A data anomaly detection method, device and electronic equipment
By employing a data anomaly detection method based on sampling and multi-dimensional risk assessment, this approach addresses the performance and security issues in existing technologies for detecting novel ransomware. It enables rapid and flexible data security detection, thereby improving the overall performance and security of electronic devices.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- LIAONING MOBILE COMM
- Filing Date
- 2026-03-17
- Publication Date
- 2026-06-26
AI Technical Summary
Existing security threat signature databases are insufficient to cover new types of ransomware, causing electronic devices to confuse normal file operations when detecting malicious encryption behavior, consuming a lot of system resources, reducing device performance, and making it difficult to ensure data security.
By sampling data from the stored data of electronic devices, compression ratio anomaly detection and multi-dimensional risk assessment are performed, including change pattern detection and static feature detection, to determine whether the data has been maliciously encrypted or other abnormal situations, thus avoiding reliance on traditional entropy calculation.
It enables flexible and rapid data security detection, adapts to new threats, avoids the significant performance overhead of traditional methods, and improves the overall performance of the device and data security.
Smart Images

Figure CN122293371A_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of data security technology, specifically to a data anomaly detection method, apparatus, and electronic device. Background Technology
[0002] Currently, data security threats to electronic devices are becoming increasingly severe, especially with the rapid evolution of ransomware that maliciously encrypts files to extort money. Existing security threat signature databases are struggling to cover the ever-emerging new threats through signature matching. However, continuous real-time monitoring can easily confuse normal file operations with malicious encryption behavior, consuming significant system resources of electronic devices in the process. This not only reduces the overall performance of electronic devices but also makes it difficult to ensure data security. Summary of the Invention
[0003] This application discloses a data anomaly detection method, apparatus, and electronic device, which can achieve data security monitoring through data compression ratio anomaly detection, thereby helping to improve the data security of electronic devices while ensuring the overall performance stability of the electronic devices.
[0004] The first aspect of this application discloses a data anomaly detection method applied to an electronic device, the method comprising: Data to be detected is obtained by sampling from the stored data of the electronic device; A risk assessment is performed on the data to be tested to obtain a risk assessment result corresponding to the data to be tested; wherein, the risk assessment includes at least the detection of compression ratio anomalies in the data to be tested; Based on the risk assessment results, the abnormal data status of the electronic device is determined.
[0005] A second aspect of this application discloses a data anomaly detection device, applied to an electronic device, the device comprising: A sampling unit is used to obtain the data to be detected from the stored data of the electronic device by sampling. An evaluation unit is used to perform a risk assessment on the data to be tested and obtain a risk assessment result corresponding to the data to be tested; wherein, the risk assessment includes at least the detection of compression ratio anomalies in the data to be tested; The determining unit is used to determine the abnormal data status of the electronic device based on the risk assessment results.
[0006] The third aspect of this application discloses an electronic device, including a memory and a processor. The memory stores a computer program, and when the computer program is executed by the processor, the processor enables the processor to implement any of the data anomaly detection methods disclosed in the first aspect of this application.
[0007] The fourth aspect of this application discloses a computer-readable storage medium having a computer program stored thereon, wherein the computer program, when executed by a processor, implements any of the data anomaly detection methods disclosed in the first aspect of this application.
[0008] Compared with related technologies, the embodiments of this application have the following beneficial effects: In this embodiment, by sampling and obtaining the data to be detected from the stored data of the electronic device, a risk assessment can be further performed on the data to be detected to obtain the risk assessment result corresponding to the data to be detected. The risk assessment can at least include detection of anomalies in the compression ratio of the data to be detected. Based on this, the abnormal data state of the electronic device can be determined according to the risk assessment result. Therefore, by implementing this embodiment, the entropy value of the stored data can be indirectly assessed by detecting the data compression ratio of the data stored in the electronic device, thereby determining whether the stored data has been maliciously encrypted, resulting in an abnormal entropy value, and thus determining whether the electronic device has data security risks. This data anomaly detection method can completely eliminate the dependence on security threat signature databases, flexibly and quickly achieve data security detection to adaptively respond to various new security threats; it also avoids the large performance overhead required to completely read the stored data in the traditional entropy value calculation process, thus helping to improve the data security of the electronic device while ensuring the overall performance stability of the electronic device. Attached Figure Description
[0009] Figure 1 This is a schematic diagram of a tree-like storage structure used in an electronic device disclosed in an embodiment of this application; Figure 2 This is a flowchart illustrating a data anomaly detection method disclosed in an embodiment of this application; Figure 3 This is a flowchart illustrating another data anomaly detection method disclosed in an embodiment of this application; Figure 4 This is a flowchart illustrating another data anomaly detection method disclosed in the embodiments of this application; Figure 5 This is a schematic diagram of the parsing process of the data anomaly detection method disclosed in the embodiments of this application; Figure 6 This is a schematic diagram of another parsing process for the data anomaly detection method disclosed in the embodiments of this application; Figure 7 This is a modular schematic diagram of a data anomaly detection device disclosed in an embodiment of this application; Figure 8 This is a modular schematic diagram of an electronic device disclosed in an embodiment of this application. Detailed Implementation
[0010] The technical solutions of the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, and not all embodiments. Based on the embodiments of this application, all other embodiments obtained by those of ordinary skill in the art without creative effort are within the scope of protection of this application.
[0011] It should be noted that the terms "comprising" and "having" and any variations thereof in the embodiments of this application are intended to cover non-exclusive inclusion. For example, a process, method, system, product, or device that includes a series of steps or units is not necessarily limited to those steps or units that are explicitly listed, but may include other steps or units that are not explicitly listed or that are inherent to these processes, methods, products, or devices.
[0012] This application discloses a data anomaly detection method, apparatus, and electronic device, which can achieve data security monitoring through data compression ratio anomaly detection, thereby helping to improve the data security of electronic devices while ensuring the overall performance stability of the electronic devices.
[0013] The following will be described in detail with reference to the accompanying drawings.
[0014] Please see Figure 1 , Figure 1 This is a schematic diagram of a tree-like storage structure used in an electronic device disclosed in an embodiment of this application. For example... Figure 1 As shown, electronic devices can use a three-level tree-like storage structure including root nodes, intermediate nodes, and leaf nodes for data storage, where each node can be distinguished by a different node ID. For example, the root node can be identified by its root node ID (e.g., ...). Figure 1 The NodeID (as shown: N1, N1*, etc.) is used to mark intermediate nodes; intermediate nodes can be identified by their intermediate node ID (e.g., ...). Figure 1 Nodes are labeled using NodeIDs such as N2, N3, etc.; leaf nodes can be identified by their leaf node IDs (e.g., ...). Figure 1 The NodeIDs shown are used to mark the nodes (N6, N7, N8, etc.).
[0015] In some embodiments, different root nodes can be used to distinguish different backup versions of data stored on an electronic device. For example, the electronic device can use a unique system data tree ID (which may be denoted as TreeID) as an identifier to label different backup versions. Figure 1As shown, the data backup version corresponding to time point T1 can be represented by TreeID: T1, and the new data backup version corresponding to time point T2 after the stored data has been modified can be represented by TreeID: T2. TreeID: T1 can correspond to the root node N1, i.e., it is used to mark the system data tree under the root node N1; TreeID: T2 can correspond to the root node N1* after the stored data has been modified, i.e., it is used to mark the system data tree under the root node N1*. It should be noted that the unmodified intermediate nodes and leaf nodes under the root node N1* can be shared from the system data tree T1, i.e., the system data tree under the root node N1.
[0016] Optionally, the root node may also contain node keys to guide the selection of data retrieval paths. Based on this, the intermediate nodes can undertake corresponding data navigation functions, such as comparing numeric keys or using specific hash functions to handle non-numeric key lookups, thus fulfilling the data addressing needs of electronic devices during data storage, modification, and retrieval, thereby helping to improve the data retrieval efficiency of electronic devices.
[0017] Furthermore, the aforementioned leaf nodes can be used to store the data content corresponding to small files, or to store data pointers corresponding to large files. Small files can include files with a data size less than or equal to the node's storage threshold (e.g., 128KB, 256KB, etc.), while large files can include files with a data size greater than the node's storage threshold.
[0018] For example, such as Figure 1 As shown, when a leaf node (N6, for example) is used to store a small file A, its data content can be directly stored in the data brick or data block corresponding to the leaf node N6 (which can be marked by the corresponding chunk identifier). When a leaf node (N7, for example) is used to store a large file B, the leaf node N7 can store a data pointer pointing to the target metadata tree, and at the same time save the corresponding chunk identifier, file permissions and other key metadata information. The target metadata tree pointed to by the aforementioned data pointer, that is, the metadata tree used to store the data content of file B, can directly adopt or inherit from the system data tree T1, and perform data storage, modification and retrieval operations based on the three-level tree storage structure of the system data tree T1.
[0019] In some embodiments, if the file B pointed to by the data pointer stored in leaf node N7 is modified (for example, the data content contained in data brick 2 is modified to obtain the modified data brick 2*), then in the system data tree T2 corresponding to the new data backup version, a data pointer pointing to the new version file B* can be stored through another leaf node N7* to realize the iteration of the data backup version.
[0020] It is evident that such a differentiated storage strategy can ensure the efficiency of small file access and improve the flexibility of large file management. It helps reduce the performance overhead of electronic devices in the process of data storage, modification, and retrieval, and thus helps improve the efficiency of electronic devices in detecting data anomalies.
[0021] It is understood that the aforementioned electronic devices may include various terminal devices or systems with data storage functions, such as smartphones, smart wearable devices, tablets, PCs (Personal Computers), PDAs (Personal Digital Assistants), server hosts, etc., and no specific limitations are made in the embodiments of this application.
[0022] Please see Figure 2 , Figure 2 This is a flowchart illustrating a data anomaly detection method disclosed in an embodiment of this application. This method can be applied to the aforementioned electronic devices. Figure 2 As shown, the method may include the following steps: S202. Obtain the data to be detected from the stored data of the electronic device by sampling.
[0023] In this embodiment of the application, the electronic device can collect data to be detected from the stored data by sampling, and then apply the data to be detected to subsequent anomaly detection steps to further assess the data security risks of the electronic device.
[0024] In some embodiments, the electronic device can obtain a certain amount of data to be detected from all stored data through random sampling. For example, the electronic device can randomly read a corresponding number of data blocks from the stored data based on a preset sampling rate and detection scale, and use them as the data to be detected for this data anomaly detection.
[0025] In other embodiments, the electronic device may also obtain a certain amount of data to be detected from recently modified stored data through sampling. For example, the electronic device may query multiple backup versions of its stored data within a specified time range, and based on the differences or modification records (e.g., modified leaf node IDs) between the latest backup version and one or more previous backup versions, obtain a certain number of modified data blocks to meet a preset sampling rate and detection scale. These data blocks can then be used as the data to be detected for this data anomaly detection.
[0026] S204. Conduct a risk assessment on the data to be tested to obtain the risk assessment result corresponding to the data to be tested; wherein, the risk assessment includes at least the detection of compression ratio anomalies in the data to be tested.
[0027] In this embodiment of the application, the data security risk assessment of the data to be detected can be achieved through one or more anomaly detection processes of different dimensions. The corresponding risk assessment results can be used in subsequent steps to determine the abnormal data state of the electronic device, and then determine whether the electronic device has a data security threat.
[0028] In some embodiments, the risk assessment of the data to be tested may include at least the detection of anomalies in the compression ratio of the data to be tested. For example, by calculating the compression ratio of the data to be tested, the data entropy value corresponding to the data to be tested can be measured based on the calculation results (such as the compression ratio corresponding to the data to be tested, the standardized compression ratio, or other indicators further calculated based on the above compression ratio) to assess its data randomness, thereby determining whether there is a security risk to the data stored in the electronic device (such as the storage data being maliciously encrypted, resulting in an abnormal decrease in compression ratio or an abnormal increase in data entropy value).
[0029] This compression ratio anomaly detection process can indirectly evaluate the data entropy value by sampling a certain amount of the stored data. Compared with the traditional entropy value calculation process, which usually requires reading all the stored data, it can effectively reduce a lot of performance overhead and quickly evaluate the randomness characteristics of the stored data.
[0030] In other embodiments, the risk assessment of the data to be detected may also include change pattern detection, static feature detection, etc., for the data to be detected. For example, by calculating the data change rate corresponding to the data to be detected (e.g., the proportion of stored data that has been modified within a specified time window to all stored data), the corresponding change pattern detection result can be determined; by calculating the change score corresponding to the data permissions (e.g., file read / write permissions, modification permissions, etc.) and data features (e.g., file extensions, metadata features, etc.) of the data to be detected, the corresponding total static feature score can be further calculated and used as the corresponding static feature detection result.
[0031] Optionally, the anomaly detection processes of the different dimensions described above can be performed simultaneously. This allows for comprehensive multi-dimensional analysis and decision-making to complete the risk assessment of the data to be detected, yielding the corresponding risk assessment result. Further, alternatively, one or more of the above-mentioned anomaly detection processes of different dimensions can be selected as needed, and the data security risks corresponding to the data to be detected can be comprehensively analyzed based on the corresponding anomaly detection results. This application does not impose specific limitations on these methods.
[0032] S206. Based on the above risk assessment results, determine the abnormal data status of the electronic equipment.
[0033] In this application embodiment, the abnormal data status of the electronic device can be used to indicate whether the data stored in the electronic device has been maliciously encrypted or other abnormal situations. Based on this, it can be determined whether the electronic device has corresponding data security risks and whether further security maintenance measures need to be implemented.
[0034] For example, the risk assessment result corresponding to the data to be detected may include a risk indicator value. After obtaining the risk indicator value, the electronic device can compare it with a preset risk threshold. If the risk indicator value exceeds the risk threshold, it can be determined that the stored data of the electronic device is abnormal, and the electronic device can then perform corresponding alarms and data recovery operations; if the risk indicator value does not exceed the risk threshold, it can be determined that the stored data of the electronic device is normal, and the electronic device can then record the data anomaly detection result and archive it normally.
[0035] In some embodiments, the aforementioned risk indicator values may include the data entropy value corresponding to the data to be detected. The risk threshold may then include a preset entropy threshold to determine the data security risk based on the sampled data entropy value of the stored data. In other embodiments, the aforementioned risk indicator values may also include the data change rate, static feature change score, etc., corresponding to the data to be detected. The risk threshold may then include corresponding thresholds for each dimension, or a multi-dimensional comprehensive threshold; no specific limitation is made in this embodiment. Based on this, the data security risk of stored data can be determined based on risk indicators in one or more different dimensions. This facilitates combining the multi-dimensional characteristics of stored data, improving the accuracy of data anomaly detection, and effectively reducing the false alarm rate of electronic devices.
[0036] As can be seen, the data anomaly detection method described in the above embodiments can indirectly assess the entropy value of the stored data by detecting the data compression rate of the data stored in the electronic device. This allows for the determination of whether the stored data has been maliciously encrypted, leading to an abnormal entropy value, and thus, whether the electronic device poses a data security risk. This data anomaly detection method completely eliminates the reliance on security threat signature databases, enabling flexible and rapid data security detection to adaptively respond to various emerging security threats. Furthermore, it avoids the significant performance overhead required to fully read the stored data during traditional entropy value calculation, thereby improving the data security of the electronic device while ensuring its overall performance stability.
[0037] Please see Figure 3 , Figure 3This is a flowchart illustrating another data anomaly detection method disclosed in an embodiment of this application, which can be applied to the aforementioned electronic device. Figure 3 As shown, the method may include the following steps: S302. Obtain the data to be tested from the stored data of the electronic device by sampling.
[0038] Step S302 is similar to step S202 above, and will not be described again here.
[0039] S304. Calculate the compression ratio index for the data to be tested, and based on the calculation results, determine the data entropy value evaluation result corresponding to the data to be tested.
[0040] In this embodiment, the electronic device can indirectly assess the entropy value of the stored data by calculating the compression ratio of the data to be detected, thereby obtaining the corresponding data entropy value assessment result. This data entropy value assessment result can be used to evaluate the randomness of the data to be detected and even the overall stored data, and in subsequent steps, further determine the risk assessment result corresponding to the data to be detected, thus completing the detection of sampling anomalies in the stored data.
[0041] In some embodiments, the compression ratio calculation of the data to be detected by the electronic device can be achieved through a unified evaluation model. For example, the electronic device can first determine the unified score result corresponding to the data to be detected through a unified evaluation function; then, based on the unified score result, the target prediction result corresponding to the unified score result can be determined through a pre-built unified evaluation model, which serves as the data entropy value evaluation result corresponding to the data to be detected.
[0042] Optionally, the unified evaluation function described above can be an evaluation function defined based on the compression ratio index C, the entropy index E, and the randomness index R. For example, the entropy index E can be calculated as shown in Formula 1, the compression ratio index C can be calculated as shown in Formula 2, and the randomness index R can be calculated as shown in Formula 3.
[0043] Formula 1:
[0044] In Formula 1 above, Let represent the probability that the i-th data point in the data to be detected takes the j-th case (i.e., the observed or measured value), where Where m is a positive integer. In some embodiments, the i-th data can correspond to the i-th data block in the data to be detected, and then, based on the statistical situation of different values of the data block, it can be based on probability. Comprehensive calculation of the corresponding entropy index .
[0045] Formula 2:
[0046] Specifically, this refers to the i-th data (e.g., the i-th data block in the data to be detected). It can represent the size of its original data. It can represent the size of the compressed data; the compression ratio obtained by dividing the two can be used as the corresponding compression rate index. .
[0047] Formula 3:
[0048] In formula 3 above, It can represent each sampled data The average value is then used to calculate the possible values for the i-th data (e.g., the i-th data block in the data to be detected). The corresponding sample variance can be used as an indicator of randomness. .in, , where n is a positive integer.
[0049] In some embodiments, the entropy index E, the compression ratio index C, and the randomness index R can all be calculated through standardization to obtain the corresponding standardized entropy index E*, standardized compression ratio index C*, and standardized randomness index R*. For example, if A is used to represent the above-mentioned entropy index E, compression ratio index C, or randomness index R, the corresponding standardization calculation can be as shown in Formula 4 below.
[0050] Formula 4:
[0051] Based on this, the unified score result S corresponding to the data to be detected can be calculated by using a unified evaluation function as shown in Formula 5 below.
[0052] Formula 5:
[0053] Among them, the above , , For adaptive weights, the constraints must be met. and Specifically, the calculation methods for the aforementioned adaptive weights can be shown in formulas 6, 7, and 8 below.
[0054] Formula 6:
[0055] Formula 7:
[0056] Formula 8:
[0057] In formulas 6, 7, and 8 above, k is the traversal index, and this calculation method can be used to implement Softmax normalization.
[0058] Based on this, by adopting a preset adaptive threshold The unified scoring result S can be evaluated, and then a unified evaluation model can be used to determine the target prediction result corresponding to the unified scoring result S, which serves as the data entropy value evaluation result corresponding to the data to be detected. For example, the unified evaluation model can be based on the target prediction function. The constructed, and through adaptive threshold After applying a threshold to the uniform score result S, different methods can be used to determine the target prediction function based on the threshold result. .
[0059] In some embodiments, if the unified scoring result S is greater than or equal to a preset adaptive threshold Then the target prediction function By applying multiple prediction functions The weighted fusion is performed to obtain the result; if the unified score S is less than the preset adaptive threshold... Then the target prediction function By applying multiple prediction functions The average value is calculated. Among them, each prediction function... Each of these can be associated with the i-th data point in the data to be detected. Specifically, the above target prediction function... The determination method can be shown in Formula 9 below.
[0060] Formula 9:
[0061] As shown in Formula 10 below, By applying multiple prediction functions The weights are obtained by weighted fusion. It can then be calculated based on the unified scoring result S as shown in Formula 11 below, and the constraints are satisfied. and .
[0062] Formula 10:
[0063] Formula 11:
[0064] As an optional implementation, the i-th preset adaptive threshold It can be based on a unified scoring result Corresponding average rating Standard deviation of rating And adjustable parameters The result can be calculated as shown in Formula 12 below.
[0065] Formula 12:
[0066] As an optional implementation, the unified evaluation model described above can also employ an appropriate loss function to measure the optimization objective. Optionally, the loss function used by the unified evaluation model may include at least a first loss term corresponding to the compression ratio index C, a second loss term corresponding to the entropy index E, a third loss term corresponding to the stochasticity index R, and / or a prediction loss term. For example, the loss function L may be as shown in Equation 13 below.
[0067] Formula 13:
[0068] in, , , , All parameters are adjustable, and the first loss term corresponds to the compression ratio index C. The second loss term corresponding to the entropy index E The third loss term corresponding to the stochastic index R and predicted loss items These can be shown in formulas 14, 15, 16, and 17 below, respectively.
[0069] Formula 14:
[0070] Formula 15:
[0071] Formula 16:
[0072] Formula 17:
[0073] in, , This can correspond to the optimization objective of the corresponding loss term. For sampled data The corresponding objective prediction function prediction result (i.e., the objective prediction result corresponding to the unified score result S mentioned above). It should be noted that each of the above loss terms must also satisfy the constraints. , as well as .
[0074] Alternatively, the aforementioned unified evaluation model can also incorporate comprehensive performance indicators. Stability indicators Various model indicators, including [list of indicators], were evaluated. and These represent the standard deviation and mean of the comprehensive performance index P, respectively. This evaluation comprehensively measures the performance level of the unified evaluation model, facilitating real-time monitoring and timely improvement of model performance, and enhancing the stability of data anomaly detection in electronic devices.
[0075] S306. Based on the data entropy value assessment results, determine the risk assessment results corresponding to the data to be tested.
[0076] In this embodiment of the application, the risk assessment result corresponding to the data to be detected can be represented by a risk index value. This risk index value can be used to compare with a preset risk threshold in subsequent steps to further determine the abnormal data status of the electronic device.
[0077] In some embodiments, the data entropy assessment result may include the data entropy value corresponding to the data to be detected, and the preset risk threshold of the electronic device may include a preset entropy threshold. Based on this, the data entropy value can be directly used as the risk assessment result corresponding to the data to be detected, that is, directly used as a risk indicator value for subsequent comparison with the preset entropy threshold.
[0078] In other embodiments, the aforementioned data entropy assessment result may also include entropy index data determined based on the data entropy value corresponding to the data to be detected, or determined comprehensively by combining the data entropy value, and the preset risk threshold of the electronic device may include preset index thresholds. Based on this, the aforementioned entropy index data can be subjected to necessary analysis and processing to obtain a risk index value for subsequent comparison with the aforementioned index thresholds, serving as the risk assessment result corresponding to the data to be detected.
[0079] S308. Compare the above risk assessment results with the preset risk threshold, and determine the abnormal data status of the electronic device based on the comparison results.
[0080] S3101. If the abnormal data status indicates that the stored data of the electronic device is normal, record the normal test result; or, S3102. When the data anomaly status indicates that there is an anomaly in the stored data of the electronic device, trigger the electronic device to issue an alarm and perform a data recovery operation.
[0081] Steps S308, S3101, and S3102 are similar in some implementations to step S206 described above. It should be noted that by comparing the risk assessment results with a preset risk threshold, the electronic device can use simple threshold calculations to determine whether its stored data is abnormal, particularly including abnormal data entropy values, thereby determining whether the electronic device has been subjected to security threats such as malicious encryption. When the electronic device is subjected to a security threat, an alarm can be issued promptly, and data recovery operations can be performed using an appropriate data backup version; otherwise, the data anomaly detection result can be recorded and archived normally, thus realizing a complete data anomaly detection process.
[0082] As can be seen, the data anomaly detection method described in the above embodiments can indirectly assess the entropy value of stored data by detecting the data compression rate of the data stored in the electronic device. This allows for the determination of whether the stored data has been maliciously encrypted, leading to abnormal entropy values, and thus, whether the electronic device poses a data security risk. This data anomaly detection method can flexibly and quickly achieve data security detection while avoiding the significant performance overhead required in traditional entropy value calculations. It helps to improve the data security of electronic devices while ensuring overall performance stability. Furthermore, by introducing entropy and randomness indicators in conjunction with the compression rate indicator for unified evaluation, a comprehensive analysis of the data entropy level corresponding to the data to be detected can be achieved, further improving the accuracy of entropy value assessment of stored data and thus enhancing the accuracy of data anomaly detection in electronic devices.
[0083] Please see Figure 4 , Figure 4 This is a flowchart illustrating another data anomaly detection method disclosed in an embodiment of this application, which can be applied to the aforementioned electronic devices. Figure 4 As shown, the method may include the following steps: S402. Obtain the data to be detected from the stored data of the electronic device by sampling.
[0084] Step S402 is similar to step S202 above, and will not be described again here.
[0085] S404. Calculate the compression ratio index for the data to be tested, and determine the data entropy value evaluation result corresponding to the data to be tested based on the calculation result.
[0086] Step S404 is similar to step S304 above, and will not be described again here.
[0087] S406. Perform change pattern detection on the data to be detected to obtain the target change rate corresponding to the data to be detected.
[0088] In this embodiment, by detecting change patterns in the data to be detected, the changing trends of the stored data can be analyzed and determined, more effectively identifying security threats such as malicious encryption that may be posed to the electronic device. In some embodiments, the electronic device can also establish a dynamic benchmark evaluation mechanism based on historical data (i.e., data backup versions for a specified historical period, such as data backup versions from one week ago or one month ago). By querying and analyzing the historical patterns, seasonal trends, and current rate of change of the data to be detected, a target change index is comprehensively determined to determine whether the electronic device has abnormal data modification behavior.
[0089] For example, the aforementioned target change index may include the target change rate corresponding to the data to be detected. Specifically, the electronic device may calculate the target change rate (i.e., Change Rate, which may be denoted as CR) based on the first data volume (which may be denoted as NumChangedFiles) corresponding to the data that has changed in the aforementioned data to be detected within the target window period, and the second data volume (which may be denoted as TotalFiles) corresponding to the data to be detected, as shown in Formula 18 below.
[0090] Formula 18:
[0091] Wherein, TimeWindow can represent the duration of the aforementioned target window period. Based on this, as shown in Formula 19 below, the electronic device can further adjust the target change rate CR for seasonal deviation based on the seasonal adjustment factor, and use the adjusted target change rate as the target change rate (i.e., Adjusted ChangeScore, which can be denoted as ACS) corresponding to the data to be detected.
[0092] Formula 19:
[0093] Where w2 is the weighting coefficient for the change pattern dimension (e.g., it can be set to 0.35, etc., without specific limitation), HR can represent the historical average change rate, and SF can represent the seasonal adjustment factor.
[0094] S408. Perform static feature detection on the data to be detected to obtain the target static feature score corresponding to the data to be detected.
[0095] In this embodiment of the application, by performing static feature detection on the data to be detected, it is possible to further analyze the changing trends of the stored data in more dimensions based on the data permissions (such as file read and write permissions, modification permissions, etc.) and data characteristics (such as file extensions, metadata characteristics, etc.) of the data to be detected, thereby enabling comprehensive and sensitive identification of security threats such as malicious encryption that electronic devices may be subjected to.
[0096] For example, the electronic device can calculate the Permission Change Score (PCS) based on the third data volume corresponding to the data in the data to be detected that has undergone permission changes, as shown in Formula 20 below; it can also calculate the Feature Change Score (FFS) based on the fourth data volume corresponding to the data in the data to be detected that has undergone feature changes, as shown in Formula 21 below.
[0097] Formula 20:
[0098] Formula 21:
[0099] Among them, w3_1, w3_2, and w3_3 are the weight coefficients of different sub-features of the static feature dimension, NumPermissionChanges can represent the amount of data in the data to be detected that has undergone permission changes (i.e., the third data amount mentioned above), NumExtensionChanges can represent the amount of data in the data to be detected that has undergone extension changes, and NumMetadateChanges can represent the amount of data in the data to be detected that has undergone metadata changes (the latter two can correspond to the fourth data amount mentioned above).
[0100] Based on this, the electronic device can calculate the target static feature score (i.e., Static Score, which can be denoted as SS) corresponding to the data to be detected according to the aforementioned permission change score PCS and feature change score FFS, as shown in the following formula 22.
[0101] Formula 22:
[0102] Where w3 is the total weight coefficient of the static feature dimension (for example, it can be set to 0.25, etc., without specific limitation).
[0103] S410. Based on the above data entropy value evaluation results, target change rate, and target static feature score, determine the risk assessment results corresponding to the data to be detected.
[0104] In some embodiments, the risk assessment result corresponding to the data to be detected may include a comprehensive risk score, which can be calculated by combining the data entropy assessment result, the target change rate, and the target static feature score. For example, as shown in Formula 23 below, the comprehensive risk score (i.e., the Final Risk Score, which can be denoted as FRS) can be obtained by directly adding the data entropy assessment result (i.e., the Entropy Score, which can be denoted as ES), the target change rate CR, and the target static feature score SS.
[0105] Formula 23:
[0106] Optionally, the comprehensive risk score FRS can also be obtained by further weighting and summing the data entropy value assessment result ES, target change rate CR, and target static feature score SS. This allows for the redistribution of the weights of anomaly detection results in different dimensions to adapt to various types of data storage states and achieve data security detection more flexibly.
[0107] S412. Compare the above risk assessment results with the preset risk threshold, and determine the abnormal data status of the electronic device based on the comparison results.
[0108] Step S412 is similar to step S308 described above. It should be noted that, in this embodiment, the comprehensive risk score (FRS) can be compared with a preset risk threshold to further execute subsequent steps S4141 or S4142 based on the comparison result.
[0109] S4141. If the abnormal data status indicates that the stored data of the electronic device is normal, record the normal test result; or, S4142. When the data anomaly status indicates that there is an anomaly in the stored data of the electronic device, trigger the electronic device to issue an alarm and perform a data recovery operation.
[0110] Steps S4141 and S4142 are similar to steps S3101 and S3102 above, and will not be repeated here.
[0111] Please refer to further information. Figure 5 , Figure 5 This is a schematic diagram illustrating the parsing process of the data anomaly detection method disclosed in an embodiment of this application. For example... Figure 5 As shown, after the electronic device acquires the data to be detected through sampling and initializes the necessary detection parameters, the following multi-dimensional anomaly detection and analysis can be performed: Compression ratio anomaly detection includes compression ratio calculation, data entropy value analysis, and data randomness assessment. The obtained data entropy value assessment results can be used to determine whether there is a compression ratio anomaly in the data to be detected. Change pattern detection includes target change rate calculation, change pattern analysis, and seasonal analysis based on historical benchmark comparison. The obtained target change rate can be used to determine whether there are abnormal change patterns in the data to be detected. Static feature detection includes static feature analysis, data permission (e.g., file read / write permissions, modification permissions, etc.) analysis, and data feature (e.g., file extensions, metadata features, etc.) analysis. The obtained target static feature score can be used to determine whether there are static feature anomalies in the data to be detected.
[0112] Based on this, through comprehensive decision-making, the electronic device can record normal test results when the stored data is normal; or, when the stored data is abnormal, it can trigger an alarm and start a data recovery mechanism to perform data recovery operations.
[0113] It is evident that by combining the multi-dimensional features of stored data for anomaly detection, the degree of anomaly in each dimension can be accurately assessed, thereby effectively improving the accuracy of data anomaly detection and providing interpretable risk assessment results, which helps electronic devices respond quickly to implement corresponding security maintenance measures.
[0114] S416. Based on the abnormal data status of the aforementioned electronic devices, calculate the risk false alarm rate.
[0115] S418. Adjust the preset risk threshold based on the risk false alarm rate and the preset target false alarm rate.
[0116] In this embodiment, after the electronic device determines its data anomaly state based on the aforementioned risk assessment results, it can further determine whether the data anomaly state accurately reflects the actual anomaly situation of the stored data and calculate the corresponding false alarm rate. Adjusting the aforementioned preset risk threshold based on this false alarm rate allows for dynamic adjustment of the detection threshold, effectively improving the accuracy of data anomaly detection by the electronic device and thus reducing the false alarm rate.
[0117] For example, as shown in Formula 24 below, the new preset risk threshold Based on the current preset risk threshold This is calculated together with the aforementioned false alarm rate.
[0118] Formula 24:
[0119] Where TargetFPR is the target false positive rate, and CurrentFPR is the current risk false positive rate. The learning rate (e.g., it can be set to 0.1, etc., without specific limitation). Based on this, the electronic device can adjust the preset risk threshold. You can either repeat step S412 above, or start the entire data anomaly detection process again from step S402.
[0120] As an optional implementation, the electronic device can also calculate the confidence level corresponding to the risk assessment result based on the above risk assessment result. For example, after obtaining the above comprehensive risk score (FRS), the electronic device can calculate the detection confidence level of this data anomaly detection using the following formula 25 to determine the reliability of the data anomaly detection result.
[0121] Formula 25:
[0122] in, This is the confidence level adjustment factor (e.g., it can be set to 2, etc., without specific limitation).
[0123] As an optional implementation, after performing step S402 to obtain the data to be detected through sampling, the electronic device can also determine the current sampling rate and the current detection scale for risk assessment based on the data to be detected. Based on this, the electronic device can adjust the current sampling rate as shown in Formula 26 below to obtain the target sampling rate (i.e., Sample Rate, denoted as SR); simultaneously, it can also adjust the current detection scale as shown in Formula 27 below to obtain the target detection scale (i.e., Incremental Check Size, denoted as ICZ).
[0124] Formula 26:
[0125] Formula 27:
[0126] Among them, the target sampling rate SR can be the smaller value between the maximum sampling rate MaxSR and the weighted base sampling rate BaseSR, and SystemLoadFactor is a preset system loading parameter; the target detection size ICZ can be the smaller value between the maximum detection size MaxCheckSize and the weighted optimized detection size ChangedFileSize, and IncrementalFactor is a preset incremental parameter.
[0127] It is understandable that the aforementioned target sampling rate and target detection scale can be used by electronic devices to obtain new data to be detected by sampling from their stored data, thereby facilitating dynamic adjustment of the data anomaly detection process of electronic devices to continuously balance the comprehensive requirements of detection accuracy and overall system performance.
[0128] As an alternative implementation method, please refer to further information. Figure 6 , Figure 6 This is a schematic diagram of another parsing process for the data anomaly detection method disclosed in the embodiments of this application. For example... Figure 6 As shown, the pre-process for data anomaly detection in electronic devices may also include: S602. For backup snapshot data stored in electronic devices, identify duplicate data to be deleted and perform a deletion operation on the duplicate data.
[0129] Step S602 above can be used to perform routine deduplication operations on electronic devices, that is, to perform routine cleanup of backup snapshot data that has exceeded a certain time period by deleting redundant copies of duplicate backups. Based on this, if the deletion operation proceeds normally, it can be determined that the electronic device does not pose a data security risk; otherwise: S604. In the event of an anomaly in the above deletion operation, the data to be detected is obtained from the backup snapshot data by sampling.
[0130] Furthermore, the electronic device can perform the data anomaly detection process disclosed in the above embodiments on the data to be detected, including compression ratio anomaly detection, change mode detection, and static feature detection on the data to be detected, to further determine whether the electronic device has data security risks. For example, consider performing change mode detection and compression ratio anomaly detection on the data to be detected sequentially: S606. Perform change pattern detection on the data to be detected, and determine whether there are any abnormal change patterns in the data to be detected based on the obtained target change rate.
[0131] If the target change rate does not exceed the preset change rate threshold, it can be determined that the electronic device does not pose a data security risk; otherwise: S608. Perform compression ratio anomaly detection on the data to be tested, and determine whether there is compression ratio anomaly in the data to be tested based on the obtained data entropy value evaluation result.
[0132] If the data entropy assessment result does not exceed the preset entropy threshold, it can be determined that the electronic device does not pose a data security risk; otherwise, it can be confirmed that the electronic device does pose a data security risk, i.e., it may have been subjected to security threats such as malicious encryption. This allows for the flexible application of multi-dimensional characteristics of stored data to design appropriate data anomaly detection processes, reasonably distinguishing between normal high-frequency operations and abnormal malicious encryption behavior. This is beneficial for various application scenarios of electronic devices, especially various data backup scenarios, to achieve more flexible data security detection.
[0133] As can be seen, the data anomaly detection method described in the above embodiments can indirectly assess the entropy value of stored data by detecting the data compression ratio of the data stored in the electronic device. This allows for the determination of whether the stored data has been maliciously encrypted, leading to an abnormal entropy value, and thus identifying any data security risks associated with the electronic device. This data anomaly detection method can flexibly and quickly achieve data security detection while avoiding the significant performance overhead required in traditional entropy value calculations. This is beneficial for improving the data security of electronic devices while ensuring overall performance stability. Furthermore, by introducing entropy and randomness indicators in conjunction with the compression ratio indicator for unified evaluation, a comprehensive analysis of the data entropy level corresponding to the data to be detected can be conducted, further improving the accuracy of the entropy value assessment of stored data. Moreover, by combining multi-dimensional features of the stored data for anomaly detection, the degree of anomaly in each dimension can be accurately assessed, effectively improving the accuracy of data anomaly detection and providing interpretable risk assessment results. This helps electronic devices respond quickly to implement corresponding security maintenance measures.
[0134] Please see Figure 7 , Figure 7 This is a modular schematic diagram of a data anomaly detection device disclosed in an embodiment of this application. This data anomaly detection device can be applied to the aforementioned electronic equipment. Figure 7 As shown, the data anomaly detection device may include a sampling unit 701, an evaluation unit 702, and a determination unit 703, wherein: The sampling unit 701 is used to obtain the data to be detected from the stored data of the electronic device by sampling. The evaluation unit 702 is used to perform a risk assessment on the data to be tested and obtain a risk assessment result corresponding to the data to be tested; wherein, the risk assessment includes at least the detection of compression ratio anomalies in the data to be tested. The determination unit 703 is used to determine the abnormal data status of the electronic device based on the above risk assessment results.
[0135] As can be seen, the data anomaly detection device described in the above embodiments can indirectly assess the entropy value of the stored data by detecting the data compression rate of the data stored in the electronic device. This allows for the determination of whether the stored data has been maliciously encrypted, leading to an abnormal entropy value, and ultimately, whether the electronic device poses a data security risk. This approach completely eliminates reliance on security threat signature databases, enabling flexible and rapid data security detection to adaptively address various emerging security threats. Furthermore, it avoids the significant performance overhead required to fully read the stored data during traditional entropy value calculations, thus improving the data security of the electronic device while ensuring its overall performance stability.
[0136] In some embodiments, the evaluation unit 702 described above can be specifically used for: The compression ratio index is calculated for the data to be tested, and the data entropy value evaluation result corresponding to the data to be tested is determined based on the calculation result. Based on the data entropy value assessment results, the risk assessment results corresponding to the data to be tested are determined.
[0137] In some embodiments, when the evaluation unit 702 calculates the compression ratio index for the data to be detected and determines the data entropy value evaluation result corresponding to the data to be detected based on the calculation result, it may specifically include: A unified evaluation function is used to determine a unified score result corresponding to the data to be detected; the unified evaluation function is an evaluation function defined based on the compression ratio index, entropy index and randomness index. Based on the unified scoring results, the target prediction results corresponding to the unified scoring results are determined through a pre-built unified evaluation model, which are used as the data entropy value evaluation results corresponding to the data to be detected.
[0138] Optionally, the unified evaluation model described above can be constructed based on a target prediction function. Specifically, when the unified score result is greater than or equal to a preset adaptive threshold, the target prediction function can be obtained by weighted fusion of multiple prediction functions; when the unified score result is less than the preset adaptive threshold, the target prediction function can be obtained by averaging multiple prediction functions.
[0139] Optionally, the loss function used in the above unified evaluation model may include at least a first loss term corresponding to the compression ratio index, a second loss term corresponding to the entropy index, a third loss term corresponding to the randomness index, and / or a prediction loss term.
[0140] As can be seen, the data anomaly detection device described in the above embodiments can also combine entropy and randomness indicators with compression rate indicators for unified evaluation, thereby comprehensively analyzing the data entropy level corresponding to the data to be detected. This is beneficial to further improve the accuracy of the evaluation of the entropy value of stored data, and thus improve the accuracy of data anomaly detection by electronic devices.
[0141] In some embodiments, the evaluation unit 702 described above can also be used specifically for: Compression ratio anomaly detection is performed on the data to be tested to obtain the data entropy value evaluation result corresponding to the data to be tested; Change pattern detection is performed on the data to be detected to obtain the target change rate corresponding to the data to be detected; Static feature detection is performed on the data to be detected to obtain the target static feature score corresponding to the data to be detected; Based on the above data entropy value assessment results, target change rate, and target static feature score, the risk assessment results corresponding to the data to be detected are determined.
[0142] In some embodiments, when the evaluation unit 702 is used to perform change pattern detection on the data to be detected and obtain the target change rate corresponding to the data to be detected, it may specifically include: The target change rate is calculated based on the first data volume corresponding to the data that changed in the data to be detected within the target window period, and the second data volume corresponding to the data to be detected. Based on the seasonal adjustment factor, the target change rate is adjusted for seasonal deviation, and the adjusted target change rate is used as the target change rate corresponding to the data to be detected.
[0143] In some embodiments, when the evaluation unit 702 performs static feature detection on the data to be detected and obtains the target static feature score corresponding to the data to be detected, it may specifically include: Based on the third data volume corresponding to the data in the data to be detected that has undergone permission changes, the permission change score is calculated. The feature change score is calculated based on the fourth data volume corresponding to the data in the data to be detected that has undergone feature changes. Calculate the target static feature score corresponding to the data to be detected based on the permission change score and feature change score.
[0144] As can be seen, the data anomaly detection device described in the above embodiments can accurately assess the degree of anomaly in each dimension by combining the multi-dimensional features of the stored data for anomaly detection, thereby effectively improving the accuracy of data anomaly detection and providing interpretable risk assessment results, which helps electronic devices to respond quickly to implement corresponding security maintenance measures.
[0145] In some embodiments, the determining unit 703 described above may be specifically used for: The risk assessment results are compared with preset risk thresholds, and the abnormal data status of the electronic device is determined based on the comparison results. Based on this, the data anomaly detection device may further include a first operation unit (not shown), which may be used for: If the above-mentioned abnormal data status indicates that the electronic device's stored data is normal, record the normal test result; or, When the above-mentioned abnormal data status indicates that there is an anomaly in the stored data of the electronic device, the electronic device is triggered to issue an alarm and perform a data recovery operation.
[0146] In some embodiments, the data anomaly detection device may further include a calculation unit (not shown) and a second operation unit, wherein: The calculation unit is used to compare the risk assessment result with the preset risk threshold in the determination unit 703 and determine the data abnormality status of the electronic device based on the comparison result, and then calculate the risk false alarm rate based on the data abnormality status of the electronic device. The second operation unit is used to adjust the preset risk threshold based on the aforementioned false alarm rate and preset target false alarm rate.
[0147] In some embodiments, the calculation unit may also be used to calculate the confidence level corresponding to the risk assessment result based on the risk assessment result after the evaluation unit 702 performs a risk assessment on the data to be tested and obtains the risk assessment result corresponding to the data to be tested.
[0148] In some embodiments, the data anomaly detection device may further include a third operation unit (not shown), which may be used specifically to: obtain the data to be detected by sampling from the stored data of the electronic device by the sampling unit 701. Based on the data to be tested, determine the current sampling rate and current testing scale for risk assessment of the data to be tested; Adjust the current sampling rate to obtain the target sampling rate; and, The current detection scale is adjusted to obtain the target detection scale; wherein, the above-mentioned target sampling rate and target detection scale can be used by the sampling unit 701 to obtain new data to be detected from the stored data of the electronic device by sampling.
[0149] In some embodiments, the data anomaly detection device may further include a fourth operation unit (not shown), which may be used specifically to: obtain the data to be detected by sampling from the stored data of the electronic device by the sampling unit 701 described above. For backup snapshot data stored on electronic devices, identify duplicate data to be deleted and perform the deletion operation on the duplicate data.
[0150] Based on this, the aforementioned sampling unit 701 can be specifically used for: In the event of an anomaly during the deletion operation, the data to be detected is obtained by sampling from the backup snapshot data.
[0151] As an optional implementation, the above-mentioned electronic device can use a three-level tree storage structure including root nodes, intermediate nodes, and leaf nodes for data storage. Leaf nodes are used to store the data content corresponding to small files or to store data pointers corresponding to large files. Among them, small files can include files whose data volume is less than or equal to the node storage threshold, while large files can include files whose data volume is greater than the node storage threshold.
[0152] As can be seen, the data anomaly detection device described in the above embodiments can also ensure the efficiency of small file access and improve the flexibility of large file management through differentiated storage strategies. This helps to reduce the performance overhead of electronic devices in the process of data storage, modification, and retrieval, and thus helps to improve the efficiency of electronic devices in data anomaly detection.
[0153] Please see Figure 8 , Figure 8 This is a modular schematic diagram of an electronic device disclosed in an embodiment of this application. For example... Figure 8 As shown, the electronic device may include: Memory 801 storing executable program code; Processor 802 coupled to memory 801; The processor 802 can call the executable program code stored in the memory 801 to execute all or part of the steps in any of the data anomaly detection methods described in the above embodiments.
[0154] Furthermore, embodiments of this application disclose a computer-readable storage medium storing a computer program for electronic data interchange, wherein the computer program enables a computer to execute all or part of the steps in any of the data anomaly detection methods described in the above embodiments.
[0155] Furthermore, this application further discloses a computer program product that, when run on a computer, enables the computer to execute all or part of the steps in any of the data anomaly detection methods described in the above embodiments.
[0156] Those skilled in the art will understand that all or part of the steps in the various methods of the above embodiments can be implemented by a program instructing related hardware. The program can be stored in a computer-readable storage medium, including read-only memory (ROM), random access memory (RAM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), one-time programmable read-only memory (OTPROM), electrically-Erasable Programmable Read-Only Memory (EEPROM), compactdisc read-only memory (CD-ROM) or other optical disc storage, disk storage, magnetic tape storage, or any other computer-readable medium capable of carrying or storing data.
[0157] The above provides a detailed description of a data anomaly detection method, apparatus, and electronic device disclosed in the embodiments of this application. Specific examples have been used to illustrate the principles and implementation methods of this application. The descriptions of the above embodiments are only for the purpose of helping to understand the method and core ideas of this application. At the same time, for those skilled in the art, there will be changes in the specific implementation methods and application scope based on the ideas of this application. Therefore, the content of this specification should not be construed as a limitation of this application.
Claims
1. A method for detecting data anomalies, characterized in that, Applied to electronic devices, the method includes: Data to be detected is obtained by sampling from the stored data of the electronic device; A risk assessment is performed on the data to be tested to obtain a risk assessment result corresponding to the data to be tested; wherein, the risk assessment includes at least the detection of compression ratio anomalies in the data to be tested; Based on the risk assessment results, the abnormal data status of the electronic device is determined.
2. The method according to claim 1, characterized in that, The step of performing a risk assessment on the data to be tested to obtain the risk assessment result corresponding to the data to be tested includes: The compression ratio index is calculated for the data to be tested, and based on the calculation result, the data entropy value evaluation result corresponding to the data to be tested is determined; Based on the data entropy value assessment result, the risk assessment result corresponding to the data to be detected is determined.
3. The method according to claim 2, characterized in that, The step of calculating the compression ratio of the data to be detected and determining the data entropy value evaluation result corresponding to the data to be detected based on the calculation result includes: A unified scoring result corresponding to the data to be detected is determined by a unified evaluation function; wherein, the unified evaluation function is an evaluation function defined based on the compression ratio index, entropy index and randomness index. Based on the unified scoring results, a target prediction result corresponding to the unified scoring results is determined through a pre-constructed unified evaluation model, which serves as the data entropy value evaluation result corresponding to the data to be detected.
4. The method according to claim 3, characterized in that, The unified evaluation model is constructed based on a target prediction function, wherein, when the unified score result is greater than or equal to a preset adaptive threshold, the target prediction function is obtained by weighted fusion of multiple prediction functions; If the unified score result is less than the preset adaptive threshold, the target prediction function is obtained by averaging multiple prediction functions.
5. The method according to claim 3, characterized in that, The loss function used in the unified evaluation model includes at least a first loss term corresponding to the compression ratio index, a second loss term corresponding to the entropy index, a third loss term corresponding to the randomness index, and / or a prediction loss term.
6. The method according to any one of claims 1 to 5, characterized in that, The step of performing a risk assessment on the data to be tested to obtain the risk assessment result corresponding to the data to be tested includes: Anomaly detection of compression ratio is performed on the data to be detected to obtain the data entropy value evaluation result corresponding to the data to be detected. Change pattern detection is performed on the data to be detected to obtain the target change rate corresponding to the data to be detected; Static feature detection is performed on the data to be detected to obtain the target static feature score corresponding to the data to be detected; Based on the data entropy value evaluation result, the target change rate, and the target static feature score, the risk assessment result corresponding to the data to be detected is determined.
7. The method according to claim 6, characterized in that, The step of performing change pattern detection on the data to be detected to obtain the target change rate corresponding to the data to be detected includes: The target change rate is calculated based on the first data volume corresponding to the data that changed in the data to be detected within the target window period, and the second data volume corresponding to the data to be detected. Based on the seasonal adjustment factor, the target change rate is adjusted for seasonal deviation, and the adjusted target change rate is used as the target change rate corresponding to the data to be detected.
8. The method according to claim 6, characterized in that, The step of performing static feature detection on the data to be detected to obtain a target static feature score corresponding to the data to be detected includes: Based on the third data volume corresponding to the data in the data to be detected that has undergone permission changes, the permission change score is calculated. Based on the fourth data quantity corresponding to the data in the data to be detected that has undergone feature changes, the feature change score is calculated. Based on the permission change score and the feature change score, calculate the target static feature score corresponding to the data to be detected.
9. The method according to any one of claims 1 to 5, characterized in that, The step of determining the abnormal data status of the electronic device based on the risk assessment results includes: The risk assessment results are compared with a preset risk threshold, and the abnormal data status of the electronic device is determined based on the comparison results. The method further includes: If the abnormal data status indicates that the stored data of the electronic device is normal, record the normal detection result; or, When the abnormal data state indicates that there is an anomaly in the stored data of the electronic device, the electronic device is triggered to issue an alarm and perform a data recovery operation.
10. The method according to claim 9, characterized in that, After comparing the risk assessment result with a preset risk threshold and determining the abnormal data state of the electronic device based on the comparison result, the method further includes: Based on the abnormal data status of the electronic device, the false alarm rate is calculated. The preset risk threshold is adjusted based on the risk false alarm rate and the preset target false alarm rate.
11. The method according to any one of claims 1 to 5, characterized in that, After performing a risk assessment on the data to be detected and obtaining the risk assessment result corresponding to the data to be detected, the method further includes: Based on the risk assessment results, calculate the confidence level corresponding to the risk assessment results.
12. The method according to any one of claims 1 to 5, characterized in that, After obtaining the data to be detected by sampling from the stored data of the electronic device, the method further includes: Based on the data to be detected, determine the current sampling rate and the current detection scale for risk assessment of the data to be detected; The current sampling rate is adjusted to obtain the target sampling rate; and, The current detection scale is adjusted to obtain a target detection scale; wherein, the target sampling rate and the target detection scale are used to obtain new data to be detected from the stored data of the electronic device in the next sampling.
13. The method according to any one of claims 1 to 5, characterized in that, Before obtaining the data to be detected by sampling from the stored data of the electronic device, the method further includes: For the backup snapshot data stored in the electronic device, identify the duplicate data to be deleted, and perform the deletion operation on the duplicate data; The step of obtaining the data to be detected from the stored data of the electronic device by sampling includes: In the event of an anomaly in the deletion operation, the data to be detected is obtained from the backup snapshot data through sampling.
14. The method according to any one of claims 1 to 5, characterized in that, The electronic device uses a three-level tree-like storage structure including root node, intermediate node and leaf node for data storage. The leaf node is used to store the data content corresponding to small files or to store the data pointer corresponding to large files. The small files include files whose data volume is less than or equal to the node storage threshold, and the large files include files whose data volume is greater than the node storage threshold.
15. A data anomaly detection device, characterized in that, Applied to electronic devices, the device includes: A sampling unit is used to obtain the data to be detected from the stored data of the electronic device by sampling. An evaluation unit is used to perform a risk assessment on the data to be tested and obtain a risk assessment result corresponding to the data to be tested; wherein, the risk assessment includes at least the detection of compression ratio anomalies in the data to be tested; The determining unit is used to determine the abnormal data status of the electronic device based on the risk assessment results.
16. An electronic device, characterized in that, The system includes a memory and a processor, wherein the memory stores a computer program that, when executed by the processor, causes the processor to perform the method as described in any one of claims 1 to 14.
17. A computer-readable storage medium having a computer program stored thereon, characterized in that, When the computer program is executed by a processor, it implements the method as described in any one of claims 1 to 14.