CN115589317A - Instruction processing method and device, electronic equipment and nonvolatile storage medium - Google Patents

Info

Publication number: CN115589317A
Application number: CN202211214577.3A
Authority: CN (China)
Legal status: Pending (the status listed by Google Patents is an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Inventors: 胡凯, 揭凌雁
Original and current assignee: China Telecom Corp Ltd
Prior art keywords: network, instruction, risk, command, judgment

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1441: Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

This application discloses an instruction processing method, apparatus, electronic device and non-volatile storage medium. The method comprises: acquiring a network instruction detected by a target monitoring task, where the network instruction is an instruction generated on a network device and the target monitoring task is used at least for risk monitoring of the login account on that network device; when the network instruction is a risk instruction, processing it according to the handling rule corresponding to that risk instruction; when the network instruction is not a risk instruction, judging whether it is a suspected-risk instruction; and when the judgment indicates that it is a suspected-risk instruction, determining the judgment rule corresponding to the instruction and performing a risk judgment on it according to that rule. The application solves the technical problem that the prior art checks the security of instructions generated on network devices manually, which is inefficient.

Description

Instruction processing method, apparatus, electronic device and non-volatile storage medium

Technical field

This application relates to the technical field of data operation and maintenance, and in particular to an instruction processing method, apparatus, electronic device and non-volatile storage medium.

Background

The operations performed on metropolitan area network (MAN) devices affect Internet access for large numbers of households, so the safe execution of instructions on those devices must be guaranteed. As the network keeps growing and more instruction workflows are automated, ensuring that all kinds of instructions are executed automatically, safely and efficiently becomes especially important. The prior art generally relies on manual review to check the security of the operation instructions issued to network devices; manual review, however, is inefficient and inflexible.

No effective solution to the above problem has yet been proposed.

Summary of the invention

Embodiments of this application provide an instruction processing method, apparatus, electronic device and non-volatile storage medium, so as to at least solve the technical problem that the prior art checks the security of instructions generated on network devices manually, which is inefficient.

According to one aspect of the embodiments, an instruction processing method is provided, comprising: acquiring a network instruction detected by a target monitoring task, where the network instruction is an instruction generated on a network device and the target monitoring task is used at least for risk monitoring of the login account on that network device; when the network instruction is a risk instruction, processing it according to the handling rule corresponding to that risk instruction; when the network instruction is not a risk instruction, judging whether it is a suspected-risk instruction; and when the judgment indicates that it is a suspected-risk instruction, determining the judgment rule corresponding to the network instruction and performing a risk judgment on it according to that rule.

Optionally, processing the network instruction according to the handling rule corresponding to the risk instruction comprises: determining the life stage of the risk instruction to which the network instruction belongs; when the life stage is the initial stage, rolling the network instruction back; when the life stage is the transition stage, sending the network instruction to a target object for confirmation; and when the life stage is the end-of-life stage, storing the network instruction in a pending-confirmation area.

Optionally, determining the life stage of the risk instruction to which the network instruction belongs comprises: when the network instruction enters the configured area for the first time, determining that it is in the initial stage; when the probability that the network instruction in the configured area is a risk instruction falls below a first threshold, determining that it is in the transition stage; when the time the network instruction has spent in the transition stage exceeds a second threshold, determining that it is in the history stage; when a network instruction in the history stage has remained unchanged for a preset duration, determining that it has entered the end-of-life stage; and when a network instruction in the configured area that is in the transition stage or the history stage is hit by an alarm, determining that it re-enters the initial stage.

Optionally, judging whether the network instruction is a suspected-risk instruction comprises: obtaining the regular expressions stored in a database; matching the network instruction against those regular expressions; and when a risk keyword is matched, determining that the network instruction is a suspected-risk instruction.

Optionally, determining the judgment rule corresponding to the network instruction comprises: obtaining path depth information for the network instruction, where the path depth information describes the directory path in which the instruction is located; classifying the network instruction according to the path depth information and a criterion for instruction risk depth, to obtain the risk scenario category to which it belongs, where the criterion for instruction risk depth is determined at least by the device type of the network device and a depth identifier; and determining the judgment rule corresponding to the network instruction according to its risk scenario category.

Optionally, performing the risk judgment on the network instruction according to the judgment rule comprises: when the risk scenario category is the first category, monitoring whether the network device corresponding to the instruction is associated with a network device that has raised an alarm, and if such an association exists, determining that the first-category instruction is risky; when the risk scenario category is the second category, sending the network instruction to a target object and receiving the determination result returned by the target object, where the result indicates whether the network device corresponding to the instruction is associated with a network device that has raised an alarm, and if the result indicates an association, determining that the second-category instruction is risky; and when the risk scenario category is the third category, judging the risk of the association between the network device corresponding to the instruction and a network device that has raised an alarm on the basis of historical command correspondences, where a historical command correspondence is the correspondence between the network device of a historical instruction and the network device of a historical alarm, and if the risk judgment indicates an association, determining that the third-category instruction is risky.

Optionally, after the risk judgment is performed according to the judgment rule, the method further comprises: storing the network instructions that matched a risk instruction or a suspected-risk instruction in a database, and periodically compiling error statistics for the target objects corresponding to those instructions to obtain an error record per target object, where the error record is determined by at least one of: the number of instructions in the initial stage, the number in the transition stage and the number in the end-of-life stage; when the value of the error record exceeds a third threshold, marking the corresponding target object as a first-class user, meaning a high-risk user; and when a first-class user satisfies a preset condition, re-marking that user as a second-class user, meaning a non-high-risk user, where the preset condition is that the first-class user is evaluated as a second-class user for a preset number of consecutive periods.
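The periodic user marking described above, as an added example written for this page (it is not code from the patent or from China Telecom): each period, the hit instructions stored in the database are grouped by the target object that issued them, an error record is computed from the counts of initial-, transition- and end-of-life-stage instructions, users over the third threshold become first-class (high-risk) users, and a first-class user who is evaluated as second-class for a preset number of consecutive periods is re-marked. The threshold value, the number of recovery periods, the per-stage weights and the sample records are all assumptions of this example; the patent names the quantities but gives no values.

```python
from collections import Counter, defaultdict

# Assumed values: the patent names a third threshold and a preset number of
# consecutive periods but specifies neither.
THIRD_THRESHOLD = 5       # error score above which a target object becomes first-class (high-risk)
RECOVERY_PERIODS = 3      # consecutive periods evaluated as second-class before the mark is lifted
# The patent derives the error record from the counts of instructions in the
# initial, transition and end-of-life stages; weighting them is this example's assumption.
STAGE_WEIGHTS = {"initial": 3, "transition": 1, "end_of_life": 1}


def error_score(records) -> int:
    """Error record for one target object from its (command, life stage) hits in the period."""
    counts = Counter(stage for _command, stage in records)
    return sum(STAGE_WEIGHTS.get(stage, 0) * n for stage, n in counts.items())


class UserRiskMarker:
    """Keeps the first-class (high-risk) user set across periodic evaluations."""

    def __init__(self):
        self.high_risk = set()                # first-class users
        self.clean_streak = defaultdict(int)  # consecutive periods a first-class user scored as second-class

    def run_period(self, hits_by_user: dict) -> dict:
        """One periodic evaluation over the database of hit instructions; returns user -> class."""
        labels = {}
        # Marked users with no hits this period must still be evaluated, or they could never recover.
        for user in set(hits_by_user) | self.high_risk:
            score = error_score(hits_by_user.get(user, []))
            if score > THIRD_THRESHOLD:
                self.high_risk.add(user)
                self.clean_streak[user] = 0   # any relapse restarts the recovery count
            elif user in self.high_risk:
                self.clean_streak[user] += 1
                if self.clean_streak[user] >= RECOVERY_PERIODS:
                    self.high_risk.discard(user)
                    self.clean_streak[user] = 0
            labels[user] = "first-class" if user in self.high_risk else "second-class"
        return labels


if __name__ == "__main__":
    # Constructed sample: one period of hit instructions per operator account.
    marker = UserRiskMarker()
    print(marker.run_period({
        "ops_li": [("undo ip route-static 10.0.0.0 8", "initial")] * 3,
        "ops_wang": [("shutdown", "end_of_life")],
    }))
```

The streak counter is reset on every relapse, so the "consecutive periods" condition is enforced literally: three quiet periods interrupted by one bad one start the count again.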

According to another aspect of the embodiments, an instruction processing apparatus is also provided, comprising: an acquisition module for acquiring a network instruction detected by a target monitoring task, where the network instruction is an instruction generated on a network device and the target monitoring task is used at least for risk monitoring of the login account on that device; a processing module for processing the network instruction according to the handling rule corresponding to the risk instruction when the network instruction is a risk instruction; a judgment module for judging whether the network instruction is a suspected-risk instruction when it is not a risk instruction; and a determination module for determining the judgment rule corresponding to the network instruction and performing a risk judgment on it according to that rule when the judgment indicates that it is a suspected-risk instruction.

According to a further aspect of the embodiments, an electronic device is also provided, comprising: a memory for storing program instructions; and a processor connected to the memory for executing program instructions that implement the following functions: acquiring a network instruction detected by a target monitoring task, where the network instruction is an instruction generated on a network device and the target monitoring task is used at least for risk monitoring of the login account on that device; when the network instruction is a risk instruction, processing it according to the handling rule corresponding to the risk instruction; when it is not a risk instruction, judging whether it is a suspected-risk instruction; and when the judgment indicates that it is a suspected-risk instruction, determining the judgment rule corresponding to the network instruction and performing a risk judgment on it according to that rule.

According to yet another aspect of the embodiments, a non-volatile storage medium is also provided, which contains a stored computer program; the device on which the non-volatile storage medium is located executes the instruction processing method above by running that computer program.

In the embodiments of this application, a network instruction detected by a target monitoring task is acquired, where the network instruction is an instruction generated on a network device and the target monitoring task is used at least for risk monitoring of the login account on that device; when the network instruction is a risk instruction, it is processed according to the handling rule corresponding to the risk instruction; when it is not a risk instruction, it is judged whether it is a suspected-risk instruction; and when the judgment indicates that it is a suspected-risk instruction, the judgment rule corresponding to the network instruction is determined and a risk judgment is performed according to that rule. The efficiency of risk identification for network instructions is thereby improved, risk instructions are judged dynamically, and the technical problem of the prior art, namely the low efficiency of manually checking the security of instructions generated on network devices, is solved.

Brief description of the drawings

The drawings described here are provided for a further understanding of this application and form part of it; the illustrative embodiments and their descriptions explain the application and do not unduly limit it. In the drawings:

Fig. 1 is a block diagram of the hardware structure of a computer terminal (or electronic device) for implementing the instruction processing method according to an embodiment of this application;

Fig. 2 is a flowchart of an instruction processing method according to an embodiment of this application;

Fig. 3 is a structural diagram of an instruction processing apparatus according to an embodiment of this application;

Fig. 4 is a schematic diagram of the judgment flow for a risk instruction according to an embodiment of this application;

Fig. 5 is a schematic diagram of the marking process for risk personnel according to an embodiment of this application.

Detailed description

To help those skilled in the art better understand the solution of this application, the technical solutions in its embodiments are described clearly and completely below with reference to the drawings in those embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of this application. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of this application.

It should be noted that the terms "first", "second" and the like in the description, claims and drawings of this application are used to distinguish similar objects and not necessarily to describe a particular order or sequence. It should be understood that data so used are interchangeable where appropriate, so that the embodiments described here can be practised in orders other than those illustrated or described. Furthermore, the terms "comprising" and "having", and any variants of them, are intended to cover non-exclusive inclusion: a process, method, system, product or device that comprises a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to that process, method, product or device.

The instruction processing method provided in the embodiments of this application may be executed on a mobile terminal, a computer terminal or a similar computing device. Fig. 1 is a block diagram of the hardware structure of a computer terminal (or electronic device) for implementing the method. As shown in Fig. 1, the computer terminal 10 (or electronic device 10) may comprise one or more processors (shown as 102a, 102b, ..., 102n in the figure; a processor may be, without limitation, a microcontroller (MCU), a programmable logic device (FPGA) or another processing device), a memory 104 for storing data, and a transmission module 106 for communication. It may further comprise a display, an input/output (I/O) interface, a universal serial bus (USB) port (which may be included as one of the ports of the I/O interface), a network interface, a power supply and/or a camera. A person of ordinary skill in the art will understand that the structure shown in Fig. 1 is only illustrative and does not limit the structure of the electronic device; for example, the computer terminal 10 may comprise more or fewer components than shown in Fig. 1, or have a different configuration from that shown in Fig. 1.

It should be noted that the one or more processors and/or other data processing circuits above may generally be referred to here as a "data processing circuit". The data processing circuit may be embodied wholly or partly in software, hardware, firmware or any combination of them. It may be a single, stand-alone processing module, or may be wholly or partly integrated into any of the other elements of the computer terminal 10 (or electronic device). As involved in the embodiments of this application, the data processing circuit acts as a kind of processor control (for example, the selection of a variable-resistance terminal path connected to an interface).

The memory 104 may be used to store software programs and modules of application software, such as the program instructions/data storage device corresponding to the instruction processing method in the embodiments of this application; by running the software programs and modules stored in the memory 104, the processor performs various functional applications and data processing, that is, implements the instruction processing method described above. The memory 104 may comprise high-speed random access memory and may also comprise non-volatile memory, such as one or more magnetic storage devices, flash memory or other non-volatile solid-state memory. In some instances the memory 104 may further comprise memory located remotely from the processor, which may be connected to the computer terminal 10 over a network. Examples of such a network include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network and combinations of them.

The transmission module 106 is used to receive or send data over a network. A specific example of such a network is a wireless network provided by the communication provider of the computer terminal 10. In one instance the transmission module 106 comprises a network interface controller (NIC), which can connect to other network devices through a base station and thereby communicate with the Internet. In another instance the transmission module 106 may be a radio frequency (RF) module used to communicate with the Internet wirelessly.

The display may be, for example, a touch-screen liquid crystal display (LCD) that allows the user to interact with the user interface of the computer terminal 10 (or electronic device).

It should be noted here that, in some optional embodiments, the computer device (or electronic device) shown in Fig. 1 may comprise hardware elements (including circuits), software elements (including computer code stored on a computer-readable medium), or a combination of both. It should be pointed out that Fig. 1 is only one example of a particular implementation and is intended to illustrate the types of components that may be present in the computer device (or electronic device) described above.

In the operating environment described above, the embodiments of this application provide an instruction processing method. It should be noted that the steps shown in the flowcharts of the drawings may be executed in a computer system such as a set of computer-executable instructions and, although a logical order is shown in the flowcharts, in some cases the steps shown or described may be performed in an order different from the one given here.

Fig. 2 is a flowchart of an instruction processing method according to an embodiment of this application. As shown in Fig. 2, the method comprises the following steps:

Step S202: acquire a network instruction detected by a target monitoring task, where the network instruction is an instruction generated on a network device and the target monitoring task is used at least for risk monitoring of the login account on that network device.

In this embodiment, when an operator logs in to a network device with their own account, the login is taken as the trigger event: the operator's account information and the information of the device being logged in to are collected, the pair of device information and account information is used as a monitoring identifier, a monitoring task corresponding to that identifier (the target monitoring task above) is created, and tracking of the network instructions produced on the device the operator logged in to is started, together with risk marking of the login account.

Step S204: when the network instruction is a risk instruction, process it according to the handling rule corresponding to the risk instruction.

In this step, the network instruction detected in real time by the target monitoring task, that is, the instruction generated in real time on the network device (hereafter simply "the network instruction"), is checked for a match against the risk instructions, the instructions identified as risky by the risk-response rules. If it matches, that is, if the network instruction is a risk instruction, it is processed according to the risk-response handling rule corresponding to that risk instruction.

Step S206: when the network instruction is not a risk instruction, judge whether it is a suspected-risk instruction.

In step S206, if the network instruction does not match any risk instruction, that is, it is a non-risk instruction, it is judged whether it is a suspected-risk instruction: the instruction is matched against the keyword regular expressions contained in a pre-built regular-expression data model library of risk instructions, and the match result decides whether the instruction is a suspected-risk instruction.

Step S208: when the judgment indicates that the network instruction is a suspected-risk instruction, determine the judgment rule corresponding to the instruction and perform a risk judgment on it according to that rule.

In step S208, if the network instruction is judged to be a suspected-risk instruction, its path depth information is obtained; the instruction is classified on the basis of that path depth information and a pre-established criterion for instruction risk depth (the directory path in which the instruction is located), and a risk judgment is then made according to the judgment rule corresponding to its category.
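The following Python is an added illustration of steps S204 to S208 run end to end, written for this page; it is not an implementation from the patent or from China Telecom. It performs the lookup against known risk instructions, the regular-expression keyword check of step S206, the path-depth classification into the three risk scenario categories, and the per-category judgment rule of the summary section (live association with an alarming device, human confirmation, or historical command correspondences). The risk-instruction set, keyword patterns, depth thresholds, topology links, history pairs and, in particular, the mapping from path depth to category are all assumptions made for the example; the patent names these inputs but does not specify them. The target object that confirms second-category instructions is modelled as a callback.

```python
import re
from dataclasses import dataclass

# Constructed configuration for the example; none of these values come from the patent.
# Instructions identified as risky by the risk-response rules (the step S204 lookup).
KNOWN_RISK_COMMANDS = {"reboot", "reset saved-configuration"}

# Keyword regular expressions of the kind the patent keeps in its database (step S206).
RISK_KEYWORD_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r"\bundo\b", r"\bdelete\b", r"\bshutdown\b", r"\bformat\b")
]

# Instruction risk depth criterion per device type (assumed thresholds).
RISK_DEPTH = {"router": 2, "switch": 3}

# Topology associations, device -> directly linked devices (constructed).
LINKS = {
    "bras-01": {"core-01", "olt-07"},
    "core-01": {"bras-01", "bras-02"},
    "sw-agg-03": {"core-02"},
}

# Historical correspondences: (device of a past instruction, device that alarmed) (constructed).
HISTORY = [("sw-agg-03", "core-02"), ("bras-02", "core-01")]


@dataclass
class Instruction:
    device: str
    device_type: str
    account: str
    view_path: str  # configuration view the command was typed in, levels separated by " > "
    text: str


def path_depth(view_path: str) -> int:
    """Number of view levels; 'system-view > interface GigabitEthernet0/0/1' has depth 2."""
    return len([level for level in view_path.split(">") if level.strip()])


def is_suspect(text: str) -> bool:
    """Step S206: regular-expression match against the risk keyword patterns."""
    return any(p.search(text) for p in RISK_KEYWORD_PATTERNS)


def risk_category(instr: Instruction) -> int:
    """Assumed mapping of path depth to the patent's three risk scenario categories:
    shallower than the device's risk depth -> 1 (automatic association check),
    exactly the risk depth -> 3 (history-based check), deeper -> 2 (human confirmation)."""
    threshold = RISK_DEPTH.get(instr.device_type, 2)
    depth = path_depth(instr.view_path)
    if depth < threshold:
        return 1
    if depth == threshold:
        return 3
    return 2


def associated_with_alarm(device: str, alarmed: set) -> bool:
    """First category: the device itself or a directly linked device has an active alarm."""
    return device in alarmed or bool(LINKS.get(device, set()) & alarmed)


def judge(instr: Instruction, alarmed: set, confirm=None) -> bool:
    """Step S208: apply the judgment rule of the instruction's category; True means risky."""
    category = risk_category(instr)
    if category == 1:
        return associated_with_alarm(instr.device, alarmed)
    if category == 2:
        if confirm is None:
            raise ValueError("category 2 needs a confirmation callback (the target object)")
        return confirm(instr, alarmed)
    # Category 3: a past instruction on this device corresponded to a device that is alarming now.
    return any(dev == instr.device and alarm_dev in alarmed for dev, alarm_dev in HISTORY)


def process(instr: Instruction, alarmed: set, confirm=None) -> str:
    """Steps S204 to S208 in order; returns the verdict the disposal logic would act on."""
    if instr.text.strip().lower() in KNOWN_RISK_COMMANDS:
        return "risk"  # handled by the disposal rule for known risk instructions
    if not is_suspect(instr.text):
        return "non-risk"
    return "suspect-risky" if judge(instr, alarmed, confirm) else "suspect-cleared"


if __name__ == "__main__":
    cmd = Instruction("bras-01", "router", "ops_li", "system-view",
                      "undo ip route-static 10.0.0.0 8 192.168.1.1")
    print(process(cmd, alarmed={"core-01"}))
```

The view path is split on ">" rather than "/" on purpose: interface names such as GigabitEthernet0/0/1 contain slashes, and counting those as directory levels would misclassify every interface-view command.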

在上述指令的处理方法中的步骤S204中,依据与风险指令对应的处置规则对网络指令进行处理,具体包括如下步骤:确定网络指令所属风险指令的生命阶段;在生命阶段为生命初期的情况下,对网络指令进行回退处理;在生命阶段为生命过渡期的情况下,将网络指令发送给目标对象进行确认;在生命阶段为生命结束期的情况下,将网络指令存入待确认区域。In step S204 of the above command processing method, the network command is processed according to the disposal rules corresponding to the risk command, specifically including the following steps: determining the life stage of the risk command to which the network command belongs; when the life stage is the initial life stage , to roll back the network command; if the life stage is the life transition period, send the network command to the target object for confirmation; if the life stage is the end of life period, store the network command in the area to be confirmed.

In the embodiment of the present application, after the acquired network instruction is determined to be a risk instruction, a risk response and disposal rule is established according to the conditions the network instruction satisfies. Specifically, the life stage of the risk instruction to which the network instruction belongs must be determined; the life stages may include, but are not limited to, the initial life stage, the life transition stage, the end-of-life stage and the life history stage. For a network instruction whose risk judgment places it in the initial life stage, the network device involved in the instruction is notified to automatically roll back the risky network instruction, where the notification method includes but is not limited to SMS. For a network instruction whose risk judgment places it in the life transition stage, the network instruction is sent to a target object for confirmation; the target object may be maintenance personnel, and the sending method may, for example, be an SMS notification. For a network instruction whose risk judgment places it in the end-of-life stage, the relevant network instruction is stored in an area to be confirmed, which is a 24-hour pending-review area that allows experts to perform a manual assessment later.

In the above steps, determining the life stage of the risk instruction to which the network instruction belongs specifically includes the following steps: when the network instruction enters the set area for the first time, determining that the network instruction is in the initial life stage; when the probability that a network instruction in the set area is a risk instruction falls below a first threshold, determining that the network instruction is in the life transition stage; when the duration for which the network instruction has been in the life transition stage exceeds a second threshold, determining that the network instruction is in the life history stage; when a network instruction in the life history stage has not changed for a preset duration, determining that the network instruction enters the end-of-life stage; and when a network instruction in the set area that is in the life transition stage or the life history stage is hit by an alarm, determining that the network instruction re-enters the initial life stage.

In the embodiment of the present application, after a network instruction is acquired, a risk judgment must be performed on it; the judgment methods include risk-instruction judgment and suspicious-risk-instruction judgment. Once the network instruction enters risk judgment, the whole process is managed in cycles. Specifically, a network instruction entering the set area for the first time is in the initial life stage (the set area may also be called the judgment area). After risk judgment, a network instruction whose risk hit rate in the set area is lower than the first threshold enters the life transition stage, where the risk hit rate is the probability that the network instruction is judged to be a risk instruction. A network instruction whose life transition stage lasts longer than the second threshold enters the life history stage. If a network instruction in the life history stage undergoes no state change for a preset duration, it enters the end-of-life stage. A network instruction in the set area that is in the life transition stage or the life history stage and is activated by an alarm hit re-enters the initial life stage. According to the judgment criteria of these different cycles, the risk instructions identified by the existing risk response and disposal rules are updated in real time.
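The cycle management described above, as an added example that is not part of the patent text: a small state machine that moves a risk instruction between the initial, transition, history and end-of-life stages using the first threshold (risk hit rate), the second threshold (time in transition) and the preset duration (time unchanged in history), with an alarm hit sending a transition- or history-stage instruction back to the initial stage. The stage names, the day-based clock, the threshold values and the `disposal_action` mapping onto the three disposal steps (rollback, send for confirmation, store pending confirmation) are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Stage(Enum):
    INITIAL = "initial"        # first entry into the judgment area
    TRANSITION = "transition"  # hit rate dropped below the first threshold
    HISTORY = "history"        # stayed in transition longer than the second threshold
    END = "end"                # unchanged in history for the preset duration


@dataclass(frozen=True)
class LifecycleConfig:
    # Assumed values; the patent only names the thresholds, not their magnitudes.
    first_threshold: float = 0.2   # hit rate below this -> transition stage
    second_threshold: int = 30     # days in transition before history stage
    preset_duration: int = 90      # days unchanged in history before end of life


@dataclass
class RiskInstruction:
    command: str
    stage: Stage = Stage.INITIAL
    stage_entered_day: int = 0     # day counter (assumed clock) when the stage was entered
    hits: int = 0                  # evaluations in which the instruction was judged risky
    evaluations: int = 0

    def hit_rate(self) -> float:
        # Before any evaluation the instruction is treated as fully risky (assumption).
        return self.hits / self.evaluations if self.evaluations else 1.0


def record_evaluation(instr: RiskInstruction, hit: bool) -> None:
    """Accumulate one risk-judgment result so the hit rate can be computed."""
    instr.evaluations += 1
    if hit:
        instr.hits += 1


def _enter(instr: RiskInstruction, stage: Stage, today: int) -> None:
    instr.stage = stage
    instr.stage_entered_day = today


def advance(instr: RiskInstruction, today: int,
            cfg: Optional[LifecycleConfig] = None, alarm_hit: bool = False) -> Stage:
    """Apply the stage rules once for the given day and return the resulting stage."""
    cfg = cfg or LifecycleConfig()
    if alarm_hit and instr.stage in (Stage.TRANSITION, Stage.HISTORY):
        _enter(instr, Stage.INITIAL, today)           # alarm hit re-activates the instruction
    elif instr.stage is Stage.INITIAL and instr.hit_rate() < cfg.first_threshold:
        _enter(instr, Stage.TRANSITION, today)
    elif instr.stage is Stage.TRANSITION and today - instr.stage_entered_day > cfg.second_threshold:
        _enter(instr, Stage.HISTORY, today)
    elif instr.stage is Stage.HISTORY and today - instr.stage_entered_day >= cfg.preset_duration:
        _enter(instr, Stage.END, today)
    return instr.stage


def disposal_action(stage: Stage) -> Optional[str]:
    """Map a stage onto the disposal step named in step S204; history has no listed action."""
    return {
        Stage.INITIAL: "rollback",
        Stage.TRANSITION: "send_for_confirmation",
        Stage.END: "store_pending_confirmation",
    }.get(stage)


if __name__ == "__main__":
    inst = RiskInstruction("constructed-sample-command")
    for i in range(10):
        record_evaluation(inst, hit=(i == 0))       # 1 hit in 10 -> hit rate 0.1
    print(advance(inst, today=5), disposal_action(inst.stage))
```

The `advance` function evaluates only one transition per call, so a caller runs it once per scheduling tick; that keeps the order of precedence explicit (an alarm hit always wins) and makes each transition visible to the disposal step.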

In step S206 of the above instruction processing method, judging whether the network instruction is a suspicious risk instruction specifically includes the following steps: obtaining the regular expressions in the database; matching the network instruction against the regular expressions; and, when a risk keyword is matched, determining that the network instruction is a suspicious risk instruction.

In the embodiment of the present application, if the network instruction is found not to match any risk instruction, that is, the network instruction is a non-risk instruction, it is judged whether the network instruction is a suspicious risk instruction. Specifically, a risk instruction set is established in advance for each type of network device, and within the risk instruction set the commonly used risk instructions are expressed, by keyword, as regular-expression text (a single string that describes and matches strings obeying a given syntactic rule), so as to form a risk-instruction regular-matching data model library (referred to as the database for short). The network instruction is matched against the keyword regular expressions contained in this pre-established library to judge whether it is a suspicious risk instruction. If a risk keyword is matched, the network instruction is characterized as a suspicious risk instruction; otherwise, it is characterized as not being a suspicious risk instruction.
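The keyword matching of step S206, as an added example that is not the patent's own implementation: a per-device-type library of keyword regular expressions is compiled once, and a network instruction is reported as a suspicious risk instruction when any pattern for its device type matches. The device type key `NE40E` is taken from the prompt examples later in the text; the patterns themselves and the sample commands are constructed for the example and do not represent any real risk instruction set.

```python
import re
from typing import Dict, List, Optional, Pattern

# Constructed sample library keyed by device type (an assumption standing in for the
# patent's risk-instruction regular-matching data model library). Each entry is a
# keyword regular expression; word boundaries keep "reset" from matching "resetable".
RISK_REGEX_LIBRARY: Dict[str, List[str]] = {
    "NE40E": [
        r"\bshutdown\b",
        r"\bundo\b",
        r"\breset\b",
        r"\bdelete\b",
        r"\breboot\b",
    ],
}


def compile_library(library: Dict[str, List[str]]) -> Dict[str, List[Pattern[str]]]:
    """Compile every keyword pattern once; matching is case-insensitive (assumption)."""
    return {dev: [re.compile(p, re.IGNORECASE) for p in patterns]
            for dev, patterns in library.items()}


COMPILED = compile_library(RISK_REGEX_LIBRARY)


def match_risk_keyword(device_type: str, command: str,
                       compiled: Dict[str, List[Pattern[str]]] = COMPILED) -> Optional[str]:
    """Return the matched keyword text, or None when no pattern for the device type matches."""
    for pattern in compiled.get(device_type, []):
        m = pattern.search(command)
        if m:
            return m.group(0)
    return None


def is_suspicious(device_type: str, command: str) -> bool:
    """Step S206 decision: a matched risk keyword marks the instruction as suspicious."""
    return match_risk_keyword(device_type, command) is not None


if __name__ == "__main__":
    # Constructed sample commands, not captured device output.
    for cmd in ("display current-configuration", "undo peer 10.0.0.1", "RESET counters"):
        print(f"{cmd!r:40} -> {match_risk_keyword('NE40E', cmd)}")
```

Unknown device types yield no match rather than an error, which mirrors the page's per-device library: an instruction from a device with no library entry falls through to "not suspicious" and should be flagged as a coverage gap in the library rather than silently treated as risky.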

In step S208 of the above instruction processing method, determining the judgment rule corresponding to the network instruction specifically includes the following steps: obtaining the path depth information of the network instruction, where the path depth information represents the directory path in which the network instruction is located; classifying the network instruction according to the path depth information and the criterion for judging instruction risk depth, to obtain the risk scenario category to which the network instruction belongs, where the criterion for judging instruction risk depth is determined at least by the device type and the depth identifier of the network device; and determining the judgment rule corresponding to the network instruction according to the risk scenario category to which it belongs.

In the embodiment of the present application, when the network instruction is judged to be a suspicious risk instruction, the path depth information of the network instruction is obtained, and the network instruction is classified on the basis of its path depth information and the pre-established criterion for judging instruction risk depth (the directory path in which the instruction is located) to obtain the risk scenario category to which it belongs. In the embodiment of the present application three risk scenario categories may be included: a first category (real-time judgment risk group), a second category (post-event expert judgment risk group) and a third category (big-data judgment risk group). The judgment rule corresponding to the network instruction is then determined according to the risk scenario category to which it belongs. It should be noted that the pre-established criterion for judging instruction risk depth may be a dynamic query built on the device resource network management system, forming a variable-length "device type + depth identifier" device command depth judgment rule.

In step S208 of the above instruction processing method, performing a risk judgment on the network instruction according to the judgment rule specifically includes the following steps: when the risk scenario category is the first category, monitoring whether an association exists between the network device corresponding to the network instruction and the network device that generated an alarm, and, when such an association exists, determining that the network instruction of the first category is risky; when the risk scenario category is the second category, sending the network instruction to a target object and receiving the judgment result returned by the target object, where the judgment result indicates whether an association exists between the network device corresponding to the network instruction and the network device that generated an alarm, and, when the judgment result indicates that such an association exists, determining that the network instruction of the second category is risky; and when the risk scenario category is the third category, performing a risk judgment on the association between the network device corresponding to the network instruction and the network device that generated an alarm according to the correspondence of historical commands, where the correspondence of historical commands is the correspondence between the network devices of historical network instructions and the network devices of historical alarms, and, when the risk judgment result indicates that such an association exists, determining that the network instruction of the third category is risky.

In the embodiment of the present application, the risk judgment rule for network instructions in the real-time judgment risk group corresponding to the first category is real-time judgment. Specifically, the network instruction is stored in the set area (the judgment area), and it is monitored whether an association exists between the network device corresponding to the network instruction and a network device that generates a real-time alarm. If such an association exists, a risk instruction has been hit, that is, the network instruction belonging to the first category is risky.

The risk judgment rule for network instructions in the post-event expert judgment risk group corresponding to the second category is manual judgment by experts. Specifically, the network instruction is stored in the set area (the judgment area) and sent to a target object, which may be an expert; the experts periodically judge in batch whether an association exists between the network devices corresponding to the network instructions in the set area and the network devices that generated real-time alarms, and the judgment result returned by the experts is received. If the judgment result indicates that such an association exists, a risk instruction has been hit, that is, the network instruction of the second category is risky.

The risk judgment rule for network instructions in the big-data judgment risk group corresponding to the third category is judgment by the K-Means clustering algorithm. Specifically, the network instruction is stored in the set area (the judgment area); on the big data formed from the various risk instruction rules, the K-Means clustering algorithm is used to record the correspondence of historical commands, and a risk association judgment is performed between the network device corresponding to the network instruction and the network device that generated an alarm according to that correspondence. If the risk association judgment result indicates that an association exists, a risk instruction has been hit, that is, the network instruction of the third category is risky.
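The three category-specific judgment rules of step S208 (real-time alarm association, expert confirmation, historical correspondence), as an added example that is not code from the patent: one dispatcher routes a classified instruction to the rule for its category and returns whether the instruction is risky. The device topology used for "association" in category 1, the expert callback in category 2, and the plain historical lookup table that stands in for the K-Means-derived record in category 3 are all assumptions; the sample device names and alarms are constructed.

```python
from typing import Callable, Dict, Iterable, Set

# Constructed topology: which devices are associated with (directly linked to) which.
# An assumption standing in for the resource network management data.
TOPOLOGY: Dict[str, Set[str]] = {
    "bas-1": {"core-1"},
    "core-1": {"bas-1", "bas-2"},
    "bas-2": {"core-1"},
}

# Constructed historical correspondence: command device -> devices that raised alarms
# after historical commands on it. Stands in for the K-Means-recorded relation (assumption).
HISTORY: Dict[str, Set[str]] = {
    "bas-1": {"core-1"},
}

ExpertCallback = Callable[[str, Set[str]], bool]


def realtime_association(command_device: str, alarm_devices: Iterable[str],
                         topology: Dict[str, Set[str]] = TOPOLOGY) -> bool:
    """Category 1: the command device itself, or a device associated with it, raised an alarm."""
    related = {command_device} | topology.get(command_device, set())
    return any(dev in related for dev in alarm_devices)


def expert_judgment(command_device: str, alarm_devices: Iterable[str],
                    ask_expert: ExpertCallback) -> bool:
    """Category 2: hand the instruction and current alarms to a reviewer and use their verdict."""
    return bool(ask_expert(command_device, set(alarm_devices)))


def historical_association(command_device: str, alarm_devices: Iterable[str],
                           history: Dict[str, Set[str]] = HISTORY) -> bool:
    """Category 3: an alarm device appears in the historical alarm set for this command device."""
    return any(dev in history.get(command_device, set()) for dev in alarm_devices)


def judge_risk(category: int, command_device: str, alarm_devices: Iterable[str],
               ask_expert: ExpertCallback = lambda dev, alarms: False) -> bool:
    """Dispatch to the judgment rule for the risk scenario category; unknown categories raise."""
    alarms = list(alarm_devices)
    if category == 1:
        return realtime_association(command_device, alarms)
    if category == 2:
        return expert_judgment(command_device, alarms, ask_expert)
    if category == 3:
        return historical_association(command_device, alarms)
    raise ValueError(f"unknown risk scenario category: {category}")


if __name__ == "__main__":
    # Constructed sample: a command on bas-1 while core-1 raises an alarm.
    print(judge_risk(1, "bas-1", ["core-1"]))
```

Keeping the expert path behind a callback lets the same dispatcher run unattended in tests while the production deployment wires it to the SMS or ticket flow the page describes.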

In the above instruction processing method, after the risk judgment is performed on the network instruction according to the judgment rule, the method further includes the following steps: storing the network instructions that hit a risk instruction or a suspicious risk instruction in a database, and performing periodic error statistics on the target objects corresponding to the network instructions in the database to obtain an error record corresponding to each target object, where the error record is determined by at least one of: the number of network instructions in the initial life stage, the number of network instructions in the life transition stage, and the number of network instructions in the end-of-life stage; when the value corresponding to the error record exceeds a third threshold, marking the target object corresponding to the error record as a first-type user, where a first-type user indicates that the target object is a high-risk user; and when a first-type user satisfies a preset condition, marking the first-type user as a second-type user, where a second-type user indicates that the target object is a non-high-risk user, and the preset condition is that the first-type user has been marked as a second-type user for a preset number of consecutive periods.

In the embodiment of the present application, after the risk judgment on the network instruction, operators must also be given a personnel risk mark. That is, network instructions that hit a risk instruction or a suspicious risk instruction are stored in a historical hit library (the database mentioned above), and periodic error statistics, for example monthly, are computed for the target objects (operators) corresponding to the network instructions in the historical hit library. The error record corresponding to a target object is calculated with the following weighted formula: number of network instructions in the initial life stage × A + number of network instructions in the life transition stage × B + number of network instructions in the end-of-life stage × C + impact events × D, where A, B, C and D are weight values that may be set from experience. This forms the audit of the target object (the operator); the impact events in the formula generally refer to fault events. Personnel whose error record exceeds the third threshold are marked as first-type users, that is, high-risk users or high-risk personnel; otherwise they are marked as second-type users, that is, non-high-risk users or non-high-risk personnel. The operation instructions of high-risk operators marked as first-type users must be approved manually in real time, so that personnel control can be exercised in real time. If a first-type user (high-risk person) is found by the audit to have been marked as a second-type user (non-high-risk person) for a preset number of consecutive periods (if statistics are monthly, the preset period may for example be set to two months), the first-type user is marked as a second-type user, that is, the high-risk mark is changed to a non-high-risk mark.
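The operator audit described above, as an added example that is not the patent's own code: hit-library records are aggregated per operator for one period, scored with the weighted formula (A, B, C, D), compared against the third threshold, and the high-risk mark is only cleared after the required number of consecutive clean periods (two, following the page's monthly example). The weight values, the threshold value, the record layout and the operator IDs are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

# Assumed empirical weights A, B, C, D and third threshold; the patent leaves them to experience.
WEIGHTS: Dict[str, float] = {"A": 3.0, "B": 2.0, "C": 1.0, "D": 5.0}
THIRD_THRESHOLD = 10.0
CONSECUTIVE_CLEAN_PERIODS = 2   # page's example: two months of monthly statistics


@dataclass
class PeriodStats:
    initial: int = 0          # hits whose instruction is in the initial life stage
    transition: int = 0       # hits in the life transition stage
    end: int = 0              # hits in the end-of-life stage
    impact_events: int = 0    # fault events attributed to the operator


# A hit-library record: (operator_id, life_stage, caused_impact_event).
HitRecord = Tuple[str, str, bool]


def aggregate(records: Iterable[HitRecord]) -> Dict[str, PeriodStats]:
    """Periodic statistics: count one period's hit-library records per operator."""
    stats: Dict[str, PeriodStats] = defaultdict(PeriodStats)
    for operator_id, stage, impact in records:
        s = stats[operator_id]
        if stage == "initial":
            s.initial += 1
        elif stage == "transition":
            s.transition += 1
        elif stage == "end":
            s.end += 1
        # history-stage hits carry no weight in the page's formula and are not counted
        if impact:
            s.impact_events += 1
    return dict(stats)


def error_score(s: PeriodStats, w: Dict[str, float] = WEIGHTS) -> float:
    """The page's weighted error record: initial*A + transition*B + end*C + impact*D."""
    return s.initial * w["A"] + s.transition * w["B"] + s.end * w["C"] + s.impact_events * w["D"]


@dataclass
class OperatorMark:
    operator_id: str
    high_risk: bool = False     # True = first-type user, False = second-type user
    clean_streak: int = 0       # consecutive periods scored as second-type while high_risk


def update_mark(mark: OperatorMark, stats: PeriodStats,
                threshold: float = THIRD_THRESHOLD,
                periods: int = CONSECUTIVE_CLEAN_PERIODS) -> OperatorMark:
    """Apply one period's statistics; clearing the mark needs `periods` consecutive clean periods."""
    if error_score(stats) > threshold:
        mark.high_risk, mark.clean_streak = True, 0
    elif mark.high_risk:
        mark.clean_streak += 1
        if mark.clean_streak >= periods:
            mark.high_risk, mark.clean_streak = False, 0
    return mark


def requires_manual_approval(mark: OperatorMark) -> bool:
    """First-type (high-risk) users have their instructions approved manually in real time."""
    return mark.high_risk


if __name__ == "__main__":
    # Constructed one-month sample of the historical hit library.
    month: List[HitRecord] = [("op-7", "initial", True), ("op-7", "initial", False),
                              ("op-7", "transition", False), ("op-9", "end", False)]
    for op, s in aggregate(month).items():
        print(op, error_score(s))
```

Holding the streak counter inside the mark object keeps the "two consecutive clean months" rule stateless from the caller's point of view: each period's job just feeds that period's statistics in.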

Starting from risk instruction identification and risk instruction auditing for metropolitan area network devices, the embodiment of the present application provides an instruction processing method intended to improve the efficiency and flexibility of risk identification for network instructions and to achieve dynamic, learnable and interactive adjustment of risk classification. The method takes risk instructions as its entry point and combines instruction depth with device type to form automatic risk identification; the instruction then enters the risk response area, where expert analysis and real-time alarm linkage together form a whole-life-cycle risk response control process. This allows risk instructions to be analysed efficiently, provides a mechanism for the dynamic generation and orderly retirement of risk instructions, and achieves precise control. In addition, by auditing and identifying the work IDs that issue high-risk operation commands, a high-risk command forecast is formed for the future and an effective manual approval intervention process is recommended, which provides a baseline for future risk audit forecasting and makes it possible to minimize risk.

FIG. 3 is a structural diagram of an instruction processing apparatus according to an embodiment of the present application. As shown in FIG. 3, the apparatus includes:

an acquisition module 302, configured to acquire a network instruction detected by a target monitoring task, where the network instruction is generated by a network device and the target monitoring task is used at least for risk monitoring of the login accounts of the network device;

a processing module 304, configured to, when the network instruction is a risk instruction, process the network instruction according to the disposal rule corresponding to the risk instruction;

a judgment module 306, configured to, when the network instruction is a non-risk instruction, judge whether the network instruction is a suspicious risk instruction; and

a determination module 308, configured to, when the judgment result indicates that the network instruction is a suspicious risk instruction, determine the judgment rule corresponding to the network instruction and perform a risk judgment on the network instruction according to the judgment rule.

In the processing module of the above instruction processing apparatus, processing the network instruction according to the disposal rule corresponding to the risk instruction specifically includes the following process: determining the life stage of the risk instruction to which the network instruction belongs; when the life stage is the initial life stage, rolling back the network instruction; when the life stage is the life transition stage, sending the network instruction to a target object for confirmation; and when the life stage is the end-of-life stage, storing the network instruction in an area to be confirmed.

In the processing module of the above instruction processing apparatus, determining the life stage of the risk instruction to which the network instruction belongs specifically includes the following process: when the network instruction enters the set area for the first time, determining that the network instruction is in the initial life stage; when the probability that a network instruction in the set area is a risk instruction falls below a first threshold, determining that the network instruction is in the life transition stage; when the duration for which the network instruction has been in the life transition stage exceeds a second threshold, determining that the network instruction is in the life history stage; when a network instruction in the life history stage has not changed for a preset duration, determining that the network instruction enters the end-of-life stage; and when a network instruction in the set area that is in the life transition stage or the life history stage is hit by an alarm, determining that the network instruction re-enters the initial life stage.

In the judgment module of the above instruction processing apparatus, judging whether the network instruction is a suspicious risk instruction specifically includes the following process: obtaining the regular expressions in the database; matching the network instruction against the regular expressions; and, when a risk keyword is matched, determining that the network instruction is a suspicious risk instruction.

In the determination module of the above instruction processing apparatus, determining the judgment rule corresponding to the network instruction specifically includes the following process: obtaining the path depth information of the network instruction, where the path depth information represents the directory path in which the network instruction is located; classifying the network instruction according to the path depth information and the criterion for judging instruction risk depth, to obtain the risk scenario category to which the network instruction belongs, where the criterion for judging instruction risk depth is determined at least by the device type and the depth identifier of the network device; and determining the judgment rule corresponding to the network instruction according to the risk scenario category to which it belongs.

In the determination module of the above instruction processing apparatus, performing a risk judgment on the network instruction according to the judgment rule specifically includes the following process: when the risk scenario category is the first category, monitoring whether an association exists between the network device corresponding to the network instruction and the network device that generated an alarm, and, when such an association exists, determining that the network instruction of the first category is risky; when the risk scenario category is the second category, sending the network instruction to a target object and receiving the judgment result returned by the target object, where the judgment result indicates whether an association exists between the network device corresponding to the network instruction and the network device that generated an alarm, and, when the judgment result indicates that such an association exists, determining that the network instruction of the second category is risky; and when the risk scenario category is the third category, performing a risk judgment on the association between the network device corresponding to the network instruction and the network device that generated an alarm according to the correspondence of historical commands, where the correspondence of historical commands is the correspondence between the network devices of historical network instructions and the network devices of historical alarms, and, when the risk judgment result indicates that such an association exists, determining that the network instruction of the third category is risky.

The above instruction processing apparatus further includes a statistics module 310, configured to store the network instructions that hit a risk instruction or a suspicious risk instruction in a database and to perform periodic error statistics on the target objects corresponding to the network instructions in the database, obtaining an error record corresponding to each target object, where the error record is determined by at least one of: the number of network instructions in the initial life stage, the number of network instructions in the life transition stage, and the number of network instructions in the end-of-life stage; when the value corresponding to the error record exceeds a third threshold, to mark the target object corresponding to the error record as a first-type user, where a first-type user indicates that the target object is a high-risk user; and when a first-type user satisfies a preset condition, to mark the first-type user as a second-type user, where a second-type user indicates that the target object is a non-high-risk user, and the preset condition is that the first-type user has been marked as a second-type user for a preset number of consecutive periods.

It should be noted that the instruction processing apparatus shown in FIG. 3 is used to execute the instruction processing method shown in FIG. 2; the explanations given above for the instruction processing method therefore also apply to the instruction processing apparatus and are not repeated here.

FIG. 4 is a schematic flowchart of risk instruction judgment according to an embodiment of the present application. As shown in FIG. 4, an operator logs in to a network device with his or her own account. A personnel audit is performed on the currently logged-in operator to judge whether the operator is a marked user (a high-risk user or a non-high-risk user), and it is judged whether the network instruction generated by the network device the operator logged in to is a risk instruction. If that network instruction is judged not to be a risk instruction, it must be judged whether it is a suspicious risk instruction, that is, the network instruction is matched against the keyword regular expressions contained in the pre-established risk-instruction regular-matching data model library; if a risk keyword is matched, the network instruction is characterized as a suspicious risk instruction, otherwise it is characterized as not being one. If a risk keyword is matched, the path depth information of the network instruction is obtained, the path depth of the network instruction is classified, and the network instruction is classified according to the path depth information and the criterion for judging instruction risk depth to obtain the risk scenario category to which it belongs. The risk scenario categories include the first category, the second category and the third category, and different risk scenarios use different judgment principles: the first category uses alarm association for risk judgment, the second category uses experts, and the third category uses big data. If the network instruction satisfies one of the above categories, it may be understood to be a risk instruction and enters the risk response stage.

If the network instruction generated by the network device the operator logged in to is judged to be a risk instruction, the network instruction is processed according to the risk response and disposal rule corresponding to the risk instruction. The risk response defines the life stages of the risk instruction to which the network instruction belongs, including the initial life stage, the life transition stage, the life history stage and the end-of-life stage of the risk instruction. After the life stage is determined, a risk response and disposal rule is established according to the conditions the network instruction satisfies, that is, a response for the initial life stage, for the life transition stage and for the life history stage of the risk instruction. After the risk judgment and disposal of the network instruction according to the judgment rule, risk personnel must also be marked and the operator's mark updated.

In the risk response stage, a regular-expression matching data model library of risk commands is built for each network device, organized by device type. Account login is the trigger event, and the text echoed by the command line is split into a command part and a path part:

For example: <JX-NC-XJX-BAS-3.MAN.NE40E-X16> is the shallowest directory;

[JX-NC-XJX-BAS-3.MAN.NE40E-X16] is the configuration directory;

[JX-NC-XJX-BAS-3.MAN.NE40E-X16-bgp] means the bgp configuration directory has been entered;

[JX-NC-XJX-BAS-3.MAN.NE40E-X16-bgp-CTVPN3001007-JXjianhang] is the deep directory reached by entering the vpn CTVPN3001007-JXjianhang under the bgp configuration directory.

Continuing in this way, the path part, the command part and the device type are combined to form one configuration command.

In the risk disposal stage, every command combination that is being executed is matched against the risk response rules; if it matches an existing risk response rule, it goes directly to risk disposal. If it does not match an existing risk response rule, it is then judged whether the network command is a suspicious risk command.
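The following is an added example, not code from the patent or its applicant, showing how the steps described above fit together: the echoed line is split into a path part and a command part, the path depth is rated from the prompt, the command part is matched against per-device-type risk regular expressions, the three parts form one configuration command key that is looked up in the existing rules, and otherwise the depth selects the risk scenario category. The device name comes from the prompts quoted above; the regular expressions, the depth-to-category mapping, the hyphen-counting depth heuristic and the echo lines are assumptions made for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Device name taken from the prompts quoted in the text above.
DEVICE = "JX-NC-XJX-BAS-3.MAN.NE40E-X16"
DEVICE_TYPE = "NE40E"

# Constructed risk-keyword regexes, keyed by device type. The patent builds such a
# library per device type but does not publish its contents; these are examples only.
RISK_PATTERNS = {
    "NE40E": [
        re.compile(r"^undo\s+peer\b"),
        re.compile(r"^reset\s+bgp\b"),
        re.compile(r"^shutdown\b"),
    ],
}

# Assumed mapping from depth level to risk scenario category
# (1 = alarm correlation, 2 = expert judgment, 3 = big-data judgment).
DEPTH_TO_CATEGORY = {0: 1, 1: 1, 2: 2, 3: 3}

# prompt part ("<name>" or "[name]") followed by the command part
PROMPT_RE = re.compile(r"^([<\[])([^<>\[\]]+)([>\]])\s*(.*)$")


@dataclass
class ParsedCommand:
    device: str
    device_type: str
    path: str      # the prompt text, e.g. "[JX-...-X16-bgp]"
    depth: int     # 0 = shallowest, 1 = configuration, 2 = protocol (e.g. bgp), 3 = deeper
    command: str   # the command part

    def rule_key(self) -> str:
        """Path part + command part + device type form one configuration command."""
        return f"{self.device_type}|{self.path}|{self.command}"


def parse_echo(line: str, device: str = DEVICE, device_type: str = DEVICE_TYPE) -> Optional[ParsedCommand]:
    """Split an echoed line into its path (prompt) part and command part and rate the path depth."""
    m = PROMPT_RE.match(line.strip())
    if not m:
        return None
    open_br, name, close_br, command = m.groups()
    if open_br == "<":
        depth = 0                                # user view: the shallowest directory
    else:
        # Views entered below the configuration view are appended to the device name
        # with '-'. Counting those segments is an assumed heuristic; names that
        # themselves contain '-' (the vpn instance above) simply count as "deep".
        suffix = name[len(device):] if name.startswith(device) else name
        segments = [s for s in suffix.split("-") if s]
        depth = min(3, 1 + len(segments))
    return ParsedCommand(device, device_type, open_br + name + close_br, depth, command.strip())


def is_risk_suspicious(cmd: ParsedCommand) -> bool:
    """Regular-expression match of the command part against the risk keywords for the device type."""
    return any(p.search(cmd.command) for p in RISK_PATTERNS.get(cmd.device_type, []))


def triage(line: str, known_rules: set[str], device: str = DEVICE, device_type: str = DEVICE_TYPE) -> dict:
    """Decision order from the text: existing risk rule -> suspicious? -> category by depth."""
    cmd = parse_echo(line, device, device_type)
    if cmd is None:
        return {"status": "unparsed"}
    if cmd.rule_key() in known_rules:
        return {"status": "risk", "depth": cmd.depth}        # straight to risk disposal
    if not is_risk_suspicious(cmd):
        return {"status": "clean", "depth": cmd.depth}
    return {"status": "suspicious", "depth": cmd.depth,
            "category": DEPTH_TO_CATEGORY[cmd.depth]}


# Constructed echo lines in the prompt style of the text above.
SAMPLE_ECHO = [
    "<JX-NC-XJX-BAS-3.MAN.NE40E-X16>display current-configuration",
    "[JX-NC-XJX-BAS-3.MAN.NE40E-X16]sysname JX-NC-XJX-BAS-3",
    "[JX-NC-XJX-BAS-3.MAN.NE40E-X16-bgp]undo peer 10.0.0.1 enable",
    "[JX-NC-XJX-BAS-3.MAN.NE40E-X16-bgp-CTVPN3001007-JXjianhang]undo peer 10.0.0.2 enable",
]

# One existing risk response rule (constructed): the same configuration command seen before.
KNOWN_RULES = {"NE40E|[JX-NC-XJX-BAS-3.MAN.NE40E-X16-bgp]|undo peer 10.0.0.1 enable"}

if __name__ == "__main__":
    for echo_line in SAMPLE_ECHO:
        print(triage(echo_line, KNOWN_RULES))
```

The rule key is deliberately the exact triple of device type, path and command, so a command that was previously judged a risk is recognized again only in the same view on the same device type; a hit on the regular expressions alone only makes the command suspicious and hands it to the category-specific judgment.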

Risk disposal combines the initial-period response, the transition-period response and the history-period response. The disposal methods are as follows:

[Table of disposal methods: image not extracted (Figure BDA0003876296320000121, Figure BDA0003876296320000131)]

For a risk command that does not match an existing risk response rule, alarm judgment is performed first: whether the command corresponding to this device or other involved devices has an alarm association within the time-sensitive window. If there is an alarm association, the command is treated as a risk command in its initial life stage and enters the risk response, handled as described above; if there is none, it passes to expert judgment. The expert judges whether the command corresponding to this device or other involved devices has an alarm association within the time-sensitive window. If so, the command is again treated as a risk command in its initial life stage and handled as above; if not, it passes to big data judgment. Big data judgment uses the K-Means clustering algorithm over the recorded command correspondences of historical command combinations (the combinations accumulated before the end of earlier risk commands) to judge whether the command corresponding to this device or other involved devices has an alarm association within the time-sensitive window; if an association is found, the command enters the initial life stage of a risk command and is handled as above. The big data records the probability that each command combination will produce an alarm, together with probability density curves for each combination.

The big data matching process uses the K-Means clustering algorithm; the process is as follows:

In the K-Means algorithm, k is the number of clusters and is parsed from the command path; means is the mean of the data objects in a cluster (this mean describes the cluster center). The alarm is taken as the origin, and distance is the similarity measure between data objects: the smaller the distance between two data objects, the higher their similarity, the more likely they fall in the same cluster, and the more likely they are associated.

The distance calculation formula is:

[Formula image not extracted (Figure BDA0003876296320000132)]

where D is the distance between the data objects, (x1, y1) are the coordinates of data object 1 and (x2, y2) are the coordinates of data object 2.
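The following is an added example, not code from the patent, of the big data judgment described above: historical command records are placed in a plane whose origin is the alarm, clustered with K-Means, and each cluster is labelled with the fraction of its records that were confirmed to have caused an alarm; a new command seen near an alarm is judged by the probability of its nearest cluster. Because the formula image did not survive, Euclidean distance is assumed for D; the two coordinates (minutes before the alarm, hops from the alarming device), the history records, the deterministic centroid initialization and the 0.5 cut-off are also assumptions made for the example.

```python
import math
from dataclasses import dataclass
from typing import List, Tuple

Point = Tuple[float, float]


@dataclass(frozen=True)
class HistoryRecord:
    """One entry of the historical command/alarm correspondence (constructed data)."""
    minutes_before_alarm: float    # x: time between the command and the alarm; the alarm is the origin
    hops_from_alarm_device: float  # y: topological distance between command device and alarm device
    caused_alarm: bool             # confirmed afterwards, once the risk command's life had ended

    @property
    def point(self) -> Point:
        return (float(self.minutes_before_alarm), float(self.hops_from_alarm_device))


def distance(p: Point, q: Point) -> float:
    """Euclidean distance D between (x1, y1) and (x2, y2). The text names D and the
    coordinates but the formula image was lost, so Euclidean distance is assumed here."""
    return math.sqrt((p[0] - q[0]) ** 2 + (p[1] - q[1]) ** 2)


def kmeans(points: List[Point], k: int, max_iter: int = 100):
    """Lloyd's K-Means. Initial centroids are spread over the points ordered by their
    distance from the origin (the alarm), which keeps the run deterministic."""
    ordered = sorted(points, key=lambda p: distance(p, (0.0, 0.0)))
    centroids = [ordered[i * len(ordered) // k] for i in range(k)]
    assignment = [0] * len(points)
    for _ in range(max_iter):
        assignment = [min(range(k), key=lambda i: distance(p, centroids[i])) for p in points]
        new_centroids = []
        for i in range(k):
            members = [p for p, a in zip(points, assignment) if a == i]
            if members:
                new_centroids.append((sum(p[0] for p in members) / len(members),
                                      sum(p[1] for p in members) / len(members)))
            else:
                new_centroids.append(centroids[i])   # keep an empty cluster's old center
        if new_centroids == centroids:
            break
        centroids = new_centroids
    return centroids, assignment


class BigDataJudge:
    """Clusters the history and records, per cluster, the probability of an alarm."""

    def __init__(self, history: List[HistoryRecord], k: int = 2):
        self.centroids, assignment = kmeans([r.point for r in history], k)
        self.alarm_probability = []
        for i in range(k):
            members = [r for r, a in zip(history, assignment) if a == i]
            self.alarm_probability.append(
                sum(r.caused_alarm for r in members) / len(members) if members else 0.0)

    def judge(self, minutes_before_alarm: float, hops: float, threshold: float = 0.5):
        """Return (associated, probability) for a new command seen near an alarm.
        The threshold is an assumed cut-off."""
        point = (float(minutes_before_alarm), float(hops))
        c = min(range(len(self.centroids)), key=lambda i: distance(point, self.centroids[i]))
        p = self.alarm_probability[c]
        return p >= threshold, p


# Constructed history: commands shortly before an alarm on the same or a neighbouring
# device mostly turned out to be the cause; commands far away in time and topology did not.
HISTORY = [
    HistoryRecord(2, 0, True), HistoryRecord(5, 0, True), HistoryRecord(3, 1, True),
    HistoryRecord(6, 1, False), HistoryRecord(4, 0, True),
    HistoryRecord(40, 3, False), HistoryRecord(50, 4, False), HistoryRecord(45, 3, False),
    HistoryRecord(55, 2, False), HistoryRecord(60, 3, False),
]

if __name__ == "__main__":
    judge = BigDataJudge(HISTORY)
    print(judge.judge(3, 0))    # a command 3 minutes before the alarm on the alarming device
    print(judge.judge(47, 3))   # a command 47 minutes earlier, three hops away
```

The per-cluster fraction is the simplest form of the "probability that a command combination produces an alarm" that the text says the big data records; a production system would keep the probability density per combination rather than one number per cluster.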

Fig. 5 is a schematic diagram of the risk personnel marking process according to an embodiment of the present application; it includes the following steps:

S001: A risk person logs in and operates. The login person must initially be a non-risk person (that is, not a high-risk user); risk response identification is performed when the path depth classification and matching stage is entered.

S002: When a command is matched to the initial stage of a risk command, risk personnel marking is performed. When this person enters a command again, they must pass a personnel identification review before commands are matched again.

S003: When a command is matched to the transition period of a risk command, risk personnel marking is performed and the person enters the personnel inspection and identification area. When this person enters commands again that match any stage other than the initial stage of a risk command, the hits are counted cumulatively; once the count exceeds the threshold, a personnel identification review must be passed before commands are matched again.

S004: When a command is matched to the end period of a risk command, the person enters the personnel inspection and identification area for audit history identification. When this person matches a specific rule in the big data check, risk personnel marking is performed and the cumulative count threshold judgment is entered; once the threshold is exceeded, a personnel identification review must be passed before commands can be entered again. In parallel, a monthly internal audit match of operators is performed; an operator who is matched is directly defined as a risk person. This matching method performs monthly weighted statistics over all operators in the historical hit library. The error rate of an operator is computed with the following weighted formula: number of initial-life-stage hits * A + number of life-transition-period hits * B + number of life-end-period hits * C + impact events * D. This forms the audit of the personnel who executed risk commands.

An example check is shown in the table below: when the cumulative matched risk rate (or error rate) exceeds 100, the operator is counted as matched.

[Table of the example check: image not extracted (Figure BDA0003876296320000141)]

S005: A risk personnel mark is automatically cleared after a certain period of time. When the mark was set by management personnel, only management personnel can clear it.
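The following is an added example, not code from the patent, of the two marking paths of steps S002 to S005: dynamic marking while commands are matched (an initial-stage hit marks at once, transition- and end-period hits are counted against a threshold), static marking from the monthly weighted error rate with the cut-off of 100 stated above, automatic expiry of a mark, and the rule that a mark set by management can only be cleared by management. The weights A, B, C and D, the count threshold, the expiry period and the operator records are assumptions made for the example; the text gives only the formula and the cut-off.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Weights A, B, C, D of the audit formula and the per-person count threshold. The text
# gives the formula and the cut-off of 100 but not these values, so they are assumed.
WEIGHTS = {"initial": 10, "transition": 5, "end": 2, "impact": 40}
AUDIT_THRESHOLD = 100
COUNT_THRESHOLD = 3
MARK_EXPIRY = timedelta(days=30)   # assumed period after which a mark clears itself (S005)


@dataclass
class MonthlyRecord:
    """Hit counts of one operator in the historical hit library for one month (constructed)."""
    operator: str
    initial_hits: int = 0
    transition_hits: int = 0
    end_hits: int = 0
    impact_events: int = 0


def error_rate(rec: MonthlyRecord) -> int:
    """initial hits * A + transition hits * B + end-of-life hits * C + impact events * D"""
    return (rec.initial_hits * WEIGHTS["initial"] + rec.transition_hits * WEIGHTS["transition"]
            + rec.end_hits * WEIGHTS["end"] + rec.impact_events * WEIGHTS["impact"])


@dataclass
class Mark:
    reason: str
    marked_at: datetime
    by_manager: bool = False


class OperatorRiskRegistry:
    def __init__(self) -> None:
        self.marks: Dict[str, Mark] = {}
        self.counts: Dict[str, int] = {}

    def is_marked(self, operator: str, now: datetime) -> bool:
        """A marked operator must pass identification review before commands are matched again."""
        m = self.marks.get(operator)
        if m is None:
            return False
        if not m.by_manager and now - m.marked_at > MARK_EXPIRY:
            del self.marks[operator]             # S005: automatic clearing after the period
            return False
        return True

    def record_hit(self, operator: str, stage: str, now: datetime) -> bool:
        """Dynamic marking while commands are matched; returns whether the operator is now marked."""
        if stage == "initial":                   # S002: one initial-stage hit marks immediately
            self.marks[operator] = Mark("initial-stage hit", now)
        else:                                    # S003/S004: count hits against the threshold
            self.counts[operator] = self.counts.get(operator, 0) + 1
            if self.counts[operator] > COUNT_THRESHOLD:
                self.marks[operator] = Mark(f"{stage}-stage count exceeded", now)
        return self.is_marked(operator, now)

    def monthly_audit(self, records: List[MonthlyRecord], now: datetime) -> List[str]:
        """Static marking: weighted error rate over the month; above 100 counts as matched."""
        flagged = []
        for rec in records:
            if error_rate(rec) > AUDIT_THRESHOLD:
                self.marks[rec.operator] = Mark("monthly audit", now)
                flagged.append(rec.operator)
        return flagged

    def manager_mark(self, operator: str, now: datetime) -> None:
        self.marks[operator] = Mark("set by management", now, by_manager=True)

    def clear(self, operator: str, requester_is_manager: bool) -> bool:
        """S005: a mark set by management can only be cleared by management."""
        m = self.marks.get(operator)
        if m is None:
            return True
        if m.by_manager and not requester_is_manager:
            return False
        del self.marks[operator]
        return True


# Constructed monthly records for two operators.
RECORDS = [
    MonthlyRecord("op-a", initial_hits=4, transition_hits=6, end_hits=5, impact_events=1),
    MonthlyRecord("op-b", initial_hits=1, transition_hits=2, end_hits=3),
]


def demo() -> dict:
    """Walk through both marking paths on the constructed data and return the results."""
    now = datetime(2023, 1, 31, 9, 0)
    reg = OperatorRiskRegistry()
    out = {"rates": {r.operator: error_rate(r) for r in RECORDS}}
    out["audit_flagged"] = reg.monthly_audit(RECORDS, now)
    out["op_a_marked_now"] = reg.is_marked("op-a", now)
    out["op_a_marked_after_expiry"] = reg.is_marked("op-a", now + MARK_EXPIRY + timedelta(days=1))
    out["transition_hits"] = [reg.record_hit("op-c", "transition", now) for _ in range(4)]
    out["initial_hit"] = reg.record_hit("op-e", "initial", now)
    reg.manager_mark("op-d", now)
    out["operator_clear"] = reg.clear("op-d", requester_is_manager=False)
    out["manager_clear"] = reg.clear("op-d", requester_is_manager=True)
    return out


if __name__ == "__main__":
    print(demo())
```

A mark gates command matching rather than the login itself, which is what S002 to S004 describe: the operator can still log in, but the next matched command is held until the identification review has been passed.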

The command activation process in the history period of a risk command and the supplementing of the risk command regular expressions are explained below:

S001: If a command combination belonging to the history period of a risk command is matched, the command is set to inactive and placed in the 24-hour observation area, for query during equipment fault handling.

S002: When a fault occurs without any alarm being displayed, it was most probably caused by a manual operation; the commands in the 24-hour observation area are searched, and the commands on the affected device within the previous 24 hours are judged to be the related commands.

S003: When a command is found to have caused the fault, that command is set to active and recorded.

S004: When a command cannot be matched by any regular expression and so cannot form a risk command, the command is also placed in the 24-hour observation area and activated in real time according to the activation process of the risk command history period; commands activated as risk commands in this way are then added to the regular-expression rule set as a supplement.
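The following is an added example, not code from the patent, of the 24-hour observation area of steps S001 to S004: history-period commands and commands that no regular expression matched are admitted as inactive; a fault with no alarm selects the inactive commands on the affected device from the previous 24 hours; the command found to have caused the fault is activated and recorded, and if it was an unmatched command an exact-match regular expression for it is appended to the rule set. The device names, commands, timestamps, fault identifier and initial rule set are constructed for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Pattern

OBSERVATION_WINDOW = timedelta(hours=24)   # the 24-hour observation area of the text


@dataclass
class ObservedCommand:
    device: str
    path: str
    command: str
    seen_at: datetime
    origin: str           # "history-period" (S001) or "unmatched" (S004)
    active: bool = False  # inactive on entry; activated once found to have caused a fault (S003)


class ObservationArea:
    def __init__(self, risk_patterns: List[Pattern[str]]) -> None:
        self.entries: List[ObservedCommand] = []
        self.risk_patterns = list(risk_patterns)   # the regex rule set that S004 supplements
        self.activation_log: List[tuple] = []

    def admit(self, device: str, path: str, command: str, seen_at: datetime, origin: str) -> ObservedCommand:
        entry = ObservedCommand(device, path, command, seen_at, origin)
        self.entries.append(entry)
        return entry

    def related_commands(self, device: str, fault_at: datetime) -> List[ObservedCommand]:
        """S002: for a fault without an alarm, the inactive commands on that device in the
        previous 24 hours are the related commands."""
        return [e for e in self.entries
                if e.device == device and not e.active
                and timedelta(0) <= fault_at - e.seen_at <= OBSERVATION_WINDOW]

    def activate(self, entry: ObservedCommand, fault_id: str) -> bool:
        """S003/S004: set the causing command active and record it; a command that no regex
        had matched is added to the rule set as an exact-match regex. Returns True if added."""
        entry.active = True
        self.activation_log.append((fault_id, entry.device, entry.path, entry.command))
        if entry.origin != "unmatched":
            return False
        pattern = re.compile(r"^" + re.escape(entry.command) + r"$")
        if any(p.pattern == pattern.pattern for p in self.risk_patterns):
            return False
        self.risk_patterns.append(pattern)
        return True

    def matches_rule(self, command: str) -> bool:
        return any(p.search(command) for p in self.risk_patterns)

    def expire(self, now: datetime) -> int:
        """Drop inactive entries older than the window; returns how many were dropped."""
        before = len(self.entries)
        self.entries = [e for e in self.entries if e.active or now - e.seen_at <= OBSERVATION_WINDOW]
        return before - len(self.entries)


def run_scenario() -> dict:
    """Constructed scenario: three observed commands, then a fault on the first device
    two hours after the last of them, with no alarm raised."""
    t0 = datetime(2023, 1, 5, 8, 0)
    dev_a = "JX-NC-XJX-BAS-3.MAN.NE40E-X16"        # device name from the text above
    dev_b = "JX-NC-XJX-BAS-4.MAN.NE40E-X16"        # constructed second device
    area = ObservationArea([re.compile(r"^undo\s+peer\b")])   # constructed initial rule set
    area.admit(dev_a, f"[{dev_a}-bgp]", "undo peer 10.0.0.1 enable",
               t0 - timedelta(hours=30), "history-period")
    target = area.admit(dev_a, f"[{dev_a}]", "undo route-policy RP-OUT", t0, "unmatched")
    area.admit(dev_b, f"[{dev_b}]", "undo route-policy RP-OUT", t0, "unmatched")

    fault_at = t0 + timedelta(hours=2)
    related = area.related_commands(dev_a, fault_at)
    out = {"related": [e.command for e in related],
           "matched_before": area.matches_rule(target.command)}
    out["rule_added"] = area.activate(related[0], "FAULT-ID-PLACEHOLDER")
    out["matched_after"] = area.matches_rule(target.command)
    out["target_active"] = target.active
    out["expired"] = area.expire(fault_at)
    return out


if __name__ == "__main__":
    print(run_scenario())
```

An activated entry is kept past the 24-hour window because it has become part of the record, while inactive entries age out; the supplementing regex is an exact match of the whole command, which is the narrowest rule that will catch the same command again without widening the library.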

The embodiment of the present application is triggered by regular-expression matching of risk commands and combines this with depth classification of the generated commands into a combined method for risk response; this combined method is effective for command identification and risk response on metropolitan area network equipment. The embodiment also provides a risk personnel marking process, in which marks are produced dynamically when personnel execute commands matched as risk commands and statically from the risk audit cycle; the dynamic and static methods complement each other so that risk personnel are discovered and identified in time, reducing the possibility of human error. A risk command is identified over its whole life cycle, that is, risk commands are accumulated and activated, the dynamic updating of risk commands is increased, and the regular expressions of risk commands are updated dynamically.

The embodiment of the present application also provides a non-volatile storage medium that includes a stored computer program, wherein the device on which the non-volatile storage medium is located executes the following instruction processing method by running the computer program: obtaining the network command detected by a target monitoring task, where the network command is generated by a network device and the target monitoring task is at least used to perform risk monitoring of the login account of the network device; when the network command is a risk command, processing the network command according to the disposal rule corresponding to the risk command; when the network command is a non-risk command, judging whether the network command is a suspicious risk command; and when the judgment result indicates that the network command is a suspicious risk command, determining the judgment rule corresponding to the network command and performing risk judgment on the network command according to that judgment rule.

The serial numbers of the above embodiments of the present application are for description only and do not indicate the relative merits of the embodiments.

In the above embodiments of the present application, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, reference may be made to the relevant description of other embodiments.

In the several embodiments provided in this application, it should be understood that the disclosed technical content may be implemented in other ways. The device embodiments described above are merely illustrative. For example, the division into units may be a division by logical function, and other divisions are possible in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, units or modules, and may be electrical or take other forms.

The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.

In addition, the functional units in each embodiment of the present application may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.

If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application in essence, the part of it that contributes to the prior art, or all or part of the technical solution may be embodied in the form of a software product stored in a storage medium, including several instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to execute all or part of the steps of the methods described in the embodiments of the present application. The aforementioned storage medium includes a USB flash drive, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk, an optical disk, or any other medium that can store program code.

The above is only the preferred embodiment of the present application. It should be pointed out that a person of ordinary skill in the art can make several improvements and modifications without departing from the principle of the present application, and these improvements and modifications should also be regarded as falling within the protection scope of the present application.

Claims (10)

1. A method for processing instructions, comprising:
the method comprises the steps that a network instruction detected by a target monitoring task is obtained, wherein the network instruction is generated by network equipment, and the target monitoring task is at least used for carrying out risk monitoring on a login account of the network equipment;
processing the network instruction according to a handling rule corresponding to the risk instruction under the condition that the network instruction is the risk instruction;
under the condition that the network instruction is a non-risk instruction, judging whether the network instruction is a risk suspicious instruction or not;
and under the condition that the judgment result indicates that the network instruction is the risk suspicious instruction, determining a judgment rule corresponding to the network instruction, and performing risk judgment on the network instruction according to the judgment rule.
2. The method of claim 1, wherein processing the network instructions according to the handling rules corresponding to the risk instructions comprises:
determining the life stage of the risk instruction to which the network instruction belongs;
when the life stage is the initial life stage, carrying out rollback processing on the network instruction;
under the condition that the life stage is a life transition period, the network instruction is sent to a target object for confirmation;
and storing the network instruction into an area to be confirmed under the condition that the life stage is the life end period.
3. The method of claim 2, wherein determining the life stage of the risk instruction to which the network instruction belongs comprises:
when the network command enters a set area for the first time, determining that the network command is in the initial life stage;
when the probability that the network command in the set area is the risk command is lower than a first threshold value, determining that the network command is in the life transition period;
when the duration of the network instruction in the life transition period exceeds a second threshold, determining that the network instruction is in a life history period;
determining that the network instruction enters a life ending period under the condition that the duration of the network instruction in the life history period is not changed for a preset time;
and determining that the network instruction re-enters the initial life stage when the network instruction in the life transition period and the life history period in the set area is hit by an alarm.
4. The method of claim 1, wherein determining whether the network command is a risk suspicious command comprises:
acquiring a regular matching formula in a database;
performing regular matching on the network instruction and the regular matching formula;
and under the condition that a risk keyword is matched, determining that the network instruction is the risk suspicious instruction.
5. The method of claim 1, wherein determining the decision rule corresponding to the network command comprises:
acquiring path depth information of the network instruction, wherein the path depth information is used for representing information of a directory path where the network instruction is located;
classifying the network instructions according to the path depth information and instruction risk depth judgment criteria to obtain a risk scene category to which the network instructions belong, wherein the instruction risk depth judgment criteria are at least determined by the equipment type and the depth identification of the network equipment;
and determining a judgment rule corresponding to the network command according to the risk scene category to which the network command belongs.
6. The method of claim 5, wherein performing risk determination on the network command according to the determination rule comprises:
under the condition that the risk scene type is a first type, monitoring whether the network equipment corresponding to the network instruction and the network equipment generating the alarm have an association relation or not;
determining that the network instruction of the first category is at risk if the association relation exists;
under the condition that the risk scene type is a second type, sending the network instruction to a target object, and receiving a judgment result returned by the target object, wherein the judgment result is used for indicating whether the network equipment corresponding to the network instruction has an association relation with the network equipment generating the alarm;
determining that the network instruction of the second category is at risk if the judgment result indicates that the association relation exists;
under the condition that the risk scene type is a third type, carrying out risk judgment on the association relation between the network equipment corresponding to the network instruction and the network equipment generating the alarm according to the corresponding relation of the historical command, wherein the corresponding relation of the historical command is the corresponding relation between the network equipment corresponding to the historical network instruction and the network equipment generating the historical alarm;
and determining that the network instruction of the third category is at risk when the risk judgment result indicates that the association relation exists.
7. The method of claim 2, wherein after performing a risk determination on the network command according to the determination rule, the method further comprises:
storing the network instruction hitting the risk instruction or the risk suspicious instruction into a database, and performing periodic fault statistics on a target object corresponding to the network instruction in the database to obtain a fault record corresponding to the target object, wherein the fault record is determined by at least one of the following: the number of network instructions in the early life stage, the number of network instructions in the transitional life stage and the number of network instructions in the end life stage;
when the numerical value corresponding to the fault record exceeds a third threshold value, marking a target object corresponding to the fault record as a first class user, wherein the first class user is used for indicating that the target object is a high-risk user;
and under the condition that the first class of users meet a preset condition, marking the first class of users as second class of users, wherein the second class of users are used for indicating that the target object is a non-high-risk user, and the preset condition is that the first class of users are marked as the second class of users in a continuous preset period.
8. An apparatus for processing instructions, comprising:
the system comprises an acquisition module, a processing module and a processing module, wherein the acquisition module is used for acquiring a network instruction detected by a target monitoring task, the network instruction is generated by network equipment, and the target monitoring task is at least used for carrying out risk monitoring on a login account of the network equipment;
the processing module is used for processing the network instruction according to a handling rule corresponding to the risk instruction under the condition that the network instruction is the risk instruction;
the judging module is used for judging whether the network instruction is a risk suspicious instruction or not under the condition that the network instruction is a non-risk instruction;
and the determining module is used for determining a judgment rule corresponding to the network instruction under the condition that the judgment result indicates that the network instruction is the risk suspicious instruction, and carrying out risk judgment on the network instruction according to the judgment rule.
9. An electronic device, comprising:
a memory for storing program instructions;
a processor, coupled to the memory, for executing program instructions that implement the following functions: acquiring a network instruction detected by a target monitoring task, wherein the network instruction is generated by network equipment, and the target monitoring task is at least used for carrying out risk monitoring on a login account of the network equipment; processing the network instruction according to a handling rule corresponding to the risk instruction under the condition that the network instruction is the risk instruction; under the condition that the network instruction is a non-risk instruction, judging whether the network instruction is a risk suspicious instruction or not; and under the condition that the judgment result indicates that the network instruction is the risk suspicious instruction, determining a judgment rule corresponding to the network instruction, and performing risk judgment on the network instruction according to the judgment rule.
10. A non-volatile storage medium, comprising a stored computer program, wherein a device on which the non-volatile storage medium is located executes a processing method of the instructions of any one of claims 1 to 7 by executing the computer program.
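The following is an added example, not code from the patent, of the risk instruction life cycle of claims 2 and 3: first entry into the set area starts the initial life stage, a risk probability below the first threshold moves the instruction to the transition period, staying there longer than the second threshold moves it to the history period, remaining unchanged there for the preset time moves it to the end period, and an alarm hit in the transition or history period returns it to the initial stage; the disposal action for each stage follows claim 2. The threshold values, the handling chosen for the history period (observation, as in the description) and the timeline are assumptions made for the example; the claims name the thresholds without giving values.

```python
from __future__ import annotations

from datetime import datetime, timedelta
from enum import Enum
from typing import List, Optional, Tuple


class Stage(Enum):
    INITIAL = "initial life stage"
    TRANSITION = "life transition period"
    HISTORY = "life history period"
    END = "life end period"


# The claims name these thresholds but give no values; the values here are assumed.
FIRST_THRESHOLD = 0.3                  # risk probability below which an initial-stage command moves on
SECOND_THRESHOLD = timedelta(days=7)   # time in the transition period before the history period
PRESET_UNCHANGED = timedelta(days=30)  # time unchanged in the history period before the end period


class RiskInstruction:
    """Life-cycle record of one risk instruction (configuration command key) in the set area."""

    def __init__(self, key: str, entered_at: datetime) -> None:
        self.key = key
        self.stage = Stage.INITIAL        # claim 3: first entry into the set area
        self.stage_since = entered_at
        self.risk_probability = 1.0

    def _enter(self, stage: Stage, now: datetime) -> None:
        self.stage, self.stage_since = stage, now

    def update(self, now: datetime, risk_probability: Optional[float] = None,
               alarm_hit: bool = False) -> Stage:
        """Apply the claim 3 transitions for one observation at time `now`."""
        if alarm_hit and self.stage in (Stage.TRANSITION, Stage.HISTORY):
            self._enter(Stage.INITIAL, now)       # an alarm hit sends it back to the start
            return self.stage
        if risk_probability is not None:
            self.risk_probability = risk_probability
        if self.stage is Stage.INITIAL and self.risk_probability < FIRST_THRESHOLD:
            self._enter(Stage.TRANSITION, now)
        elif self.stage is Stage.TRANSITION and now - self.stage_since > SECOND_THRESHOLD:
            self._enter(Stage.HISTORY, now)
        elif self.stage is Stage.HISTORY and now - self.stage_since >= PRESET_UNCHANGED:
            self._enter(Stage.END, now)
        return self.stage

    def dispose(self, command: str) -> Tuple[str, str]:
        """Claim 2 handling of a network instruction that hit this risk instruction."""
        if self.stage is Stage.INITIAL:
            return ("rollback", command)
        if self.stage is Stage.TRANSITION:
            return ("send-to-target-object-for-confirmation", command)
        if self.stage is Stage.END:
            return ("store-in-area-to-be-confirmed", command)
        return ("observe", command)   # history period: kept in the 24-hour observation area (assumed)


# Constructed configuration command key built from the device name quoted in the description.
SAMPLE_KEY = "NE40E|[JX-NC-XJX-BAS-3.MAN.NE40E-X16-bgp]|undo peer 10.0.0.1 enable"


def walk_through() -> List[Stage]:
    """Constructed timeline that visits every stage in order; returns the stages seen."""
    t0 = datetime(2023, 1, 1, 9, 0)
    r = RiskInstruction(SAMPLE_KEY, t0)
    seen = [r.update(t0, risk_probability=0.9)]                              # stays initial
    seen.append(r.update(t0 + timedelta(hours=1), risk_probability=0.2))     # -> transition
    seen.append(r.update(t0 + timedelta(days=5)))                            # still transition
    seen.append(r.update(t0 + timedelta(days=9)))                            # -> history
    seen.append(r.update(t0 + timedelta(days=40)))                           # -> end
    return seen


def alarm_reset_demo() -> tuple:
    """An alarm hit during the transition period sends the instruction back to the initial stage."""
    t0 = datetime(2023, 2, 1, 9, 0)
    r = RiskInstruction(SAMPLE_KEY, t0)
    r.update(t0, risk_probability=0.1)
    before = (r.stage, r.dispose("undo peer 10.0.0.1 enable"))
    r.update(t0 + timedelta(days=1), alarm_hit=True)
    after = (r.stage, r.dispose("undo peer 10.0.0.1 enable"))
    return before, after


if __name__ == "__main__":
    print([s.name for s in walk_through()])
    print(alarm_reset_demo())
```

The probability fed to `update` is the kind of value the big data judgment of the description produces for a command combination; the state machine only compares it with the first threshold, so the clustering and the life cycle can evolve independently.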
CN202211214577.3A 2022-09-30 2022-09-30 Instruction processing method and device, electronic equipment and nonvolatile storage medium Pending CN115589317A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211214577.3A CN115589317A (en) 2022-09-30 2022-09-30 Instruction processing method and device, electronic equipment and nonvolatile storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211214577.3A CN115589317A (en) 2022-09-30 2022-09-30 Instruction processing method and device, electronic equipment and nonvolatile storage medium

Publications (1)

Publication Number Publication Date
CN115589317A true CN115589317A (en) 2023-01-10

Family

ID=84778383

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211214577.3A Pending CN115589317A (en) 2022-09-30 2022-09-30 Instruction processing method and device, electronic equipment and nonvolatile storage medium

Country Status (1)

Country Link
CN (1) CN115589317A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120210158A1 (en) * 2011-02-14 2012-08-16 International Business Machines Corporation Anomaly Detection to Implement Security Protection of a Control System
CN103532760A (en) * 2013-10-18 2014-01-22 北京奇虎科技有限公司 Equipment, system and method for analyzing commands executed on hosts
US20180316706A1 (en) * 2017-04-30 2018-11-01 Splunk Inc. Enabling user definition of custom threat rules in a network security system
CN109714308A (en) * 2018-08-20 2019-05-03 平安普惠企业管理有限公司 The monitoring method of data, device, equipment and readable storage medium storing program for executing in the network architecture

Similar Documents

Publication Publication Date Title
CN108734201B (en) Classification method and system for experience feedback events of nuclear power plant based on hierarchical reason analysis method
CN109347853B (en) Anomaly detection method for integrated electronic system based on deep packet analysis
CN118094531B (en) Safe operation and maintenance real-time early warning integrated system
CN117439916A (en) Network security test evaluation system and method
CN111754241A (en) User behavior perception method, device, equipment and medium
CN109634802A (en) Process monitoring method and terminal device
TWI812491B (en) System and method for cybersecurity threat detection and early warning
CN105825130B (en) A kind of information security early warning method and device
WO2020211251A1 (en) Monitoring method and apparatus for operating system
CN115686756A (en) Virtual machine migration method and device, storage medium and electronic equipment
CN117657912B (en) Building site construction lifter monitoring system and method
CN115296914A (en) Network security analysis system
CN119071049A (en) A method for monitoring secure access to Internet of Things servers
CN115589317A (en) Instruction processing method and device, electronic equipment and nonvolatile storage medium
CN118673500A (en) Intelligent terminal-based risk detection and assessment system and method
CN118101337A (en) Intelligent defense method and system for railway network space based on information collaboration
TWM630660U (en) System for actively detecting risk of database
CN114548769A (en) Intelligent power grid IT asset big data monitoring system and method
CN118445755B (en) Intelligent fire-fighting open access method based on AI large model recognition algorithm
CN119155177B (en) A method and system for building a network server
CN115967548B (en) Safety protection index optimization method based on big data information safety and artificial intelligence system
CN118691096B (en) A method and device for electric power construction safety control based on knowledge graph
CN102915420A (en) Synergetic security audit and situation evaluation system based on dynamic audit domain models
TW202409868A (en) Internet of vehicles message flow detection system and method thereof for analyzing malicious behavior
CN118540137A (en) Container escape detection method and detection system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination