CN111092889B - Distributed data node abnormal behavior detection method, device and server - Google Patents
- Publication number: CN111092889B (application number CN201911307932.XA)
- Authority: CN (China)
- Prior art keywords: data node; instruction; action; action instruction; behavior
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/1416: Event detection, e.g. attack signature detection (H04L63/00 network architectures or protocols for network security; H04L63/14 detecting or protecting against malicious traffic; H04L63/1408 by monitoring network traffic)
- H04L63/1441: Countermeasures against malicious traffic (H04L63/00; H04L63/14)
- H04L67/10: Protocols in which an application is distributed across nodes in the network (H04L67/00 network arrangements or protocols for supporting network services or applications; H04L67/01 protocols)
- H04L67/12: Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks (H04L67/00; H04L67/01)
Landscapes: Engineering & Computer Science; Computer Security & Cryptography; Computer Networks & Wireless Communication; Signal Processing; Computing Systems; Computer Hardware Design; General Engineering & Computer Science; Health & Medical Sciences; General Health & Medical Sciences; Medical Informatics; Data Exchanges in Wide-Area Networks
Abstract
Description
Technical field
The present invention relates to the technical field of data node analysis, and in particular to a method, a device and a server for detecting abnormal behavior of distributed data nodes.
Background
With the development of technology, distributed data processing has been applied in finance, the Internet of Things, insurance and public welfare, where it enables fast and secure exchange of data and verification of its validity. Precisely because most of the fields in which distributed data processing is used are important to national production, it is essential to ensure that the distributed data nodes in a distributed data network are not intruded or attacked by hackers. A distributed network, however, contains a large number of data nodes, and each node usually performs a large amount of data processing work. If every node were additionally equipped with a firewall or a hacker monitoring/interception mechanism in order to detect its abnormal behavior, the working performance of the nodes (for example data processing speed and data processing accuracy) would be greatly degraded. How to detect abnormal behavior, and thereby identify intruded distributed data nodes, without sacrificing the working performance of the nodes is therefore a technical problem that urgently needs to be solved.
Summary of the invention
In order to overcome at least the above deficiencies of the prior art, one object of the present invention is to provide a method, a device and a server for detecting abnormal behavior of distributed data nodes.
An embodiment of the present invention provides a method for detecting abnormal behavior of distributed data nodes. The method is applied to a server that communicates with a distributed data network. Data nodes in the distributed data network that have the same node identifier share one action parsing logic; a binding relationship between each data node and the server is set, together with the corresponding action parsing logic and behavior recognition logic, and each data node activates its action parsing logic and behavior recognition logic through the server when it starts a data processing process. The method comprises at least:
when a first data node in the distributed data network interacts with a second data node, judging whether the node identifier of the first data node is the same as that of the second data node;
when the node identifier of the first data node is the same as the node identifier of the second data node, determining, from the interaction record between the first data node and the second data node, a first action instruction stream of the first data node and a second action instruction stream of the second data node;
parsing the first action instruction stream and the second action instruction stream respectively according to the action parsing logic corresponding to the first data node or the second data node, to obtain a first instruction feature and a second instruction feature;
when the first instruction feature and the second instruction feature do not match, recognizing the first instruction feature based on a first behavior recognition logic corresponding to the first data node to obtain a first recognition result, and recognizing the second instruction feature based on a second behavior recognition logic corresponding to the second data node to obtain a second recognition result;
determining, according to the first recognition result and the second recognition result, which of the first data node and the second data node exhibits abnormal behavior.
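The five steps above describe a server-side pipeline: collect the interaction record, split it into each node's instruction stream, reduce both streams to a feature with the parsing logic shared by nodes of the same identifier, and only when the features disagree run each node's own behavior recognition to attribute the anomaly. The following is an added example of that pipeline, not code from the patent. The line format of the interaction record, the node registry, the per-node "allowed operations" profile standing in for the behavior recognition logic, and the request/response pairing rule standing in for the action parsing logic are all assumptions made for illustration; the two records are constructed.

```python
"""Server-side check of one interaction between two distributed data nodes.

Added example, not the patent's code. Record format, node registry and the
simple rules standing in for the patent's "action parsing logic" and
"behavior recognition logic" are assumptions for illustration.
"""
import re
from dataclasses import dataclass

# Assumed line format of an interaction record as collected by the server:
# "<seq> <sender>-><receiver> <REQ|RESP> <op> id=<call id>"
LINE_RE = re.compile(
    r"^(?P<seq>\d+) (?P<src>\w+)->(?P<dst>\w+) (?P<kind>REQ|RESP) (?P<op>\w+) id=(?P<id>\d+)$"
)

# Assumed registry: node identifier (nodes sharing it share parsing logic) and a
# per-node behavior profile (the operations this node is expected to handle).
NODES = {
    "n1": {"node_id": "shard-3", "allowed_ops": {"read", "write"}},
    "n2": {"node_id": "shard-3", "allowed_ops": {"read", "write"}},
    "n9": {"node_id": "gateway", "allowed_ops": {"read"}},
}

# Constructed record: n2 answers call 3 with the wrong op and emits an
# unsolicited "delete" response that no request asked for.
SUSPICIOUS_RECORD = """\
1 n1->n2 REQ read id=1
2 n2->n1 RESP read id=1
3 n1->n2 REQ write id=2
4 n2->n1 RESP write id=2
5 n1->n2 REQ read id=3
6 n2->n1 RESP write id=3
7 n2->n1 RESP delete id=9
"""

# Constructed record with nothing wrong: features of both sides match.
CLEAN_RECORD = """\
1 n1->n2 REQ read id=1
2 n2->n1 RESP read id=1
3 n1->n2 REQ write id=2
4 n2->n1 RESP write id=2
"""


@dataclass(frozen=True)
class Instr:
    seq: int
    src: str
    dst: str
    kind: str
    op: str
    call_id: int


@dataclass
class Result:
    node: str
    abnormal: bool
    reasons: list
    confidence: float  # fraction of this node's instructions that broke a rule


def parse_record(text):
    """Split the raw record into single-action instructions."""
    instrs = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable record line: {line!r}")
        instrs.append(Instr(int(m["seq"]), m["src"], m["dst"], m["kind"], m["op"], int(m["id"])))
    return instrs


def instruction_feature(stream):
    """Shared action parsing logic: reduce a stream to ordered (call id, op) pairs."""
    return tuple((i.call_id, i.op) for i in stream)


def _result(node, feature, reasons):
    return Result(node, bool(reasons), reasons, len(reasons) / max(len(feature), 1))


def recognize_requester(node, feature):
    """Behavior recognition for the requesting side: ops must be in its profile."""
    allowed = NODES[node]["allowed_ops"]
    return _result(node, feature, [f"request op {op!r} outside profile" for _, op in feature if op not in allowed])


def recognize_responder(node, feature, request_feature):
    """Behavior recognition for the responding side: each response must answer a
    real request with the same op, using an op from the node's profile."""
    allowed = NODES[node]["allowed_ops"]
    asked = dict(request_feature)
    reasons = []
    for call_id, op in feature:
        if op not in allowed:
            reasons.append(f"response op {op!r} outside profile")
        if call_id not in asked:
            reasons.append(f"response id={call_id} answers no request")
        elif asked[call_id] != op:
            reasons.append(f"response id={call_id} op {op!r} != requested {asked[call_id]!r}")
    return _result(node, feature, reasons)


def detect(record_text, first, second):
    """Return {node: Result}, or None when the node identifiers differ
    (the method only compares nodes that share one parsing logic)."""
    if NODES[first]["node_id"] != NODES[second]["node_id"]:
        return None
    record = parse_record(record_text)
    requests = [i for i in record if i.src == first and i.dst == second and i.kind == "REQ"]
    responses = [i for i in record if i.src == second and i.dst == first and i.kind == "RESP"]
    f1, f2 = instruction_feature(requests), instruction_feature(responses)
    if f1 == f2:  # features match: no per-node recognition needed
        return {first: _result(first, f1, []), second: _result(second, f2, [])}
    return {first: recognize_requester(first, f1), second: recognize_responder(second, f2, f1)}


if __name__ == "__main__":
    for node, res in detect(SUSPICIOUS_RECORD, "n1", "n2").items():
        print(node, "ABNORMAL" if res.abnormal else "normal", res.reasons)
```

The attribution comes from the asymmetry of the two recognition rules: a wrong or unsolicited response is a fault of the responder, so in the suspicious record n1 stays clean while n2 is flagged on three of its four instructions. In a real deployment the record would come from the nodes' own logs rather than from a string, and the profile would be learned per node identifier rather than hard-coded.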
In an optional embodiment, determining the first action instruction stream of the first data node and the second action instruction stream of the second data node from the interaction record between the first data node and the second data node comprises:
obtaining the metadata trust degree of the interaction record and each action instruction pair in it;
when it is determined from the metadata trust degree that the interaction record contains invalid interaction behavior, determining, from the action instruction pairs recorded under the invalid interaction behavior and their digital signatures, the difference in response success rate between each action instruction pair recorded under valid interaction behavior and each action instruction pair recorded under invalid interaction behavior, and moving any action instruction pair under valid interaction behavior whose response success rate equals that of an action instruction pair under invalid interaction behavior into the corresponding invalid interaction behavior classification;
when the currently valid interaction behavior of the interaction record contains multiple action instruction pairs, determining, from the action instruction pairs recorded under invalid interaction behavior and their digital signatures, the differences in response success rate between the action instruction pairs under the currently valid interaction behavior, and screening the action instruction pairs under the currently valid interaction behavior according to those differences;
setting, from the action instruction pairs recorded under invalid interaction behavior and their digital signatures, an invalid interaction behavior signature for each action instruction pair obtained by the screening, and moving each such action instruction pair into the invalid interaction behavior classification corresponding to that signature;
determining the first action instruction stream and the second action instruction stream according to the first action instruction pairs under the valid interaction behavior classification, the second action instruction pairs under the invalid interaction behavior classification, the first link layer protocol of the first data node and the second link layer protocol of the second data node.
In an optional embodiment, determining the first action instruction stream and the second action instruction stream according to the first action instruction pairs under the valid interaction behavior classification, the second action instruction pairs under the invalid interaction behavior classification, the first link layer protocol of the first data node and the second link layer protocol of the second data node comprises:
determining, according to the first action instruction pairs, the second action instruction pairs, the first link layer protocol and the second link layer protocol, a first action instruction set corresponding to the first data node and a second action instruction set corresponding to the second data node; wherein the first action instruction set comprises the series of request instructions sent by the first data node to the second data node within the valid invocation time range of the interaction record, and the second action instruction set comprises the series of response instructions fed back by the second data node to the first data node, within the valid invocation time range of the interaction record, in reply to the request instructions received from the first data node;
determining a first structured sequence of the first data node and a second structured sequence of the second data node based on the first action instruction set, the second action instruction set, the first link layer protocol and the second link layer protocol;
determining, based on the first structured sequence and the second structured sequence, a first instruction sequence of the first data node from the first action instruction set and a second instruction sequence of the second data node from the second action instruction set;
once the first instruction sequence and the second instruction sequence have been determined, pairing the two instruction sequences to obtain a pairing result; judging from the pairing result whether the first instruction sequence and the second instruction sequence form a sequence pair of multi-branch threads; if so, converting the first instruction sequence and the second instruction sequence, branch thread by branch thread, into multiple first instruction forms and second instruction forms carrying those branch threads; looking up, for the first instruction forms and the second instruction forms respectively, the preset instruction script files that have the same or similar branch threads; and combining the pairing result with the script streams corresponding to those preset instruction script files into an action instruction stream set;
determining the first action instruction stream and the second action instruction stream according to the preset instruction script files in the action instruction stream set and their corresponding script streams, the first interface information corresponding to the action parsing logic of the first data node, and the second interface information corresponding to the action parsing logic of the second data node.
In an optional embodiment, parsing the first action instruction stream and the second action instruction stream respectively according to the action parsing logic corresponding to the first data node or the second data node, to obtain the first instruction feature and the second instruction feature, comprises:
splitting the first action instruction stream and the second action instruction stream respectively according to the instruction splitting rule in the action parsing logic, to obtain a first split set of the first action instruction stream and a second split set of the second action instruction stream; wherein the first split set comprises multiple first single-action instructions of the first action instruction stream, and the second split set comprises multiple second single-action instructions of the second action instruction stream;
arbitrarily selecting one action instruction package from a preset set of action instruction packages as the target action instruction package; comparing each first single-action instruction in the first split set of the first action instruction stream and each second single-action instruction in the second split set of the second action instruction stream with each reference action instruction in the target action instruction package, to obtain a first comparison result between the first action instruction stream and the target action instruction package and a second comparison result between the second action instruction stream and the target action instruction package; wherein the set of action instruction packages comprises, for each verified action instruction in an instruction database, a comparison action instruction package that takes that instruction as its reference action instruction; the first action instruction node of a comparison action instruction package holds the relative timing information of the reference action instruction, and each subsequent action instruction node holds the timing correlation degree between the reference action instruction and another action instruction in the instruction database together with the relative timing information of that other action instruction, the action instructions in each comparison action instruction package being arranged in ascending order of timing correlation degree;
taking the target action instruction package as the reference position and comparing along the set sequence direction until a current action instruction package appears in the set of action instruction packages for which the first similarity value between the third comparison result (the first action instruction stream against the current action instruction package) and the first comparison result (the first action instruction stream against the target action instruction package) exceeds a set threshold, and the second similarity value between the fourth comparison result (the second action instruction stream against the current action instruction package) and the second comparison result (the second action instruction stream against the target action instruction package) also exceeds the set threshold;
determining a third instruction feature corresponding to the current action instruction package, the third instruction feature determining the parsing thread of the action parsing logic; and extracting features from the first split set and the second split set according to that parsing thread to obtain the first instruction feature and the second instruction feature.
In an optional embodiment, recognizing the first instruction feature based on the first behavior recognition logic corresponding to the first data node to obtain the first recognition result, and recognizing the second instruction feature based on the second behavior recognition logic corresponding to the second data node to obtain the second recognition result, comprises:
determining, according to the first action category corresponding to the first instruction feature of the first data node and the second action category corresponding to the second instruction feature of the second data node, a first role mapping vector of the first data node relative to the second data node and a second role mapping vector of the second data node relative to the first data node;
adjusting the first logic recognition units and the first logic directed edges in the first behavior recognition logic based on the first role mapping vector and on the first cumulative value, characterized by the first instruction feature, of the request instructions sent by the first data node to the second data node, to obtain a first target behavior recognition logic; and adjusting the second logic recognition units and the second logic directed edges in the second behavior recognition logic based on the second role mapping vector and on the second cumulative value, characterized by the second instruction feature, of the response instructions sent by the second data node to the first data node, to obtain a second target behavior recognition logic;
determining, according to the first target behavior recognition logic and the second target behavior recognition logic, the duration over which the first instruction feature and the second instruction feature are recognized; wherein the duration characterizes that the first start time at which the first target behavior recognition logic begins recognizing the first instruction feature is the same as the second start time at which the second target behavior recognition logic begins recognizing the second instruction feature, and that the first end time at which the first target behavior recognition logic finishes recognizing the first instruction feature is the same as the second end time at which the second target behavior recognition logic finishes recognizing the second instruction feature;
within the duration, determining a first feature correlation degree of the first instruction feature using the first target behavior recognition logic; and obtaining the first recognition result according to the first feature correlation degree and the first verification result between the second data node and the first data node contained in the pre-stored verification form between the second data node and the other data nodes in the distributed data network, the first verification result being the verification result obtained with the second data node as verifier and the first data node as the party to be verified;
within the duration, determining a second feature correlation degree of the second instruction feature using the second target behavior recognition logic; and obtaining the second recognition result according to the second feature correlation degree and the second verification result between the first data node and the second data node contained in the pre-stored verification form between the first data node and the other data nodes in the distributed data network, the second verification result being the verification result obtained with the first data node as verifier and the second data node as the party to be verified.
In an optional embodiment, determining, according to the first recognition result and the second recognition result, which of the first data node and the second data node exhibits abnormal behavior comprises:
extracting a first confidence parameter from the first recognition result and a second confidence parameter from the second recognition result;
obtaining, from the first recognition result, a first check code mapping the first data node to the second data node;
obtaining, from the first check code and the second recognition result, a second check code mapping the second data node to the first data node;
determining a third check code from the pre-stored first dynamic random number corresponding to the first device identifier of the first data node and the first recognition result;
determining a fourth check code from the pre-stored second dynamic random number corresponding to the second device identifier of the second data node and the second recognition result;
judging whether the first check code and the third check code are consistent, and determining that the first data node exhibits abnormal behavior when they are not;
judging whether the second check code and the fourth check code are consistent, and determining that the second data node exhibits abnormal behavior when they are not.
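The check-code steps above amount to a keyed consistency test: the server recomputes, from a per-device secret it holds (the "dynamic random number" bound to the device identifier) and the reported recognition result, the value the node itself should have produced, and the second node's code is derived from the first node's code as well, so the pair is bound together. The following is an added example of that test, not code from the patent. It assumes the dynamic random number is a 16-byte nonce the server issues to a device when the node activates its logic, that a check code is HMAC-SHA256 over a canonical serialization of the recognition result keyed with that nonce, and that the second node's check code is chained to the first node's. The recognition results and the three scenarios are constructed.

```python
"""Check-code consistency step of the detection method (added example, not the
patent's code). Assumes: the 'dynamic random number' is a 16-byte nonce the
server issues per device identifier at activation; a 'check code' is
HMAC-SHA256 over the canonical recognition result keyed with that nonce; the
second node's check code is chained to the first node's check code.
"""
import hashlib
import hmac
import json
import secrets


class NonceStore:
    """Server-side map: device identifier -> current dynamic random number."""

    def __init__(self):
        self._nonces = {}

    def issue(self, device_id):
        """Issue a fresh nonce at activation; the node keeps its copy."""
        nonce = secrets.token_bytes(16)
        self._nonces[device_id] = nonce
        return nonce

    def lookup(self, device_id):
        return self._nonces[device_id]


def canonical(result):
    """Stable byte serialization of a recognition result without its check code."""
    body = {k: v for k, v in result.items() if k != "check_code"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def check_code(nonce, result, chained_to=""):
    """HMAC-SHA256(nonce, previous check code || canonical result), as hex."""
    return hmac.new(nonce, chained_to.encode() + canonical(result), hashlib.sha256).hexdigest()


def node_attach_check_code(result, nonce, chained_to=""):
    """Node side (assumed): attach the check code before reporting to the server."""
    signed = dict(result)
    signed["check_code"] = check_code(nonce, result, chained_to)
    return signed


def verify_pair(store, first_result, second_result):
    """Server side: first vs third check code (first node), second vs fourth
    (second node). Returns {device_id: {"abnormal": bool, "confidence": float}}."""
    first = first_result["check_code"]
    third = check_code(store.lookup(first_result["device_id"]), first_result)
    second = second_result["check_code"]
    fourth = check_code(store.lookup(second_result["device_id"]), second_result, chained_to=first)
    return {
        first_result["device_id"]: {
            "abnormal": not hmac.compare_digest(first, third),
            "confidence": first_result["confidence"],
        },
        second_result["device_id"]: {
            "abnormal": not hmac.compare_digest(second, fourth),
            "confidence": second_result["confidence"],
        },
    }


def run_scenarios():
    """Three constructed cases: honest pair, responder using a nonce the server
    never issued, and a requester report altered after its code was attached."""
    store = NonceStore()
    nonce_a, nonce_b = store.issue("dev-A"), store.issue("dev-B")
    base_a = {"device_id": "dev-A", "feature": "req:read,write,read", "confidence": 0.92}
    base_b = {"device_id": "dev-B", "feature": "resp:read,write,write,delete", "confidence": 0.35}
    r_a = node_attach_check_code(base_a, nonce_a)
    r_b = node_attach_check_code(base_b, nonce_b, chained_to=r_a["check_code"])
    honest = verify_pair(store, r_a, r_b)
    # dev-B's process was replaced/cloned and reports under a nonce of its own
    rogue_b = node_attach_check_code(base_b, secrets.token_bytes(16), chained_to=r_a["check_code"])
    rogue = verify_pair(store, r_a, rogue_b)
    # dev-A's report is modified in transit; its check code no longer covers it
    tampered_a = dict(r_a, confidence=0.99)
    tampered = verify_pair(store, tampered_a, r_b)
    return {"honest": honest, "rogue_responder": rogue, "tampered_requester": tampered}


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(name, {dev: v["abnormal"] for dev, v in verdict.items()})
```

Because the fourth check code is keyed over the first check code as reported, a forged first check code invalidates the second node's code as well; the server should therefore evaluate the first node first and treat a second-node mismatch that co-occurs with a first-node mismatch as inconclusive rather than as two intrusions. `hmac.compare_digest` is used so the comparison does not leak timing information about the expected code.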
In an optional embodiment, the method further comprises:
isolating the first data node or the second data node that exhibits abnormal behavior.
An embodiment of the present invention also provides a device for detecting abnormal behavior of distributed data nodes. The device is applied to a server that communicates with a distributed data network; data nodes in the distributed data network that have the same node identifier share one action parsing logic, a binding relationship between each data node and the server is set together with the corresponding action parsing logic and behavior recognition logic, and each data node activates its action parsing logic and behavior recognition logic through the server when it starts a data processing process. The device comprises at least:
a judging module, configured to judge, when a first data node in the distributed data network interacts with a second data node, whether the node identifier of the first data node is the same as that of the second data node;
a determining module, configured to determine, when the node identifier of the first data node is the same as the node identifier of the second data node, a first action instruction stream of the first data node and a second action instruction stream of the second data node from the interaction record between the first data node and the second data node;
a parsing module, configured to parse the first action instruction stream and the second action instruction stream respectively according to the action parsing logic corresponding to the first data node or the second data node, to obtain a first instruction feature and a second instruction feature;
a recognition module, configured to recognize, when the first instruction feature and the second instruction feature do not match, the first instruction feature based on the first behavior recognition logic corresponding to the first data node to obtain a first recognition result, and the second instruction feature based on the second behavior recognition logic corresponding to the second data node to obtain a second recognition result;
a detection module, configured to determine, according to the first recognition result and the second recognition result, which of the first data node and the second data node exhibits abnormal behavior.
An embodiment of the present invention provides a server comprising a processor, and a memory and a bus connected to the processor; the processor and the memory communicate with each other through the bus, and the processor is configured to invoke program instructions in the memory to execute the above method for detecting abnormal behavior of distributed data nodes.
An embodiment of the present invention provides a readable storage medium on which a program is stored; when the program is executed by a processor, the above method for detecting abnormal behavior of distributed data nodes is implemented.
In the method, device and server for detecting abnormal behavior of distributed data nodes provided by the embodiments of the present invention, data nodes with the same node identifier share the same action parsing logic, and the server deploys behavior recognition logic per data node. Because both the action parsing logic and the behavior recognition logic run on the server side, they do not affect the working performance of the first and second data nodes while those nodes interact. The interaction record obtained by the server is generated by the first and second data nodes in the normal course of their data interaction, so collecting it does not affect their working performance either. In detail, if the first and second data nodes have the same node identifier and the first and second instruction features obtained by parsing the first and second action instruction streams with the same action parsing logic do not match, the first and second instruction features can be recognized with different behavior recognition logics to obtain the first and second recognition results, and the data node exhibiting abnormal behavior can then be determined from those two results. In this way, no firewall or hacker monitoring/interception mechanism needs to be deployed on the data node side, and abnormal behavior can be detected, and the intruded distributed data node identified, without compromising the working performance of the distributed data nodes.
Description of the drawings
In order to explain the technical solutions of the embodiments of the present invention more clearly, the drawings required by the embodiments are briefly introduced below. It should be understood that the following drawings show only some embodiments of the present invention and should therefore not be regarded as limiting its scope; those of ordinary skill in the art can obtain other related drawings from these drawings without creative effort.
FIG. 1 is a flowchart of a method for detecting abnormal behavior of distributed data nodes according to an embodiment of the present invention.
FIG. 2 is a functional block diagram of an apparatus for detecting abnormal behavior of distributed data nodes according to an embodiment of the present invention.
FIG. 3 is a schematic block diagram of a server according to an embodiment of the present invention.
Reference numerals:
200 - apparatus for detecting abnormal behavior of distributed data nodes; 201 - judging module; 202 - determining module; 203 - parsing module; 204 - recognizing module; 205 - detecting module;
300 - server; 301 - processor; 302 - memory; 303 - bus.
Detailed description
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the present disclosure can be understood more thoroughly and its scope can be fully conveyed to those skilled in the art.
Embodiments of the present invention provide a method, apparatus, and server for detecting abnormal behavior of distributed data nodes, in order to address the technical problem that the prior art has difficulty detecting abnormal behavior, and thereby identifying a compromised distributed data node, while preserving the working performance of the distributed data nodes.
For a better understanding of the above technical solutions, the technical solutions of the present invention are described in detail below with reference to the accompanying drawings and specific embodiments. It should be understood that the embodiments of the present invention and the specific features in the embodiments are a detailed description of the technical solutions of the present invention and not a limitation of them; where no conflict arises, the embodiments of the present invention and the technical features in the embodiments may be combined with each other.
FIG. 1 is a flowchart of a method for detecting abnormal behavior of distributed data nodes according to an embodiment of the present invention. The method is applied to a server that communicates with a distributed data network. In the distributed data network, data nodes with the same node identifier share one action parsing logic; a binding relationship between each data node and the server is set, together with the corresponding action parsing logic and behavior recognition logic; and each data node, when it starts a data processing process, activates its corresponding action parsing logic and behavior recognition logic through the server.
It can be understood that in this embodiment the distributed data network may be applied in fields such as the Internet of Things, the Internet of Vehicles, smart healthcare, and digitized government affairs, which is not limited in this embodiment.
With continued reference to FIG. 1, the method may include the following steps:
Step S21: when a first data node in the distributed data network performs data interaction with a second data node, determine whether the node identifier of the first data node is the same as that of the second data node.
Step S22: when the node identifier of the first data node is the same as the node identifier of the second data node, determine a first action instruction stream of the first data node and a second action instruction stream of the second data node from the interaction record between the first data node and the second data node.
Step S23: parse the first action instruction stream and the second action instruction stream respectively according to the action parsing logic corresponding to the first data node or the second data node, to obtain a first instruction feature and a second instruction feature.
Step S24: when the first instruction feature and the second instruction feature do not match, recognize the first instruction feature based on the first behavior recognition logic corresponding to the first data node to obtain a first recognition result, and recognize the second instruction feature based on the second behavior recognition logic corresponding to the second data node to obtain a second recognition result.
Step S25: determine, according to the first recognition result and the second recognition result, which of the first data node and the second data node exhibits abnormal behavior.
It can be understood that in steps S21 to S25, data nodes with the same node identifier have the same action parsing logic, and the server deploys behavior recognition logic separately for each data node. Therefore, when the first data node and the second data node interact, the action parsing logic and behavior recognition logic deployed on the server side do not affect the working performance of the first data node or the second data node. The interaction record obtained by the server is generated in the normal course of data interaction between the first data node and the second data node, so obtaining it does not affect their working performance either.
In detail, if the node identifiers of the first data node and the second data node are the same, and the first instruction feature and the second instruction feature obtained by parsing the first action instruction stream and the second action instruction stream with the same action parsing logic do not match, the first instruction feature and the second instruction feature can be recognized with different behavior recognition logic to obtain a first recognition result and a second recognition result, and the data node exhibiting abnormal behavior is then determined from the first recognition result and the second recognition result.
In this way, no firewall or hacker monitoring/interception mechanism needs to be deployed on the data node side, and abnormal behavior can be detected, and thus the compromised distributed data node identified, while the working performance of the distributed data nodes is preserved.
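As an added illustration of steps S21 to S25 (example code written for this page, not the patent's own implementation), the following toy server-side detector processes a constructed interaction record between two nodes sharing a node identifier. The record format, the opcode-count instruction feature, the request/response matching rule and the per-node allow-lists are all assumptions chosen for illustration.

```python
"""Toy server-side detector following steps S21-S25 of the method described
above.  Added example, not the patent's own code: the record format, the
opcode-count "instruction feature", the request/response matching rule and
the per-node allow-lists are assumptions chosen for illustration."""
from collections import Counter
from dataclasses import dataclass

# Assumed request -> expected response pairing used by the shared parsing logic.
EXPECTED_RESPONSE = {"READ": "DATA", "WRITE": "ACK", "PING": "PONG"}


@dataclass(frozen=True)
class DataNode:
    name: str
    node_id: str        # nodes with the same node_id share one action parsing logic
    allowed: frozenset  # per-node behavior recognition logic (assumed: opcode allow-list)


# Constructed interaction record as the server would receive it: (sender, instruction).
# n1 issues requests and n2 answers; the FLASH line is the constructed anomaly.
RECORD = [
    ("n1", "READ /sensor/1"),
    ("n2", "DATA 21.5"),
    ("n1", "WRITE /config/rate 10"),
    ("n2", "ACK"),
    ("n1", "FLASH /firmware/new.bin"),
    ("n2", "ACK"),
]

NODE_1 = DataNode("n1", "sensor-gw", frozenset({"READ", "WRITE", "PING"}))
NODE_2 = DataNode("n2", "sensor-gw", frozenset({"DATA", "ACK", "PONG"}))


def same_node_id(a: DataNode, b: DataNode) -> bool:
    """S21: the method only proceeds for nodes sharing a node identifier."""
    return a.node_id == b.node_id


def split_streams(record, a: DataNode, b: DataNode):
    """S22: derive each node's action instruction stream from the shared record."""
    first = [ins for sender, ins in record if sender == a.name]
    second = [ins for sender, ins in record if sender == b.name]
    return first, second


def parse_features(stream) -> Counter:
    """S23: shared action parsing logic; the feature is the multiset of opcodes."""
    return Counter(ins.split()[0] for ins in stream)


def features_match(req_feat: Counter, resp_feat: Counter) -> bool:
    """Matching rule (assumed): every request opcode is known and is answered by its
    expected response opcode the same number of times, with no unsolicited responses."""
    expected = Counter()
    for op, n in req_feat.items():
        if op not in EXPECTED_RESPONSE:
            return False
        expected[EXPECTED_RESPONSE[op]] += n
    return expected == resp_feat


def recognize(node: DataNode, feat: Counter) -> frozenset:
    """S24: node-specific recognition; returns opcodes outside the node's allow-list."""
    return frozenset(op for op in feat if op not in node.allowed)


def detect(record, a: DataNode, b: DataNode):
    """S21-S25 end to end.  Returns None when the pair is out of scope (different
    node_id); otherwise the names of nodes flagged as abnormal (empty when the
    streams match, or when they mismatch but neither node's own logic flags anything,
    which is left for the operator to review)."""
    if not same_node_id(a, b):
        return None
    first, second = split_streams(record, a, b)
    f1, f2 = parse_features(first), parse_features(second)
    if features_match(f1, f2):
        return frozenset()
    r1, r2 = recognize(a, f1), recognize(b, f2)  # S24 only runs on a mismatch
    return frozenset(n.name for n, r in ((a, r1), (b, r2)) if r)  # S25


if __name__ == "__main__":
    print(detect(RECORD, NODE_1, NODE_2))  # frozenset({'n1'})
```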
In a specific implementation, many data nodes interact within the same time period. To ensure the accuracy of the determined first action instruction stream and second action instruction stream, in step S22, determining the first action instruction stream of the first data node and the second action instruction stream of the second data node from the interaction record between the first data node and the second data node may specifically include the following:
Step S221: obtain the metadata trust degree of the interaction record and each action instruction pair.
Step S222: when it is determined from the metadata trust degree that the interaction record contains invalid interaction behavior, determine, from the action instruction pairs of the interaction record under invalid interaction behavior and their digital signatures, the difference in response success rate between each action instruction pair of the interaction record under valid interaction behavior and each action instruction pair of the interaction record under invalid interaction behavior, and move those action instruction pairs under valid interaction behavior whose response success rate is the same as that of an action instruction pair under invalid interaction behavior into the corresponding invalid interaction behavior category.
Step S223: when the current valid interaction behavior of the interaction record contains multiple action instruction pairs, determine, from the action instruction pairs of the interaction record under invalid interaction behavior and their digital signatures, the differences in response success rate between the action instruction pairs of the interaction record under the current valid interaction behavior, and screen the action instruction pairs under the current valid interaction behavior according to those differences.
Step S224: set an invalid interaction behavior signature for each action instruction pair obtained by the above screening according to the action instruction pairs of the interaction record under invalid interaction behavior and their digital signatures, and move each such action instruction pair into the invalid interaction behavior category corresponding to its invalid interaction behavior signature.
Step S225: determine the first action instruction stream and the second action instruction stream according to the first action instruction pairs in the valid interaction behavior category, the second action instruction pairs in the invalid interaction behavior category, the first link layer protocol of the first data node, and the second link layer protocol of the second data node.
Through steps S221 to S225, the action instruction pairs falling under the valid and invalid interaction behavior categories can be determined from the metadata trust degree of the interaction record and the action instruction pairs, so that the validity of the action instruction pairs is accurately divided. On that basis, the first action instruction stream and the second action instruction stream can be determined in combination with the first link layer protocol of the first data node and the second link layer protocol of the second data node. In this way, the validity of the action instructions is taken into account, which ensures the accuracy of the resulting first and second action instruction streams.
When determining the first action instruction stream and the second action instruction stream, the action instructions exchanged between the first data node and the second data node need to be distinguished, so that neither stream carries the other's action instructions. To this end, in step S225, determining the first action instruction stream and the second action instruction stream according to the first action instruction pairs in the valid interaction behavior category, the second action instruction pairs in the invalid interaction behavior category, the first link layer protocol of the first data node, and the second link layer protocol of the second data node may specifically include the following:
Step S2251: determine the first action instruction set and the second action instruction set corresponding respectively to the first data node and the second data node according to the first action instruction pairs, the second action instruction pairs, the first link layer protocol, and the second link layer protocol.
Step S2252: determine a first structured sequence of the first data node and a second structured sequence of the second data node based on the first action instruction set, the second action instruction set, the first link layer protocol, and the second link layer protocol.
Step S2253: based on the first structured sequence and the second structured sequence, determine a first instruction sequence of the first data node from the first action instruction set and a second instruction sequence of the second data node from the second action instruction set.
Step S2254: once the first instruction sequence and the second instruction sequence are determined, pair the first instruction sequence with the second instruction sequence to obtain a pairing result; judge from the pairing result whether the first instruction sequence and the second instruction sequence form a sequence pair of multi-branch threads; if so, convert the first instruction sequence and the second instruction sequence, per branch thread, into multiple first instruction forms and second instruction forms having those branch threads; look up, according to the first instruction forms and the second instruction forms respectively, preset instruction script files having the same or similar branch threads as the first instruction forms and the second instruction forms; and combine the pairing result with the script streams corresponding to the preset instruction script files into an action instruction stream set.
Step S2255: determine the first action instruction stream and the second action instruction stream according to the preset instruction script files in the action instruction stream set and their corresponding script streams, the first interface information corresponding to the action parsing logic of the first data node, and the second interface information corresponding to the action parsing logic of the second data node.
In step S2251, the first action instruction set includes a series of request instructions sent by the first data node to the second data node within the valid invocation time range of the interaction record, and the second action instruction set includes a series of response instructions returned by the second data node to the first data node, within the valid invocation time range of the interaction record, in reply to the request instructions received from the first data node.
It can be understood that through steps S2251 to S2255, the action instruction sets corresponding to the first data node and the second data node can be determined from their respective action instruction pairs and link layer protocols, and from those the structured sequences and instruction sequences. The instruction sequences are then paired, the preset instruction script files meeting the requirements are determined from the pairing result, and the pairing result and the script streams corresponding to the preset instruction script files are combined into an action instruction stream set. Finally, the first action instruction stream and the second action instruction stream are determined based on the preset instruction script files in the action instruction stream set and their corresponding script streams, the first interface information corresponding to the action parsing logic of the first data node, and the second interface information corresponding to the action parsing logic of the second data node.
In this way, the first data node and the second data node can be distinguished successively through the action instruction sets, the structured sequences, and the instruction sequences, so that the action instructions exchanged between the first data node and the second data node are separated and neither the first action instruction stream nor the second action instruction stream carries the other's action instructions.
In a specific implementation, although the action parsing logic used to parse the first action instruction stream and the second action instruction stream is the same, the timing difference between the first action instruction stream and the second action instruction stream must be taken into account. To this end, in step S22, parsing the first action instruction stream and the second action instruction stream respectively according to the action parsing logic corresponding to the first data node or the second data node to obtain the first instruction feature and the second instruction feature may specifically include the following:
Step S221: split the first action instruction stream and the second action instruction stream respectively according to the instruction splitting rule in the action instruction logic, to obtain a first split set of the first action instruction stream and a second split set of the second action instruction stream.
Step S222: arbitrarily select one action instruction packet from a preset action instruction packet set as the target action instruction packet; compare each first single-action instruction in the first split set corresponding to the first action instruction stream, and each second single-action instruction in the second split set corresponding to the second action instruction stream, with each reference action instruction in the target action instruction packet, to obtain a first comparison result between the first action instruction stream and the target action instruction packet and a second comparison result between the second action instruction stream and the target action instruction packet.
Step S223: taking the target action instruction packet as the reference position, compare along the set sequence direction until a current action instruction packet appears in the action instruction packet set such that the first similarity value between the third comparison result, between the first action instruction stream and the current action instruction packet, and the first comparison result is greater than a set threshold, and the second similarity value between the fourth comparison result, between the second action instruction stream and the current action instruction packet, and the second comparison result is greater than the set threshold.
Step S224: determine a third instruction feature corresponding to the current action instruction packet, the third instruction feature determining the parsing thread of the action parsing logic; perform feature extraction on the first split set and the second split set according to the parsing thread, to obtain the first instruction feature and the second instruction feature.
In step S221, the first split set includes multiple first single-action instructions of the first action instruction stream, and the second split set includes multiple second single-action instructions of the second action instruction stream.
In step S222, the action instruction packet set includes a comparison action instruction packet for each verified action instruction in the instruction database, taking that instruction as the reference action instruction. The first action instruction node of a comparison action instruction packet is the relative timing information of the reference action instruction, and each subsequent action instruction node includes the timing correlation degree between the reference action instruction and another action instruction in the instruction database together with the relative timing information of that other action instruction; the action instructions in each comparison action instruction packet are arranged in ascending order of timing correlation degree.
It can be understood that through steps S221 to S224, the first action instruction stream and the second action instruction stream can be split into the first split set and the second split set based on the instruction splitting rule in the action instruction logic; the current action instruction packet is then determined from the preset action instruction packet set based on the first and second split sets; the parsing thread of the action parsing logic is determined based on the current action instruction packet; and feature extraction is performed on the first and second split sets according to the parsing thread to obtain the first instruction feature and the second instruction feature. In this way, the timing difference between the first action instruction stream and the second action instruction stream is taken into account when determining the current action instruction packet, which ensures the accuracy of parsing the two streams.
In a specific implementation, since the behavior recognition logic differs between data nodes, when performing behavior recognition on the instruction features of the data nodes, the action mapping corresponding to the relative role relationship between the different data nodes (the one sending requests and the one returning responses) needs to be taken into account. To this end, in step S24, recognizing the first instruction feature based on the first behavior recognition logic corresponding to the first data node to obtain the first recognition result and recognizing the second instruction feature based on the second behavior recognition logic corresponding to the second data node to obtain the second recognition result may specifically include the following:
Step S241: determine, according to the first action category corresponding to the first instruction feature of the first data node and the second action category corresponding to the second instruction feature of the second data node, a first role mapping vector of the first data node relative to the second data node and a second role mapping vector of the second data node relative to the first data node.
Step S242: based on the first role mapping vector and the first cumulative value of request instructions sent by the first data node to the second data node as represented by the first instruction feature, adjust the first logic recognition units and first logic directed edges in the first behavior recognition logic to obtain a first target behavior recognition logic; and based on the second role mapping vector and the second cumulative value of response instructions sent by the second data node to the first data node as represented by the second instruction feature, adjust the second logic recognition units and second logic directed edges in the second behavior recognition logic to obtain a second target behavior recognition logic.
Step S243: determine, according to the first target behavior recognition logic and the second target behavior recognition logic, the duration over which the first instruction feature and the second instruction feature are recognized.
Step S244: within that duration, use the first target behavior recognition logic to determine a first feature correlation degree of the first instruction feature; obtain the first recognition result from the first feature correlation degree and the first verification result between the second data node and the first data node, which is included in the pre-stored verification form between the second data node and the other data nodes in the distributed data network. The first verification result is the verification result obtained with the second data node as the verifying end and the first data node as the end to be verified.
Step S245: within that duration, use the second target behavior recognition logic to determine a second feature correlation degree of the second instruction feature; obtain the second recognition result from the second feature correlation degree and the second verification result between the first data node and the second data node, which is included in the pre-stored verification form between the first data node and the other data nodes in the distributed data network. The second verification result is the verification result obtained with the first data node as the verifying end and the second data node as the end to be verified.
In step S243, the duration indicates that the first start time at which the first target behavior recognition logic begins recognizing the first instruction feature is the same as the second start time at which the second target behavior recognition logic begins recognizing the second instruction feature, and that the first end time at which the first target behavior recognition logic finishes recognizing the first instruction feature is the same as the second end time at which the second target behavior recognition logic finishes recognizing the second instruction feature.
It can be understood that through steps S241 to S245, the corresponding role mapping vectors can be determined from the action categories of the data nodes, and the different behavior recognition logics can be adjusted on the basis of the role mapping vectors to obtain different target behavior recognition logics. Further, unifying the recognition duration determined from the different target behavior recognition logics ensures that the different recognition results are synchronized in time, and hence accurate. During recognition, the different recognition results can be obtained accurately from the different feature correlation degrees and the verification results between the different data nodes.
Through the above method, the relative role relationship between data nodes corresponding to different action categories can be distinguished, for example by determining the recognition results of the different data nodes from the perspective of request instruction versus response instruction and of verifying end versus end to be verified. In this way, the action mapping corresponding to the relative role relationship between the different data nodes is taken into account, ensuring the accuracy of the different recognition results.
In specific implementation, in order to accurately determine which data node exhibits abnormal behavior, the recognition results need to be analyzed from the perspective of the different data nodes. To this end, in step S25, determining, according to the first recognition result and the second recognition result, which of the first data node and the second data node exhibits abnormal behavior may specifically include the following:
Step S251: Extract the first confidence parameter from the first recognition result and the second confidence parameter from the second recognition result.
Step S252: Obtain, according to the first recognition result, a first check code mapping the first data node to the second data node.
Step S253: Obtain, according to the first check code and the second recognition result, a second check code mapping the second data node to the first data node.
Step S254: Determine a third check code according to the pre-stored first dynamic random number corresponding to the first device identifier of the first data node and the first recognition result.
Step S255: Determine a fourth check code according to the pre-stored second dynamic random number corresponding to the second device identifier of the second data node and the second recognition result.
Step S256: Determine whether the first check code and the third check code are consistent; when the first check code and the third check code are inconsistent, determine that the first data node exhibits abnormal behavior.
Step S257: Determine whether the second check code and the fourth check code are consistent; when the second check code and the fourth check code are inconsistent, determine that the second data node exhibits abnormal behavior.
It can be understood that through steps S251 to S257, the first check code and the second check code can be determined on the basis of the mutual mapping between the first data node and the second data node, and the third check code and the fourth check code can be determined on the basis of the pre-stored first dynamic random number and second dynamic random number. In this way, the recognition results can be analyzed from the perspective of the different data nodes, so that the data node exhibiting abnormal behavior is determined accurately.
In specific implementation, in order to ensure the security of the other data nodes in the distributed data network, the following may also be included on the basis of steps S251 to S257:
Shield the first data node and the second data node that exhibit abnormal behavior.
It can be understood that by shielding the first data node and the second data node that exhibit abnormal behavior, those nodes can be prevented from communicating with the other nodes in the distributed data network, thereby ensuring the security of the other data nodes in the distributed data network.
In specific implementation, in order to ensure that the normal operation of the other data nodes is not affected when the first data node and the second data node exhibiting abnormal behavior are shielded, the shielding of the first data node or the second data node exhibiting abnormal behavior may specifically further include the following:
Step S31: When there is a current data interaction behavior in the distributed data network corresponding to a third data node other than the first data node and the second data node, determine the probability that the third data node loses data while the current data interaction behavior is in progress, according to the disturbance parameter in the current data interaction behavior that is used to detect the network stability of the distributed data network, the optimal transmission stability weight value that represents the network stability and corresponds to the time period to which the current data interaction behavior belongs, and at least one data node access count growth rate of the distributed data network that corresponds to the time period to which the current data interaction behavior belongs.
Step S32: Determine the shielding signal frequency band corresponding to the probability, according to the probability and the correspondence between the current data interaction behavior and a number of numerical intervals into which the margin range of the probability is divided.
Step S33: Generate, according to the shielding signal frequency band, a shielding signal for shielding the request instructions or response instructions initiated by the first data node or the second data node, and transmit the shielding signal through the node distribution sequence of the distributed data network.
In step S31, the data node access count growth rate is the ratio of the number of valid access requests corresponding to the network structural description of the distributed data network to the total number of access requests.
It can be understood that through steps S31 to S33, the current data interaction behavior corresponding to a third data node in the distributed data network other than the first data node and the second data node can be analyzed, so as to analyze the network stability and transmission stability of the distributed data network and thereby determine the probability that the third data node loses data while the current data interaction behavior is in progress. Further analysis is then performed according to that probability to determine the shielding signal frequency band, from which a shielding signal for shielding the request instructions or response instructions initiated by the first data node or the second data node is generated and transmitted through the node distribution sequence of the distributed data network. In this way, the effect of transmitting the shielding signal on the data interaction behavior of the third data node is minimized, ensuring the normal operation of the third data node.
On the basis of the above, an embodiment of the present invention provides a distributed data node abnormal behavior detection apparatus 200. FIG. 2 is a functional block diagram of a distributed data node abnormal behavior detection apparatus 200 according to an embodiment of the present invention. The distributed data node abnormal behavior detection apparatus 200 includes:
A judging module 201, configured to judge, when a first data node and a second data node in the distributed data network perform data interaction, whether the node identifier of the first data node is the same as that of the second data node;
A determining module 202, configured to determine, when the node identifier of the first data node is the same as the node identifier of the second data node, the first action instruction stream of the first data node and the second action instruction stream of the second data node from the interaction record between the first data node and the second data node;
A parsing module 203, configured to parse the first action instruction stream and the second action instruction stream respectively according to the action parsing logic corresponding to the first data node or the second data node, to obtain a first instruction feature and a second instruction feature;
A recognition module 204, configured to, when the first instruction feature and the second instruction feature do not match, recognize the first instruction feature on the basis of the first behavior recognition logic corresponding to the first data node to obtain a first recognition result, and recognize the second instruction feature on the basis of the second behavior recognition logic corresponding to the second data node to obtain a second recognition result;
A detection module 205, configured to determine, according to the first recognition result and the second recognition result, which of the first data node and the second data node exhibits abnormal behavior.
In an alternative embodiment, the determining module 202 is configured to:
obtain the metadata trust degree of the interaction record and each action instruction pair;
when it is determined according to the metadata trust degree that the interaction record contains invalid interaction behavior, determine, according to the action instruction pairs of the interaction record under invalid interaction behavior and their digital signatures, the difference in response success rate between each action instruction pair of the interaction record under valid interaction behavior and each action instruction pair of the interaction record under invalid interaction behavior, and move those action instruction pairs under valid interaction behavior whose response success rate is the same as that of an action instruction pair under invalid interaction behavior into the classification of the corresponding invalid interaction behavior;
when the current valid interaction behavior of the interaction record contains multiple action instruction pairs, determine, according to the action instruction pairs of the interaction record under invalid interaction behavior and their digital signatures, the difference in response success rate between the action instruction pairs of the interaction record under the current valid interaction behavior, and screen the action instruction pairs under the current valid interaction behavior according to that difference in response success rate;
set, according to the action instruction pairs of the interaction record under invalid interaction behavior and their digital signatures, an invalid interaction behavior signature for each action instruction pair obtained by the above screening, and move each such action instruction pair into the classification of the invalid interaction behavior corresponding to its invalid interaction behavior signature;
determine the first action instruction stream and the second action instruction stream according to the first action instruction pair under the valid interaction behavior classification, the second action instruction pair under the invalid interaction behavior classification, the first link layer protocol of the first data node, and the second link layer protocol of the second data node.
In an alternative embodiment, the determining module 202 is configured to:
determine, according to the first action instruction pair, the second action instruction pair, the first link layer protocol and the second link layer protocol, the first action instruction set and the second action instruction set corresponding respectively to the first data node and the second data node; wherein the first action instruction set includes a series of request instructions sent by the first data node to the second data node within the valid invocation time range of the interaction record, and the second action instruction set includes a series of response instructions fed back by the second data node to the first data node, within the valid invocation time range of the interaction record, according to the received request instructions sent by the first data node;
determine the first structured sequence of the first data node and the second structured sequence of the second data node on the basis of the first action instruction set, the second action instruction set, the first link layer protocol and the second link layer protocol;
determine, on the basis of the first structured sequence and the second structured sequence, the first instruction sequence of the first data node and the second instruction sequence of the second data node from the first action instruction set and the second action instruction set respectively;
when the first instruction sequence and the second instruction sequence have been determined, pair the first instruction sequence with the second instruction sequence to obtain a pairing result; judge, according to the pairing result, whether the first instruction sequence and the second instruction sequence form a sequence pair of multi-branch threads; if so, convert the first instruction sequence and the second instruction sequence, per branch thread, into a plurality of first instruction forms and second instruction forms carrying the branch threads; look up, according to the first instruction form and the second instruction form respectively, preset instruction script files having the same or similar branch threads as the first instruction form and the second instruction form; and combine the pairing result and the script streams corresponding to the preset instruction script files into an action instruction stream set;
determine the first action instruction stream and the second action instruction stream according to the preset instruction script files in the action instruction stream set and the script streams corresponding to those preset instruction script files, the first interface information corresponding to the action parsing logic of the first data node, and the second interface information corresponding to the action parsing logic of the second data node.
In an alternative embodiment, the parsing module 203 is configured to:
split the first action instruction stream and the second action instruction stream respectively according to the instruction splitting rule in the action instruction logic, to obtain a first split set of the first action instruction stream and a second split set of the second action instruction stream; wherein the first split set includes a plurality of first single-action instructions of the first action instruction stream, and the second split set includes a plurality of second single-action instructions of the second action instruction stream;
arbitrarily select one action instruction package from the preset action instruction package set as the target action instruction package; compare each first single-action instruction in the first split set corresponding to the first action instruction stream and each second single-action instruction in the second split set corresponding to the second action instruction stream with each reference action instruction in the target action instruction package, to obtain a first comparison result between the first action instruction stream and the target action instruction package and a second comparison result between the second action instruction stream and the target action instruction package; the action instruction package set includes, for each verified action instruction in the instruction database, a comparison action instruction package that takes that verified action instruction as its reference action instruction; the action instruction node of the comparison action instruction package is the relative timing information of the reference action instruction, each subsequent action instruction node includes the timing correlation degree between the reference action instruction and another action instruction in the instruction database together with the relative timing information of that other action instruction, and the action instructions in each comparison action instruction package are arranged in ascending order of timing correlation degree;
taking the target action instruction package as the reference position, compare along the set sequence direction until a current action instruction package appears in the action instruction package set such that the first similarity value between the third comparison result, between the first action instruction stream and the current action instruction package, and the first comparison result, between the first action instruction stream and the target action instruction package, is greater than a set threshold, and the second similarity value between the fourth comparison result, between the second action instruction stream and the current action instruction package, and the second comparison result, between the second action instruction stream and the current action instruction package, is greater than the set threshold;
determine a third instruction feature corresponding to the current action instruction package, the third instruction feature determining the parsing thread of the action parsing logic; and perform feature extraction on the first split set and the second split set according to the parsing thread, to obtain the first instruction feature and the second instruction feature.
In an alternative embodiment, the recognition module 204 is configured to:
determine, according to the first action category corresponding to the first instruction feature of the first data node and the second action category corresponding to the second instruction feature of the second data node, the first role mapping vector of the first data node relative to the second data node and the second role mapping vector of the second data node relative to the first data node;
adjust the first logical recognition unit and the first logical directed edge in the first behavior recognition logic on the basis of the first role mapping vector and the first cumulative value of the request instructions sent by the first data node to the second data node, as characterized by the first instruction feature, to obtain the first target behavior recognition logic; adjust the second logical recognition unit and the second logical directed edge in the second behavior recognition logic on the basis of the second role mapping vector and the second cumulative value of the response instructions sent by the second data node to the first data node, as characterized by the second instruction feature, to obtain the second target behavior recognition logic;
determine, according to the first target behavior recognition logic and the second target behavior recognition logic, the duration for recognizing the first instruction feature and the second instruction feature; wherein the duration is used to characterize that the first start time at which the first target behavior recognition logic begins recognizing the first instruction feature is the same as the second start time at which the second target behavior recognition logic begins recognizing the second instruction feature, and that the first end time at which the first target behavior recognition logic finishes recognizing the first instruction feature is the same as the second end time at which the second target behavior recognition logic finishes recognizing the second instruction feature;
within the duration, use the first target behavior recognition logic to determine the first feature correlation degree of the first instruction feature; obtain the first recognition result according to the first feature correlation degree and the first verification result between the second data node and the first data node, which is included in the pre-stored verification form between the second data node and the other data nodes in the distributed data network; the first verification result is the verification result obtained with the second data node acting as the verifying end and the first data node acting as the end to be verified;
within the duration, use the second target behavior recognition logic to determine the second feature correlation degree of the second instruction feature; obtain the second recognition result according to the second feature correlation degree and the second verification result between the first data node and the second data node, which is included in the pre-stored verification form between the first data node and the other data nodes in the distributed data network; the second verification result is the verification result obtained with the first data node acting as the verifying end and the second data node acting as the end to be verified.
In an alternative embodiment, the detection module 205 is configured to:
extract the first confidence parameter from the first recognition result and the second confidence parameter from the second recognition result;
obtain, according to the first recognition result, a first check code mapping the first data node to the second data node;
obtain, according to the first check code and the second recognition result, a second check code mapping the second data node to the first data node;
determine a third check code according to the pre-stored first dynamic random number corresponding to the first device identifier of the first data node and the first recognition result;
determine a fourth check code according to the pre-stored second dynamic random number corresponding to the second device identifier of the second data node and the second recognition result;
determine whether the first check code and the third check code are consistent, and determine that the first data node exhibits abnormal behavior when the first check code and the third check code are inconsistent;
determine whether the second check code and the fourth check code are consistent, and determine that the second data node exhibits abnormal behavior when the second check code and the fourth check code are inconsistent.
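The check-code comparison of steps S251 to S257, and of the detection module 205 above, can be illustrated with an added Python example. This is not code from the patent; it assumes a concrete data model the patent does not specify: each node reports its recognition result as a set of fields plus a check code computed over those fields with HMAC-SHA256, keyed by the node's dynamic random number, and the second node's report binds the first check code as a field. The server recomputes the third and fourth check codes from its pre-stored random numbers and flags a node whose reported code does not match. The node names, nonces and result values are constructed sample data.

```python
import hashlib
import hmac
import json


def canonical(fields):
    """Deterministic serialization so node and server hash identical bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def check_code(nonce, fields):
    """Check code: HMAC-SHA256 over the canonical fields, keyed by the node's
    dynamic random number (assumed construction, not from the patent)."""
    return hmac.new(nonce, canonical(fields), hashlib.sha256).hexdigest()


def build_result(nonce, node_id, peer_id, confidence, correlation,
                 verification, peer_check_code=None):
    """A node's recognition result as reported to the server (hypothetical schema)."""
    fields = {
        "node": node_id,
        "peer": peer_id,
        "confidence": confidence,
        "correlation": correlation,
        "verification": verification,
    }
    if peer_check_code is not None:
        # Second node binds the first check code (step S253's mutual mapping).
        fields["peer_check_code"] = peer_check_code
    return {"fields": fields, "check_code": check_code(nonce, fields)}


def detect_abnormal(result1, result2, stored_nonces):
    """Server-side steps S251 to S257. stored_nonces maps node id to the
    pre-stored dynamic random number for that node's device identifier."""
    f1, f2 = result1["fields"], result2["fields"]
    # S251: extract the confidence parameters from both results.
    confidences = {f1["node"]: f1["confidence"], f2["node"]: f2["confidence"]}
    # S252: first check code, node 1 mapped to node 2.
    code1 = result1["check_code"]
    # S253: second check code, node 2 mapped to node 1, bound to code1.
    code2 = result2["check_code"]
    abnormal = []
    # S254 + S256: recompute the third check code with node 1's stored nonce.
    nonce1 = stored_nonces.get(f1["node"])
    code3 = check_code(nonce1, f1) if nonce1 is not None else ""
    if not hmac.compare_digest(code1, code3):
        abnormal.append(f1["node"])
    # S255 + S257: recompute the fourth check code with node 2's stored nonce.
    # Node 2 is also flagged if its report does not bind the first check code.
    nonce2 = stored_nonces.get(f2["node"])
    code4 = check_code(nonce2, f2) if nonce2 is not None else ""
    if not hmac.compare_digest(code2, code4) or f2.get("peer_check_code") != code1:
        abnormal.append(f2["node"])
    return {"abnormal": abnormal, "confidence": confidences}


# Constructed nonces for a reproducible demo; a deployment would issue them
# with secrets.token_bytes(32) and store them per device identifier.
NONCE_A = bytes(range(32))
NONCE_B = bytes(range(32, 64))


def run_scenarios():
    stored = {"node-A": NONCE_A, "node-B": NONCE_B}
    # 1. Both nodes report honestly: no node is flagged.
    r1 = build_result(NONCE_A, "node-A", "node-B", 0.93, 0.81, "pass")
    r2 = build_result(NONCE_B, "node-B", "node-A", 0.88, 0.79, "pass", r1["check_code"])
    honest = detect_abnormal(r1, r2, stored)["abnormal"]
    # 2. Node A reports with a nonce the server never issued (S256 fails).
    wrong = build_result(bytes(32), "node-A", "node-B", 0.99, 0.95, "pass")
    r2b = build_result(NONCE_B, "node-B", "node-A", 0.88, 0.79, "pass", wrong["check_code"])
    bad_a = detect_abnormal(wrong, r2b, stored)["abnormal"]
    # 3. Node B alters a reported field after computing its code (S257 fails).
    r2c = build_result(NONCE_B, "node-B", "node-A", 0.88, 0.79, "pass", r1["check_code"])
    r2c["fields"]["confidence"] = 1.0
    bad_b = detect_abnormal(r1, r2c, stored)["abnormal"]
    return honest, bad_a, bad_b


if __name__ == "__main__":
    print(run_scenarios())  # ([], ['node-A'], ['node-B'])
```

The confidence parameters are extracted and returned as in step S251; the patent does not say how they are used beyond extraction, so the example leaves them as data for the caller. Comparing codes with `hmac.compare_digest` rather than `==` avoids a timing side channel on the comparison itself.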
In an alternative embodiment, the detection module 205 is further configured to:
shield the first data node or the second data node that exhibits abnormal behavior.
The server 300 includes a processor and a memory. The judging module 201, determining module 202, parsing module 203, recognition module 204 and detection module 205 described above are all stored in the memory as program units, and the processor executes the program units stored in the memory to implement the corresponding functions.
The processor contains a kernel, which retrieves the corresponding program unit from the memory. One or more kernels may be provided; by adjusting the kernel, abnormal behavior detection is achieved while the working performance of the distributed data nodes is preserved, so that the intruded distributed data node can be determined.
An embodiment of the present invention provides a readable storage medium on which a program is stored; when the program is executed by a processor, the distributed data node abnormal behavior detection method is implemented.
An embodiment of the present invention provides a processor configured to run a program, wherein the distributed data node abnormal behavior detection method is executed when the program runs.
In an embodiment of the present invention, as shown in FIG. 3, the server 300 includes at least one processor 301, at least one memory 302 connected to the processor 301, and a bus; the processor 301 and the memory 302 communicate with each other through the bus 303; the processor 301 is configured to call the program instructions in the memory 302 to execute the distributed data node abnormal behavior detection method described above. The server 300 herein may be a server, a PC, a PAD, a mobile phone, or the like.
The present application is described with reference to flowcharts and/or block diagrams of methods, servers (systems) and computer program products according to embodiments of the present application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing server to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing server produce an apparatus for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
In a typical configuration, a server includes one or more processors (CPUs), memory and a bus. The server may also include input/output interfaces, network interfaces, and the like.
The memory may include non-persistent memory in computer-readable media, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM); the memory includes at least one memory chip. Memory is an example of a computer-readable medium.
Computer-readable media include persistent and non-persistent, removable and non-removable media, and information storage may be implemented by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage servers, or any other non-transmission medium that can be used to store information accessible by a computing server. As defined herein, computer-readable media do not include transitory computer-readable media (transitory media), such as modulated data signals and carrier waves.
It should also be noted that the terms "comprising", "including" or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, commodity or server that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, commodity or server. Without further limitation, an element qualified by the phrase "comprising a ..." does not preclude the presence of additional identical elements in the process, method, commodity or server that includes the element.
Those skilled in the art will appreciate that the embodiments of the present application may be provided as a method, a system or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
The above are merely embodiments of the present application and are not intended to limit the present application. Various modifications and variations of the present application are possible for those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present application shall fall within the scope of the claims of the present application.
Claims (10)
Priority Applications (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201911307932.XA CN111092889B (en) | 2019-12-18 | 2019-12-18 | Distributed data node abnormal behavior detection method, device and server |
| CN202010827655.1A CN111988304B (en) | 2019-12-18 | 2019-12-18 | Distributed data node abnormal behavior detection method and device based on Internet of things |
| CN202010827946.0A CN111988305B (en) | 2019-12-18 | 2019-12-18 | Data node abnormal behavior detection method and server applied to Internet of things |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201911307932.XA CN111092889B (en) | 2019-12-18 | 2019-12-18 | Distributed data node abnormal behavior detection method, device and server |
Related Child Applications (2)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010827655.1A Division CN111988304B (en) | 2019-12-18 | 2019-12-18 | Distributed data node abnormal behavior detection method and device based on Internet of things |
| CN202010827946.0A Division CN111988305B (en) | 2019-12-18 | 2019-12-18 | Data node abnormal behavior detection method and server applied to Internet of things |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN111092889A CN111092889A (en) | 2020-05-01 |
| CN111092889B true CN111092889B (en) | 2020-11-20 |
Family ID: 70395710
Family Applications (3)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201911307932.XA Active CN111092889B (en) | 2019-12-18 | 2019-12-18 | Distributed data node abnormal behavior detection method, device and server |
| CN202010827655.1A Active CN111988304B (en) | 2019-12-18 | 2019-12-18 | Distributed data node abnormal behavior detection method and device based on Internet of things |
| CN202010827946.0A Active CN111988305B (en) | 2019-12-18 | 2019-12-18 | Data node abnormal behavior detection method and server applied to Internet of things |
Family Applications After (2)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010827655.1A Active CN111988304B (en) | 2019-12-18 | 2019-12-18 | Distributed data node abnormal behavior detection method and device based on Internet of things |
| CN202010827946.0A Active CN111988305B (en) | 2019-12-18 | 2019-12-18 | Data node abnormal behavior detection method and server applied to Internet of things |
Country Status (1)
| Country | Link |
|---|---|
| CN (3) | CN111092889B (en) |
Families Citing this family (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116016140B (en) * | 2020-07-10 | 2024-09-17 | 展讯半导体(成都)有限公司 | Communication exception handling method, master node, indoor distribution system and storage medium |
| CN113489752B (en) * | 2021-09-07 | 2021-11-19 | 华控清交信息科技(北京)有限公司 | Bright and ciphertext hybrid computing method and device, electronic equipment and storage medium |
| CN115168917B (en) * | 2022-07-07 | 2023-09-22 | 大唐智创(山东)科技有限公司 | A cloud computing service abnormal user behavior processing method and server |
| CN117221435B (en) * | 2023-11-09 | 2024-01-12 | 万道智控信息技术有限公司 | Mobile phone safety performance detection method and system based on mobile phone cabinet |
Citations (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1588889A (en) * | 2004-09-24 | 2005-03-02 | 清华大学 | Abnormal detection method for user access activity in attached net storage device |
| CN102724182A (en) * | 2012-05-30 | 2012-10-10 | 北京像素软件科技股份有限公司 | Recognition method of abnormal client side |
| CN104424354A (en) * | 2013-08-27 | 2015-03-18 | 国际商业机器公司 | Detecting Anomalous User Behavior Using Generative Models of User Actions |
| CN104994091A (en) * | 2015-06-30 | 2015-10-21 | 东软集团股份有限公司 | Method and device for detecting abnormal flow, and method and device for defending against Web attack |
| CN105554016A (en) * | 2015-12-31 | 2016-05-04 | 山石网科通信技术有限公司 | Network attack processing method and device |
| CN106921676A (en) * | 2017-04-20 | 2017-07-04 | 电子科技大学 | A kind of intrusion detection method based on OPCClassic |
| US10091077B1 (en) * | 2016-06-27 | 2018-10-02 | Symantec Corporation | Systems and methods for detecting transactional message sequences that are obscured in multicast communications |
| CN109495521A (en) * | 2019-01-18 | 2019-03-19 | 新华三信息安全技术有限公司 | A kind of anomalous traffic detection method and device |
| CN110324323A (en) * | 2019-06-19 | 2019-10-11 | 全球能源互联网研究院有限公司 | A kind of new energy plant stand relates to net end real-time, interactive process exception detection method and system |
| CN110401624A (en) * | 2018-04-25 | 2019-11-01 | 全球能源互联网研究院有限公司 | The detection method and system of source net G system mutual message exception |
Family Cites Families (14)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2005053230A2 (en) * | 2003-11-28 | 2005-06-09 | Insightix Ltd. | Methods and systems for collecting information relating to a communication network and for collecting information relating to operating systems operating on nodes in a communication network |
| CN102111420A (en) * | 2011-03-16 | 2011-06-29 | 上海电机学院 | Intelligent NIPS framework based on dynamic cloud/fire wall linkage |
| CN102195975A (en) * | 2011-04-08 | 2011-09-21 | 上海电机学院 | Intelligent NIPS (Network Intrusion Prevention System) framework for quantifying neural network based on mobile agent (MA) and learning vector |
| WO2015186662A1 (en) * | 2014-06-06 | 2015-12-10 | 日本電信電話株式会社 | Log analysis device, attack detection device, attack detection method and program |
| CN105049421A (en) * | 2015-06-24 | 2015-11-11 | 百度在线网络技术(北京)有限公司 | Authentication method based on use behavior characteristic of user, server, terminal, and system |
| US10158658B1 (en) * | 2015-12-04 | 2018-12-18 | Amazon Technologies, Inc. | System for determining network anomalies |
| US10027694B1 (en) * | 2016-03-28 | 2018-07-17 | Amazon Technologies, Inc. | Detecting denial of service attacks on communication networks |
| US11165813B2 (en) * | 2016-10-03 | 2021-11-02 | Telepathy Labs, Inc. | System and method for deep learning on attack energy vectors |
| CN108737333B (en) * | 2017-04-17 | 2021-08-24 | 腾讯科技(深圳)有限公司 | Data detection method and device |
| CN108737410B (en) * | 2018-05-14 | 2021-04-13 | 辽宁大学 | Limited knowledge industrial communication protocol abnormal behavior detection method based on feature association |
| CN109194689B (en) * | 2018-10-22 | 2021-04-23 | 武汉极意网络科技有限公司 | Abnormal behavior recognition method, device, server and storage medium |
| CN109274692B (en) * | 2018-11-14 | 2021-03-16 | 众安信息技术服务有限公司 | A method and device for identifying malicious nodes in a blockchain network |
| CN110237530B (en) * | 2019-06-14 | 2020-12-11 | 腾讯科技(深圳)有限公司 | Abnormal behavior detection method and device and readable storage medium |
| CN110266680B (en) * | 2019-06-17 | 2021-08-24 | 辽宁大学 | An Anomaly Detection Method for Industrial Communication Based on Double Similarity Metrics |
2019
- 2019-12-18 CN CN201911307932.XA patent/CN111092889B/en active Active
- 2019-12-18 CN CN202010827655.1A patent/CN111988304B/en active Active
- 2019-12-18 CN CN202010827946.0A patent/CN111988305B/en active Active
Also Published As
| Publication number | Publication date |
|---|---|
| CN111988304B (en) | 2022-06-21 |
| CN111988305B (en) | 2022-06-03 |
| CN111988304A (en) | 2020-11-24 |
| CN111988305A (en) | 2020-11-24 |
| CN111092889A (en) | 2020-05-01 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN111092889B (en) | | Distributed data node abnormal behavior detection method, device and server |
| JP2019506674A5 (en) | | |
| CN117081858A (en) | | Intrusion behavior detection method, system, equipment and medium based on multi-decision tree |
| WO2015062536A1 (en) | | Data processing |
| Abela et al. | | An automated malware detection system for android using behavior-based analysis AMDA |
| CN112115468B (en) | | Service information detection method based on big data and cloud computing center |
| Souza et al. | | Combining regular expressions and machine learning for SQL injection detection in urban computing |
| Huang et al. | | Thwarting unauthorized voice eavesdropping via touch sensing in mobile systems |
| CN111241152B (en) | | Policy information mining method, device and cloud server |
| CN110135162A (en) | | The recognition methods of the back door WEBSHELL, device, equipment and storage medium |
| CN111181957B (en) | | IoT device security verification method, system and central control device |
| CN111680301A (en) | | A kind of vulnerability detection method and device |
| Daihes et al. | | MORTON: detection of malicious routines in large-scale DNS traffic |
| CN113032774A (en) | | Training method, device and equipment of anomaly detection model and computer storage medium |
| RU180789U1 (en) | | DEVICE OF INFORMATION SECURITY AUDIT IN AUTOMATED SYSTEMS |
| CN110769008B (en) | | Data security protection method and device and service equipment |
| WO2025222685A1 (en) | | Security protection method based on system log, and security protection apparatus and security protection system |
| CN116232612B (en) | | Abnormal flow detection method, device and computer readable storage medium |
| CN115310075B (en) | | Risk detection methods, devices, storage media, and electronic equipment |
| CN111241376B (en) | | Multi-level information matching method, device and cloud service platform |
| CN114448688A (en) | | Information processing method, apparatus, device and storage medium |
| RU2850644C2 (en) | | Multi-level malicious software detector for mobile platforms |
| CN114398621A (en) | | A security verification method, device, electronic device and storage medium |
| CN115600195A (en) | | Web attack detection method, device, equipment and readable storage medium |
| US11824887B1 (en) | | Eliminating network security blind spots |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | CB02 | Change of applicant information | Address after: Room 504, building A3, phase 2, Yunnan University Science Park, high tech Zone, Kunming City, Yunnan Province. Applicant after: Jia Haifang. Address before: Room 627, building 11, zone B, Fuzhou Software Park, No. 89, software Avenue, Gulou District, Fuzhou City, Fujian Province 350000. Applicant before: Jia Haifang |
| | TA01 | Transfer of patent application right | Effective date of registration: 20201029. Address after: 223400 Jiangsu Lianshui Huaian Xingang Xintiandi commercial A2 District. Applicant after: Jiangsu Medusa Information Technology Co., Ltd. Address before: Room 504, building A3, phase 2, Yunnan University Science Park, high tech Zone, Kunming City, Yunnan Province. Applicant before: Jia Haifang |
| | GR01 | Patent grant | |