CN106961410A - Abnormal access detection method and device - Google Patents

Abnormal access detection method and device

Info

Publication number
CN106961410A
Authority
CN
China
Prior art keywords
url
downstream
access
address
accessed
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201610012366.XA
Other languages
Chinese (zh)
Other versions
CN106961410B (en)
Inventor
刘宇江
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Advanced New Technologies Co Ltd
Advantageous New Technologies Co Ltd
Original Assignee
Alibaba Group Holding Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alibaba Group Holding Ltd filed Critical Alibaba Group Holding Ltd
Priority to CN201610012366.XA priority Critical patent/CN106961410B/en
Publication of CN106961410A publication Critical patent/CN106961410A/en
Application granted granted Critical
Publication of CN106961410B publication Critical patent/CN106961410B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Abstract

The application relates to the field of Internet technology, and in particular to an abnormal access detection method and device for detecting URLs that are subject to abnormal access. The abnormal access detection method provided by the embodiments of the application includes: determining the bypass rate of a first URL according to the out-degree and in-degree of the first URL; if the bypass rate of the first URL is greater than a set bypass-rate threshold, judging whether the downstream URL of the first URL is a URL accessed by normal polling; if the downstream URL is a URL accessed by normal polling, determining that the downstream URL has no abnormal access; and if the downstream URL is not a URL accessed by normal polling, determining that the downstream URL has abnormal access.

Description

Abnormal access detection method and device
Technical field
The application relates to the field of Internet technology, and in particular to an abnormal access detection method and device.
Background
With the development of Internet information technology, users' visits to websites keep increasing, and the security of website access is becoming more and more important. Detecting the URLs (Uniform Resource Locator, URL) in a website that are subject to abnormal access is very necessary for carrying out targeted risk prevention and control.
Access to a normal business link usually follows a logical order. For example, suppose a business link contains three URLs, A, B and C, and the call order of the link is A → B → C; that is, B can only be entered from A, and C can only be entered from B. A malicious user may bypass the normal business logic in which A is the only entrance and access B directly, and then, by changing some permission parameters in B, obtain the private information of other legitimate users.
At present, abnormal access to a URL is generally detected by checking whether a malicious user has accessed the URL a large number of times in a short period using the same Internet Protocol (IP) address; if so, the URL is considered to have abnormal access. However, if a malicious user uses multiple IP addresses to access the URL over a long period, or changes IP address after a few hundred rapid accesses, this mechanism cannot detect it.
Summary of the invention
The embodiments of the application provide an abnormal access detection method and device for detecting URLs that are subject to abnormal access.
The embodiments of the application provide an abnormal access detection method, including:
determining the bypass rate of a first Uniform Resource Locator (URL) according to the out-degree and in-degree of the first URL; wherein the out-degree of the first URL is the number of accesses from the first URL to the downstream URL of the first URL, the in-degree of the first URL is the number of accesses from the upstream URL of the first URL to the first URL, and the bypass rate of the first URL reflects how far the downstream URL of the first URL is accessed directly without going through the first URL;
if the bypass rate of the first URL is greater than a set bypass-rate threshold, judging whether the downstream URL of the first URL is a URL accessed by normal polling; if the downstream URL is a URL accessed by normal polling, determining that the downstream URL has no abnormal access; and if the downstream URL is not a URL accessed by normal polling, determining that the downstream URL has abnormal access.
Optionally, judging whether the downstream URL of the first URL is a URL accessed by normal polling includes:
determining the mean access time interval corresponding to the downstream URL according to the access time intervals respectively corresponding to multiple Internet Protocol (IP) addresses that access the downstream URL;
if the mean access time interval is less than a set duration, determining that the downstream URL is not a URL accessed by normal polling;
if the mean access time interval is greater than or equal to the set duration, determining the standard deviation of the access time intervals respectively corresponding to the multiple IP addresses; if the standard deviation is greater than a set standard-deviation threshold, determining that the downstream URL is not a URL accessed by normal polling; and if the standard deviation is less than or equal to the set standard-deviation threshold, determining that the downstream URL is a URL accessed by normal polling.
Optionally, the access time interval corresponding to each of the multiple IP addresses is determined according to the following step:
for each IP address among the multiple IP addresses, taking the mode of the multiple access time intervals corresponding to that IP address as the access time interval corresponding to that IP address.
Optionally, the multiple IP addresses that access the downstream URL are selected according to the following step:
from the recorded IP addresses that access the downstream URL, selecting the IP addresses whose access count is greater than a first threshold and less than a second threshold.
Optionally, the bypass rate μ of the first URL is determined according to the following formula:
$$\mu = (\lambda_1 - \lambda_2) / \lambda_2$$
where $\lambda_1$ is the out-degree of the first URL and $\lambda_2$ is the in-degree of the first URL.
The embodiments of the application provide an abnormal access detection device, including:
a bypass-rate determining module, configured to determine the bypass rate of a first Uniform Resource Locator (URL) according to the out-degree and in-degree of the first URL; wherein the out-degree of the first URL is the number of accesses from the first URL to the downstream URL of the first URL, the in-degree of the first URL is the number of accesses from the upstream URL of the first URL to the first URL, and the bypass rate of the first URL reflects how far the downstream URL of the first URL is accessed directly without going through the first URL;
an abnormal access determining module, configured to judge, if the bypass rate of the first URL is greater than a set bypass-rate threshold, whether the downstream URL of the first URL is a URL accessed by normal polling; if the downstream URL is a URL accessed by normal polling, to determine that the downstream URL has no abnormal access; and if the downstream URL is not a URL accessed by normal polling, to determine that the downstream URL has abnormal access.
The embodiments of the application determine the bypass rate of the first URL according to the out-degree and in-degree of the first URL; if the bypass rate of the first URL is greater than the set bypass-rate threshold, it is judged whether the downstream URL of the first URL is a URL accessed by normal polling; if the downstream URL is a URL accessed by normal polling, it is determined that the downstream URL has no abnormal access, and if the downstream URL is not a URL accessed by normal polling, it is determined that the downstream URL has abnormal access. In the embodiments of the application, if the bypass rate of a URL is greater than the set bypass-rate threshold and the downstream URL of that URL is not a URL accessed by normal polling, the downstream URL has abnormal access. The application can effectively detect URLs that malicious users access by bypassing the normal business logic, whether through long-term access using multiple IP addresses or by changing IP address after a few hundred rapid accesses.
Brief description of the drawings
Fig. 1 is a flowchart of the abnormal access detection method provided by the embodiments of the application;
Fig. 2 is a schematic diagram of a business link;
Fig. 3 is a schematic structural diagram of the abnormal access detection device provided by the embodiments of the application.
Detailed description
Suppose a business link contains three URLs, A, B and C, and the call order of the link is A → B → C. Because a business link may fail during access, or the user may exit voluntarily without completing it, in general the number of calls to A ≥ the number of calls to B ≥ the number of calls to C. If instead the number of calls to B ≥ the number of calls to A ≥ the number of calls to C, then B, the URL accessed in large volume, has probably been reached by bypassing the normal business logic in which A is the only entrance. Based on this, for a business link, the embodiments of the application first use the bypass rate of a URL to judge whether the downstream URL of that URL may have abnormal access: if the bypass rate of the URL is greater than the set bypass-rate threshold, the downstream URL of the URL may have abnormal access, and it is then further judged whether the downstream URL is a URL accessed by normal polling; if it is not, the downstream URL has abnormal access. The application can effectively detect URLs that malicious users access by bypassing the normal business logic, whether through long-term access using multiple IP addresses or by changing IP address after a few hundred rapid accesses.
The embodiments of the application are described in further detail below with reference to the accompanying drawings.
Fig. 1 shows a flowchart of the abnormal access detection method provided by the embodiments of the application, which includes the following steps:
S101: Determine the bypass rate of the first URL according to the out-degree and in-degree of the first URL.
In a specific implementation, for a URL in a business link, the number of accesses from the URL to its downstream URL is defined as the out-degree of the URL, and the number of accesses from the upstream URL of the URL to the URL is defined as the in-degree of the URL; the bypass rate of the URL reflects how far the downstream URL of the URL is accessed directly without going through the URL.
As shown in Fig. 2, in a business link, a URL that has only a downstream URL and no upstream URL is a starting URL (such as URL1 in Fig. 2); a URL that has both an upstream URL and a downstream URL is an intermediate URL (such as URL2 in Fig. 2); and a URL that has only an upstream URL and no downstream URL is a leaf URL (such as URL3 in Fig. 2). The out-degree of a URL's upstream URL is the in-degree of that URL, and the in-degree of a URL's downstream URL is the out-degree of that URL. The out-degree of a starting URL is greater than 0 and its in-degree is 0; for example, URL1 in Fig. 2 has an out-degree of 1000 and an in-degree of 0. The in-degree of a leaf URL is greater than 0 and its out-degree is 0; for example, URL3 in Fig. 2 has an in-degree of 100000. The in-degree and out-degree of an intermediate URL are both greater than 0; for example, URL2 in Fig. 2 has an in-degree of 1000 and an out-degree of 100000.
In a specific implementation, the bypass rate of a URL is determined according to its out-degree and in-degree. Because the bypass rate reflects how far the downstream URL of the URL is accessed directly without going through the URL, it can be determined from the difference between the URL's out-degree and in-degree. For example, the bypass rate can be expressed as the ratio of out-degree to in-degree; in this case the bypass rate of a starting URL is infinite and the bypass rate of a leaf URL is 0. As another example, the bypass rate can be expressed as the ratio of the difference between out-degree and in-degree to the in-degree, that is, the bypass rate μ of the URL satisfies $\mu = (\lambda_1 - \lambda_2) / \lambda_2$, where $\lambda_1$ is the out-degree of the URL and $\lambda_2$ is the in-degree of the URL; in this case the bypass rate of a starting URL is infinite and the bypass rate of a leaf URL is -1.
In the embodiments of the application, the first URL is an intermediate URL, and the downstream URL of the first URL may be an intermediate URL or a leaf URL.
S102: Compare the bypass rate of the first URL with the set bypass-rate threshold; if the bypass rate of the first URL is less than or equal to the set bypass-rate threshold, go to S104, that is, determine that the downstream URL of the first URL has no abnormal access.
In a specific implementation, for a URL with a low bypass rate, the downstream URL of that URL is considered to have no abnormal access.
S103: If the bypass rate of the first URL is greater than the set bypass-rate threshold, judge whether the downstream URL of the first URL is a URL accessed by normal polling; if the downstream URL is a URL accessed by normal polling, go to S104, that is, determine that the downstream URL has no abnormal access; if the downstream URL is not a URL accessed by normal polling, go to S105, that is, determine that the downstream URL has abnormal access.
In a specific implementation, if the bypass rate of the first URL is greater than the set bypass-rate threshold, there are two possible cases:
1. The downstream URL of the first URL is being accessed in large volume by bypassing the normal business logic, that is, abnormal access exists.
2. The downstream URL of the first URL is a URL accessed by normal polling.
Here, for a first URL with a high bypass rate, if the downstream URL of the first URL is a URL accessed by normal polling, then the direct accesses to the downstream URL that bypass the first URL are normal accesses. For example, if a user stays on a page that displays unread messages (such as a mailbox inbox page), the system refreshes the unread messages once every 5 s; the automatic polling accesses in this case are obviously normal accesses.
Because the access time interval of a URL accessed by normal polling is generally set by the system, such a URL usually has an obvious feature: the access time intervals of different IP addresses are relatively fixed. For example, the system generally reads unread messages at a fixed time interval. Therefore, whether a URL is accessed by normal polling can be judged from the time intervals at which different IP addresses access the URL.
In one embodiment, the specific steps for judging whether the downstream URL of the first URL is a URL accessed by normal polling are:
S103a: Determine the mean access time interval corresponding to the downstream URL according to the access time intervals respectively corresponding to multiple IP addresses that access the downstream URL of the first URL.
In practice, multiple users in an enterprise may share the same IP address; in such cases the number of times a URL is accessed by the same IP address is usually very large (usually more than 1000 times). In addition, IP addresses with few accesses contribute little to identifying polling access. Based on this, to further improve the recognition of normal polling access, the embodiments of the application screen the IP addresses that access the downstream URL. Specifically, from the recorded IP addresses that access the downstream URL, multiple IP addresses whose access count is greater than a first threshold (such as 10) and less than a second threshold (such as 1000) are selected, and the users of these IP addresses are provisionally treated as normal individual users; then, based on the selected IP addresses, it is judged whether the downstream URL is a URL accessed by normal polling.
In a specific implementation, for each selected IP address, the mode of the multiple access time intervals corresponding to that IP address can be taken as the access time interval corresponding to that IP address. The mode here is the access time interval that occurs most often among the recorded access time intervals of the IP address; if several access time intervals occur equally often, any one of them can be chosen as the access time interval corresponding to the IP address.
S103b: Compare the mean access time interval with the set duration; if the mean access time interval is less than the set duration, go to S103e, that is, determine that the downstream URL is not a URL accessed by normal polling.
In a specific implementation, a malicious user may use the same or different IP addresses to access the downstream URL hundreds of times within a very short time (such as 1 s) (after a burst of hundreds of accesses, the malicious user's IP address is blocked, or the user changes it and continues accessing). If access time intervals are recorded only to a precision of 1 s, the recorded access time interval of such an IP address is 0. In this case, although the recorded access time intervals of the IP addresses accessing the downstream URL are relatively fixed (all 0), this is obviously not polling access. Therefore, the embodiments of the application directly classify a URL whose mean access time interval over the corresponding IP addresses is less than the set duration (such as 1 s) as a URL with abnormal access.
S103c: If the mean access time interval is greater than or equal to the set duration, determine the standard deviation of the access time intervals respectively corresponding to the multiple IP addresses.
Here, the standard deviation σ of the access time intervals respectively corresponding to the selected IP addresses satisfies the following formula:
where $x_i$ is the access time interval of the i-th IP address, $\mu$ is the mean access time interval corresponding to the selected IP addresses, and $N$ is the number of selected IP addresses.
S103d: Compare the standard deviation with the set standard-deviation threshold. If the standard deviation is greater than the set standard-deviation threshold (such as 1000), go to S103e, that is, determine that the downstream URL is not a URL accessed by normal polling. If the standard deviation is less than or equal to the set standard-deviation threshold, go to S103f, that is, determine that the downstream URL is a URL accessed by normal polling.
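Steps S101 to S103d, written out in Python as an added example (not code from the patent). The bypass-rate threshold of 1.0, the use of the population standard deviation, whole-second intervals in seconds, and the sample access records are assumptions; the other thresholds are the values the text gives as examples.

```python
"""Bypass-rate screening followed by the normal-polling check (S101 to S103d)."""
from collections import Counter
from statistics import mean, pstdev

# Thresholds. The text offers 10, 1000, 1 s and 1000 only as examples ("such as");
# the bypass-rate threshold and the unit of the standard deviation are assumptions.
BYPASS_RATE_THRESHOLD = 1.0      # assumption: the page gives no value
FIRST_THRESHOLD = 10             # per-IP access count must be greater than this
SECOND_THRESHOLD = 1000          # ... and less than this (shared enterprise IPs)
SET_DURATION = 1.0               # seconds; a mean interval below this is not polling
STDDEV_THRESHOLD = 1000.0        # assumed to be in seconds


def bypass_rate(out_degree, in_degree):
    """S101: mu = (lambda1 - lambda2) / lambda2."""
    if in_degree == 0:           # starting URL: the text calls this rate infinite
        return float("inf")
    return (out_degree - in_degree) / in_degree


def ip_interval(timestamps):
    """Mode of the whole-second gaps between one IP's consecutive accesses.

    On a tie the first gap value seen is used; the text allows picking any one.
    """
    ordered = sorted(timestamps)
    gaps = [int(later - earlier) for earlier, later in zip(ordered, ordered[1:])]
    return Counter(gaps).most_common(1)[0][0]


def is_normal_polling(hits_by_ip):
    """S103a to S103d for one downstream URL; hits_by_ip maps IP -> timestamps."""
    selected = [ts for ts in hits_by_ip.values()
                if FIRST_THRESHOLD < len(ts) < SECOND_THRESHOLD]
    if not selected:
        return False             # assumption: with no usable IPs, polling is unproven
    intervals = [ip_interval(ts) for ts in selected]
    if mean(intervals) < SET_DURATION:                 # S103b: burst traffic
        return False
    # Population standard deviation is an assumption; the formula is not on the page.
    return pstdev(intervals) <= STDDEV_THRESHOLD       # S103c / S103d


def detect(out_degree, in_degree, downstream_hits):
    """Return 'abnormal' or 'normal' for the downstream URL of the first URL."""
    if bypass_rate(out_degree, in_degree) <= BYPASS_RATE_THRESHOLD:   # S102
        return "normal"
    return "normal" if is_normal_polling(downstream_hits) else "abnormal"  # S103


# Constructed sample records (epoch seconds per source IP), not data from the patent.
# 20 clients refreshing an inbox every 5 s, 50 requests each.
POLLING_HITS = {f"10.0.0.{i}": [1000 + 5 * k for k in range(50)] for i in range(20)}
# 5 addresses each sending 300 requests inside the same second, then going quiet.
BURST_HITS = {f"192.0.2.{i}": [2000] * 300 for i in range(5)}
# 5 addresses, 12 requests each, paced at very different intervals over a long period.
SLOW_HITS = {f"198.51.100.{i}": [3000 + gap * k for k in range(12)]
             for i, gap in enumerate([60, 1800, 3600, 7200, 14400])}

if __name__ == "__main__":
    # Degrees of URL2 in Fig. 2: in-degree 1000, out-degree 100000.
    for name, hits in [("polling", POLLING_HITS), ("burst", BURST_HITS),
                       ("slow", SLOW_HITS)]:
        print(name, detect(100000, 1000, hits))
```

The burst case is rejected by the mean-interval check (every interval is 0), while the slow multi-IP case passes that check and is rejected only by the standard deviation, which is why the method needs both tests.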
Based on the same inventive concept, the embodiments of the application also provide an abnormal access detection device corresponding to the abnormal access detection method. Because the principle by which the device solves the problem is similar to that of the abnormal access detection method of the embodiments of the application, the implementation of the device may refer to the implementation of the method, and repeated parts are not described again.
Fig. 3 shows a schematic structural diagram of the abnormal access detection device provided by the embodiments of the application, which includes:
a bypass-rate determining module 31, configured to determine the bypass rate of a first Uniform Resource Locator (URL) according to the out-degree and in-degree of the first URL; wherein the out-degree of the first URL is the number of accesses from the first URL to the downstream URL of the first URL, the in-degree of the first URL is the number of accesses from the upstream URL of the first URL to the first URL, and the bypass rate of the first URL reflects how far the downstream URL of the first URL is accessed directly without going through the first URL;
an abnormal access determining module 32, configured to judge, if the bypass rate of the first URL is greater than the set bypass-rate threshold, whether the downstream URL of the first URL is a URL accessed by normal polling; if the downstream URL is a URL accessed by normal polling, to determine that the downstream URL has no abnormal access; and if the downstream URL is not a URL accessed by normal polling, to determine that the downstream URL has abnormal access.
Optionally, the abnormal access determining module 32 is specifically configured to:
determine the mean access time interval corresponding to the downstream URL according to the access time intervals respectively corresponding to multiple Internet Protocol (IP) addresses that access the downstream URL; if the mean access time interval is less than the set duration, determine that the downstream URL is not a URL accessed by normal polling; if the mean access time interval is greater than or equal to the set duration, determine the standard deviation of the access time intervals respectively corresponding to the multiple IP addresses; if the standard deviation is greater than the set standard-deviation threshold, determine that the downstream URL is not a URL accessed by normal polling; and if the standard deviation is less than or equal to the set standard-deviation threshold, determine that the downstream URL is a URL accessed by normal polling.
Optionally, the abnormal access determining module 32 is specifically configured to determine the access time interval corresponding to each of the multiple IP addresses according to the following step:
for each IP address among the multiple IP addresses, taking the mode of the multiple access time intervals corresponding to that IP address as the access time interval corresponding to that IP address.
Optionally, the abnormal access determining module 32 is specifically configured to select the multiple IP addresses that access the downstream URL according to the following step:
from the recorded IP addresses that access the downstream URL, selecting the IP addresses whose access count is greater than a first threshold and less than a second threshold.
Optionally, the bypass-rate determining module 31 is specifically configured to determine the bypass rate μ of the first URL according to the following formula:
$$\mu = (\lambda_1 - \lambda_2) / \lambda_2$$
where $\lambda_1$ is the out-degree of the first URL and $\lambda_2$ is the in-degree of the first URL.
Those skilled in the art should understand that the embodiments of the application may be provided as a method, a system or a computer program product. Therefore, the application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, the application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM, optical storage and the like) containing computer-usable program code.
The application is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to the embodiments of the application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, and the instruction device implements the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operation steps are performed on the computer or other programmable device to produce computer-implemented processing, and the instructions executed on the computer or other programmable device thereby provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the application have been described, those skilled in the art can make other changes and modifications to these embodiments once they learn the basic inventive concept. Therefore, the appended claims are intended to be construed as including the preferred embodiments and all changes and modifications that fall within the scope of the application.
Obviously, those skilled in the art can make various changes and variations to the application without departing from the spirit and scope of the application. Thus, if these modifications and variations of the application fall within the scope of the claims of the application and their technical equivalents, the application is also intended to include these changes and variations.

Claims (10)

1. An abnormal access detection method, characterized by comprising:
determining the bypass rate of a first Uniform Resource Locator (URL) according to the out-degree and in-degree of the first URL; wherein the out-degree of the first URL is the number of accesses from the first URL to the downstream URL of the first URL, the in-degree of the first URL is the number of accesses from the upstream URL of the first URL to the first URL, and the bypass rate of the first URL reflects how far the downstream URL of the first URL is accessed directly without going through the first URL;
if the bypass rate of the first URL is greater than a set bypass-rate threshold, judging whether the downstream URL of the first URL is a URL accessed by normal polling; if the downstream URL is a URL accessed by normal polling, determining that the downstream URL has no abnormal access; and if the downstream URL is not a URL accessed by normal polling, determining that the downstream URL has abnormal access.
2. The method of claim 1, characterized in that judging whether the downstream URL of the first URL is a URL accessed by normal polling comprises:
determining the mean access time interval corresponding to the downstream URL according to the access time intervals respectively corresponding to multiple Internet Protocol (IP) addresses that access the downstream URL;
if the mean access time interval is less than a set duration, determining that the downstream URL is not a URL accessed by normal polling;
if the mean access time interval is greater than or equal to the set duration, determining the standard deviation of the access time intervals respectively corresponding to the multiple IP addresses; if the standard deviation is greater than a set standard-deviation threshold, determining that the downstream URL is not a URL accessed by normal polling; and if the standard deviation is less than or equal to the set standard-deviation threshold, determining that the downstream URL is a URL accessed by normal polling.
3. The method of claim 2, characterized in that the access time interval corresponding to each of the multiple IP addresses is determined according to the following step:
for each IP address among the multiple IP addresses, taking the mode of the multiple access time intervals corresponding to that IP address as the access time interval corresponding to that IP address.
4. The method of claim 2 or 3, characterized in that the multiple IP addresses that access the downstream URL are selected according to the following step:
from the recorded IP addresses that access the downstream URL, selecting the IP addresses whose access count is greater than a first threshold and less than a second threshold.
5. The method of claim 1, characterized in that the bypass rate μ of the first URL is determined according to the following formula:
$$\mu = (\lambda_1 - \lambda_2) / \lambda_2$$
where $\lambda_1$ is the out-degree of the first URL and $\lambda_2$ is the in-degree of the first URL.
6. An abnormal access detection device, characterised in that it comprises:
A bypass rate determining module, configured to determine the bypass rate of a first uniform resource locator (URL) according to the out-degree and in-degree of the first URL; wherein the out-degree of the first URL refers to the number of accesses from the first URL to the downstream URL of the first URL, and the in-degree of the first URL refers to the number of accesses from the upstream URL of the first URL to the first URL; the bypass rate of the first URL reflects the situation in which the downstream URL of the first URL is accessed directly without passing through the first URL;
An abnormal access determining module, configured to: if the bypass rate of the first URL is greater than a set bypass rate threshold, judge whether the downstream URL of the first URL is a URL accessed by normal polling; if the downstream URL is a URL accessed by normal polling, determine that no abnormal access exists for the downstream URL; if the downstream URL is not a URL accessed by normal polling, determine that abnormal access exists for the downstream URL.
7. The device as claimed in claim 6, characterised in that the abnormal access determining module is specifically configured to:
Determine the mean access time interval corresponding to the downstream URL according to the access time intervals respectively corresponding to multiple Internet Protocol (IP) addresses that access the downstream URL; if the mean access time interval is less than the set duration, determine that the downstream URL is not a URL accessed by normal polling; if the mean access time interval is greater than or equal to the set duration, determine the standard deviation of the access time intervals respectively corresponding to the multiple IP addresses; if the standard deviation is greater than the set standard deviation threshold, determine that the downstream URL is not a URL accessed by normal polling; if the standard deviation is less than or equal to the set standard deviation threshold, determine that the downstream URL is a URL accessed by normal polling.
8. The device as claimed in claim 7, characterised in that the abnormal access determining module is specifically configured to determine the access time interval corresponding to each IP address of the multiple IP addresses according to the following step:
For each IP address of the multiple IP addresses, the mode of the multiple access time intervals corresponding to that IP address is taken as the access time interval corresponding to that IP address.
9. The device as claimed in claim 7 or 8, characterised in that the abnormal access determining module is specifically configured to select the multiple IP addresses accessing the downstream URL according to the following step:
From the recorded IP addresses that access the downstream URL, choose the IP addresses whose access count is greater than a first threshold and less than a second threshold.
10. The device as claimed in claim 6, characterised in that the bypass rate determining module is specifically configured to determine the bypass rate μ of the first URL according to the following formula:
μ = (λ1 − λ2) / λ2
where λ1 is the out-degree of the first URL and λ2 is the in-degree of the first URL.
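The decision procedure laid out in the claims above can be followed end to end in a short Python sketch; this is an added example, not code from the patent or its applicant. All function names, the sample access times and the threshold values are constructed, and three points the claims leave open are handled by assumption: λ2 = 0, the use of the population standard deviation, and the result when the bypass rate does not exceed its threshold.

```python
import math
from statistics import mean, mode, pstdev

def bypass_rate(out_degree, in_degree):
    """Claims 5/10: mu = (lambda1 - lambda2) / lambda2."""
    if in_degree == 0:
        # Assumption: the claims do not define lambda2 = 0; treat as unbounded.
        return math.inf if out_degree > 0 else 0.0
    return (out_degree - in_degree) / in_degree

def select_ips(times_by_ip, first_threshold, second_threshold):
    """Claims 4/9: keep IPs with first_threshold < access count < second_threshold."""
    return {ip: sorted(ts) for ip, ts in times_by_ip.items()
            if max(first_threshold, 1) < len(ts) < second_threshold}

def ip_interval(timestamps):
    """Claims 3/8: mode of one IP's consecutive access intervals, in seconds."""
    return mode([b - a for a, b in zip(timestamps, timestamps[1:])])

def is_normal_polling(times_by_ip, set_duration, stdev_threshold,
                      first_threshold, second_threshold):
    """Claims 2/7: mean-interval check, then standard-deviation check."""
    chosen = select_ips(times_by_ip, first_threshold, second_threshold)
    intervals = [ip_interval(ts) for ts in chosen.values()]
    if not intervals:
        return False  # Assumption: with no eligible IPs, polling is unproven.
    if mean(intervals) < set_duration:
        return False
    return pstdev(intervals) <= stdev_threshold  # Assumption: population std dev.

def has_abnormal_access(out_degree, in_degree, times_by_ip, rate_threshold, **poll):
    """Claims 1/6: only a bypass rate above the threshold triggers the polling test."""
    if bypass_rate(out_degree, in_degree) <= rate_threshold:
        return False  # Assumption: at or below the threshold nothing is flagged.
    return not is_normal_polling(times_by_ip, **poll)

# Constructed sample data: access times in seconds per client IP.
POLLING = {f"192.0.2.{i}": list(range(i, 300 + i, 30)) for i in (1, 2, 3)}
BURST = {"198.51.100.7": list(range(0, 20)), "198.51.100.8": list(range(0, 40, 2))}
ERRATIC = {"203.0.113.1": list(range(0, 300, 30)),
           "203.0.113.2": list(range(0, 3000, 300)),
           "203.0.113.3": list(range(0, 9000, 900))}
# Constructed thresholds; the claims leave all of them as settings.
POLL = dict(set_duration=10, stdev_threshold=5, first_threshold=5, second_threshold=100)

if __name__ == "__main__":
    for name, data in (("polling", POLLING), ("burst", BURST), ("erratic", ERRATIC)):
        print(name, has_abnormal_access(900, 100, data, rate_threshold=2, **POLL))
```

The three constructed data sets exercise each branch: steady 30-second polling passes both checks, the burst set fails the mean-interval check, and the erratic set passes the mean check but fails on standard deviation.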
CN201610012366.XA 2016-01-08 2016-01-08 Abnormal access detection method and device Active CN106961410B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610012366.XA CN106961410B (en) 2016-01-08 2016-01-08 Abnormal access detection method and device

Publications (2)

Publication Number Publication Date
CN106961410A true CN106961410A (en) 2017-07-18
CN106961410B CN106961410B (en) 2020-02-18

Family

ID=59480588

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610012366.XA Active CN106961410B (en) 2016-01-08 2016-01-08 Abnormal access detection method and device

Country Status (1)

Country Link
CN (1) CN106961410B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1246082A2 (en) * 2001-03-30 2002-10-02 Xerox Corporation Systems and methods for identifying user types using multi-modal clustering and information scent
CN1578950A (en) * 2001-10-30 2005-02-09 国际商业机器公司 Method for conducting collaboration between computers on network, system, and computer program
CN101547197A (en) * 2009-04-30 2009-09-30 珠海金山软件股份有限公司 A URL washing device and a washing method
CN104052811A (en) * 2014-06-17 2014-09-17 华为技术有限公司 Service scheduling method and device and system
CN104104554A (en) * 2013-04-10 2014-10-15 深圳市腾讯计算机***有限公司 Life cycle method and apparatus for detecting data access request
CN104113519A (en) * 2013-04-16 2014-10-22 阿里巴巴集团控股有限公司 Network attack detection method and device thereof
CN104135474A (en) * 2014-07-18 2014-11-05 国家计算机网络与信息安全管理中心 Network anomaly behavior detection method based on out-degree and in-degree of host
CN104811459A (en) * 2014-01-23 2015-07-29 阿里巴巴集团控股有限公司 Processing method, processing device and system for message services and message service system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
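张小刚 (Zhang Xiaogang): "Analysis of network abnormal behavior based on host out-degree and in-degree", 《无线互联科技》 (Wireless Internet Technology) *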

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108011881A (en) * 2017-12-05 2018-05-08 北京明朝万达科技股份有限公司 It is a kind of based on the slow leakage detection method of sensitive data adaptively perceived and system
CN108011881B (en) * 2017-12-05 2020-07-10 北京明朝万达科技股份有限公司 Sensitive data slow leakage detection method and system based on self-adaptive sensing
CN108683678A (en) * 2018-05-28 2018-10-19 北京天地和兴科技有限公司 A kind of abnormal behaviour prediction technique of Behavior-based control cooperative awareness model
CN110516170A (en) * 2018-07-06 2019-11-29 北京白山耘科技有限公司 A kind of method and device checking exception web access
CN110516170B (en) * 2018-07-06 2020-04-28 北京白山耘科技有限公司 Method and device for checking abnormal web access
CN109167773A (en) * 2018-08-22 2019-01-08 杭州安恒信息技术股份有限公司 A kind of access exception detection method and system based on Markov model
CN109167773B (en) * 2018-08-22 2021-01-26 杭州安恒信息技术股份有限公司 Access anomaly detection method and system based on Markov model
CN113711559A (en) * 2019-04-16 2021-11-26 北京嘀嘀无限科技发展有限公司 System and method for detecting anomalies
CN113711559B (en) * 2019-04-16 2023-09-29 北京嘀嘀无限科技发展有限公司 System and method for detecting anomalies
CN111885001A (en) * 2020-06-24 2020-11-03 国家计算机网络与信息安全管理中心 Abnormal login behavior recognition method, controller and medium

Also Published As

Publication number Publication date
CN106961410B (en) 2020-02-18

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20200927

Address after: Cayman Enterprise Centre, 27 Hospital Road, George Town, Grand Cayman Islands

Patentee after: Innovative advanced technology Co.,Ltd.

Address before: Cayman Enterprise Centre, 27 Hospital Road, George Town, Grand Cayman Islands

Patentee before: Advanced innovation technology Co.,Ltd.

Effective date of registration: 20200927

Address after: Cayman Enterprise Centre, 27 Hospital Road, George Town, Grand Cayman Islands

Patentee after: Advanced innovation technology Co.,Ltd.

Address before: Cayman Islands Grand Cayman capital building, a four storey No. 847 mailbox

Patentee before: Alibaba Group Holding Ltd.
