of the steps for synthesizing a new sample according to an embodiment of the present disclosure;

[0065] Figure 4 This schematically illustrates a flowchart of the steps for obtaining a pre-trained attack detection model according to an embodiment of the present disclosure;

[0066] Figure 5 This diagram illustrates an attack detection method provided by an embodiment of the present disclosure.

[0067] Figure 6 This schematic diagram illustrates a block diagram of a behavior detection device provided in an embodiment of the present disclosure;

[0068] Figure 7 An electronic device for implementing the above-described behavior detection method is illustrated in an embodiment of this disclosure. Detailed Implementation

[0069] Example embodiments will now be described more fully with reference to the accompanying drawings. However, example embodiments can be implemented in many forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided to make this disclosure more comprehensive and complete, and to fully convey the concept of the example embodiments to those skilled in the art. The described features, structures, or characteristics can be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a full understanding of embodiments of this disclosure. However, those skilled in the art will recognize that the technical solutions of this disclosure can be practiced with one or more of the specific details omitted, or other methods, components, apparatus, steps, etc., can be employed. In other instances, well-known technical solutions are not shown or described in detail to avoid obscuring various aspects of this disclosure.

[0070] Furthermore, the accompanying drawings are merely illustrative of this disclosure and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and therefore repeated descriptions of them will be omitted. Some block diagrams shown in the drawings are functional entities and do not necessarily correspond to physically or logically independent entities. These functional entities may be implemented in software, in one or more hardware modules or integrated circuits, or in different network and / or processor devices and / or microcontroller devices.

[0071] Figure 1 This is a flowchart of the steps of a behavior detection method provided in an embodiment of this disclosure, as follows: Figure 1 As shown, the method may include:

[0072] Step S101: Use a preset association algorithm to obtain relevant behavioral information of the target application during runtime that is associated with a preset attack type.

[0073] In this embodiment of the disclosure, since the attack behavior is not only a behavioral information, but also includes relevant contextual information, and the attack location of different attack types is often determined, the relevant behavioral information of the target application that is related to the preset attack type can be obtained at the location indicated by the preset attack type using a preset association algorithm.

[0074] Step S102: Based on the relevant behavioral information, collect dynamic and static feature information during the operation of the target application.

[0075] In this embodiment of the disclosure, dynamic feature information of the target application during its operation can be collected based on the relevant behavioral information of the target application. This dynamic feature information may include feature information that appears when the target application is running and interacting. Static feature information of the target application during its operation can also be collected. This static feature information may be feature information that appears when the target application makes a request, when the request is running, or after the request is executed and before the response.

[0076] Step S103: The dynamic feature information, the static feature information and the related behavioral information are fused to obtain the target feature vector of the target application.

[0077] In this embodiment, dynamic feature information, static feature information, and related behavioral information may be fused according to a preset feature fusion method, and the fused feature vector may be used as the target feature vector of the target application. For example, relevant dynamic and static information of the request during program execution may be acquired and recorded, mainly including attack self-feature information and behavioral feature information associated with the attack, and these may be processed and fused into a feature vector: X = [x1, x2, ..., x...]. n ].

[0078] Step S104: Detect the target feature vector of the target application using a pre-trained attack detection model to determine the detection result of the target application; the pre-trained attack detection model is trained using a first sample set and a second sample set; the first sample set is obtained by processing a third sample set using a preset oversampling method.

[0079] In this embodiment, the attack detection model can be pre-trained using a first sample set and a second sample set. Through continuous iterative training, the attack detection model can learn to correctly detect whether the behavior corresponding to the feature vector is an attack behavior based on the input sample set. The first sample set can be a set of synthetic new samples obtained by processing a third sample set using a preset oversampling method. The third sample set can be a set of minority class samples, and the second sample set can be a set of majority class samples.

[0080] In this embodiment of the disclosure, the target feature vector of the target application is calculated and detected using a pre-trained attack detection model to determine the detection result of the target application. This can be achieved by using the pre-trained attack detection model to calculate the behavioral information corresponding to the target feature vector and determining whether the behavioral information is an attack behavior. The attack detection model can be a deep neural network (DNN), and this disclosure does not impose any specific limitations.

[0081] It should be noted that the preset oversampling method can be an improved cluster-based oversampling (CBSO) algorithm. Compared with the traditional CBSO oversampling algorithm, the improved CBSO algorithm proposed in this disclosure performs cluster analysis on a small sample dataset, incorporates the spatial structure features within and between classes, and is more scientific and reasonable in terms of the number of oversampling samples and the method of synthesizing new samples, so that the generated new samples are closer to the real samples, avoiding the blind selection of the number of synthesized samples and the generation of noise points.

[0082] Step S105: Determine the response strategy for the target application based on the detection results.

[0083] In this embodiment of the disclosure, the detection result can be either that the behavioral information corresponding to the target feature vector is an attack behavior, or that the behavioral information corresponding to the target feature vector is not an attack behavior. When the detection result is an attack behavior, the service of the target application can be refused to respond. When the detection result is not an attack behavior, the service of the target application can be responded to normally.

[0084] In summary, the behavior detection method provided by this invention can first use a preset association algorithm to obtain relevant behavior information associated with a preset attack type during the runtime of a target application. Based on the relevant behavior information, dynamic and static feature information during the runtime of the target application is collected. The dynamic feature information, static feature information, and relevant behavior information are fused to obtain the target feature vector of the target application. The target feature vector of the target application is detected by a pre-trained attack detection model to determine the detection result of the target application. The pre-trained attack detection model is trained using a first sample set and a second sample set. The first sample set is obtained by processing a third sample set using a preset oversampling method. The response strategy for the target application is determined based on the detection result. In this way, on the one hand, the association algorithm is used to obtain important behavioral features related to the attack type, and the associated behavioral features are combined with the attack's own features to avoid the omission of important feature information and unnecessary data entry. Moreover, compared with the traditional request-based static feature recognition, the introduction of dynamic features during program execution and the combination of static and dynamic features improve the accuracy. On the other hand, the new samples synthesized by oversampling for the small sample set make the new samples more reasonable, reduce unnecessary computation, reduce the generation of noise points and the difference between the new samples and the real samples, avoid the accuracy problem caused by the model's insufficient learning of attack features from the small sample set, improve accuracy, and reduce false negatives and false positives.

[0085] Optionally, in this embodiment of the present disclosure, the operation of obtaining relevant behavioral information related to the target application runtime and the preset attack type using a preset association algorithm may specifically include:

[0086] At the application running location indicated by the preset attack type, the preset association algorithm is used to compare the behavioral information of the target application during runtime with the attack behavior information corresponding to the preset attack type, and obtain the relevant behavioral information associated with the attack behavior information during the target application runtime.

[0087] In this embodiment of the disclosure, the preset association algorithm can be FreeSpan (sequence pattern mining based on frequent pattern projection). The behavior associated with the attack type can be obtained by using this behavior as a source point of a feature, or by using the characteristics of the attack itself as a source point. Combined with instrumentation techniques, hook probes are embedded in the program corresponding to the feature source point. When the program runs and the hook probe is triggered, runtime-related behavioral information of the attack request can be obtained.

[0088] Optionally, in this embodiment of the present disclosure, the operation of collecting dynamic and static feature information during the operation of the target application based on the relevant behavioral information may specifically include:

[0089] Based on the time period corresponding to the relevant behavioral information, collect the dynamic feature information and the static feature information during the operation of the target application within the same time period.

[0090] In this embodiment, dynamic and static feature information of the target application during its operation within the same time period can be collected based on the time period corresponding to the relevant behavioral information. This dynamic and static feature information can then be fused together to form the target feature vector of the target application. The relevant behavioral information can be valid for a period of time before and after the acquisition of the attack's own features.

[0091] Optional, such as Figure 2 As shown, the method described in this embodiment may further include:

[0092] Step S201: Perform cluster analysis on the second sample set and the third sample set according to the preset oversampling method to obtain the sub-cluster partitioning results corresponding to the second sample set and the sub-cluster partitioning results corresponding to the third sample set.

[0093] Step S202: Calculate the inter-class distance for the sub-cluster partitioning results corresponding to the second sample set and the sub-cluster partitioning results corresponding to the third sample set, and determine the number of samples to be synthesized in the third sample set.

[0094] Step S203: Based on the number of samples to be synthesized and the preset synthesis strategy, the third sample set is used to form a new sample set to obtain the first sample set.

[0095] In this embodiment of the disclosure, an imbalanced second sample set and a third sample set are input. The third sample set can be minority class samples, and the second sample set can be majority class samples. Clustering (k-means) analysis is performed on the minority class and majority class samples respectively to obtain the corresponding sub-cluster partitioning results. By weighting the cluster capacity and inter-class distance, the number of samples to be synthesized for the minority class samples is scientifically determined. Different synthesis strategies are adopted for samples in minority class clusters with different sparsity to synthesize new samples.

[0096] Specifically, in this embodiment, oversampling is performed based on the improved CBSO method to obtain the first sample set. The following is the pseudocode for the sampling process:

[0097] Input: Training sample set D = {x} n , y}, n=1,...,M, where y is the attack type label; the number of minority class samples m s The number of samples in the majority class is m. l The maximum tolerance rate d for imbalance th ; Specify the balance level scalar β∈[0,1]; Number of nearest neighbor samples k. Output: G newly synthesized minority class samples.

[0098]

[0099]

[0100] Optionally, in this embodiment of the present disclosure, the operation of synthesizing the third sample set into a new sample set based on the number of samples to be synthesized and a preset synthesis strategy to obtain the first sample set is as follows: Figure 3 As shown, it can specifically include:

[0101] Step S203 1. Calculate the inter-class distance based on the sub-cluster partitioning results corresponding to the third sample set to determine the preset synthesis strategy corresponding to the third sample set.

[0102] In this embodiment of the disclosure, the corresponding preset synthesis strategy may be determined based on whether the sub-cluster partitioning result corresponding to the third sample set is compact. If the sub-cluster partitioning result is compact, the preset synthesis strategy corresponding to the third sample set is a compact synthesis strategy. If the sub-cluster partitioning result is not compact, the preset synthesis strategy corresponding to the third sample set is a non-compact synthesis strategy.

[0103] Step S2032: Calculate the sub-cluster partitioning result corresponding to the third sample set and the number of samples to be synthesized using a preset synthetic sample formula, and determine the first sample set for synthesizing new samples.

[0104] In this embodiment of the disclosure, the number of newly synthesized samples required for the i-th cluster in the minority clusters can be expressed as: Simultaneously considering cluster capacity and inter-class distance, a weighted distribution strategy is applied to different clusters of minority class samples to make the number of synthesized samples for each class more reasonable, avoiding blind selection of the required number of synthesized samples and unnecessary computation. The specific formula for synthesizing samples can be expressed as follows (non-compact): s m =x a +σ*min((x a -x b ), (x a -x i Compact: For compact / non-compact intra-cluster distributed samples, a hybrid synthesis algorithm based on spatial information similarity distribution is proposed, which makes the new sample more similar to the original sample, greatly reducing the generation of noise points and excessive differences between samples, thereby obtaining samples that are closer to reality.

[0105] Optional, such as Figure 4 As shown, the method described in this embodiment further includes:

[0106] Step S301: Obtain the sample feature vector corresponding to the first sample set and the sample feature vector corresponding to the second sample set, as well as the corresponding real detection results.

[0107] In this embodiment, the first sample set can be minority class samples, and the second sample set can be majority class samples. A preset feature selection algorithm can be used to calculate the sample weights corresponding to each sample feature, and the sample feature vector can be selected according to a preset threshold ratio. The actual detection result corresponding to the sample feature vector can be manually detected and labeled, or it can be determined through detection.

[0108] Step S302: Use the sample feature vector and the real detection result as a training sample pair.

[0109] For example, the sample feature vector can be Y = [y1, y2, y3, ..., y4]. n If the actual detection result corresponding to this sample request could be an attack, then Y = [y1, y2, y3, ..., y n The "attack behavior" is used as a training sample pair, and the sample feature vector can be Z = [z1, z2, z3, ..., z...]. n If the actual detection result corresponding to the sample request can be a non-attack behavior, then Z = [z1, z2, z3, ..., z m [] and "non-aggressive behavior" as a training sample pair.

[0110] Step S303: Iteratively train the attack detection model using training samples to obtain the pre-trained attack detection model whose output sample detection results match the real detection results.

[0111] In this embodiment, the sample feature vectors from the training sample pairs can be input into the attack detection model for computation and processing. The model outputs a sample detection result for the given feature vectors, and determines whether the result matches the actual detection result. If they do not match, the training parameters of the attack detection model are adjusted, and the sample feature vectors are re-inputted into the model for iterative training until the output sample detection result matches the actual detection result. The attack detection model whose result matches the actual detection result is then used as the pre-trained attack detection model. This attack detection model can be a random forest model.

[0112] Optionally, in this embodiment of the present disclosure, the operation of determining the response strategy for the target application based on the detection result may specifically include:

[0113] If the detection result indicates an attack, the service of the target application is denied; if the detection result indicates no attack, the service of the target application is provided normally.

[0114] Example, Figure 5 This schematic diagram illustrates an attack detection method provided by an embodiment of the present disclosure, such as... Figure 5 As shown, S41, receive a client request; S42, use a preset association algorithm to obtain dynamic and static feature information of the target application during runtime; S43, fuse the dynamic feature information, static feature information, and related behavioral information to obtain the target feature vector of the target application; S44, use a pre-trained attack detection model to detect the target feature vector of the target application, determine the detection result of the target application, if the detection result is an attack behavior, then reject the service of the target application, if the detection result is not an attack behavior, then respond normally to the service of the target application.

[0115] For example, in one implementation, the behavior detection method could first use the FreeSpan association algorithm to obtain important behaviors related to each type of attack, acquiring more important feature information that can identify the attack type. Then, hook probes are embedded at specified locations in the program. These specified locations can be locations determined by human experience or locations associated with the attack type based on the association analysis results of S1. Instrumentation technology can acquire dynamic and static feature information during program execution, and finally, the features (over a period of time) are fused. This makes the acquired features more comprehensive, avoiding the omission of some important dynamic information. Secondly, oversampling is performed on the minority sample set. Specifically, by weighting the cluster capacity and inter-class distance, the number of samples to be synthesized for the minority class samples is scientifically determined, and different synthesis strategies are used for samples in minority class clusters with different sparsity to synthesize new samples. This reduces the generation of noise points and the difference between the new samples and the real samples. Finally, a random forest model is trained on the oversampled dataset to obtain the final detection model, resulting in higher model detection accuracy.

[0116] Figure 6 This illustration schematically depicts a behavior detection device provided in an embodiment of the present disclosure, such as... Figure 6 As shown, the device 50 may include:

[0117] The first acquisition module 501 is used to acquire relevant behavioral information of the target application during runtime that is associated with a preset attack type using a preset association algorithm;

[0118] The acquisition module 502 is used to acquire dynamic and static feature information during the operation of the target application based on the relevant behavioral information.

[0119] The fusion module 503 is used to fuse the dynamic feature information, the static feature information, and the relevant behavioral information to obtain the target feature vector of the target application;

[0120] The detection module 504 is used to detect the target feature vector of the target application using a pre-trained attack detection model, and determine the detection result of the target application; the pre-trained attack detection model is trained using a first sample set and a second sample set; the first sample set is obtained by processing a third sample set using a preset oversampling method;

[0121] The first determining module 505 is used to determine a response strategy for the target application based on the detection results.

[0122] In summary, the behavior detection method provided by this invention can first use a preset association algorithm to obtain relevant behavior information associated with a preset attack type during the runtime of a target application. Based on the relevant behavior information, dynamic and static feature information during the runtime of the target application is collected. The dynamic feature information, static feature information, and relevant behavior information are fused to obtain the target feature vector of the target application. The target feature vector of the target application is detected by a pre-trained attack detection model to determine the detection result of the target application. The pre-trained attack detection model is trained using a first sample set and a second sample set. The first sample set is obtained by processing a third sample set using a preset oversampling method. The response strategy for the target application is determined based on the detection result. In this way, on the one hand, the association algorithm is used to obtain important behavioral features related to the attack type, and the associated behavioral features are combined with the attack's own features to avoid the omission of important feature information and unnecessary data entry. Moreover, compared with the traditional request-based static feature recognition, the introduction of dynamic features during program execution and the combination of static and dynamic features improve the accuracy. On the other hand, the new samples synthesized by oversampling for the small sample set make the new samples more reasonable, reduce unnecessary computation, reduce the generation of noise points and the difference between the new samples and the real samples, avoid the accuracy problem caused by the model's insufficient learning of attack features from the small sample set, improve accuracy, and reduce false negatives and false positives.

[0123] Optionally, the first acquisition module 501 is further configured to:

[0124] At the application running location indicated by the preset attack type, the preset association algorithm is used to compare the behavioral information of the target application during runtime with the attack behavior information corresponding to the preset attack type, and obtain the relevant behavioral information associated with the attack behavior information during the target application runtime.

[0125] Optionally, the acquisition module 502 is further configured to:

[0126] Based on the time period corresponding to the relevant behavioral information, collect the dynamic feature information and the static feature information during the operation of the target application within the same time period.

[0127] Optionally, the device 50 further includes:

[0128] The analysis module is used to perform cluster analysis on the second sample set and the third sample set according to the preset oversampling method, and obtain the sub-cluster partitioning results corresponding to the second sample set and the sub-cluster partitioning results corresponding to the third sample set;

[0129] The calculation module is used to calculate the inter-class distance between the sub-cluster partitioning results corresponding to the second sample set and the sub-cluster partitioning results corresponding to the third sample set, and to determine the number of samples to be synthesized in the third sample set.

[0130] The synthesis module is used to synthesize a new sample from the third sample set based on the number of samples to be synthesized and a preset synthesis strategy, thereby obtaining the first sample set.

[0131] Optionally, the synthesis module is further configured to:

[0132] Based on the sub-cluster partitioning results corresponding to the third sample set, the inter-class distance is calculated to determine the preset synthesis strategy corresponding to the third sample set;

[0133] The first sample set for synthesizing new samples is determined by calculating the sub-cluster partitioning result corresponding to the third sample set and the number of samples to be synthesized using a preset synthetic sample formula.

[0134] Optionally, the device 50 further includes:

[0135] The second acquisition module is used to acquire the sample feature vectors corresponding to the first sample set and the sample feature vectors corresponding to the second sample set, as well as the corresponding real detection results.

[0136] The second determining module is used to treat the sample feature vector and the real detection result as a training sample pair;

[0137] The training module is used to iteratively train the attack detection model using training samples to obtain the pre-trained attack detection model whose output sample detection results match the real detection results.

[0138] Optionally, the first determining module 505 is further configured to:

[0139] If the detection result indicates an attack, then the service of the target application will be denied.

[0140] If the detection result is not an attack, the service of the target application will respond normally.

[0141] The specific details of each module in the aforementioned behavior detection device have been described in detail in the corresponding behavior detection methods, so they will not be repeated here.

[0142] It should be noted that although several modules or units for the device used to perform actions have been mentioned in the detailed description above, this division is not mandatory. In fact, according to embodiments of this disclosure, the features and functions of two or more modules or units described above can be embodied in one module or unit. Conversely, the features and functions of one module or unit described above can be further divided and embodied by multiple modules or units.

[0143] Furthermore, although the steps of the method in this disclosure are described in a specific order in the accompanying drawings, this does not require or imply that the steps must be performed in that specific order, or that all the steps shown must be performed to achieve the desired result. Additional or alternative steps may be omitted, multiple steps may be combined into one step, and / or a step may be broken down into multiple steps.

[0144] In an exemplary embodiment of this disclosure, an electronic device capable of implementing the above-described method is also provided.

[0145] Those skilled in the art will understand that various aspects of this disclosure can be implemented as a system, method, or program product. Therefore, various aspects of this disclosure can be specifically implemented in the following forms: a completely hardware implementation, a completely software implementation (including firmware, microcode, etc.), or a combination of hardware and software aspects, collectively referred to herein as a "circuit," "module," or "system."

[0146] The following reference Figure 7 To describe an electronic device 600 according to such an embodiment of the present disclosure. Figure 7 The electronic device 600 shown is merely an example and should not impose any limitation on the functionality and scope of use of the embodiments disclosed herein.

[0147] like Figure 7 As shown, the electronic device 600 is manifested in the form of a general-purpose computing device. The components of the electronic device 600 may include, but are not limited to: at least one processing unit 610, at least one storage unit 620, a bus 630 connecting different system components (including storage unit 620 and processing unit 610), and a display unit 640.

[0148] The storage unit stores program code that can be executed by the processing unit 610, causing the processing unit 610 to perform the steps described in the "Exemplary Methods" section of this specification according to various exemplary embodiments of this disclosure. For example, the processing unit 610 can perform actions such as... Figure 1The steps shown are as follows: Step S101: Obtain relevant behavioral information associated with a preset attack type during the runtime of the target application using a preset association algorithm; Step S102: Based on the relevant behavioral information, collect dynamic and static feature information during the runtime of the target application; Step S103: Fuse the dynamic feature information, the static feature information, and the relevant behavioral information to obtain the target feature vector of the target application; Step S104: Detect the target feature vector of the target application using a pre-trained attack detection model to determine the detection result of the target application; The pre-trained attack detection model is trained using a first sample set and a second sample set; The first sample set is obtained by processing a third sample set using a preset oversampling method; Step S105: Determine the response strategy for the target application based on the detection result.

[0149] Storage unit 620 may include a readable medium in the form of a volatile storage unit, such as random access memory (RAM) 6201 and / or cache memory 6202, and may further include a read-only memory (ROM) 6203.

[0150] Storage unit 620 may also include a program / utility 6204 having a set (at least one) program module 6205, such program module 6205 including but not limited to: operating system, one or more application programs, other program modules and program data, each or some combination of these examples may include an implementation of a network environment.

[0151] Bus 630 can represent one or more of several types of bus structures, including a memory cell bus or memory cell controller, a peripheral bus, a graphics acceleration port, a processing unit, or a local bus using any of the various bus structures.

[0152] Electronic device 600 can also communicate with one or more external devices 700 (e.g., keyboard, pointing device, Bluetooth device, etc.), and with one or more devices that enable a user to interact with electronic device 600, and / or with any device that enables electronic device 600 to communicate with one or more other computing devices (e.g., router, modem, etc.). This communication can be performed via input / output (I / O) interface 650. Furthermore, electronic device 600 can also communicate with one or more networks (e.g., local area network (LAN), wide area network (WAN), and / or public networks, such as the Internet) via network adapter 660. As shown, network adapter 660 communicates with other modules of electronic device 600 via bus 630. It should be understood that, although not shown in the figures, other hardware and / or software modules can be used in conjunction with electronic device 600, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems.

[0153] From the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein can be implemented by software or by combining software with necessary hardware. Therefore, the technical solutions according to the embodiments of this disclosure can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (such as a CD-ROM, USB flash drive, external hard drive, etc.) or on a network, including several instructions to cause a computing device (such as a personal computer, server, terminal device, or network device, etc.) to execute the methods according to the embodiments of this disclosure.

[0154] In exemplary embodiments of this disclosure, a computer-readable storage medium is also provided, on which a program product capable of implementing the methods described above is stored. In some possible implementations, various aspects of this disclosure may also be implemented as a program product including program code that, when the program product is run on a terminal device, causes the terminal device to perform the steps of the various exemplary embodiments of this disclosure described in the "Exemplary Methods" section above.

[0155] The program product for implementing the above-described method according to embodiments of the present disclosure may employ a portable compact disc read-only memory (CD-ROM) and include program code, and may run on a terminal device, such as a personal computer. However, the program product of the present disclosure is not limited thereto. In this document, the readable storage medium may be any tangible medium containing or storing a program that may be used by or in conjunction with an instruction execution system, apparatus, or device.

[0156] The program product may employ any combination of one or more readable media. A readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination thereof. More specific examples of readable storage media (a non-exhaustive list) include: an electrical connection having one or more wires, a portable disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination thereof.

[0157] Computer-readable signal media may include data signals propagated in baseband or as part of a carrier wave, carrying readable program code. Such propagated data signals may take various forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination thereof. A readable signal medium may also be any readable medium other than a readable storage medium, capable of sending, propagating, or transmitting programs for use by or in conjunction with an instruction execution system, apparatus, or device.

[0158] The program code contained on the readable medium may be transmitted using any suitable medium, including but not limited to wireless, wired, optical fiber, RF, etc., or any suitable combination thereof.

[0159] Program code for performing the operations of this disclosure can be written in any combination of one or more programming languages, including object-oriented programming languages ​​such as Java and C++, and conventional procedural programming languages ​​such as C or similar languages. The program code can execute entirely on the user's computing device, partially on the user's computing device, as a standalone software package, partially on the user's computing device and partially on a remote computing device, or entirely on a remote computing device or server. In cases involving remote computing devices, the remote computing device can be connected to the user's computing device via any type of network, including a local area network (LAN) or a wide area network (WAN), or it can be connected to an external computing device (e.g., via the Internet using an Internet service provider).

[0160] Furthermore, the above figures are merely illustrative of the processes included in the method according to exemplary embodiments of this disclosure and are not intended to be limiting. It is readily understood that the processes shown in the above figures do not indicate or limit the temporal order of these processes. Additionally, it is readily understood that these processes may be executed synchronously or asynchronously, for example, in multiple modules.

[0161] Other embodiments of this disclosure will readily occur to those skilled in the art upon consideration of the specification and practice of the invention described herein. This application is intended to cover any variations, uses, or adaptations of this disclosure that follow the general principles of this disclosure and include common knowledge or customary techniques in the art not invented by this disclosure. The specification and embodiments are to be considered exemplary only, and the true scope and spirit of this disclosure are indicated by the claims.

Claims

1. A behavior detection method, characterized in that, The method includes: Use a preset association algorithm to obtain relevant behavioral information of the target application during runtime that is associated with a preset attack type; Based on the relevant behavioral information, dynamic and static feature information during the operation of the target application is collected; The target feature vector of the target application is obtained by fusing the dynamic feature information, the static feature information, and the relevant behavioral information. The target feature vector of the target application is detected by a pre-trained attack detection model to determine the detection result of the target application; the pre-trained attack detection model is trained using a first sample set and a second sample set; the first sample set is obtained by processing a third sample set using a preset oversampling method; Based on the detection results, a response strategy for the target application is determined; The process of obtaining the first sample set is as follows: Cluster analysis is performed on the second sample set and the third sample set according to the preset oversampling method to obtain the sub-cluster partitioning results corresponding to the second sample set and the sub-cluster partitioning results corresponding to the third sample set; Calculate the inter-class distance between the sub-cluster partitioning results corresponding to the second sample set and the sub-cluster partitioning results corresponding to the third sample set, and determine the number of samples to be synthesized in the third sample set; Based on the number of samples to be synthesized and the preset synthesis strategy, the third sample set is used to form a new sample set, thus obtaining the first sample set.

2. The method according to claim 1, characterized in that, The step of obtaining relevant behavioral information related to the target application's runtime and the preset attack type using a preset association algorithm includes: At the application running location indicated by the preset attack type, the preset association algorithm is used to compare the behavioral information of the target application during runtime with the attack behavior information corresponding to the preset attack type, and obtain the relevant behavioral information associated with the attack behavior information during the target application runtime.

3. The method according to claim 1, characterized in that, The step of collecting dynamic and static feature information during the operation of the target application based on the relevant behavioral information includes: Based on the time period corresponding to the relevant behavioral information, collect the dynamic feature information and the static feature information during the operation of the target application within the same time period.

4. The method according to claim 1, characterized in that, The step of synthesizing the third sample set into a new sample set based on the number of samples to be synthesized and a preset synthesis strategy to obtain the first sample set includes: Based on the sub-cluster partitioning results corresponding to the third sample set, the inter-class distance is calculated to determine the preset synthesis strategy corresponding to the third sample set; The first sample set for synthesizing new samples is determined by calculating the sub-cluster partitioning result corresponding to the third sample set and the number of samples to be synthesized using a preset synthetic sample formula.

5. The method according to claim 1, characterized in that, The method further includes: Obtain the sample feature vectors corresponding to the first sample set and the sample feature vectors corresponding to the second sample set, as well as the corresponding actual detection results; The sample feature vector and the real detection result are used as a training sample pair; The attack detection model is iteratively trained using training samples to obtain a pre-trained attack detection model whose output sample detection results match the actual detection results.

6. The method according to claim 1, characterized in that, The step of determining a response strategy for the target application based on the detection results includes: If the detection result indicates an attack, then the service of the target application will be denied. If the detection result is not an attack, the service of the target application will respond normally.

7. A behavior detection device, characterized in that, The device includes: The first acquisition module is used to acquire relevant behavioral information of the target application during runtime that is associated with a preset attack type using a preset association algorithm; The acquisition module is used to acquire dynamic and static feature information during the operation of the target application based on the relevant behavioral information. The fusion module is used to fuse the dynamic feature information, the static feature information, and the relevant behavioral information to obtain the target feature vector of the target application; The detection module is used to detect the target feature vector of the target application using a pre-trained attack detection model and determine the detection result of the target application. The pre-trained attack detection model is trained using a first sample set and a second sample set. The first sample set is obtained by processing a third sample set using a preset oversampling method. The process of obtaining the first sample set is as follows: performing cluster analysis on the second sample set and the third sample set according to the preset oversampling method to obtain the sub-cluster partitioning results corresponding to the second sample set and the third sample set; calculating the inter-class distance between the sub-cluster partitioning results corresponding to the second sample set and the third sample set to determine the number of samples to be synthesized in the third sample set; and synthesizing the third sample set into new samples based on the number of samples to be synthesized and a preset synthesis strategy to obtain the first sample set. The first determining module is used to determine a response strategy for the target application based on the detection results.

8. A computer-readable storage medium having a computer program stored thereon, characterized in that, When the computer program is executed by a processor, it implements the behavior detection method according to any one of claims 1-6.

9. An electronic device, characterized in that, include: processor; as well as Memory for storing the executable instructions of the processor; The processor is configured to execute the behavior detection method of any one of claims 1-6 by executing the executable instructions.