CN115085956B - Intrusion detection method, intrusion detection device, electronic equipment and storage medium - Google Patents
Intrusion detection method, intrusion detection device, electronic equipment and storage medium
- Publication number: CN115085956B (application CN202110269297.1A)
- Authority: CN (China)
- Prior art keywords: intrusion detection, real, access instruction, basic data, behavior
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- H04L63/1425—Traffic logging, e.g. anomaly detection
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Debugging And Monitoring (AREA)
Abstract
The invention provides an intrusion detection method, apparatus, electronic device and storage medium. The method includes: executing an access instruction over a secure channel dedicated to intrusion detection, to obtain real-time multi-dimensional basic data of a business system device; and determining, based on an intrusion detection model and the real-time multi-dimensional basic data, that the access instruction is abnormal. By executing the access instruction over the secure channel, the invention obtains real-time multi-dimensional basic data of the business system device, performs anomaly detection on that data with the intrusion detection model, and confirms that the access instruction is abnormal. Intrusion detection is thus performed more securely and detection capability is improved, without occupying the resources of the business system device.
Description
Technical field
The present invention relates to the field of network security technology, and in particular to an intrusion detection method, apparatus, electronic device and storage medium.
Background
With the rapid development of network technology, people rely more and more on networks for information processing. Network security has therefore become increasingly important, and intrusion detection is one of the core technologies for securing a network.
Existing intrusion detection techniques fall mainly into two kinds: network-based and system-device-based. Network-based intrusion detection takes the packets on the network as its data source; communication packets are captured inline or by port mirroring (bypass), inspected, and intrusions are identified and responded to. System-device-based intrusion detection takes system logs, application logs and the like as its data source; agent software is installed on the monitored system device, the agent collects the device's log files and runtime information, and the logs and records are analysed to identify and respond to intrusions.
However, both network-based and system-device-based intrusion detection consume internal resources of the monitored system, such as bandwidth and computing capacity. In addition, the network monitoring and the agent software are not effectively controlled, or they introduce system compatibility problems and therefore additional security problems. The detection effect of both methods is limited: they depend largely on matching against historical intrusion detection records, so the range of intrusions they can identify is restricted.
Summary of the invention
The present invention provides an intrusion detection method, apparatus, electronic device and storage medium to remedy the defects of the prior art, namely the consumption of the monitored system's internal resources, the security problems this brings, and insufficient detection capability. It performs intrusion detection more securely and improves detection capability without occupying the resources of the business system device.
In a first aspect, the present invention provides an intrusion detection method, including:
executing an access instruction over a secure channel dedicated to intrusion detection, to obtain real-time multi-dimensional basic data of a business system device; and
determining, based on an intrusion detection model and the real-time multi-dimensional basic data, that the access instruction is abnormal.
Optionally, in the intrusion detection method provided by the present invention, the intrusion detection model includes a user frequent behaviour relationship model;
correspondingly, determining that the access instruction is abnormal based on the intrusion detection model and the real-time multi-dimensional basic data includes:
determining that the access instruction is abnormal based on the current user behaviour data in the real-time multi-dimensional basic data and the user frequent behaviour relationship model.
Optionally, in the intrusion detection method provided by the present invention, the intrusion detection model includes a behaviour mapping relationship model;
correspondingly, determining that the access instruction is abnormal based on the intrusion detection model and the real-time multi-dimensional basic data includes:
determining a device hardware information prediction threshold based on the current user behaviour data in the real-time multi-dimensional basic data and the behaviour mapping relationship model;
if the current device hardware information in the real-time multi-dimensional basic data is determined not to lie within the range of the device hardware information prediction threshold, determining that the access instruction is abnormal;
where the current device hardware information is the device hardware information in the real-time multi-dimensional basic data obtained by executing the access instruction.
Optionally, in the intrusion detection method provided by the present invention, the method further includes:
training on historical user behaviour information with the Apriori association rule algorithm to obtain the user frequent behaviour relationship model.
Optionally, in the intrusion detection method provided by the present invention, the method further includes:
training on the historical user behaviour information and the device hardware information corresponding to each item of historical user behaviour information with a Bayesian classification algorithm, to obtain the behaviour mapping relationship model.
Optionally, in the intrusion detection method provided by the present invention, executing an access instruction over the secure channel dedicated to intrusion detection to obtain real-time multi-dimensional basic data of the business system device includes:
authenticating and authorising the access instruction based on the authentication information it carries;
if both authentication and authorisation succeed, executing the access instruction to obtain the real-time multi-dimensional basic data of the business system device.
Optionally, in the intrusion detection method provided by the present invention, after authenticating and authorising the access instruction based on the authentication information it carries, the method further includes:
if both authentication and authorisation succeed, performing a post-hoc audit of the operation log of the access instruction.
In a second aspect, the present invention provides an intrusion detection apparatus, including:
an acquisition module for executing an access instruction over a secure channel dedicated to intrusion detection, to obtain real-time multi-dimensional basic data of a business system device; and
a determination module for determining, based on an intrusion detection model and the real-time multi-dimensional basic data, that the access instruction is abnormal.
In a third aspect, the present invention further provides an electronic device including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor, when executing the program, implements the steps of the intrusion detection method provided in the first aspect.
In a fourth aspect, the present invention further provides a non-transitory computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the intrusion detection method provided in the first aspect.
With the intrusion detection method, apparatus, electronic device and storage medium provided by the present invention, real-time multi-dimensional basic data of the business system device is obtained by executing the access instruction over the secure channel, anomaly detection is performed on that data with the intrusion detection model, and the access instruction is confirmed to be abnormal. Intrusion detection is thus performed more securely and detection capability is improved, without occupying the resources of the business system device.
Description of the drawings
To explain the technical solutions of the present invention or of the prior art more clearly, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below show some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Figure 1 is the first flow diagram of the intrusion detection method provided by the present invention;
Figure 2 is a schematic diagram of the pruning process of the Apriori association rule algorithm provided by the present invention;
Figure 3 is the second flow diagram of the intrusion detection method provided by the present invention;
Figure 4 is a schematic structural diagram of the intrusion detection apparatus provided by the present invention;
Figure 5 is a schematic structural diagram of the electronic device provided by the present invention.
Detailed description
To make the purpose, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the embodiments described are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Various network security technologies arising from the user interface (UI) have developed continuously, such as static defence technologies like firewalls and encryption; relying on these technologies alone, however, still cannot guarantee the security of a network. Intrusion detection is one of the core technologies for securing a network and is an active defence technology: it can detect intrusions by unauthorised parties and also monitor the illegitimate use of system resources by authorised parties.
Figure 1 is the first flow diagram of the intrusion detection method provided by the present invention. As shown in Figure 1, the method includes the following steps:
Step 110: executing an access instruction over a secure channel dedicated to intrusion detection, to obtain real-time multi-dimensional basic data of the business system device;
Optionally, the secure channel dedicated to intrusion detection may be an installation-free secure channel. The secure channel uses an authentication password string which, after encryption, forms a credential string used for authentication against the security management and control platform.
Optionally, the secure channel is used to connect to the monitored business system device; once authentication and authorisation over the secure channel succeed, the access instruction is executed and the real-time multi-dimensional basic data of the business system device is collected.
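The authenticate-then-authorise gate described for the secure channel, with the post-hoc audit log of the summary, as an added example that is not part of the patent or of any product implementing it. It assumes an HMAC-based credential derived from a shared channel secret (the patent only says the password string is encrypted into a credential string), an allow-list of read-only collection commands per role, and a freshness window on the credential; the collectors, roles, secret and sample data are all constructed for the illustration.

```python
"""Added example (not the patent's own code): authenticate, authorise, execute, audit."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed shared secret for the example only; a deployment would provision one per device.
CHANNEL_SECRET = b"example-channel-secret"
MAX_TOKEN_AGE_SECONDS = 300

# Assumed authorisation table: which collection commands each role may issue. Only read-only
# collectors are listed, so the channel cannot be used to change the monitored device.
AUTHORIZED_COMMANDS = {
    "ids-collector": {"collect_processes", "collect_open_ports", "collect_hw_metrics"},
    "ids-auditor": {"collect_hw_metrics"},
}


@dataclass
class AccessInstruction:
    role: str
    command: str
    issued_at: float
    token: str


def make_token(role, command, issued_at, secret=CHANNEL_SECRET):
    """Credential string: HMAC over every field the gate checks, so none can be swapped later."""
    msg = f"{role}|{command}|{issued_at:.0f}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


@dataclass
class ChannelGate:
    secret: bytes = CHANNEL_SECRET
    audit_log: list = field(default_factory=list)

    def authenticate(self, instr, now):
        """Constant-time comparison of the presented credential, plus a freshness window."""
        expected = make_token(instr.role, instr.command, instr.issued_at, self.secret)
        fresh = 0 <= now - instr.issued_at <= MAX_TOKEN_AGE_SECONDS
        return fresh and hmac.compare_digest(expected, instr.token)

    def authorize(self, instr):
        return instr.command in AUTHORIZED_COMMANDS.get(instr.role, set())

    def execute(self, instr, now, collectors):
        """Return (status, data); every decision is written to the audit log for later review."""
        if not self.authenticate(instr, now):
            status, data = "auth_failed", None
        elif not self.authorize(instr):
            status, data = "unauthorized", None
        else:
            status, data = "ok", collectors[instr.command]()
        self.audit_log.append(
            {"time": now, "role": instr.role, "command": instr.command, "status": status}
        )
        return status, data


def demo():
    """Four constructed instructions: valid, wrong role, tampered command, stale credential."""
    now = 1_700_000_000.0
    collectors = {  # constructed sample collectors standing in for the real data sources
        "collect_processes": lambda: ["sshd", "nginx"],
        "collect_open_ports": lambda: [22, 443],
        "collect_hw_metrics": lambda: {"cpu_pct": 12.0, "disk_mb_s": 410.0},
    }
    gate = ChannelGate()

    def instr(role, command, issued_at, token=None):
        return AccessInstruction(role, command, issued_at,
                                 token or make_token(role, command, issued_at))

    statuses = [
        gate.execute(instr("ids-collector", "collect_hw_metrics", now - 10), now, collectors)[0],
        gate.execute(instr("ids-auditor", "collect_processes", now - 10), now, collectors)[0],
        gate.execute(instr("ids-collector", "collect_processes", now - 10,
                           token=make_token("ids-collector", "collect_open_ports", now - 10)),
                     now, collectors)[0],
        gate.execute(instr("ids-collector", "collect_processes", now - 1000), now, collectors)[0],
    ]
    return statuses, gate.audit_log


if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```

Binding the command and the timestamp into the credential is what keeps the channel "dedicated": a credential captured for one read-only collector cannot be replayed for another command or after the window closes, and the audit log records the failed attempts as well as the successful collections.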
Optionally, the real-time multi-dimensional basic data includes dynamic runtime information of the system device, static configuration information, user behaviour information, device hardware data and the like.
Specifically, the dynamic runtime information of the system device includes processes, services, network connections and file changes. Processes means the system's resident process information; services means the system's service information; network connections means the system's network IP, cumulative traffic and similar information; file changes means file storage status information.
The static configuration information includes startup items, open ports, software, users, scheduled tasks, environment variables, firewall policy and the HOSTS file. Startup items means the detailed list of the system's startup items; open ports means the open status of the system's network ports; software means the system's software and service information; users means the accounts that can log in to the system; scheduled tasks means the system's scheduled task information; environment variables means the system's environment variable information; firewall policy means the system's firewall policy information; and the HOSTS file means the system's HOSTS file information.
The user behaviour information includes login information, file access and the user's command history. Login information means the time at which the user logged in to the server; file access means the paths of the files the user accessed; and the command history means the command-line statements executed during the user's login session.
The device hardware data includes CPU usage, hard disk read/write and traffic rate. CPU usage means the system's CPU occupancy status; hard disk read/write means the system's hard disk read and write speed; traffic rate means the system's network traffic rate.
Step 120: determining, based on an intrusion detection model and the real-time multi-dimensional basic data, that the access instruction is abnormal.
Optionally, the intrusion detection model may include a user frequent behaviour relationship model and a behaviour mapping relationship model.
Optionally, before determining that the access instruction is abnormal based on the intrusion detection model and the real-time multi-dimensional basic data, the method further includes:
preprocessing the collected historical user behaviour information and the hardware data corresponding to it, to generate a user behaviour data relationship chain and a history of the hardware data recorded while the user's operations were executed.
Optionally, the user behaviour data relationship chain is used as input and user behaviour anomalies are determined from the user frequent behaviour relationship model. If the user's operation is determined to be abnormal, an alert is raised for the user; if there is no anomaly, no alert is raised.
Optionally, a hardware data threshold is predicted from the user behaviour data relationship chain and the behaviour mapping relationship model; if the current device hardware information in the real-time multi-dimensional basic data is determined not to lie within the range of the predicted device hardware information threshold, an alert is raised for the user.
For example, if the CPU usage in the real-time multi-dimensional basic data is 50% and the predicted CPU usage threshold range for the device hardware information is 0-40%, an alert is raised telling the user that CPU usage is too high.
If the CPU usage in the real-time multi-dimensional basic data is 50% and the predicted maximum CPU usage threshold for the device hardware information is 40%, an alert is raised telling the user that CPU usage is too high.
If the hard disk read/write speed in the real-time multi-dimensional basic data is 300 MB/s and the predicted minimum hard disk read/write speed threshold for the device hardware information is 400 MB/s, an alert is raised telling the user that the hard disk read/write speed is too low.
Optionally, the above alerts are verified and the verification results are fed back to the intrusion detection model training module to refine the intrusion detection model.
For example, if the above alert is that CPU usage is too high, the CPU usage is verified and the verification result is fed back into the behaviour mapping relationship model to refine it.
After executing the access instruction over the secure channel, the present invention obtains real-time multi-dimensional basic data of the business system device, performs anomaly detection on that data with the intrusion detection model, and confirms that the access instruction is abnormal. Intrusion detection is thus performed more securely and detection capability is improved, without occupying the resources of the business system device.
Optionally, the intrusion detection model includes a user frequent behaviour relationship model.
Correspondingly, determining that the access instruction is abnormal based on the intrusion detection model and the real-time multi-dimensional basic data includes:
determining that the access instruction is abnormal based on the current user behaviour data in the real-time multi-dimensional basic data and the user frequent behaviour relationship model.
Optionally, because the business running on a business server is stable and it is maintained by a single operations vendor, the operations performed by the server's user accounts are relatively fixed and user behaviour patterns change little. Exploiting this property, the Apriori association rule algorithm can be trained on historical user behaviour data to mine the dependencies between a user's successive operations and obtain an association rule model; the rule model is then used to predict which operations a user will go on to perform after certain actions, and so to judge whether the user's operations are legitimate.
Specifically, the historical data set in the multi-dimensional basic data is scanned several times to compute the association degree of the user's historical commands, and for every user the frequent itemsets of commands that precede and follow a given command are found, from which the user frequent behaviour relationship model is produced. For example, a user's usual operations on the business system device are querying and adding business system data, and the user has no permission to delete business system data; if a delete instruction for business system data now appears from this user, the user's behaviour can be determined to be abnormal.
Through the user frequent behaviour relationship model, the present invention can effectively discover users' illegitimate operations, which makes the intrusion detection capability stronger.
Optionally, the intrusion detection model includes a behaviour mapping relationship model;
correspondingly, determining that the access instruction is abnormal based on the intrusion detection model and the real-time multi-dimensional basic data includes:
determining a device hardware information prediction threshold based on the current user behaviour data in the real-time multi-dimensional basic data and the behaviour mapping relationship model;
if the current device hardware information in the real-time multi-dimensional basic data is determined not to lie within the range of the device hardware information prediction threshold, determining that the access instruction is abnormal;
where the current device hardware information is the device hardware information in the real-time multi-dimensional basic data obtained by executing the access instruction.
Optionally, because the business is stable, the changes in server software and hardware information caused by a user's operations show certain regularities in the data changes or periodic activity they produce. While behaviour is predicted with the association rule model, the naive Bayes algorithm can be used to classify user operations and thereby predict the changes in server software and hardware information that a user's operations will cause. Classification training takes as input the historical user frequent behaviour relationship chains together with the hardware data recorded after the historical operations, and outputs a baseline library of user access behaviour.
Here, the hardware data recorded after historical operations means the data on how the server changed over the time period after user behaviour from the frequent behaviour relationship model was executed, such as recorded memory usage, CPU usage and frequency, hard disk read/write changes, and network rate and utilisation.
For example, when the business server accesses a certain service of the business system device, the predicted threshold for the CPU usage of the business system device for that behaviour in the mapping relationship baseline library is 0-40%; if the business server's current access behaviour causes the CPU usage of the business system device to reach 50% at some moment, the current access behaviour can be determined to be abnormal.
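The behaviour mapping relationship model and the threshold check of steps 120 and of the CPU and disk examples above, as an added example that is not the patent's own code. It assumes a multinomial naive Bayes classifier whose features are the commands in a user's behaviour chain and whose classes are fixed bands of each hardware metric (the band predicted for a chain is taken as the "prediction threshold range"); the bands, metric names, history and live readings are constructed for the illustration.

```python
"""Added example (not the patent's own code): naive Bayes from behaviour chain to hardware band."""
import math
from collections import Counter, defaultdict

# Assumed discretisation of each hardware metric; the predicted band is the threshold range.
BANDS = {
    "cpu_pct": [(0, 40), (40, 70), (70, 100)],
    "disk_mb_s": [(0, 200), (200, 400), (400, 1000)],
}

# Constructed history: (commands executed in the session, hardware readings recorded after them).
HISTORY = [
    (["query", "query"], {"cpu_pct": 12, "disk_mb_s": 120}),
    (["query", "add"], {"cpu_pct": 25, "disk_mb_s": 180}),
    (["query"], {"cpu_pct": 8, "disk_mb_s": 90}),
    (["backup"], {"cpu_pct": 55, "disk_mb_s": 450}),
    (["backup", "verify"], {"cpu_pct": 62, "disk_mb_s": 520}),
    (["add", "add"], {"cpu_pct": 30, "disk_mb_s": 190}),
]


def band_of(metric, value):
    bands = BANDS[metric]
    for i, (lo, hi) in enumerate(bands):
        if lo <= value < hi:
            return i
    return len(bands) - 1  # readings at or above the top edge fall in the last band


class BehaviourHardwareModel:
    """One multinomial naive Bayes classifier per metric: bag of commands -> hardware band."""

    def __init__(self):
        self.class_counts = defaultdict(Counter)                        # metric -> band -> n
        self.token_counts = defaultdict(lambda: defaultdict(Counter))   # metric -> band -> cmd -> n
        self.vocab = set()

    def train(self, history):
        for commands, metrics in history:
            self.vocab.update(commands)
            for metric, value in metrics.items():
                band = band_of(metric, value)
                self.class_counts[metric][band] += 1
                self.token_counts[metric][band].update(commands)

    def predict_range(self, metric, commands):
        """Most probable band for this command chain, returned as its (low, high) range."""
        total = sum(self.class_counts[metric].values())
        best, best_score = None, -math.inf
        for band, n in self.class_counts[metric].items():
            counts = self.token_counts[metric][band]
            denom = sum(counts.values()) + len(self.vocab)
            score = math.log(n / total)
            for cmd in commands:
                score += math.log((counts[cmd] + 1) / denom)  # Laplace smoothing; unseen cmd ok
            if score > best_score:
                best, best_score = band, score
        return BANDS[metric][best]


def check_hardware(model, commands, current):
    """One alert per metric whose live reading lies outside the range predicted for the chain."""
    alerts = []
    for metric, value in current.items():
        lo, hi = model.predict_range(metric, commands)
        if value < lo or value > hi:
            direction = "too high" if value > hi else "too low"
            alerts.append(f"{metric}={value} outside predicted range {lo}-{hi} ({direction})")
    return alerts


if __name__ == "__main__":
    m = BehaviourHardwareModel()
    m.train(HISTORY)
    print(check_hardware(m, ["query", "add"], {"cpu_pct": 50}))
    print(check_hardware(m, ["backup"], {"cpu_pct": 55, "disk_mb_s": 300}))
```

The point of conditioning on the command chain is that the same reading is normal for one behaviour and abnormal for another: 55% CPU after a backup falls inside the predicted band, while 50% after query-and-add does not, which is the comparison the page's 50% versus 0-40% example describes.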
本发明通过行为映射关系模型,可以有效发现异常数据变动,使得入侵检测能力更强。Through the behavior mapping relationship model, the present invention can effectively discover abnormal data changes, making the intrusion detection capability stronger.
Optionally, the method further includes:
training on historical user behavior information with the Apriori association rule algorithm to obtain the user frequent behavior relationship model.
Optionally, the main steps of training on historical user behavior information with the Apriori association rule algorithm are as follows:
Step 11: scan all feature data and generate the set C1 of candidate 1-itemsets;
Step 12: from the set C1 of candidate 1-itemsets, generate the set L1 of frequent 1-itemsets according to the minimum association degree (the minimum support);
Step 13: for k > 1, repeat steps 14, 15 and 16;
Step 14: perform the join and prune operations on Lk to generate the set Ck+1 of candidate (k+1)-itemsets;
Step 15: from the set Ck+1 of candidate (k+1)-itemsets, generate the set Lk+1 of frequent (k+1)-itemsets according to the minimum support;
Step 16: if Lk+1 is not empty, set k = k + 1 and return to step 14; otherwise stop;
Step 17: generate the user frequent behavior relationship chains from the frequent itemsets according to the minimum confidence, and finish.
The join operation: to find the first Lk (k > 1) of the user login features, Lk-1 is joined with itself to produce the set Ck of candidate k-itemsets. Let l1 and l2 be itemsets in Lk-1 and let li[j] denote the j-th item of li. The Apriori algorithm assumes that the items in a transaction or itemset are sorted in lexicographic order; if the first k-2 items of l1 and l2 are equal and the (k-1)-th item of l1 is smaller than the (k-1)-th item of l2, then l1 and l2 are joinable, and the join result is (l1[1], l1[2], l1[3], l1[4], ..., l1[k-1], l2[k-1]).
The prune operation: by the Apriori property, every subset of a frequent k-itemset must itself be frequent, so the set Ck produced by the join must be verified and the infrequent k-itemsets that do not meet the minimum support removed. Figure 2 is a schematic diagram of the pruning flow of the Apriori association rule algorithm provided by the invention. In Figure 2 the empty-set node contains no features, and 0, 1, 2 and 3 denote feature index values; the set of feature indicators shared between behaviors is computed by statistical analysis, the key features of the potential relationship chain scenarios between behaviors are identified, and infrequent chain features are eliminated.
Training on historical user behavior with the Apriori association rule algorithm yields the user frequent behavior relationship model. For example, a user's usual operations on the business system device are querying business system data and adding business system data, and the user has no permission to delete business system data; if a deletion instruction for business system data now appears from that user, the user's behavior can be determined to be abnormal and an alarm raised for that user. Through the user frequent behavior relationship model the invention can effectively discover illegal user operations, giving stronger intrusion detection capability.
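The Apriori procedure of steps 11-17 and the permission example above, carried through as an added Python example that is not code from the patent. The session data and operation names are constructed; the anomaly rule, flagging any operation in the current session that appears in none of the user's frequent itemsets, is one simple reading of the patent's test and not a step the patent spells out.

```python
from itertools import combinations

# Constructed history: one set of operations per user session on the business
# system device. Operation names are hypothetical, not from the patent.
SESSIONS = [
    {"login", "query_data", "add_data"},
    {"login", "query_data", "add_data", "export_report"},
    {"login", "query_data"},
    {"login", "query_data", "add_data"},
    {"login", "add_data"},
    {"login", "query_data", "export_report"},
]

def support(itemset, transactions):
    """Fraction of transactions containing every item of the itemset."""
    return sum(1 for t in transactions if itemset <= t) / len(transactions)

def apriori(transactions, min_support):
    """Steps 11-17: C1 -> L1, then join/prune L_k into C_{k+1} and filter it to
    L_{k+1}, until no frequent itemset remains. Returns {frozenset: support}."""
    # Steps 11-12: candidate 1-itemsets, kept if they reach the minimum support.
    c1 = {frozenset([i]) for t in transactions for i in t}
    level = {c: support(c, transactions) for c in c1}
    level = {c: s for c, s in level.items() if s >= min_support}
    frequent = dict(level)
    k = 1
    while level:                                   # step 16: stop when L_{k+1} is empty
        candidates = set()
        for a, b in combinations(level, 2):        # step 14: join L_k with itself
            u = a | b
            if len(u) != k + 1:
                continue                           # the pair shares fewer than k-1 items
            # prune: every k-subset of a candidate must already be frequent
            if all(frozenset(sub) in level for sub in combinations(u, k)):
                candidates.add(u)
        # step 15: count the candidates, keep those at or above the minimum support
        level = {c: support(c, transactions) for c in candidates}
        level = {c: s for c, s in level.items() if s >= min_support}
        frequent.update(level)
        k += 1
    return frequent

def behaviour_chains(frequent, min_confidence):
    """Step 17: rules antecedent -> consequent from the frequent itemsets, kept
    when confidence = supp(X u Y) / supp(X) reaches the minimum confidence."""
    chains = []
    for itemset, sup in frequent.items():
        if len(itemset) < 2:
            continue
        for r in range(1, len(itemset)):
            for ante in combinations(sorted(itemset), r):
                ante = frozenset(ante)
                conf = sup / frequent[ante]        # subsets of frequent sets are frequent
                if conf >= min_confidence:
                    chains.append((ante, itemset - ante, round(conf, 3)))
    return chains

def unexpected_operations(frequent, observed):
    """Real-time check: operations in the current session that occur in none of
    the user's frequent itemsets (a delete from a user who only ever queried
    and added, say) are returned so an alarm can be raised."""
    known = set().union(*frequent) if frequent else set()
    return {op for op in observed if op not in known}
```

With a minimum support of 0.5 the six constructed sessions yield seven frequent itemsets, and at a minimum confidence of 0.8 four chains survive (for instance add_data -> login with confidence 1.0); a session containing delete_data is reported because that operation occurs in no frequent itemset. The join here unions every pair of frequent k-itemsets and keeps the unions of size k+1, which is equivalent to the lexicographic prefix join the text describes.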
Optionally, the method further includes:
training on the historical user behavior information and the device hardware information corresponding to each item of historical user behavior information with a Bayesian classification algorithm to obtain the behavior mapping relationship model.
Optionally, the Bayesian classification algorithm is trained on the historical user behavior information together with the device hardware information within a certain period corresponding to each item of historical user behavior information. This may include the following steps:
Step 21, data cleaning: the historical frequent behavior relationship chains and the hardware data recorded after the historical operations are input to form the training sample set. The input of this stage is the historical training set in A and the output is the training data samples.
Step 22, classifier training: for each category of behavior relationship chain in the training samples, compute its frequency of occurrence and the conditional probability estimate of the corresponding hardware data change, and generate the model, the association classifier, from the estimated probabilities. The input is the training data samples and the output is the association classifier.
Step 23, application: the association classifier classifies the items to be classified. The input is the association classifier and the items to be classified, and the output is the behavior mapping relationship baseline library.
Step 24: from the mapping relationship of step 23, form the behavior mapping relationship baseline library, which predicts the hardware data threshold that follows a given user's frequent behavior relationship chain.
Through the Bayesian classification algorithm the historical user behavior information is associated with the device hardware information within a certain period corresponding to each item of it, and a prediction threshold for the normal range is obtained. When the same user behavior is performed in real time and the change in device hardware information it causes within the period exceeds the prediction threshold, the user behavior can be determined to be abnormal. For example, when the business server accesses a certain service of the business system device, the mapping relationship baseline library predicts a CPU usage threshold of 0-40% for the business system device for that behavior; if the business server's current access behavior drives the CPU usage of the business system device to 50% at some moment, the current access behavior can be determined to be abnormal. Through the behavior mapping relationship model the invention can effectively discover abnormal data changes, giving stronger intrusion detection capability.
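The baseline library of steps 21-24 and the 0-40% CPU example, as an added Python example that is not the patent's code; it also serves the naive Bayes classification of operations described earlier in this section. It assumes a constructed history of (behavior chain, peak CPU %) samples, 10-point CPU bins and Laplace smoothing; the predicted threshold is taken to be the span of bins in which the chain has been observed, and classify() is the naive Bayes step of asking which chain most plausibly produced an observed load.

```python
from collections import Counter, defaultdict
from math import log

BIN_WIDTH = 10                      # CPU-usage bucket width in percentage points (assumed)
N_BINS = 100 // BIN_WIDTH + 1       # bins 0..10; the last one holds exactly 100 %

# Constructed training samples: (frequent behavior chain, peak CPU % of the
# business system device in the period after that chain ran). Hypothetical values.
HISTORY = [
    ("query_data", 12), ("query_data", 18), ("query_data", 25), ("query_data", 31),
    ("query_data", 22), ("query_data", 35), ("query_data", 9),  ("query_data", 38),
    ("batch_export", 55), ("batch_export", 62), ("batch_export", 48), ("batch_export", 70),
]

def train_baseline(history, alpha=1.0):
    """Step 22: for each chain, its prior P(chain) and the Laplace-smoothed
    conditional distribution P(cpu_bin | chain). Returns the baseline library."""
    counts = defaultdict(Counter)
    for chain, cpu in history:
        counts[chain][min(cpu // BIN_WIDTH, N_BINS - 1)] += 1
    total = len(history)
    lib = {}
    for chain, c in counts.items():
        n = sum(c.values())
        lib[chain] = {
            "prior": n / total,
            "cond": {b: (c[b] + alpha) / (n + alpha * N_BINS) for b in range(N_BINS)},
            "seen": sorted(b for b in c if c[b] > 0),   # bins with observed mass
        }
    return lib

def predicted_range(lib, chain):
    """Step 24: the hardware threshold the library predicts for a chain, as the
    percentage range (low, high) spanning every bin observed for it."""
    seen = lib[chain]["seen"]
    return seen[0] * BIN_WIDTH, (seen[-1] + 1) * BIN_WIDTH

def is_abnormal(lib, chain, cpu):
    """Real-time check: the same chain ran again; is the observed CPU %
    outside the predicted threshold range?"""
    low, high = predicted_range(lib, chain)
    return not (low <= cpu < high)

def classify(lib, cpu):
    """Naive Bayes step: the chain maximising log P(chain) + log P(cpu_bin | chain),
    i.e. which known behavior most plausibly produced this load."""
    b = min(cpu // BIN_WIDTH, N_BINS - 1)
    return max(lib, key=lambda ch: log(lib[ch]["prior"]) + log(lib[ch]["cond"][b]))
```

On the constructed history the library predicts 0-40% for query_data and 40-80% for batch_export, so a query_data access that drives the CPU to 50% is abnormal while 33% is not, and a 65% load is classified as batch_export. Smoothing keeps every bin at non-zero probability so that classify() never takes the log of zero; the threshold itself is deliberately taken from observed bins only, since a never-seen bin carries only smoothing mass.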
Optionally, executing the access instruction over the secure channel dedicated to intrusion detection to obtain real-time multi-dimensional basic data of the business system device includes:
authenticating and authorizing the access instruction on the basis of the authentication information it carries;
if both authentication and authorization succeed, executing the access instruction to obtain the real-time multi-dimensional basic data of the business system device.
Optionally, when the user side issues an access instruction for a system device, the secure channel receives the authentication information carried by the access instruction and performs authentication and authorization with it.
Optionally, if both authentication and authorization succeed, the instruction channel to the system device is opened and the access instruction is executed.
The authentication information may include the system device IP, the account and the authentication password string.
Optionally, the authentication password string may include authentication information such as the account, the password, the source IP, the access time and the script content.
For example, only the administrator account has access rights to the business back-end management system. If an ordinary user tries to access it, the check performed on the ordinary user account in the supplied authentication password string fails and the ordinary user is refused access to the business back-end management system. Authenticating and authorizing the access instruction improves the security of user access.
Authentication and authorization are performed over the secure channel, and only after they succeed can the access instruction be executed and real-time multi-dimensional basic data collected. This guarantees that collection is authenticated and authorized and avoids security risks such as the introduction of covert-channel leakage.
Optionally, after authenticating and authorizing the access instruction on the basis of the authentication information it carries, the method further includes:
if both authentication and authorization succeed, performing an after-the-fact audit of the operation log of the access instruction.
Optionally, once both authentication and authorization succeed, the instruction channel can send the operation logs of all instructions to a centralized audit management module for after-the-fact audit, so that all instructions are supervised and network security is effectively protected and evidenced.
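The secure channel's authenticate, authorize, execute and audit path, as an added Python example that is not the patent's implementation. The authentication password string is modelled as an HMAC over account, source IP, device IP, access time, action and script content under a per-account key derived from the password; the accounts, roles, key and addresses are constructed, and the replay and clock-skew checks are additions a practitioner would expect rather than steps the patent states.

```python
import hashlib
import hmac
import json

# Constructed environment; every name, key and address here is hypothetical.
CHANNEL_KEY = b"demo-secure-channel-key"   # secret held only by the secure channel
MAX_SKEW = 300                              # seconds of clock skew tolerated on access_time
ROLE_OF = {"alice": "admin", "bob": "user"}
PERMISSIONS = {"admin": {"collect_metrics", "backend_admin"},
               "user": {"collect_metrics"}}

def verification_key(password: str) -> bytes:
    """Per-account key derived from the password; the channel stores this, never
    the password. (HMAC stands in for a real password KDF such as argon2/scrypt.)"""
    return hmac.new(CHANNEL_KEY, password.encode(), hashlib.sha256).digest()

CREDENTIALS = {"alice": verification_key("alice-pw"), "bob": verification_key("bob-pw")}

def password_string(key, account, source_ip, device_ip, access_time, action, script):
    """The 'authentication password string': one MAC binding account, source IP,
    target device IP, access time, action and script content, so none of them can
    be altered in transit or reused against another device or at another time."""
    fields = [account, source_ip, device_ip, access_time, action,
              hashlib.sha256(script.encode()).hexdigest()]
    msg = json.dumps(fields, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def build_instruction(account, password, source_ip, device_ip, access_time, action, script):
    """User side: assemble an access instruction carrying its authentication information."""
    auth = password_string(verification_key(password), account, source_ip,
                           device_ip, access_time, action, script)
    return {"account": account, "source_ip": source_ip, "device_ip": device_ip,
            "access_time": access_time, "action": action, "script": script, "auth": auth}

class SecureChannel:
    def __init__(self):
        self.audit_log = []    # stands in for the centralized audit management module
        self.accepted = set()  # MACs already executed, so a replay is refused

    def authenticate(self, instr, observed_ip, now):
        """Is the instruction genuinely from this account, unaltered, from where it
        claims, and fresh? Returns None on success, otherwise the reason."""
        key = CREDENTIALS.get(instr["account"])
        if key is None:
            return "unknown account"
        expected = password_string(key, instr["account"], instr["source_ip"], instr["device_ip"],
                                   instr["access_time"], instr["action"], instr["script"])
        if not hmac.compare_digest(expected, instr["auth"]):
            return "bad MAC: wrong credential or tampered fields"
        if instr["source_ip"] != observed_ip:
            return "source IP mismatch"
        if abs(now - instr["access_time"]) > MAX_SKEW:
            return "access time outside window"
        if instr["auth"] in self.accepted:
            return "replayed instruction"
        return None

    def authorize(self, instr):
        """May this account's role perform the requested action at all?"""
        allowed = PERMISSIONS.get(ROLE_OF.get(instr["account"]), set())
        return None if instr["action"] in allowed else f"{instr['account']} lacks {instr['action']}"

    def handle(self, instr, observed_ip, now):
        """Authenticate, then authorize, then execute; every decision is audited."""
        reason = self.authenticate(instr, observed_ip, now) or self.authorize(instr)
        record = {"account": instr["account"], "action": instr["action"],
                  "device": instr["device_ip"], "ip": observed_ip, "time": now}
        if reason:
            self.audit_log.append({**record, "result": "denied", "reason": reason})
            return None
        self.accepted.add(instr["auth"])
        result = self.execute(instr)
        self.audit_log.append({**record, "result": "executed"})
        return result

    def execute(self, instr):
        # Constructed stand-in for running the instruction on the device and
        # collecting its real-time multi-dimensional basic data.
        return {"device_ip": instr["device_ip"], "cpu_pct": 21, "mem_pct": 63}
```

An instruction from the administrator account is executed and logged; the same instruction presented again is refused as a replay, a tampered script fails the MAC check before anything else is considered, and an ordinary user requesting backend_admin passes authentication but is stopped at authorization, which is the back-end management example above. Denials are audited as well as successes, which is what makes the log useful as evidence afterwards.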
Optionally, Figure 3 is the second flowchart of the intrusion detection method provided by the invention. As shown in Figure 3, the method comprises an installation-free secure-channel data collection module, a baseline library multi-dimensional training module and a baseline model intrusion detection application module. Figure 3 shows the actions within each module and the connections between modules.
After executing the access instruction over the secure channel, the invention obtains the real-time multi-dimensional basic data of the business system device and runs anomaly detection on it with the intrusion detection model to confirm that the access instruction is abnormal. First, because the analysis runs on the server side, program compatibility problems are avoided and no resources of the monitored system device are consumed, giving a lower resource footprint. Second, the secure channel authenticates and authorizes the access instruction and audits it afterwards, avoiding security risks such as the introduction of covert-channel data leakage and improving security. Finally, the frequent behavior relationship model and the behavior mapping relationship model (an analysis method that correlates hardware data changes) do not depend on matching historical intrusion detection records, which removes the limitation on the range of what can be recognized, so illegal operations and abnormal data changes can be discovered effectively and detection capability is stronger.
The intrusion detection device provided by the invention is described below; the device described below and the intrusion detection method described above may be referred to correspondingly.
Figure 4 is a schematic structural diagram of the intrusion detection device provided by the invention. As shown in Figure 4, the device includes an acquisition module 410 and a determination module 420, where:
the acquisition module 410 is configured to execute an access instruction over the secure channel dedicated to intrusion detection and obtain real-time multi-dimensional basic data of the business system device;
the determination module 420 is configured to determine that the access instruction is abnormal on the basis of the intrusion detection model and the real-time multi-dimensional basic data.
Optionally, the intrusion detection device executes the access instruction over the secure channel dedicated to intrusion detection through the acquisition module 410 to obtain the real-time multi-dimensional basic data of the business system device, and through the determination module 420 determines that the access instruction is abnormal on the basis of the intrusion detection model and the real-time multi-dimensional basic data.
After the access instruction is executed over the secure channel, the real-time multi-dimensional basic data of the business system device is obtained and anomaly detection is run on it with the intrusion detection model to confirm that the access instruction is abnormal. This achieves safer intrusion detection with stronger detection capability, while consuming no resources of the business system device.
Optionally, according to an intrusion detection method provided by the invention, the intrusion detection model includes a user frequent behavior relationship model;
correspondingly, determining that the access instruction is abnormal on the basis of the intrusion detection model and the real-time multi-dimensional basic data includes:
determining that the access instruction is abnormal on the basis of the current user behavior data in the real-time multi-dimensional basic data and the user frequent behavior relationship model.
Optionally, according to an intrusion detection method provided by the invention, the intrusion detection model includes a behavior mapping relationship model;
correspondingly, determining that the access instruction is abnormal on the basis of the intrusion detection model and the real-time multi-dimensional basic data includes:
determining a device hardware information prediction threshold on the basis of the current user behavior data in the real-time multi-dimensional basic data and the behavior mapping relationship model;
if the current device hardware information in the real-time multi-dimensional basic data is determined to lie outside the device hardware information prediction threshold range, determining that the access instruction is abnormal;
where the current device hardware information is the device hardware information in the real-time multi-dimensional basic data obtained by executing the access instruction.
Optionally, according to an intrusion detection method provided by the invention, the method further includes:
training on historical user behavior information with the Apriori association rule algorithm to obtain the user frequent behavior relationship model.
Optionally, according to an intrusion detection method provided by the invention, the method further includes:
training on the historical user behavior information and the device hardware information corresponding to each item of historical user behavior information with a Bayesian classification algorithm to obtain the behavior mapping relationship model.
Optionally, according to an intrusion detection method provided by the invention, executing the access instruction over the secure channel dedicated to intrusion detection to obtain real-time multi-dimensional basic data of the business system device includes:
authenticating and authorizing the access instruction on the basis of the authentication information it carries;
if both authentication and authorization succeed, executing the access instruction to obtain the real-time multi-dimensional basic data of the business system device.
Optionally, according to an intrusion detection method provided by the invention, after authenticating and authorizing the access instruction on the basis of the authentication information it carries, the method further includes:
if both authentication and authorization succeed, performing an after-the-fact audit of the operation log of the access instruction.
Figure 5 is a schematic diagram of the physical structure of an electronic device provided by the invention, comprising a memory 510, a processor 530 and a computer program stored in the memory and runnable on the processor. When the processor executes the program it implements the intrusion detection method described above, which includes:
executing an access instruction over the secure channel dedicated to intrusion detection to obtain real-time multi-dimensional basic data of the business system device;
determining that the access instruction is abnormal on the basis of the intrusion detection model and the real-time multi-dimensional basic data.
In addition, the logic instructions in the memory 510 may be implemented as software functional units and, when sold or used as an independent product, stored in a computer-readable storage medium. On this understanding, the technical solution of the invention, in essence or in the part that contributes to the prior art, or a part of the technical solution, may be embodied as a software product stored in a storage medium and comprising a number of instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute all or part of the steps of the methods described in the embodiments of the invention. The storage medium includes a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disc or any other medium that can store program code.
In another aspect, the invention also provides a non-transitory computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program performs the intrusion detection method provided above, which includes:
executing an access instruction over the secure channel dedicated to intrusion detection to obtain real-time multi-dimensional basic data of the business system device;
determining that the access instruction is abnormal on the basis of the intrusion detection model and the real-time multi-dimensional basic data.
The device embodiments described above are illustrative only. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over several network units. Some or all of the modules may be selected according to actual need to achieve the purpose of the solution of this embodiment. A person of ordinary skill in the art can understand and implement this without inventive effort.
From the description of the embodiments above, a person skilled in the art can clearly understand that each embodiment may be implemented by software plus the necessary general hardware platform, and of course also by hardware. On this understanding, the technical solution above, in essence or in the part that contributes to the prior art, may be embodied as a software product stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disc, comprising a number of instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute the methods described in the embodiments or in certain parts of them.
Finally, it should be noted that the embodiments above only illustrate the technical solution of the invention and do not limit it. Although the invention has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not take the essence of the corresponding technical solution outside the spirit and scope of the technical solutions of the embodiments of the invention.
Claims (8)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110269297.1A CN115085956B (en) | 2021-03-12 | 2021-03-12 | Intrusion detection method, intrusion detection device, electronic equipment and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN115085956A CN115085956A (en) | 2022-09-20 |
CN115085956B true CN115085956B (en) | 2023-11-24 |
Family
ID=83240431
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110269297.1A Active CN115085956B (en) | 2021-03-12 | 2021-03-12 | Intrusion detection method, intrusion detection device, electronic equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115085956B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117749530B (en) * | 2024-02-19 | 2024-07-12 | 中研南方金融科技(青岛)有限公司 | Network information security analysis method and system based on big data |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104484474A (en) * | 2014-12-31 | 2015-04-01 | 南京盾垒网络科技有限公司 | Database security auditing method |
US9026840B1 (en) * | 2014-09-09 | 2015-05-05 | Belkin International, Inc. | Coordinated and device-distributed detection of abnormal network device operation |
CN107426196A (en) * | 2017-06-30 | 2017-12-01 | 全球能源互联网研究院 | A kind of method and system of identification WEB invasions |
CN110213215A (en) * | 2018-08-07 | 2019-09-06 | 腾讯科技(深圳)有限公司 | A kind of resource access method, device, terminal and storage medium |
CN110691064A (en) * | 2018-09-27 | 2020-01-14 | 国家电网有限公司 | A field operation terminal security access protection and detection system |
CN112199677A (en) * | 2020-11-03 | 2021-01-08 | 安徽中安睿御科技有限公司 | Data processing method and device |
Non-Patent Citations (2)
Title |
---|
Research on an adaptable integrated security model for host systems (一种主机系统可适应综合安全模型的研究); Liu Yuan, Zhao Qiang, Jiang Jianguo, Huang Jun, Cui Wei; Application Research of Computers, No. 11, pp. 1-3 |
Research and application of intrusion detection system technology (入侵检测系统技术研究与应用); Jiang Yonghong; Computer & Network, No. 8, pp. 1-5 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |