
CN117668400A - Front-end page operation abnormality identification method, device, equipment and medium


Info

Publication number
CN117668400A
Authority
CN
China
Prior art keywords
operation behavior
threat
behavior data
learning model
deep learning
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311643863.6A
Other languages
Chinese (zh)
Inventor
周桂麟
徐治钦
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangzhou Sanqi Jiyao Network Technology Co ltd
Original Assignee
Guangzhou Sanqi Jiyao Network Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guangzhou Sanqi Jiyao Network Technology Co ltd filed Critical Guangzhou Sanqi Jiyao Network Technology Co ltd
Priority to CN202311643863.6A priority Critical patent/CN117668400A/en
Publication of CN117668400A publication Critical patent/CN117668400A/en
Pending legal-status Critical Current


Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/95 Retrieval from the web
    • G06F16/958 Organisation or management of web site content, e.g. publishing, maintaining pages or automatic linking
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/045 Combinations of networks
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • G06N3/09 Supervised learning
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • General Health & Medical Sciences (AREA)
  • Artificial Intelligence (AREA)
  • Evolutionary Computation (AREA)
  • Biophysics (AREA)
  • Molecular Biology (AREA)
  • Computing Systems (AREA)
  • Biomedical Technology (AREA)
  • Computational Linguistics (AREA)
  • Mathematical Physics (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Computer Security & Cryptography (AREA)
  • Databases & Information Systems (AREA)
  • Computer Hardware Design (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The application discloses a method, a device, equipment and a medium for identifying front-end page operation abnormality, and belongs to the technical field of the Internet. The method comprises the following steps: acquiring operation behavior data of a user on a front-end page; inputting the operation behavior data into a pre-trained deep learning model, and determining, according to the output result of the deep learning model, whether the operation behavior data poses a threat and the type of that threat; and, when the output result is that a threat exists, determining the type of the threat and carrying out protection processing according to the protective measures pre-associated with that type. With this technical scheme, whether the user's operation behavior data poses a threat, and of what type, can be determined by inputting the data into the deep learning model, so that abnormalities of the front-end web page can be found and resolved quickly and accurately, and the security of the front-end web page is improved.

Description

Front-end page operation abnormality identification method, device, equipment and medium
Technical Field
The application belongs to the technical field of Internet, and particularly relates to a method, a device, equipment and a medium for identifying front-end page operation abnormality.
Background
A front-end web page is the part of a web page that runs and is presented in the user's browser. It can be designed responsively and optimized for mobile use according to the device and screen size the user has, does not require the user to download a fixed application, and can be opened in a variety of browsers. Front-end web pages are gradually becoming the main choice for users and for merchants' development, so it is important to discover abnormalities in them in time and to keep them operating normally.
At present, front-end web page abnormalities are identified mainly by manual audit and by rule matching. Manual audit is time-consuming and labor-intensive, and the predefined rules used in rule matching do not change, so malicious users can easily work out the rules and find loopholes in them. How to identify front-end page abnormalities quickly and accurately is therefore a technical problem to be solved by those skilled in the art.
Disclosure of Invention
The embodiments of the application aim to provide a method, a device, equipment and a medium for identifying front-end page operation abnormality, so as to find and resolve abnormalities of a front-end page in time and improve the security of the front-end page.
In a first aspect, an embodiment of the present application provides a method for identifying an operation abnormality of a front-end page, where the method includes:
acquiring operation behavior data of a user on a front-end page;
inputting the operation behavior data into a pre-trained deep learning model, and determining, according to the output result of the deep learning model, whether the operation behavior data poses a threat and the type of that threat; the deep learning model is obtained through supervised training on a preset number of sample data;
and, when the output result is that a threat exists, determining the type of the threat and carrying out protection processing according to the protective measures pre-associated with that type.
In a second aspect, an embodiment of the present application provides a device for identifying an operation abnormality of a front-end page, where the device includes:
the operation behavior acquisition module, used for acquiring operation behavior data of a user on a front-end page;
the threat determination module, used for inputting the operation behavior data into a pre-trained deep learning model and determining, according to the output result of the deep learning model, whether the operation behavior data poses a threat and the type of that threat; the deep learning model is obtained through supervised training on a preset number of sample data;
and the protection processing module, used for determining the type of the threat when the output result is that a threat exists, and carrying out protection processing according to the protective measures pre-associated with that type.
In a third aspect, embodiments of the present application provide an electronic device comprising a processor, a memory and a program or instruction stored on the memory and executable on the processor, the program or instruction implementing the steps of the method according to the first aspect when executed by the processor.
In a fourth aspect, embodiments of the present application provide a readable storage medium having stored thereon a program or instructions which when executed by a processor implement the steps of the method according to the first aspect.
In a fifth aspect, embodiments of the present application provide a chip, where the chip includes a processor and a communication interface, where the communication interface is coupled to the processor, and where the processor is configured to execute a program or instructions to implement a method according to the first aspect.
In the embodiments of the application, operation behavior data of a user on a front-end page is acquired; the operation behavior data is input into a pre-trained deep learning model, and whether the operation behavior data poses a threat, and the type of that threat, are determined according to the output result of the deep learning model; the deep learning model is obtained through supervised training on a preset number of sample data; and, when the output result is that a threat exists, the type of the threat is determined and protection processing is carried out according to the protective measures pre-associated with that type. With this method and device for identifying front-end web page operation abnormality, whether the operation behavior data poses a threat, and of what type, can be determined by inputting the user's operation behavior data into the deep learning model, so that abnormalities of the front-end web page can be found and resolved quickly and accurately, and the security of the front-end web page is improved.
Drawings
Fig. 1 is a flowchart of a method for identifying an operation anomaly of a front end page according to an embodiment of the present application;
Fig. 2 is a flowchart of a method for identifying abnormal operation of a front-end page according to a second embodiment of the present application;
Fig. 3 is a flowchart of a method for identifying front-end page operation anomalies according to a third embodiment of the present application;
Fig. 4 is a schematic structural diagram of a device for identifying abnormal operation of a front-end page according to a fourth embodiment of the present application;
Fig. 5 is a schematic structural diagram of an electronic device according to a fifth embodiment of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present application more apparent, the following detailed description of specific embodiments thereof is given with reference to the accompanying drawings. It is to be understood that the specific embodiments described herein are merely illustrative of the application and not limiting thereof. It should be further noted that, for convenience of description, only some, but not all of the matters related to the present application are shown in the accompanying drawings. Before discussing exemplary embodiments in more detail, it should be mentioned that some exemplary embodiments are described as processes or methods depicted as flowcharts. Although a flowchart depicts operations (or steps) as a sequential process, many of the operations can be performed in parallel, concurrently, or at the same time. Furthermore, the order of the operations may be rearranged. The process may be terminated when its operations are completed, but may have additional steps not included in the figures. The processes may correspond to methods, functions, procedures, subroutines, and the like.
Technical solutions in the embodiments of the present application will be clearly described below with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application are within the scope of the protection of the present application.
The terms first, second and the like in the description and in the claims, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged, as appropriate, such that embodiments of the present application may be implemented in sequences other than those illustrated or described herein, and that the objects identified by "first," "second," etc. are generally of a type and not limited to the number of objects, e.g., the first object may be one or more. Furthermore, in the description and claims, "and/or" means at least one of the connected objects, and the character "/", generally means that the associated object is an "or" relationship.
The method, the device, the equipment and the medium for identifying the operation abnormality of the front end page provided by the embodiment of the application are described in detail through specific embodiments and application scenes thereof with reference to the accompanying drawings.
Embodiment 1
Fig. 1 is a flowchart of a method for identifying an operation anomaly of a front-end page according to an embodiment of the present application. As shown in Fig. 1, the method specifically comprises the following steps:
S101, acquiring operation behavior data of a user on a front-end page;
First, the method is applicable to scenarios in which a front-end page has an operation abnormality. In this usage scenario, the execution subject of the present application may be a server. Specifically, acquiring the operation behavior data, determining whether a threat exists and its type, and executing the protection processing can all be performed by the server; once the front-end page is determined to have an operation abnormality, protection processing is applied to resolve the abnormality in time and keep the front-end page operating normally.
A front-end page is the part of the user interface that is presented to the user in Web development. It is built from HTML (HyperText Markup Language), CSS (Cascading Style Sheets), JavaScript and other front-end technologies, and typically consists of multiple HTML files, each representing a separate page or a portion of a page. HTML defines the structure and content of a page, describing its elements, such as titles, paragraphs, images and links, in a markup language. CSS controls the style and layout of the page, including colors, fonts, spacing and borders, so that the page can show rich visual effects and respond well on different devices. JavaScript is a scripting language for page interaction and dynamic effects; it runs in the browser and implements the page's interactive functions, such as form validation, animation effects and asynchronous loading of data, by manipulating HTML elements and responding to user events. By combining HTML, CSS and JavaScript, a developer can create a front-end page with a good user experience through which the user interacts with a website or Web application.
A server refers to a computer or system that provides services in a network, through which it communicates with clients and provides various services, such as storing and transmitting data, processing requests, running applications, etc. In Web development, servers play an important role, and when a user accesses a Web site in a browser, the browser sends a request to the server, which receives and processes the request, and then returns corresponding data or pages to the browser for display.
Operation behavior data are the operation records and behavior data generated when a user interacts with a front-end page. They can include click events, hover time, scrolling behavior, form submissions, keyboard events, page navigation, pop-up windows, modal dialogs and the like. The data can be acquired by using event listeners to monitor the events occurring on the current page; an event listener is a mechanism for capturing and handling specific events.
S102, inputting the operation behavior data into a pre-trained deep learning model, and determining, according to the output result of the deep learning model, whether the operation behavior data poses a threat and the type of that threat; the deep learning model is obtained through supervised training on a preset number of sample data;
A deep learning model is a machine learning model based on neural networks. It consists of multiple neural network layers and has a deep structure; examples include feedforward neural networks, recurrent neural networks, long short-term memory networks, Transformers and generative adversarial networks. Pre-training is the process of initially training a deep learning model on a large-scale data set before it is used for a specific task. Pre-training generally uses supervised training, in which the training data consist of input samples and the corresponding labels or target outputs, and the goal is for the model to learn the mapping between input samples and labels so that it can predict the label of a new input sample. The sample data may be operation behavior data obtained before the current point in time together with staff members' determinations of whether each item poses a threat and of what type; the operation behavior data is the model's input, and the staff determination is the label. The preset number may be set according to the computing power and storage capacity of the computer, the accuracy required of the deep learning model's output, and the like.
The threat posed by operation behavior data is the potential risk the data represents to the security and privacy of the front-end web page. The threat types can include data leakage, cross-site scripting attack, cross-site request forgery, unsafe data transmission, improper data use and the like. Data leakage means the operation behavior data shows unauthorized access or malicious attack that causes data to leak; the leaked data can be used for illegal purposes such as identity theft and phishing. A cross-site scripting attack means a malicious script is injected into the front-end page, so that the operation behavior data shows actions such as tampering with the page or hijacking the user's session. Cross-site request forgery means a request is forged using the user's identity and session information, so that the operation behavior data shows operations the user did not authorize. Unsafe data transmission means the operation behavior data shows network eavesdropping, man-in-the-middle attack or similar behavior. Improper data use means the operation behavior data shows misuse or illegal use of data, for example tracking a user, building a user profile, or serving targeted advertisements or personal customizations, in violation of the user's privacy and personal interests.
The output result of the deep learning model is the determination of whether the operation behavior data poses a threat and of the type of that threat. The operation behavior data is input into the deep learning model; the computer performs the calculation and returns that determination.
S103, when the output result is that a threat exists, determining the type of the threat, and carrying out protection processing according to the protective measures pre-associated with that type.
The output result also includes a probability value for each threat type. A probability value expresses how likely an event is; here it expresses how likely it is that the operation behavior data poses a threat of that type.
The threat types are sorted by probability value from largest to smallest. If the probability value of the first-ranked type exceeds 60%, the operation behavior data is determined to pose a threat, and that type is taken as the threat type determined by this identification of front-end page operation abnormality. If the probability value of the first-ranked type does not exceed 60%, the operation behavior data is determined to pose no threat.
Protective measures are the measures and policies taken to protect front-end pages and data from security threats and attacks. The protective measures for the threat types listed above include:
protective measures against data leakage: classifying and labeling data, and applying different security measures and access rights according to sensitivity; encrypting sensitive data, so that even if the data leaks it is difficult to decrypt and use; enforcing a strict access control mechanism that grants access to sensitive data only to legitimate users;
protective measures against cross-site scripting attacks: validating and filtering user input effectively so that it contains no malicious script; encoding data appropriately when it is output to the front-end web page, to prevent malicious scripts from executing; restricting script execution and resource loading in the web page;
protective measures against cross-site request forgery: generating a random token for each user and including it in requests to verify that a request is legitimate; verifying the source of the request on the server side to ensure that it comes from a legitimate web page;
protective measures against unsafe data transmission: encrypting data in transit with the SSL (Secure Sockets Layer)/TLS (Transport Layer Security) protocols to ensure the confidentiality and integrity of the data; avoiding the unencrypted HTTP protocol for data transmission;
protective measures against improper data use: formulating an explicit data use policy that specifies the legitimate uses of the data and the restrictions on it; limiting access to data according to users' roles and responsibilities, and monitoring how the data is used; backing up data periodically and ensuring that the backups are secure and reliable, to prevent data loss or damage.
A threat type is associated with its protective measure by defining, in the code, a protective-measure function for each type; the function contains the implementation code of the measure. Once the type is determined, the protective-measure function associated with it is executed, so that protection processing is carried out according to that measure.
In this technical solution, optionally, when the output result is that a threat exists, the method further includes:
determining whether the type of the threat is a target type;
if the type of the threat is a target type, carrying out threat detection according to the detection measures pre-associated with the target type, and determining the level information of the threat from the threat detection result.
A target type is a threat type for which threat detection can be performed. The type of the threat is compared with each target type in turn; if a target type matches it, the type of the threat is determined to be a target type.
Detection measures are the measures and strategies used to carry out threat detection. Threat detection determines the level information of an existing threat; common threat detection methods include log analysis, signature detection, vulnerability scanning, malware detection and network traffic analysis. The level information is defined by grading threats according to how dangerous they are.
A target type is associated with its detection measure by defining, in the code, a detection-measure function for each target type; the function contains the implementation code of the measure. Once the target type is determined, the detection-measure function associated with it is executed to carry out threat detection according to that measure, and when execution completes it returns the level information of the threat.
The advantage of this is that, by carrying out threat detection according to the detection measures pre-associated with the target type and determining the threat's level information, staff can see at a glance how serious the threat is.
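The decision rule of S103 and the two function registries described above can be sketched as follows. This is an added example, not code from the patent: the threat-type keys, the action names returned by the protective-measure functions, the three level names, the `escalate_to_analyst` fallback and the sample model output are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

THREAT_THRESHOLD = 0.60  # from the text: the top-ranked probability must exceed 60%

# Registries associating a threat type with its measure function (hypothetical keys).
PROTECTIONS: Dict[str, Callable[[dict], List[str]]] = {}
DETECTORS: Dict[str, Callable[[dict], str]] = {}  # only "target types" are registered

def protects(threat_type: str):
    def register(fn):
        PROTECTIONS[threat_type] = fn
        return fn
    return register

def detects(threat_type: str):
    def register(fn):
        DETECTORS[threat_type] = fn
        return fn
    return register

# Each protective-measure function returns the actions the enforcement layer
# should apply; the action names are placeholders for real implementations.
@protects("data_leakage")
def protect_data_leakage(ctx: dict) -> List[str]:
    return ["classify_and_label_data", "encrypt_sensitive_data", "enforce_access_control"]

@protects("xss")
def protect_xss(ctx: dict) -> List[str]:
    return ["validate_and_filter_input", "encode_output", "restrict_script_execution"]

@protects("csrf")
def protect_csrf(ctx: dict) -> List[str]:
    return ["require_per_user_token", "verify_request_source"]

@protects("unsafe_transmission")
def protect_transmission(ctx: dict) -> List[str]:
    return ["enforce_tls", "reject_plain_http"]

@protects("improper_data_use")
def protect_data_use(ctx: dict) -> List[str]:
    return ["apply_data_use_policy", "restrict_by_role", "monitor_data_use"]

# Signature detection for the one target type in this sketch: count submitted
# form fields that look like markup or script (a simple, assumed signature).
SCRIPT_SIGNATURE = re.compile(r"<\s*script\b|\bon\w+\s*=|javascript:", re.IGNORECASE)

@detects("xss")
def detect_xss(ctx: dict) -> str:
    fields = ctx.get("form_fields", {})
    hits = sum(1 for value in fields.values() if SCRIPT_SIGNATURE.search(str(value)))
    if hits == 0:
        return "low"
    return "high" if hits > 1 else "medium"

@dataclass
class Decision:
    threat: bool
    threat_type: Optional[str] = None
    probability: float = 0.0
    actions: List[str] = field(default_factory=list)
    level: Optional[str] = None  # set only when the type is a target type

def decide(probabilities: Dict[str, float], ctx: dict) -> Decision:
    """Rank the model's per-type probabilities, apply the 60% rule, dispatch."""
    if not probabilities:
        raise ValueError("model returned no threat types")
    for name, p in probabilities.items():
        if not (0.0 <= p <= 1.0):  # also rejects NaN
            raise ValueError(f"invalid probability for {name!r}: {p!r}")
    ranked = sorted(probabilities.items(), key=lambda kv: kv[1], reverse=True)
    top_type, top_p = ranked[0]
    if top_p <= THREAT_THRESHOLD:  # exactly 60% does not "exceed" the threshold
        return Decision(threat=False, probability=top_p)
    handler = PROTECTIONS.get(top_type)
    # Assumption: a type with no registered measure is escalated, not ignored.
    actions = handler(ctx) if handler else ["escalate_to_analyst"]
    detector = DETECTORS.get(top_type)  # target-type check
    level = detector(ctx) if detector else None
    return Decision(True, top_type, top_p, actions, level)

# Constructed sample input: one model output and the request context it refers to.
SAMPLE_PROBS = {"xss": 0.82, "csrf": 0.10, "data_leakage": 0.05,
                "unsafe_transmission": 0.02, "improper_data_use": 0.01}
SAMPLE_CTX = {"form_fields": {"name": "bob",
                              "comment": "<script src=//example.invalid/x.js></script>"}}

if __name__ == "__main__":
    print(decide(SAMPLE_PROBS, SAMPLE_CTX))
```

Because the rule is "exceeds 60%", a top-ranked probability of exactly 0.60 yields no threat, and a threat type that is not a target type gets its protective actions but no level.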
In this embodiment of the application, operation behavior data of a user on a front-end page is acquired; the operation behavior data is input into a pre-trained deep learning model, and whether the operation behavior data poses a threat, and the type of that threat, are determined according to the output result of the deep learning model; the deep learning model is obtained through supervised training on a preset number of sample data; and, when the output result is that a threat exists, the type of the threat is determined and protection processing is carried out according to the protective measures pre-associated with that type. With this technical scheme, whether the user's operation behavior data poses a threat, and of what type, can be determined by inputting the data into the deep learning model, so that abnormalities of the front-end web page can be found and resolved quickly and accurately, and the security of the front-end web page is improved.
Embodiment 2
Fig. 2 is a flowchart of a method for identifying an operation anomaly of a front-end page according to a second embodiment of the present application. This scheme refines the preceding embodiment as follows: inputting the operation behavior data into a pre-trained deep learning model, and determining, according to the output result of the deep learning model, whether the operation behavior data poses a threat and the type of that threat, comprises: extracting operation frequency data from the operation behavior data through the deep learning model; performing feature engineering processing and standardization processing on the operation frequency data to obtain an operation frequency feature; and obtaining the output result of the deep learning model according to the operation frequency feature, and determining the probability values of the different threat types for the operation behavior data.
As shown in fig. 2, the method specifically comprises the following steps:
S201, acquiring operation behavior data of a user on a front-end page;
S202, extracting operation frequency data from the operation behavior data through the deep learning model;
The operation frequency data may be the number of operations the user performs per unit time.
The total number of all of the user's operation behaviors within a preset time is counted and divided by the preset time; the result is the operation frequency data.
The preset time may be set according to the storage capacity of the computer.
S203, performing characteristic engineering processing and standardization processing on the operation frequency data to obtain operation frequency characteristics;
feature engineering refers to the process of creating new features to improve model performance by converting, extracting and selecting raw data in machine learning and data analysis tasks. The objective of the feature engineering process is to extract features from the raw data that are meaningful to the prediction task so that the machine learning model can better understand the data and make accurate predictions. The following are some common feature engineering approaches: extracting useful information from the original data to create new features; performing numerical conversion or transformation on the original features to make the original features more suitable for the requirements of a machine learning model, such as logarithmic transformation, normalization, dispersion, logarithmic cutting and the like; creating new features by combining multiple features, e.g., adding, multiplying, or averaging two numerical features, unithermally encoding or hash encoding category features, etc.; selecting the most predictive feature from the existing features, and performing feature selection by using statistical methods such as variance threshold, correlation analysis, mutual information and the like, or using model-based methods such as recursive feature elimination, L1 regularization and the like; the computational complexity is reduced and dimension disasters are avoided by reducing the dimension of the features, and common dimension reduction methods comprise principal component analysis, linear discriminant analysis, factor analysis and the like; by model training or feature importance assessment methods, it is determined which features are more important to the prediction task in order to further optimize the feature selection and modeling process.
The normalization process is a data conversion method commonly used in feature engineering, and is used for scaling feature values of different scales or different ranges into a unified standard range so as to better adapt to the requirements of a machine learning model. The goal of the normalization process is to eliminate dimensional differences between features so that different features are comparable and treat the individual features more equally. Z-Score normalization and Min-Max normalization are two common normalization methods. Z-Score normalization converts feature values into standard normal distribution with zero mean and unit variance based on the mean and standard deviation of the features; min-Max normalization scales the eigenvalues by linear transformation to within a given minimum and maximum range.
The operation frequency features are the operation frequency data after feature engineering processing and standardization processing.
S204, obtaining an output result of the deep learning model according to the operation frequency features, and determining the probability values that the operation behavior data poses threats of different types;
The operation frequency features are input into the deep learning model, and the computer calculates and returns the probability values that the operation behavior data poses threats of different types.
S205, determining the type of the threat in the case that the output result is that a threat exists, and carrying out protection processing according to the protection measures pre-associated with the type of the threat.
The advantage of this approach is that extracting the operation frequency features simplifies the computation of the deep learning model and improves computational efficiency. It also helps the deep learning model focus on the user's operation frequency, reduces the model's dependence on specific operation behavior data, lowers the risk of overfitting, improves the model's generalization capability, and improves the accuracy of the calculation results.
In this technical solution, optionally, inputting the operation behavior data into a pre-trained deep learning model, and determining, according to an output result of the deep learning model, whether the operation behavior data has a threat, and a type to which the operation behavior data has a threat, includes:
extracting input content data in the operation behavior data through the deep learning model;
performing feature engineering processing and standardization processing on the input content data to obtain input content features;
and obtaining an output result of the deep learning model according to the input content characteristics, and determining probability values of threats of different types of the operation behavior data.
The input content data is input data related to operation behavior data, and records content input by a user on a front-end webpage, including text input, file uploading, command instruction input, mouse click coordinates, menu selection content and the like. By writing a query language or an analysis code according to the storage mode and structure of the operation behavior data, the input content data in the operation behavior data can be extracted.
The input content features are input content data subjected to feature engineering processing and standardization processing.
The input content features are input into the deep learning model, and the computer calculates and returns the probability values that the operation behavior data poses threats of different types.
The advantage of this approach is that extracting the input content features simplifies the computation of the deep learning model and improves computational efficiency. It also helps the deep learning model focus on the features of the user's input content, reduces the model's dependence on specific operation behavior data, lowers the risk of overfitting, improves the model's generalization capability, and improves the accuracy of the calculation results.
Example III
Fig. 3 is a flowchart of a method for identifying a front-end page operation abnormality according to a third embodiment of the present application. This scheme further refines the first embodiment; the specific refinement is as follows: before inputting the operation behavior data into the pre-trained deep learning model, the method further comprises: acquiring access data information of a database in the process of the user operating the front-end page; correspondingly, inputting the operation behavior data into the pre-trained deep learning model and determining, according to the output result of the deep learning model, whether the operation behavior data poses a threat and the type of that threat comprises: inputting the operation behavior data and the access data information into the pre-trained deep learning model, extracting operation behavior features of the operation behavior data through the deep learning model, and extracting access frequency features of the access data information through the deep learning model; and obtaining an output result of the deep learning model according to the operation behavior features and the access frequency features, and determining the probability values that the operation behavior data poses threats of different types.
As shown in fig. 3, the method specifically comprises the following steps:
S301, acquiring operation behavior data of a user on a front-end page;
S302, acquiring access data information of a database in the process of the user operating the front-end page;
A database is a software application for storing, organizing, and managing data that can run and provide database services in a server environment. The database may support data storage and access requirements for multiple users or clients, allowing users to access and manipulate data in the database over a network at a front-end web page.
The access data information refers to record data of access activities to the database, and may include access type information and access object information. The logging function on the database can capture various activities and events of the database and store the activities and events as a log file, and access data information can be obtained by reading the log file of the database.
S303, inputting the operation behavior data and the access data information into a pre-trained deep learning model, extracting operation behavior features of the operation behavior data through the deep learning model, and extracting access frequency features of the access data information through the deep learning model;
The operation behavior features include the operation frequency features and the input content features. They are obtained by extracting the operation frequency data and the input content data from the operation behavior data and performing feature engineering processing and standardization processing on both.
The access frequency features are obtained by extracting the access frequency data from the access data information and performing feature engineering processing and standardization processing on it. The access frequency data may refer to the number of times the user accesses data in the database per unit time: the total number of times the user accesses data in the database within the preset time is counted and divided by the preset time, and the result is the access frequency data.
S304, obtaining an output result of the deep learning model according to the operation behavior features and the access frequency features, and determining the probability values that the operation behavior data poses threats of different types;
The operation behavior features and the access frequency features are input into the deep learning model, and the computer calculates and returns the probability values that the operation behavior data poses threats of different types.
S305, determining the type of the threat under the condition that the output result is that the threat exists, and carrying out protection processing according to the protection measures pre-associated with the type of the threat.
The advantage of this approach is that extracting the access frequency features of the database makes the deep learning model more specific to threat types related to database data and improves the accuracy of the output result.
In this technical solution, optionally, before inputting the operational behavior data into a pre-trained deep learning model, the method further includes:
obtaining access type information of a database in the process of operating the front-end page by a user;
correspondingly, the operation behavior data is input into a pre-trained deep learning model, and whether the operation behavior data has threat or not and the type of the threat of the operation behavior data are determined according to the output result of the deep learning model, and the method comprises the following steps:
inputting the operation behavior data and the access type information into a pre-trained deep learning model, extracting operation behavior characteristics of the operation behavior data through the deep learning model, and extracting access type characteristics of the access type information through the deep learning model;
and obtaining an output result of the deep learning model according to the operation behavior characteristics and the access type characteristics, and determining probability values of threats of different types of the operation behavior data.
Access type information refers to different ways or modes for manipulating and processing data in a database and may include reading, writing, updating, inserting, deleting, querying, and the like. The access type information can be obtained by writing a query language or an analysis code according to the storage mode and the structure of the access data information, and extracting the access type information in the access data information.
The access type features are obtained by performing feature engineering processing and standardization processing on the access type information.
The operation behavior features and the access type features are input into the deep learning model, and the computer calculates and returns the probability values that the operation behavior data poses threats of different types.
The advantage of this approach is that extracting the access type features of the database makes the deep learning model more specific to threat types related to database access types and improves the accuracy of the output result.
In this technical solution, optionally, before inputting the operational behavior data into a pre-trained deep learning model, the method further includes:
acquiring access object information of a database in the process of operating the front-end page by a user;
correspondingly, the operation behavior data is input into a pre-trained deep learning model, and whether the operation behavior data has threat or not and the type of the threat of the operation behavior data are determined according to the output result of the deep learning model, and the method comprises the following steps:
inputting the operation behavior data and the access object information into a pre-trained deep learning model, extracting operation behavior characteristics of the operation behavior data through the deep learning model, and extracting access object characteristics of the access object information through the deep learning model;
and obtaining an output result of the deep learning model according to the operation behavior characteristics and the access object characteristics, and determining probability values of threats of different types of the operation behavior data.
The access object information refers to names of data objects in the accessed database, including element names, table names, view names, index names, and the like. The access object information can be obtained by writing a query language or an analysis code according to the storage mode and the structure of the access data information, and extracting the access object information in the access data information.
The access object features are obtained by performing feature engineering processing and standardization processing on the access object information.
The operation behavior features and the access object features are input into the deep learning model, and the computer calculates and returns the probability values that the operation behavior data poses threats of different types.
The advantage of this approach is that extracting the access object features of the database makes the deep learning model more specific to threat types related to database access objects and improves the accuracy of the output result.
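The following added example (not code from the patent or its applicant) walks steps S302 to S305 end to end: it derives access frequency, access type and access object features from a database log, applies the Z-Score standardization described earlier, and looks up the protective measure for the most probable threat type. The log line format, the threat type names, the protective measures and the hand-weighted `placeholder_model` that stands in for the trained deep learning model are all assumptions made for illustration.

```python
import math
from statistics import mean, pstdev

PRESET_SECONDS = 60  # the "preset time" window; value chosen for this example
OBJECT_KEYWORD = {"SELECT": "FROM", "DELETE": "FROM", "INSERT": "INTO", "UPDATE": "UPDATE"}
FEATURES = ("access_freq", "select_share", "write_share", "distinct_objects")

def parse_line(line):
    """Parse '<epoch> <user> <SQL>' into (timestamp, access_type, access_object), else None."""
    try:
        ts, _user, stmt = line.strip().split(" ", 2)
        tokens = stmt.replace(";", " ").split()
        verb = tokens[0].upper()
        upper = [t.upper() for t in tokens]
        # The access object is the name that follows FROM / INTO / UPDATE.
        obj = tokens[upper.index(OBJECT_KEYWORD[verb]) + 1].lower()
        return int(ts), verb, obj
    except (ValueError, KeyError, IndexError):
        return None  # unparsed statements are skipped here; count them separately in real use

def window_features(lines, preset_seconds=PRESET_SECONDS):
    """Access frequency = accesses in the preset time / preset time, plus type and object features."""
    records = [r for r in map(parse_line, lines) if r is not None]
    n = len(records)
    types = [r[1] for r in records]
    writes = sum(types.count(t) for t in ("INSERT", "UPDATE", "DELETE"))
    return {
        "access_freq": n / preset_seconds,
        "select_share": types.count("SELECT") / n if n else 0.0,
        "write_share": writes / n if n else 0.0,
        "distinct_objects": float(len({r[2] for r in records})),
    }

def fit_zscore(baseline_rows):
    """Fit (mean, std) per feature on baseline windows only; reuse the same values at inference."""
    return {f: (mean([r[f] for r in baseline_rows]), pstdev([r[f] for r in baseline_rows]))
            for f in FEATURES}

def zscore(row, params):
    """Z-Score standardization; a feature with zero baseline variance maps to 0.0."""
    return [(row[f] - params[f][0]) / params[f][1] if params[f][1] > 0 else 0.0
            for f in FEATURES]

# Hypothetical threat types with hand-set (weights, bias): a placeholder for the trained model.
WEIGHTS = {
    "no_threat": ([0.0, 0.0, 0.0, 0.0], 2.0),
    "bulk_data_read": ([1.0, 0.5, 0.0, 0.5], 0.0),
    "data_tampering": ([0.5, 0.0, 1.5, 0.0], 0.0),
}
# Hypothetical protective measures pre-associated with each threat type.
PROTECTIVE_MEASURES = {
    "bulk_data_read": "rate-limit the session and require re-authentication",
    "data_tampering": "block write statements and alert the administrator",
}

def placeholder_model(x):
    """Softmax over linear scores, returning one probability value per threat type."""
    scores = {t: bias + sum(w * v for w, v in zip(ws, x)) for t, (ws, bias) in WEIGHTS.items()}
    peak = max(scores.values())  # subtract the max so exp() cannot overflow
    exps = {t: math.exp(s - peak) for t, s in scores.items()}
    total = sum(exps.values())
    return {t: e / total for t, e in exps.items()}

def protect(probabilities):
    """S305: take the most probable type; if it is a threat, look up its pre-associated measure."""
    threat_type = max(probabilities, key=probabilities.get)
    if threat_type == "no_threat":
        return None, None
    return threat_type, PROTECTIVE_MEASURES[threat_type]

def make_window(n_select, n_update, tables, start=1700000000):
    """Build constructed log lines for one window (sample data, not a real database log)."""
    lines = [f"{start + i} alice SELECT * FROM {tables[i % len(tables)]} WHERE id={i}"
             for i in range(n_select)]
    lines += [f"{start + i} alice UPDATE {tables[i % len(tables)]} SET seen=1 WHERE id={i}"
              for i in range(n_update)]
    return lines

BASELINE = [window_features(make_window(4, 2, ["orders"])),
            window_features(make_window(6, 2, ["orders", "items"])),
            window_features(make_window(8, 2, ["orders", "items"]))]
PARAMS = fit_zscore(BASELINE)

def assess(lines):
    """Full path: log lines -> features -> standardized vector -> probabilities -> measure."""
    return protect(placeholder_model(zscore(window_features(lines), PARAMS)))

if __name__ == "__main__":
    bulk = make_window(120, 0, ["users", "orders", "items", "cards", "logs", "keys"])
    print(assess(make_window(6, 2, ["orders", "items"])))  # ordinary window
    print(assess(bulk))                                     # sustained bulk read
```

The standardization parameters are fitted once on baseline windows and reused for every later window; refitting them on the window under test would cancel out exactly the deviation the model is meant to see.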
Example IV
Fig. 4 is a schematic structural diagram of a device for identifying abnormal operation of a front end page according to a fourth embodiment of the present application. As shown in fig. 4, the apparatus includes:
an operation behavior acquisition module 410, configured to acquire operation behavior data of a user on a front-end page;
a threat determination module 420, configured to input the operation behavior data into a pre-trained deep learning model, and to determine, according to an output result of the deep learning model, whether the operation behavior data poses a threat and the type of that threat; the deep learning model is obtained through supervised training on a preset number of sample data;
and a protection processing module 430, configured to determine the type of the threat if the output result is that a threat exists, and to perform protection processing according to a protection measure pre-associated with the type of the threat.
In the embodiment of the application, an operation behavior acquisition module is used for acquiring operation behavior data of a user on a front-end page; the threat determination module is used for inputting the operation behavior data into a pre-trained deep learning model, and determining whether the operation behavior data has a threat or not and the type of the threat of the operation behavior data according to the output result of the deep learning model; the deep learning model is obtained through supervised training of a preset number of sample data; and the protection processing module is used for determining the type of the threat under the condition that the output result is the threat, and carrying out protection processing according to the protection measures pre-associated with the type of the threat. According to the recognition device for the front-end webpage operation abnormality, whether the operation behavior data of the user has threat or not and the type of the threat can be determined by inputting the operation behavior data of the user into the deep learning model, so that the abnormality of the front-end webpage can be quickly and accurately found and solved, and the safety of the front-end webpage is improved.
The device for identifying front-end page operation abnormality in the embodiment of the application may be a standalone apparatus, or may be a component, an integrated circuit or a chip in a terminal. The device may be a mobile electronic device or a non-mobile electronic device. By way of example, the mobile electronic device may be a cell phone, tablet computer, notebook computer, palm computer, vehicle-mounted electronic device, wearable device, ultra-mobile personal computer (UMPC), netbook or personal digital assistant (PDA), etc., and the non-mobile electronic device may be a server, network attached storage (NAS), personal computer (PC), television (TV), teller machine or self-service machine, etc.; the embodiments of the present application are not specifically limited in this respect.
The device for identifying front-end page operation abnormality in the embodiment of the present application may be a device with an operating system. The operating system may be an Android operating system, an iOS operating system, or another possible operating system, which is not specifically limited in the embodiments of the present application.
The device for identifying the abnormal operation of the front end page provided in the embodiment of the present application can implement the processes implemented in the first to third embodiments, and in order to avoid repetition, the description is omitted here.
Example V
As shown in fig. 5, the embodiment of the present application further provides an electronic device 500, which includes a processor 501, a memory 502, and a program or an instruction stored in the memory 502 and capable of running on the processor 501, where the program or the instruction implements each process of the foregoing embodiment of the identifying device for front-end page operation abnormality when executed by the processor 501, and the process can achieve the same technical effect, and for avoiding repetition, a description is omitted herein.
The electronic device in the embodiment of the application includes the mobile electronic device and the non-mobile electronic device described above.
Example VI
The embodiment of the present application further provides a readable storage medium, where a program or an instruction is stored on the readable storage medium, and when the program or the instruction is executed by a processor, the processes of the foregoing embodiment of the identifying device for front-end page operation abnormality are implemented, and the same technical effects can be achieved, so that repetition is avoided, and no further description is given here.
The processor is the processor in the electronic device described in the above embodiment. The readable storage medium includes a computer-readable storage medium such as a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk.
Example VII
The embodiment of the application further provides a chip, the chip includes a processor and a communication interface, the communication interface is coupled with the processor, the processor is used for running a program or an instruction, implementing each process of the above-mentioned identification device embodiment with abnormal front-end page operation, and achieving the same technical effect, so as to avoid repetition, and no further description is provided here.
It should be understood that the chips referred to in the embodiments of the present application may also be referred to as system-on-chip chips, chip systems, etc.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element. Furthermore, it should be noted that the scope of the methods and apparatus in the embodiments of the present application is not limited to performing the functions in the order shown or discussed, but may also include performing the functions in a substantially simultaneous manner or in an opposite order depending on the functions involved, e.g., the described methods may be performed in an order different from that described, and various steps may also be added, omitted, or combined. Additionally, features described with reference to certain examples may be combined in other examples.
From the above description of the embodiments, it will be clear to those skilled in the art that the above-described embodiment method may be implemented by means of software plus a necessary general hardware platform, but of course may also be implemented by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solutions of the present application may be embodied essentially or in a part contributing to the prior art in the form of a computer software product stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk), comprising several instructions for causing a terminal (which may be a mobile phone, a computer, a server, or a network device, etc.) to perform the methods described in the embodiments of the present application.
The embodiments of the present application have been described above with reference to the accompanying drawings, but the present application is not limited to the above-described embodiments, which are merely illustrative and not restrictive, and many forms may be made by those of ordinary skill in the art without departing from the spirit of the present application and the scope of the claims, which are also within the protection of the present application.
The foregoing description is only of the preferred embodiments of the present application and the technical principles employed. The present application is not limited to the specific embodiments described herein, but is capable of numerous obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the present application. Therefore, while the present application has been described in connection with the above embodiments, the present application is not limited to the above embodiments, but may include many other equivalent embodiments without departing from the spirit of the present application, and the scope of the present application is determined by the scope of the claims.

Claims (10)

1. A method for identifying a front-end page operational anomaly, the method comprising:
acquiring operation behavior data of a user on a front-end page;
inputting the operation behavior data into a pre-trained deep learning model, and determining whether the operation behavior data has threat or not and the type of the threat of the operation behavior data according to the output result of the deep learning model; the deep learning model is obtained through supervised training of a preset number of sample data;
and under the condition that the output result is that the threat exists, determining the type of the threat, and carrying out protection treatment according to the protection measures pre-associated with the type of the threat.
2. The method for identifying abnormal operation of a front-end page according to claim 1, wherein the step of inputting the operation behavior data into a pre-trained deep learning model, and determining whether the operation behavior data has a threat or not and the type of the threat to which the operation behavior data has the threat according to the output result of the deep learning model comprises the steps of:
extracting operation frequency data in the operation behavior data through the deep learning model;
performing feature engineering processing and standardization processing on the operation frequency data to obtain operation frequency features;
and obtaining an output result of the deep learning model according to the operation frequency features, and determining probability values of threats of different types of the operation behavior data.
3. The method for identifying abnormal operation of a front-end page according to claim 1, wherein the step of inputting the operation behavior data into a pre-trained deep learning model, and determining whether the operation behavior data has a threat or not and the type of the threat to which the operation behavior data has the threat according to the output result of the deep learning model comprises the steps of:
extracting input content data in the operation behavior data through the deep learning model;
performing feature engineering processing and standardization processing on the input content data to obtain input content features;
and obtaining an output result of the deep learning model according to the input content characteristics, and determining probability values of threats of different types of the operation behavior data.
4. The method of claim 1, wherein prior to inputting the operational behavior data into a pre-trained deep learning model, the method further comprises:
acquiring access data information of a database in the process of operating the front-end page by a user;
correspondingly, the operation behavior data is input into a pre-trained deep learning model, and whether the operation behavior data has threat or not and the type of the threat of the operation behavior data are determined according to the output result of the deep learning model, and the method comprises the following steps:
inputting the operation behavior data and the access data information into a pre-trained deep learning model, extracting operation behavior characteristics of the operation behavior data through the deep learning model, and extracting access frequency characteristics of the access data information through the deep learning model;
and obtaining an output result of the deep learning model according to the operation behavior characteristics and the access frequency characteristics, and determining probability values of threats of different types of the operation behavior data.
5. The method of claim 1, wherein prior to inputting the operational behavior data into a pre-trained deep learning model, the method further comprises:
obtaining access type information of a database in the process of operating the front-end page by a user;
correspondingly, the operation behavior data is input into a pre-trained deep learning model, and whether the operation behavior data has threat or not and the type of the threat of the operation behavior data are determined according to the output result of the deep learning model, and the method comprises the following steps:
inputting the operation behavior data and the access type information into a pre-trained deep learning model, extracting operation behavior characteristics of the operation behavior data through the deep learning model, and extracting access type characteristics of the access type information through the deep learning model;
and obtaining an output result of the deep learning model according to the operation behavior characteristics and the access type characteristics, and determining probability values of threats of different types of the operation behavior data.
6. The method of claim 1, wherein prior to inputting the operational behavior data into a pre-trained deep learning model, the method further comprises:
acquiring access object information of a database in the process of operating the front-end page by a user;
correspondingly, the operation behavior data is input into a pre-trained deep learning model, and whether the operation behavior data has threat or not and the type of the threat of the operation behavior data are determined according to the output result of the deep learning model, and the method comprises the following steps:
inputting the operation behavior data and the access object information into a pre-trained deep learning model, extracting operation behavior characteristics of the operation behavior data through the deep learning model, and extracting access object characteristics of the access object information through the deep learning model;
and obtaining an output result of the deep learning model according to the operation behavior characteristics and the access object characteristics, and determining probability values of threats of different types of the operation behavior data.
7. The method for identifying abnormal operation of a front end page according to claim 1, wherein in the case that the output result is that there is a threat, the method further comprises:
determining whether the type of the threat is a target type;
if the threat is of the target type, performing threat detection according to detection measures pre-associated with the target type, and determining threat level information according to the threat detection result.
8. An apparatus for identifying a front-end page operational anomaly, the apparatus comprising:
the operation behavior acquisition module is used for acquiring operation behavior data of a user on a front-end page;
the threat determination module is used for inputting the operation behavior data into a pre-trained deep learning model, and determining whether the operation behavior data has a threat or not and the type of the threat of the operation behavior data according to the output result of the deep learning model; the deep learning model is obtained through supervised training of a preset number of sample data;
and the protection processing module is used for determining the type of the threat under the condition that the output result is the threat, and carrying out protection processing according to the protection measures pre-associated with the type of the threat.
9. An electronic device comprising a processor, a memory and a program or instruction stored on the memory and executable on the processor, the program or instruction when executed by the processor implementing the steps of the method of identifying a front end page operational anomaly as claimed in any one of claims 1 to 7.
10. A readable storage medium, wherein a program or instructions is stored on the readable storage medium, which when executed by a processor, implements the steps of the method for identifying a front end page operational anomaly as claimed in any one of claims 1 to 7.
CN202311643863.6A 2023-12-01 2023-12-01 Front-end page operation abnormality identification method, device, equipment and medium Pending CN117668400A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311643863.6A CN117668400A (en) 2023-12-01 2023-12-01 Front-end page operation abnormality identification method, device, equipment and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311643863.6A CN117668400A (en) 2023-12-01 2023-12-01 Front-end page operation abnormality identification method, device, equipment and medium

Publications (1)

Publication Number Publication Date
CN117668400A true CN117668400A (en) 2024-03-08

Family

ID=90085852

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311643863.6A Pending CN117668400A (en) 2023-12-01 2023-12-01 Front-end page operation abnormality identification method, device, equipment and medium

Country Status (1)

Country Link
CN (1) CN117668400A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118523962A (en) * 2024-07-23 2024-08-20 国网浙江省电力有限公司桐庐县供电公司 A method, device, equipment and medium for protecting security of Internet of Things devices
CN119341824A (en) * 2024-10-25 2025-01-21 中国移动通信集团浙江有限公司 Telecommunications user abnormal risk assessment method, device, equipment, medium and product

Similar Documents

Publication Publication Date Title
US10904286B1 (en) Detection of phishing attacks using similarity analysis
Damshenas et al. M0droid: An android behavioral-based malware detection model
EP2126772B1 (en) Assessment and analysis of software security flaws
US20190073483A1 (en) Identifying sensitive data writes to data stores
US12505208B2 (en) Integrated cybersecurity threat management
EP3002706B1 (en) Site security monitor
WO2015179286A1 (en) Polymorphic treatment of data entered at clients
US12267350B2 (en) Systems, devices, and methods for observing and/or performing data access compliance to a computer network
Onyshchenko et al. DETERMINING THE PATTERNS OF USING INFORMATION PROTECTION SYSTEMS AT FINANCIAL INSTITUTIONS IN ORDER TO IMPROVE THE LEVEL OF FINANCIAL SECURITY.
CN117668400A (en) Front-end page operation abnormality identification method, device, equipment and medium
EP4360249A1 (en) Security risk remediation tool
Laksmiati Vulnerability assessment with network-based scanner method for improving website security
Mihailescu et al. Unveiling threats: Leveraging user behavior analysis for enhanced cybersecurity
Teppap et al. Automating hidden gambling detection in web sites: A beautifulsoup implementation
Kulkarni et al. From ML to LLM: Evaluating the Robustness of Phishing Web Page Detection Models against Adversarial Attacks
WO2024188477A1 (en) A machine-learning-based cyber-attack susceptibility detection and/or monitoring system providing quantitative measures for a system's cyber-attack susceptibility and method thereof
Marukhlenko et al. Complex evaluation of information security of an object with the application of a mathematical model for calculation of risk indicators
GB2535579A (en) Preventing unauthorized access to an application server
JP7320462B2 (en) Systems and methods for performing tasks on computing devices based on access rights
Sahinoglu Cyber security risk assessment and optimal risk management of a national vulnerability database
Zou et al. Autocvss: An approach for automatic assessment of vulnerability severity based on attack process
CN117370701A (en) Browser risk detection method, browser risk detection device, computer equipment and storage medium
CN117675284A (en) Override detection method, device, processor and machine-readable storage medium
Rajadorai et al. Data protection and data privacy act for BIG DATA governance
Chiu et al. Using an Efficient Detection Method to Prevent Personal Data Leakage for Web‐Based Smart City Platforms

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination