CN108667855A - Network traffic anomaly monitor method, apparatus, electronic equipment and storage medium - Google Patents

Network traffic anomaly monitor method, apparatus, electronic equipment and storage medium Download PDF

Info

Publication number
CN108667855A
CN108667855A CN201810797725.6A CN201810797725A CN108667855A CN 108667855 A CN108667855 A CN 108667855A CN 201810797725 A CN201810797725 A CN 201810797725A CN 108667855 A CN108667855 A CN 108667855A
Authority
CN
China
Prior art keywords
data
resource
illegal
network traffic
target
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201810797725.6A
Other languages
Chinese (zh)
Other versions
CN108667855B (en
Inventor
刘俊启
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Baidu Online Network Technology Beijing Co Ltd
Beijing Baidu Netcom Science and Technology Co Ltd
Original Assignee
Beijing Baidu Netcom Science and Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Baidu Netcom Science and Technology Co Ltd filed Critical Beijing Baidu Netcom Science and Technology Co Ltd
Priority to CN201810797725.6A priority Critical patent/CN108667855B/en
Publication of CN108667855A publication Critical patent/CN108667855A/en
Application granted granted Critical
Publication of CN108667855B publication Critical patent/CN108667855B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • H04L63/0245Filtering by information in the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/06Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

A kind of Network traffic anomaly monitor method, apparatus of the application proposition, electronic equipment and storage medium, belong to field of computer technology.Wherein, this method includes:Page load request is obtained, load request includes target pages mark;It is identified according to target pages, determines target downloading data amount;When recording page load, the attribute information of each data of actual download, wherein attribute information includes the data volume of each data of actual download and corresponding resource data;Judge whether the total amount of data of each data of actual download is more than target downloading data amount;If so, sending exception of network traffic message to server, wherein unexpected message includes the corresponding resource data of invalid data.It as a result, by this Network traffic anomaly monitor method, realizes and determines that invalid data, monitoring network traffic exception have not only saved computing cost using client, improve timeliness, and ensure that the information and property safety of user, improve user experience.

Description

Network traffic anomaly monitor method, apparatus, electronic equipment and storage medium
Technical field
This application involves field of computer technology more particularly to a kind of Network traffic anomaly monitor method, apparatus, electronics to set Standby and storage medium.
Background technology
Since the 21th century, development in science and technology is maked rapid progress, and internet has been deep into side's aspect of people's daily life Face.It has been the normality of information-intensive society to be worked, learnt using internet, entertained etc..The extension of the Internet, applications range is given While production, the life of people bring many convenient, many drawbacks are also gradually exposed.In order to speculate, criminal User information can be stolen by internet.For example, illegal website is by injecting the invalid data that can obtain data from the background In the page of user's current transmission, the private data or malice of stealing user steal customer flow etc., seriously compromise user's Information security and property safety.
Therefore, the invalid data in the screen of high efficient and reliable ensures the information and property safety of user, has very Important realistic meaning.In existing network Traffic Anomaly monitoring technology, mainly utilize server to the invalid data in network It is monitored and filters.For example, before the data for obtaining client request are sent to client, server can first logarithm According to being preloaded, to judge whether be filled with invalid data in data.Frequent preloading procedure not only needs largely High in the clouds stores, and computing cost is huge, has aggravated the computational burden of server.In addition, invalid data is probably servicing Device injects during sending the data to client, then server can not monitor illegal number when being preloaded to data According to.Therefore, the existing method that the invalid data in network is detected and is filtered using server, not only computing cost is huge Greatly, and poor in timeliness.
Invention content
Network traffic anomaly monitor method, apparatus, electronic equipment and the storage medium that the application proposes, for solving correlation In technology, the existing method that the invalid data in network is detected and is filtered using server, not only computing cost is huge, And poor in timeliness, the problem of damaging the information and property safety of user.
The Network traffic anomaly monitor method that the application one side embodiment proposes is applied to client, including:Obtain page Face load request, the load request include target pages mark;It is identified according to the target pages, determines that target downloads number According to amount;When recording the page load, the attribute information of each data of actual download, wherein the attribute information includes real The data volume for each data that border is downloaded and corresponding resource data;Judge the total amount of data of each data of the actual download Whether the target downloading data amount is more than;If so, exception of network traffic message is sent to server, wherein the exception disappears Breath includes the corresponding resource data of invalid data in the data of the actual download.
The Network traffic anomaly monitor method that the application another aspect embodiment proposes is applied to server, including:It obtains The exception of network traffic message that client is sent, wherein the unexpected message includes resource corresponding with invalid data Data;Using the resource data, processing is updated to illegal resource library, to generate updated illegal resource library;By institute It states updated illegal resource library and is sent respectively to each client.
The Network traffic anomaly monitor device that the application another further aspect embodiment proposes is applied to client, including:It obtains Module, for obtaining page load request, the load request includes target pages mark;Determining module, for according to institute Target pages mark is stated, determines target downloading data amount;Logging modle, when for recording the page load, actual download The attribute information of each data, wherein the attribute information includes the data volumes of each data of actual download and corresponding Resource data;Judgment module is downloaded for judging whether the total amount of data of each data of the actual download is more than the target Data volume;If so, exception of network traffic message is sent to server, wherein the unexpected message includes the actual download Data in the corresponding resource data of invalid data.
The Network traffic anomaly monitor device that the another aspect embodiment of the application proposes is applied to server, including:It obtains Module, the exception of network traffic message for obtaining client transmission, wherein the unexpected message includes and invalid data divides Not corresponding resource data;Update module is updated processing, with life for utilizing the resource data to illegal resource library At updated illegal resource library;Sending module, for the updated illegal resource library to be sent respectively to each client.
The electronic equipment that the another aspect embodiment of the application proposes comprising:Memory, processor and it is stored in memory Computer program that is upper and can running on a processor, which is characterized in that the processor is realized when executing described program as before The Network traffic anomaly monitor method.
The computer readable storage medium that the application another aspect embodiment proposes, is stored thereon with computer program, It is characterized in that, foregoing Network traffic anomaly monitor method is realized when described program is executed by processor.
The computer program that the application another further aspect embodiment proposes, when which is executed by processor, to realize this Shen Network traffic anomaly monitor method that please be described in embodiment.
Network traffic anomaly monitor method, apparatus provided by the embodiments of the present application, electronic equipment, computer-readable storage medium Matter and computer program obtain page load request by client, are identified according to the target pages in load request, determine mesh When marking downloading data amount, and recording page load, the attribute information of each data of actual download, and then judge each of actual download Whether the total amount of data of data is more than target downloading data amount, if so, exception of network traffic message is sent to server, so that Server updates illegal resource library and is sent to client according to the corresponding resource data of invalid data in unexpected message.By This determines invalid data by each total amount of data according to target downloading data amount and actual download, later can be according to non- The attribute information update illegal resource library of method data, invalid data, monitoring network flow are determined to realize using client It is abnormal, computing cost has not only been saved, timeliness is improved, and ensure that the information and property safety of user, has improved use It experiences at family.
The additional aspect of the application and advantage will be set forth in part in the description, and will partly become from the following description It obtains obviously, or recognized by the practice of the application.
Description of the drawings
The application is above-mentioned and/or additional aspect and advantage will become from the following description of the accompanying drawings of embodiments Obviously and it is readily appreciated that, wherein:
A kind of flow diagram for Network traffic anomaly monitor method that Fig. 1 is provided by the embodiment of the present application;
The flow diagram for another Network traffic anomaly monitor method that Fig. 2 is provided by the embodiment of the present application;
The flow diagram for another Network traffic anomaly monitor method that Fig. 3 is provided by the embodiment of the present application;
A kind of signaling interaction diagram for Network traffic anomaly monitor method that Fig. 4 is provided by the embodiment of the present application;
Fig. 5 is a kind of structural schematic diagram of Network traffic anomaly monitor device provided by the embodiments of the present application;
Fig. 6 is the structural schematic diagram of another Network traffic anomaly monitor device provided by the embodiments of the present application;
Fig. 7 is the structural schematic diagram of electronic equipment provided by the embodiments of the present application.
Specific implementation mode
Embodiments herein is described below in detail, examples of the embodiments are shown in the accompanying drawings, wherein from beginning to end Same or similar label indicates same or similar element.The embodiments described below with reference to the accompanying drawings are exemplary, It is intended for explaining the application, and should not be understood as the limitation to the application.
The embodiment of the present application is current by the way that the invalid data that can obtain data from the background is injected user for illegal website In the page of transmission, the private data or malice of stealing user steal customer flow etc., damage the information security and property of user Safety, and the existing method that the invalid data in network is detected and is filtered using server, not only computing cost is huge, And the problem of poor in timeliness, propose a kind of Network traffic anomaly monitor method.
Network traffic anomaly monitor method provided by the embodiments of the present application obtains page load request, root by client According to the target pages mark in load request, when determining target downloading data amount, and recording page load, each number of actual download According to attribute information, and then judge actual download each data total amount of data whether be more than target downloading data amount, if so, Exception of network traffic message is sent to server, so as to server update illegal resource library and be sent to client.Pass through as a result, According to each total amount of data of target downloading data amount and actual download, invalid data is determined, it later can be according to invalid data Attribute information update illegal resource library, determine invalid data using client to realize, monitoring network traffic exception, no Computing cost has only been saved, timeliness is improved, and ensure that the information and property safety of user, has improved user experience.
Below with reference to the accompanying drawings to Network traffic anomaly monitor method, apparatus provided by the present application, electronic equipment, storage medium And computer program is described in detail.
Separately below by taking client-side, server side as an example, to Network traffic anomaly monitor provided by the embodiments of the present application Method is described in detail.
First by taking client-side as an example, Network traffic anomaly monitor method provided by the embodiments of the present application is carried out specifically It is bright.
A kind of flow diagram for Network traffic anomaly monitor method that Fig. 1 is provided by the embodiment of the present application, this method Applied to client.
As shown in Figure 1, the Network traffic anomaly monitor method, includes the following steps:
Step 101, page load request is obtained, load request includes target pages mark.
In actual use, Network traffic anomaly monitor method provided by the embodiments of the present application, can be implemented by the application The Network traffic anomaly monitor device that example provides executes.Wherein, Network traffic anomaly monitor device can be applied to client, visitor Family end can be arbitrary electronic equipment, such as mobile phone, computer.
Wherein, page load request can be that user is supplied to client, input dress by the input unit of client Setting can be mouse, keyboard etc..
It is understood that page load request includes the mark of target pages.
Wherein, target pages refer to the page that user is loaded by client request.The mark of target pages is feeling the pulse with the finger-tip Mark the authentication information of the page.It is understood that each page is owned by the page iden-tity uniquely determined.For example, can be with It is the corresponding domain name of the page or IP address.
In actual use, client can parse the corresponding server of target pages according to the mark of target pages Address, and server can be sent to by network by page load request.
Step 102, it is identified according to target pages, determines target downloading data amount.
Wherein, target downloading data amount refers to the byte number that the data downloaded are needed when loading target pages.
It should be noted that client can obtain target downloading data amount according to the mark of target pages from local, Page load request can be sent to server, server identifies according to target pages target downloading data amount returning to visitor Family end.
It for example, can be by the page iden-tity of the page got, with clothes when client loads some page for the first time The downloading data amount for the page that business device returns forms one group of mapping, and is buffered in local.If client is not that request adds for the first time Target pages are carried, then when can be according to target pages are loaded for the first time, be buffered in reflecting for local page iden-tity and downloading data amount It penetrates, determines target downloading data amount;If client is to load target pages for the first time, page load request can be sent to clothes Business device, and identified and target downloading data from the target downloading data amount of server acquisition target pages, while by target pages The mapped cache of amount is in local.
Further, in a kind of possible way of realization of the embodiment of the present application, target pages usually can include multiple Need the data downloaded.For example, the Baidu search page includes the data such as " Baidu's icon ", " search box ", " advertisement recommendation ".On i.e. After stating step 101, can also include:
According to the mark of the target pages, the mark of each target data is determined.
Wherein, target data refers to the data for needing to download when loading target pages.Client can be according to target pages Mark, determine the mark of the target data and target pages in target pages.The mark of target data can be by number of targets According to uniquely determining, according to the mark of target data, it may be determined that the data volume of target data.
Step 103, when the load of the record page, the attribute information of each data of actual download, wherein attribute information includes The data volume of each data of actual download and corresponding resource data.
Wherein, resource data, it can may include the script, source code, cloth of data with the element of the characteristic of characterize data to refer to Office file etc..
Step 104, judge whether the total amount of data of each data of actual download is more than target downloading data amount, if so, Execute step 105;Otherwise, terminate this Network traffic anomaly monitor process.
It is to be appreciated that when the total amount of data of each data of actual download is more than target downloading data amount, it may be determined that Include the invalid data for leading to exception of network traffic in target pages, you can to send exception of network traffic message to server, So that server is analyzed and is handled to invalid data.
Further, in a kind of possible way of realization of the embodiment of the present application, lead to the illegal number of exception of network traffic According to can be hidden in each target downloading data of target pages, so as to cause the data volume and mesh of each data of actual download Mark downloading data amount is not inconsistent.The invalid data can be determined according to the data volume of each data of actual download.
It is understood that when invalid data is hidden in some target downloading data, under the target of actual download The data volume of data is carried, can be more than according to its determining corresponding data volume of target pages mark.Therefore, implement in the application In a kind of possible way of realization of example, if the data volume of the target downloading data of actual download, identifies more than according to target pages The target downloading data can be then determined as invalid data by its determining corresponding data volume.
Further, in a kind of possible way of realization of the embodiment of the present application, lead to the illegal number of exception of network traffic According to can also be self-existent, so as to cause each target data in the mark and target pages of each data of actual download Mark be not inconsistent.I.e. after above-mentioned steps 104, can also include:
In the mark for judging each target data, if the mark of each data including the actual download;
If in the mark of each target data not including the mark of the first data of actual download, it is determined that the reality The first data downloaded are invalid data.
Wherein, the first data refer to the data that its mark is not included in the actual download in the mark of each target data.
It is understood that when in the mark of each target data in target pages, do not include certain number of actual download According to mark, then can determine that the data are to lead to the invalid data of exception of network traffic.
It further, can be with data in the goal-selling page in a kind of possible way of realization of the embodiment of the present application Data-quantity threshold can then determine that the data are illegal number when the data volume of certain data of actual download is more than the threshold value According to.In actual use, the size of data-quantity threshold can determine that the embodiment of the present application does not limit this according to actual needs. I.e. after above-mentioned steps 104, can also include:
Judge whether the data volume of the second data in the data of the actual download is more than threshold value;
If more than then by the corresponding resource data of second data, increasing newly into preset illegal resource library.
Wherein, the second data refer to the data for the actual download that data volume is more than threshold value.Illegal resource library refers to including The database of the resource data of all known invalid datas.
It should be noted that in the goal-selling page when data-quantity threshold of data, following principle can be followed:Page object The data volume of each target data in face is respectively less than threshold value.Therefore, when the data volume of certain data of actual download is more than threshold value, The data directly can be determined as invalid data by client, and be increased newly into preset illegal resource library.No longer need to by Its resource data is sent to server, using server according to the resource data of the data, judges whether the data are illegal number According to.
Step 105, exception of network traffic message is sent to server, wherein unexpected message includes the data of actual download In the corresponding resource data of invalid data.
Specifically, when client determines that there are when invalid data in target pages, you can deposited with determining in target pages Exception of network traffic message is sent in exception of network traffic situation, and to server, wherein unexpected message includes that client is true The corresponding resource data of invalid data made.Server can analyze the corresponding resource data of the data, and further judging should Whether data are invalid data.
It should be noted that when the invalid data that client is determined is the second data that data volume is more than threshold value, then Exception of network traffic message can not be sent to server, directly increase the data into preset illegal resource library newly.
Network flow abnormal detecting method provided by the embodiments of the present application can be obtained page load by client and be asked It asks, is identified according to the target pages in load request, determine the mark of target downloading data amount and each target data, and record page When face loads, the attribute information of each data of actual download, so that it is total according to data volume, the data of each data of actual download Amount, the mark of each data and target downloading data amount, the mark of each target data, judge actual download each data whether Containing invalid data, if so, exception of network traffic message is sent to server, so that server update illegal resource library is concurrent Client is given, and when the data volume of invalid data is more than threshold value, illegal resource library is directly updated by client.As a result, By according to data volume, total amount of data, the mark of each data and the target downloading data amount of each data of actual download, each The mark of target data determines invalid data, can update illegal resource library according to the attribute information of invalid data later, from And realize and determine invalid data using client, monitoring network traffic exception has not only saved computing cost, improves timeliness Property, and ensure that the information and property safety of user, improve user experience.
In a kind of possible way of realization of the application, illegal resource library or illegal resource model can be preset, i.e., in mesh It, can be first according to preset illegal resource library or preset illegal resource before each target data in the mark page starts download Model determines whether each data to be downloaded are legal.It, can be with the download of the terminal data if data to be downloaded are illegal.
With reference to Fig. 2, Network traffic anomaly monitor method provided by the embodiments of the present application is further described.
The flow diagram for another Network traffic anomaly monitor method that Fig. 2 is provided by the embodiment of the present application, the party Method is applied to client.
As shown in Fig. 2, the Network traffic anomaly monitor method, includes the following steps:
Step 201, page load request is obtained, load request includes target pages mark.
Step 202, it is identified according to target pages, determines each data to be downloaded in target pages.
It is understood that before loading target pages, can be determined in target pages according to the mark of target pages The resource data of each data and each data to be downloaded to be downloaded.
The specific implementation process and principle of above-mentioned steps 201-202, is referred to the detailed description of above-described embodiment, herein It repeats no more.
Step 203, according to preset illegal resource library, judge whether the resource data of each data to be downloaded is legal.
It should be noted that preset illegal resource library includes the resource data of all known invalid datas.It is loading Before target pages, each data to be downloaded in target pages and to be downloaded can be determined according to the mark of target pages The resource data of each data.The resource data of each data to be downloaded is compared with the resource data in illegal resource library, If illegal resources bank includes the resource data of data to be downloaded, it is determined that the data to be downloaded are invalid data, can be with Interrupt the download of the data.
In a kind of possible way of realization of the application, due to being only capable of including known illegal resource number in illegal resource library According to when to carry out invalid data judgement using illegal resource library, for emerging illegal resource data, it is possible to occur not The case where identifying, therefore, in order to improve the accuracy identified to illegal resource, the application can also utilize preset illegal money The resource data of each data to be downloaded is identified in identifing source model, to judge the resource data of each data to be downloaded It is whether legal.Wherein, illegal resource identification model refers to the knowledge that training obtains using known each invalid data as training sample Other model.
It should be noted that training is considered as extracting the process of training sample common characteristic, the model that training obtains is total The shared universal law of a large amount of training samples is tied.Therefore, whether the model that training obtains can follow instruction according to test sample Practice the shared universal law of sample, judges test sample and the similarity of training sample.
In a kind of possible way of realization of the embodiment of the present application, however, it is determined that preset illegal resource library does not include to be downloaded Each data resource data, then can also continue to utilize preset illegal resource identification model, further determine that be downloaded Whether each data are invalid data.When utilizing illegal resource identification model, identify that data to be downloaded have invalid data When characteristic, then it can determine that the data are invalid data, and interrupt the download of the data.
Step 204, however, it is determined that the resource data of third data to be downloaded is illegal, interrupts the download of the third data.
Wherein, third data refer to the illegal number of corresponding resource data in each data to be downloaded in target pages According to.
Specifically, utilizing preset illegal resource library or preset illegal resource identification model, to be downloaded the is determined Three data be invalid data after, the download of the third data can be interrupted, customer flow is stolen to avoid it.Meanwhile in Break the data download after, can the page show warning information, prompt the ownership goal page in there may be steal the non-of flow Method data.
Network traffic anomaly monitor method provided by the embodiments of the present application can be obtained page load by client and be asked Ask, identified according to the target pages in load request, determine each data to be downloaded, so using preset illegal resource library or Illegal resource identification model determines whether each data to be downloaded are invalid data, and interrupts the download of invalid data.As a result, By using preset illegal resource library or illegal resource identification model, and according to the resource data of each data to be downloaded, really Invalid data is made, the download of invalid data can be interrupted later, and illegal resource is updated according to the attribute information of invalid data Library determines that invalid data, monitoring network traffic exception have not only saved computing cost to realize using client, improves Timeliness, and ensure that the information and property safety of user, improve user experience.
Below by taking server side as an example, Network traffic anomaly monitor method provided by the embodiments of the present application is carried out specifically It is bright.
Network traffic anomaly monitor method provided by the embodiments of the present application is further described with reference to Fig. 3.
The flow diagram for another Network traffic anomaly monitor method that Fig. 3 is provided by the embodiment of the present application, the party Method is applied to server.
As shown in figure 3, the Network traffic anomaly monitor method, includes the following steps:
Step 301, the exception of network traffic message that client is sent is obtained, wherein unexpected message includes and illegally counts According to corresponding resource data.
It should be noted that Network traffic anomaly monitor method provided by the embodiments of the present application, can be provided by the application Network traffic anomaly monitor device execute.Wherein, Network traffic anomaly monitor device can be applied to server, and server can To be arbitrary electronic equipment.
Wherein, the corresponding resource data of invalid data refers to the element for the characteristic that can characterize invalid data, may include Script, source code, topology file of data etc..Server can determine invalid data by the resource data of analysis invalid data Feature, and illegal resource library is updated.
Further, the network type belonging to the client is different, alternatively, when the corresponding user's difference of client, attack The type of the invalid data of client can also be different.And hence it is also possible to according to the attribute information of client, invalid data is determined With the correspondence of client.It can also include the attribute of client in the i.e. described unexpected message.The attribute of client can be The information such as the corresponding user of network type, client belonging to client.
Step 302, using resource data, processing is updated to illegal resource library, to generate updated illegal resource Library.
Wherein, illegal resource library refers to the database for the resource data for including all known invalid datas.
It, can be with it is understood that after server gets the invalid data corresponding resource data of client transmission The resource data got is compared with the resource data in illegal resource library, if in illegal resources bank not including the resource Data can then increase the resource data newly in illegal resource library, to generate updated illegal resource library.
Further, when the attribute difference of client, corresponding illegal data type can also be different, because This, can establish different illegal resource libraries respectively according to the attribute of client.That is above-mentioned steps 302 can also include:
It is for statistical analysis to the corresponding resource data of all invalid datas in preset time period, obtained, determine mesh Mark resource data and client terminal attribute corresponding with the target resource data;
Using the target resource data, pair it is updated with the corresponding associated illegal resource library of client terminal attribute Processing.
Wherein, target resource data refer to the corresponding number of resources of all invalid datas to being got in preset time period According to removing the resource data obtained after the resource data of repetition.
As soon as it should be noted that if server often gets the corresponding resource data of an invalid data, it is divided Analysis, then may increase the computing cost and operating load of server.Therefore, number of resources that can be with predetermined server to getting According to time interval for statistical analysis, for example, every 30 minutes for statistical analysis to all resource datas got.It is practical In use, time interval can be preset according to actual needs, for example, the effect that can both ensure to update invalid data library can be followed Rate, and the principle of the computing cost of server can be reduced, the embodiment of the present application does not limit this.
It is understood that within the preset period, the corresponding number of resources of a large amount of invalid datas that server is got According to, can have much repeat resource data, if analyzed the resource data of all acquisitions, it is clear that It is not necessary to, and And the computing resource of server can be wasted.It therefore, can be to uniting to all resource datas in preset time period, obtained Meter analysis, that is, remove the resource data of repetition, and the resource data repeated per class only retains one, determines target resource number According to.
It should be noted that when the attribute difference of client, corresponding illegal data type can also be different, Therefore the corresponding client terminal attribute of target resource data can also be determined.For example, server passes through the resource data to getting It is for statistical analysis, it is found that target resource data A is reported by the client for belonging to mobile network, it may be considered that corresponding In the invalid data of target resource data A, the client for belonging to mobile network can be attacked at present, you can to determine target resource A Corresponding client terminal attribute is " mobile network ".For another example, the attribute of client can also be the corresponding user of client.It can root Custom according to the browsing webpage of the corresponding user of client classifies to client, for example, hobby browsing financing class website The attribute of the corresponding client of user group could be provided as " financing class ".For example, server passes through the resource data to getting It is for statistical analysis, it is found that target resource data B is reported by the client that attribute is " financing class ", it may be considered that right In the invalid data of target resource data B " financing class " client should can be attacked at present, you can to determine that target resource B is corresponded to Client terminal attribute be " financing class ".
Further, after determining target resource data and client terminal attribute corresponding with target resource data, you can Target resource data are increased newly into the corresponding associated illegal resource library of client terminal attribute, to be carried out to illegal resource library Update is handled.
For example, within a preset period of time, server gets the illegal of 50 client transmissions by mobile network The corresponding resource data of data, and this 50 resource datas are all identical;Get 50 clients by unicom network simultaneously The corresponding resource data of invalid data sent is held, and this 50 resource datas are also identical, and by the visitor of mobile network The resource data that family end is sent, it is different from the resource data of client transmission by unicom network.Server is to this 100 resources After data are for statistical analysis, the target resource data C determined is the illegal number that 1 client by mobile network is sent According to corresponding resource data, target resource data D is the corresponding resource of invalid data that 1 client by unicom network is sent Data.Correspondingly, the corresponding client terminal attributes of target resource data C are " mobile network ", the corresponding client categories of target resource D Property be " unicom network ".Target resource data C can be increased to the illegal resource library into mobile network newly, by target data resource D increases the illegal resource library into unicom network newly.
Further, due to being only capable of including known illegal resource data in illegal resource library, to utilize illegal resource Library carry out invalid data judgement when, for emerging illegal resource data, it is possible to occur it is unidentified go out the case where, therefore, In order to improve the accuracy identified to illegal resource, in a kind of possible way of realization of the embodiment of the present application, can also utilize Illegal resource in illegal resource library is training sample, and training generates illegal resource identification model.I.e. above-mentioned steps 302 it Afterwards, can also include:
Using each illegal resource in the updated illegal resource library as training sample, training generates illegal resource identification Model;
The illegal resource identification model is sent respectively to each client.
It should be noted that training is considered as extracting the process of training sample common characteristic, the model that training obtains is total The shared universal law of a large amount of training samples is tied.Therefore, whether the model that training obtains can follow instruction according to test sample Practice the shared universal law of sample, judges test sample and the similarity of training sample.
It is understood that the illegal resource identification model that the embodiment of the present application proposes, summarizes in illegal resource library The shared universal law of each invalid data.In training illegal resource identification model, can will be in illegal resource library it is each illegal Certain characteristics of data are as training sample, such as the script of invalid data, source code etc..Correspondingly, utilizing illegal money When identifing source model judges whether certain data is invalid data, identical characteristic input illegal resource identification mould is also chosen Type to judge the similarity of the data and invalid data, and then determines whether test data is invalid data.
For example, if when training illegal resource identification model, using the script of invalid data and source code as training sample, So when judging whether data A is invalid data using illegal resource identification model, need to make in the script of data A and source code For test sample input illegal resource identification model, and then according to the output of illegal resource identification model determine data A whether be Invalid data.
It should be noted that when identifying invalid data using illegal resource identification model, the corresponding resource data of data can To be not included in illegal resource library, but according to the corresponding resource data of the data whether with the number of resources in illegal resource library According to feature having the same, to determine whether the data are invalid data.
Step 303, updated illegal resource library is sent respectively to each client.
Specifically, after server is updated processing according to the corresponding resource data of invalid data to illegal resource library, Illegal resource associated with the attribute of client library can be sent to pair according to the attribute of the mark of client, client The client answered.
Client can be uniquely determined it should be noted that the mark of client can be IP address of client etc. Information.Client can be when sending exception of network traffic message to server, while the mark of itself is sent to server, So that server can return to updated illegal resource library and illegal resource identification model according to the mark of client.
Network traffic anomaly monitor method provided by the embodiments of the present application, the network flow that can obtain client transmission are different Normal message is updated processing, and utilize according to the corresponding resource data of invalid data in unexpected message to illegal resource library Each illegal resource in updated illegal resource library, training generate illegal resource identification model, and then will be updated illegal Resources bank and illegal resource identification model are sent to each client.As a result, by according to the corresponding resource data of invalid data, more New illegal resource library, and generate illegal resource identification model, later can be according to updated illegal resource library and illegal Resource identification model, determines invalid data, and invalid data is determined using client to realize, monitoring network traffic exception, Computing cost has not only been saved, timeliness is improved, and ensure that the information and property safety of user, has improved user's body It tests.
A kind of signaling interaction diagram for Network traffic anomaly monitor method that Fig. 4 is provided by the embodiment of the present application.
As shown in figure 4, the Network traffic anomaly monitor method, includes the following steps:
Step 401, client obtains page load request.
Wherein, the load request includes target pages mark.
Step 402, client is identified according to target pages, determines target downloading data amount.
Step 403, when the load of the record page, the attribute information of each data of actual download.
Wherein, the attribute information includes the data volume of each data of actual download and corresponding resource data;
Step 404, judge whether the total amount of data of each data of actual download is more than target downloading data amount.
Step 405, if so, user end to server sends exception of network traffic message.
Wherein, unexpected message includes the corresponding resource data of invalid data in the data of actual download.
Step 406, server by utilizing resource data is updated processing to illegal resource library, updated non-to generate Method resources bank.
Step 407, updated illegal resource library is sent respectively to each client by server.
The above process obtains page load request by client, is identified according to the target pages in load request, determined Target downloading data amount, and when recording page load, the attribute information of each data of actual download, and then judge actual download Whether the total amount of data of each data is more than target downloading data amount, if so, exception of network traffic message is sent to server, with Make server according to the corresponding resource data of invalid data in unexpected message, updates illegal resource library and be sent to client. As a result, by each total amount of data according to target downloading data amount and actual download, invalid data is determined, it later can basis The attribute information update illegal resource library of invalid data, invalid data, monitoring network stream are determined to realize using client Amount is abnormal, has not only saved computing cost, has improved timeliness, and ensure that the information and property safety of user, has improved User experience.
In order to realize that above-described embodiment, the application also propose a kind of Network traffic anomaly monitor device.
Fig. 5 is a kind of structural schematic diagram of Network traffic anomaly monitor device provided by the embodiments of the present application, is applied to visitor Family end.
As shown in figure 5, the Network traffic anomaly monitor device 50, including:
Acquisition module 51, for obtaining page load request, load request includes target pages mark.
Determining module 52 determines target downloading data amount for being identified according to target pages.
Logging modle 53, when for recording page load, the attribute information of each data of actual download, wherein attribute is believed Breath includes the data volume of each data of actual download and corresponding resource data.
Judgment module 54, for judging whether the total amount of data of each data of actual download is more than target downloading data amount;
If so, exception of network traffic message is sent to server, wherein the unexpected message includes under the reality The corresponding resource data of invalid data in the data of load.
In actual use, Network traffic anomaly monitor device provided by the embodiments of the present application can be configured in arbitrary In electronic equipment, to execute aforementioned network Traffic Anomaly monitoring method.
Network traffic anomaly monitor device provided by the embodiments of the present application is applied to client, can obtain page load Request, according to the target pages mark in load request, when determining target downloading data amount, and recording page load, under reality The attribute information of each data carried, and then judge whether the total amount of data of each data of actual download is more than target downloading data Amount, if so, exception of network traffic message is sent to server, so as to server update illegal resource library and be sent to client End.As a result, by each total amount of data according to target downloading data amount and actual download, invalid data is determined, later Illegal resource library is updated according to the attribute information of invalid data, invalid data, monitoring net are determined using client to realize Network Traffic Anomaly, has not only saved computing cost, improves timeliness, and ensure that the information and property safety of user, changes It has been apt to user experience.
In a kind of possible way of realization of the application, above-mentioned Network traffic anomaly monitor device is specifically used for:
According to the data volume of each data of actual download, the invalid data is determined.
Further, in the alternatively possible way of realization of the application, above-mentioned Network traffic anomaly monitor device is also used In:
According to the mark of the target pages, the mark of each target data is determined;
In the mark for judging each target data, if the mark of each data including the actual download;
If in the mark of each target data not including the mark of the first data of actual download, it is determined that the reality The first data downloaded are invalid data.
Further, in the alternatively possible way of realization of the application, above-mentioned Network traffic anomaly monitor device is also used In:
Judge whether the data volume of the second data in the data of the actual download is more than threshold value;
If more than then by the corresponding resource data of second data, increasing newly into preset illegal resource library.
Further, in the application in another possible way of realization, above-mentioned Network traffic anomaly monitor device is also used In:
According to preset illegal resource library, judge whether the resource data of each data to be downloaded is legal;
If it is determined that the resource data of third data to be downloaded is illegal, then the download of the third data is interrupted.
Further, in the application in another possible way of realization, above-mentioned Network traffic anomaly monitor device is also used In:
Using preset illegal resource identification model, the resource data of each data to be downloaded is identified, to judge Whether the resource data of each data to be downloaded is legal;
If it is determined that the resource data of third data to be downloaded is illegal, then the download of the third data is interrupted.
It should be noted that aforementioned to Fig. 1, Fig. 2, Fig. 3 or shown in Fig. 4 Network traffic anomaly monitor embodiment of the method The Network traffic anomaly monitor device 50 for being also applied for the embodiment is illustrated, details are not described herein again.
Network traffic anomaly monitor device provided by the embodiments of the present application is applied to client, can obtain page load Request identifies according to the target pages in load request, determines the mark of target downloading data amount and each target data, and record When the page loads, the attribute information of each data of actual download, so that it is total according to data volume, the data of each data of actual download Amount, the mark of each data and target downloading data amount, the mark of each target data, judge actual download each data whether Containing invalid data, if so, exception of network traffic message is sent to server, so that server update illegal resource library is concurrent Client is given, and when the data volume of invalid data is more than threshold value, illegal resource library is directly updated by client.In addition, Invalid data can be identified according to preset illegal resource library and illegal resource identification model, and interrupt the download of invalid data. Pass through data volume, total amount of data, the mark of each data and the target downloading data according to each data of actual download as a result, Amount, the mark of each target data, determine invalid data, can update illegal resource according to the attribute information of invalid data later Library determines that invalid data, monitoring network traffic exception have not only saved computing cost to realize using client, improves Timeliness, and ensure that the information and property safety of user, improve user experience.
In order to realize that above-described embodiment, the application also propose another Network traffic anomaly monitor device.
Fig. 6 is the structural schematic diagram of another Network traffic anomaly monitor device provided by the embodiments of the present application, is applied to Server.
As shown in fig. 6, the Network traffic anomaly monitor device 60, including:
Acquisition module 61, for obtain client transmission exception of network traffic message, wherein unexpected message include with The corresponding resource data of invalid data.
Update module 62, it is updated non-to generate for using resource data, processing to be updated to illegal resource library Method resources bank.
Sending module 63, for updated illegal resource library to be sent respectively to each client.
In actual use, Network traffic anomaly monitor device provided by the embodiments of the present application can be configured in arbitrary In electronic equipment, to execute aforementioned network Traffic Anomaly monitoring method.
Network traffic anomaly monitor device provided by the embodiments of the present application is applied to server, can obtain client hair The exception of network traffic message sent carries out illegal resource library according to the corresponding resource data of invalid data in unexpected message Update is handled, and then updated illegal resource library is sent to each client.As a result, by according to the corresponding money of invalid data Source data has updated illegal resource library, invalid data can be determined according to updated illegal resource library later, to realize It determines that invalid data, monitoring network traffic exception have not only saved computing cost using client, improves timeliness, and The information and property safety that ensure that user, improve user experience.
In a kind of possible way of realization of the application, above-mentioned Network traffic anomaly monitor device is specifically used for:
Using each illegal resource in the updated illegal resource library as training sample, training generates illegal resource identification Model;
The illegal resource identification model is sent respectively to each client.
Further, in the alternatively possible way of realization of the application, above-mentioned Network traffic anomaly monitor device is also used In:
It is for statistical analysis to the corresponding resource data of all invalid datas in preset time period, obtained, determine mesh Mark resource data and client terminal attribute corresponding with the target resource data;
Using the target resource data, pair it is updated with the corresponding associated illegal resource library of client terminal attribute Processing.
It should be noted that aforementioned to Fig. 1, Fig. 2, Fig. 3 or shown in Fig. 4 Network traffic anomaly monitor embodiment of the method The Network traffic anomaly monitor device 60 for being also applied for the embodiment is illustrated, details are not described herein again.
Network traffic anomaly monitor device provided in this embodiment is applied to server, can obtain client transmission Exception of network traffic message is updated illegal resource library according to the corresponding resource data of invalid data in unexpected message Processing, and using each illegal resource in updated illegal resource library, training generates illegal resource identification model, and then will more Illegal resource library and illegal resource identification model after new are sent to each client.As a result, by corresponding according to invalid data Resource data has updated illegal resource library, and generates illegal resource identification model, later can be according to updated illegal money Source library and illegal resource identification model, determine invalid data, and invalid data, monitoring network are determined using client to realize Traffic Anomaly has not only saved computing cost, improves timeliness, and ensure that the information and property safety of user, improves User experience.
In order to realize that above-described embodiment, the application also propose a kind of electronic equipment, it is applied to server side and client-side.
Fig. 7 is the structural schematic diagram of the electronic equipment of one embodiment of the invention.
As shown in fig. 7, above-mentioned electronic equipment 700 includes:
Memory 710 and processor 720 connect the bus 730 of different components (including memory 710 and processor 720), Memory 710 is stored with computer program, and the network described in the embodiment of the present application is realized when processor 720 executes described program Traffic Anomaly monitoring method.
Bus 730 indicates one or more in a few class bus structures, including memory bus or Memory Controller, Peripheral bus, graphics acceleration port, processor or the local bus using the arbitrary bus structures in a variety of bus structures.It lifts For example, these architectures include but not limited to industry standard architecture (ISA) bus, microchannel architecture (MAC) Bus, enhanced isa bus, Video Electronics Standards Association (VESA) local bus and peripheral component interconnection (PCI) bus.
Electronic equipment 700 typically comprises various electronic readable medium.These media can be it is any can be electric The usable medium that sub- equipment 700 accesses, including volatile and non-volatile media, moveable and immovable medium.
Memory 710 can also include the computer system readable media of form of volatile memory, such as arbitrary access Memory (RAM) 740 and/or cache memory 750.Electronic equipment 700 may further include it is other it is removable/can not Mobile, volatile/non-volatile computer system storage medium.Only as an example, storage system 760 can be used for reading and writing not Movably, non-volatile magnetic media (Fig. 7 do not show, commonly referred to as " hard disk drive ").It, can be with although being not shown in Fig. 7 It provides for the disc driver to moving non-volatile magnetic disk (such as " floppy disk ") read-write, and to removable non-volatile The CD drive of CD (such as CD-ROM, DVD-ROM or other optical mediums) read-write.In these cases, each driving Device can be connected by one or more data media interfaces with bus 730.Memory 710 may include at least one program There is one group of (for example, at least one) program module, these program modules to be configured to perform the present invention for product, the program product The function of each embodiment.
Program/utility 780 with one group of (at least one) program module 770, can be stored in such as memory In 710, such program module 770 includes --- but being not limited to --- operating system, one or more application program, other Program module and program data may include the realization of network environment in each or certain combination in these examples.Journey Sequence module 770 usually executes function and/or method in embodiment described in the invention.
Electronic equipment 700 can also be with one or more external equipments 790 (such as keyboard, sensing equipment, display 791 Deng) communication, can also be enabled a user to one or more equipment interact with the electronic equipment 700 communicate, and/or with make Any equipment that the electronic equipment 700 can be communicated with one or more of the other computing device (such as network interface card, modem Etc.) communication.This communication can be carried out by input/output (I/O) interface 792.Also, electronic equipment 700 can also lead to Cross network adapter 793 and one or more network (such as LAN (LAN), wide area network (WAN) and/or public network, example Such as internet) communication.As shown, network adapter 793 is communicated by bus 730 with other modules of electronic equipment 700.It answers When understanding, although not shown in the drawings, other hardware and/or software module can be used in conjunction with electronic equipment 700, including it is but unlimited In:Microcode, device driver, redundant processing unit, external disk drive array, RAID system, tape drive and number According to backup storage system etc..
Processor 720 is stored in the program in memory 710 by operation, to perform various functions application and data Processing.
It should be noted that the implementation process and technical principle of the electronic equipment of the present embodiment are referring to aforementioned real to the application The explanation of the Network traffic anomaly monitor method of example is applied, details are not described herein again.
Electronic equipment provided by the embodiments of the present application can execute foregoing Network traffic anomaly monitor method, lead to It crosses client and obtains page load request, identified according to the target pages in load request, determine target downloading data amount, and remember When recording page load, the attribute information of each data of actual download, and then judge that the total amount of data of each data of actual download is It is no to be more than target downloading data amount, if so, exception of network traffic message is sent to server, so that server disappears according to abnormal The corresponding resource data of invalid data in breath updates illegal resource library and is sent to client.As a result, by according under target Each total amount of data for carrying data volume and actual download, determines invalid data, later can be according to the attribute information of invalid data Illegal resource library is updated, determines that invalid data, monitoring network traffic exception have not only saved meter using client to realize Expense is calculated, timeliness is improved, and ensure that the information and property safety of user, improves user experience.
In order to realize that above-described embodiment, the application also propose a kind of computer readable storage medium.
Wherein, the computer readable storage medium, is stored thereon with computer program, when which is executed by processor, To realize the Network traffic anomaly monitor method described in the embodiment of the present application.
In order to realize that above-described embodiment, the application another further aspect embodiment provide a kind of computer program, which is located When managing device execution, to realize the Network traffic anomaly monitor method described in the embodiment of the present application.
In a kind of optional way of realization, arbitrary group of one or more computer-readable media may be used in the present embodiment It closes.Computer-readable medium can be computer-readable signal media or computer readable storage medium.It is computer-readable to deposit Storage media for example may be-but not limited to-system, device or the device of electricity, magnetic, optical, electromagnetic, infrared ray or semiconductor Part, or the arbitrary above combination.The more specific example (non exhaustive list) of computer readable storage medium includes:Have The electrical connection of one or more conducting wires, portable computer diskette, hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read only memory (EPROM or flash memory), optical fiber, portable compact disc read-only memory (CD- ROM), light storage device, magnetic memory device or above-mentioned any appropriate combination.In this document, computer-readable storage Medium, which can be any, includes or the tangible medium of storage program, which can be commanded execution system, device or device Using or it is in connection.
Computer-readable signal media may include in a base band or as the data-signal that a carrier wave part is propagated, Wherein carry computer-readable program code.Diversified forms may be used in the data-signal of this propagation, including --- but It is not limited to --- electromagnetic signal, optical signal or above-mentioned any appropriate combination.Computer-readable signal media can also be Any computer-readable medium other than computer readable storage medium, which can send, propagate or Transmission for by instruction execution system, device either device use or program in connection.
The program code for including on computer-readable medium can transmit with any suitable medium, including --- but it is unlimited In --- wireless, electric wire, optical cable, RF etc. or above-mentioned any appropriate combination.
It can be write with one or more programming languages or combinations thereof for executing the computer that operates of the present invention Program code, described program design language include object oriented program language-such as Java, Smalltalk, C++, Further include conventional procedural programming language-such as " C " language or similar programming language.Program code can be with It is fully executed on consumer electronic devices, partly executes on consumer electronic devices, holds as an independent software package Row, partly part executes in devices in remote electronic or completely in devices in remote electronic or service on consumer electronic devices It is executed on device.In the situation for being related to devices in remote electronic, devices in remote electronic can pass through the network of any kind --- packet It includes LAN (LAN) or wide area network (WAN)-is connected to consumer electronic devices, or, it may be connected to external electronic device (example It is such as connected by internet using ISP).
Those skilled in the art will readily occur to its of the application after considering specification and putting into practice the invention applied here Its embodiment.This application is intended to cover any variations, uses, or adaptations of the application, these modifications, purposes or Person's adaptive change follows the general principle of the application and includes the common knowledge in the art that the application does not invent Or conventional techniques.The description and examples are only to be considered as illustrative, and the true scope and spirit of the application are wanted by right It asks and points out.
It should be understood that the application is not limited to the precision architecture for being described above and being shown in the accompanying drawings, and And various modifications and changes may be made without departing from the scope thereof.Scope of the present application is only limited by the accompanying claims.

Claims (13)

1. a kind of Network traffic anomaly monitor method, which is characterized in that including:
Page load request is obtained, the load request includes target pages mark;
It is identified according to the target pages, determines target downloading data amount;
When recording the page load, the attribute information of each data of actual download, wherein the attribute information includes practical The data volume for each data downloaded and corresponding resource data;
Judge whether the total amount of data of each data of the actual download is more than the target downloading data amount;
If so, exception of network traffic message is sent to server, wherein the unexpected message includes the actual download The corresponding resource data of invalid data in data.
2. the method as described in claim 1, which is characterized in that before the transmission exception of network traffic message to server, Further include:
According to the data volume of each data of actual download, the invalid data is determined.
3. the method as described in claim 1, which is characterized in that further include each data of actual download in the attribute information Mark;
After the acquisition page load request, further include:
According to the mark of the target pages, the mark of each target data is determined;
In the mark for judging each target data, if the mark of each data including the actual download;
If in the mark of each target data not including the mark of the first data of actual download, it is determined that the actual download The first data be invalid data.
4. the method as described in claim 1-4 is any, which is characterized in that described when recording page load, actual download Each data attribute information after, further include:
Judge whether the data volume of the second data in the data of the actual download is more than threshold value;
If more than then by the corresponding resource data of second data, increasing newly into preset illegal resource library.
5. method as claimed in claim 4, which is characterized in that after the acquisition page load request, further include:
According to preset illegal resource library, judge whether the resource data of each data to be downloaded is legal;
If it is determined that the resource data of third data to be downloaded is illegal, then the download of the third data is interrupted.
6. the method as described in claim 1-4 is any, which is characterized in that after the acquisition page load request, further include:
Using preset illegal resource identification model, the resource data of each data to be downloaded is identified, to judge to wait for down Whether the resource data of each data carried is legal;
If it is determined that the resource data of third data to be downloaded is illegal, then the download of the third data is interrupted.
7. a kind of Network traffic anomaly monitor method, which is characterized in that including:
Obtain the exception of network traffic message that client is sent, wherein the unexpected message includes right respectively with invalid data The resource data answered;
Using the resource data, processing is updated to illegal resource library, to generate updated illegal resource library;
The updated illegal resource library is sent respectively to each client.
8. the method for claim 7, which is characterized in that after the updated illegal resource library of generation, further include:
Using each illegal resource in the updated illegal resource library as training sample, training generates illegal resource and identifies mould Type;
The illegal resource identification model is sent respectively to each client.
9. the method for claim 7, which is characterized in that further include the attribute of client in the unexpected message;
It is described to further include before being updated processing to illegal resource library using the resource data:
It is for statistical analysis to the corresponding resource data of all invalid datas in preset time period, obtained, determine that target provides Source data and client terminal attribute corresponding with the target resource data;
It is described to utilize the resource data, processing is updated to illegal resource library, including:
Using the target resource data, pair it is updated place with the corresponding associated illegal resource library of client terminal attribute Reason.
10. a kind of Network traffic anomaly monitor device is applied to client, which is characterized in that including:
Acquisition module, for obtaining page load request, the load request includes target pages mark;
Determining module determines target downloading data amount for being identified according to the target pages;
Logging modle, when for recording the page load, the attribute information of each data of actual download, wherein the attribute Information includes the data volume of each data of actual download and corresponding resource data;
Judgment module, for judging whether the total amount of data of each data of the actual download is more than the target downloading data Amount;
If so, exception of network traffic message is sent to server, wherein the unexpected message includes the actual download The corresponding resource data of invalid data in data.
11. a kind of Network traffic anomaly monitor device is applied to server, which is characterized in that including:
Acquisition module, for obtain client transmission exception of network traffic message, wherein the unexpected message include with it is non- The corresponding resource data of method data;
Update module, it is updated illegal to generate for using the resource data, processing to be updated to illegal resource library Resources bank;
Sending module, for the updated illegal resource library to be sent respectively to each client.
12. a kind of electronic equipment, which is characterized in that including:Memory, processor and storage are on a memory and can be in processor The program of upper operation, which is characterized in that the processor is realized when executing described program as any in claim 1-6 or 7-9 The Network traffic anomaly monitor method.
13. a kind of computer readable storage medium, is stored thereon with computer program, which is characterized in that described program is handled The Network traffic anomaly monitor method as described in any in claim 1-6 or 7-9 is realized when device executes.
CN201810797725.6A 2018-07-19 2018-07-19 Network flow abnormity monitoring method and device, electronic equipment and storage medium Active CN108667855B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810797725.6A CN108667855B (en) 2018-07-19 2018-07-19 Network flow abnormity monitoring method and device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810797725.6A CN108667855B (en) 2018-07-19 2018-07-19 Network flow abnormity monitoring method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN108667855A true CN108667855A (en) 2018-10-16
CN108667855B CN108667855B (en) 2021-12-03

Family

ID=63788629

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810797725.6A Active CN108667855B (en) 2018-07-19 2018-07-19 Network flow abnormity monitoring method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN108667855B (en)

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109495343A (en) * 2018-11-20 2019-03-19 网宿科技股份有限公司 Processing method, device and the server of abnormal flow data
CN109739711A (en) * 2019-01-04 2019-05-10 广州虎牙信息科技有限公司 A kind of interface test method, device, equipment and storage medium
CN110008243A (en) * 2019-03-22 2019-07-12 新华三大数据技术有限公司 A kind of tables of data processing method and processing device
CN110445711A (en) * 2019-09-16 2019-11-12 陈兖清 A kind of data traffic monitoring system based on big data
CN111556080A (en) * 2020-05-18 2020-08-18 网易(杭州)网络有限公司 Network node monitoring method, device, medium and electronic equipment
CN112001758A (en) * 2020-08-26 2020-11-27 豆盟(北京)科技股份有限公司 Method and device for monitoring state abnormity of advertisement interactive page
CN113098875A (en) * 2021-04-02 2021-07-09 北京兰云科技有限公司 Network monitoring method and device
CN113452656A (en) * 2020-03-26 2021-09-28 百度在线网络技术(北京)有限公司 Method and device for identifying abnormal behaviors
CN113538022A (en) * 2020-04-10 2021-10-22 北京沃东天骏信息技术有限公司 Flow monitoring method, device, equipment and storage medium
CN114553486A (en) * 2022-01-20 2022-05-27 北京百度网讯科技有限公司 Illegal data processing method and device, electronic equipment and storage medium
CN114564369A (en) * 2022-04-28 2022-05-31 云账户技术(天津)有限公司 Application program abnormity monitoring method and device, electronic equipment and storage medium
CN115203292A (en) * 2022-09-15 2022-10-18 昆仑智汇数据科技(北京)有限公司 Data processing method, device and equipment of industrial equipment

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103001947A (en) * 2012-11-09 2013-03-27 北京奇虎科技有限公司 Program processing method and program processing system
US20140007217A1 (en) * 2011-11-28 2014-01-02 Dell Products, Lp System and Method for Incorporating Quality-of-Service and Reputation in an Intrusion Detection and Prevention System
CN106060046A (en) * 2016-05-30 2016-10-26 努比亚技术有限公司 Device for preventing downloading hijack, mobile terminal and method
CN106354750A (en) * 2016-08-15 2017-01-25 百度在线网络技术(北京)有限公司 Method and device for achieving searching
CN106713358A (en) * 2017-02-04 2017-05-24 国家电网公司信息通信分公司 Attack detection method and device
CN106982196A (en) * 2016-01-19 2017-07-25 阿里巴巴集团控股有限公司 A kind of abnormal access detection method and equipment
CN107633172A (en) * 2016-07-18 2018-01-26 北京搜狗科技发展有限公司 A kind of malicious web pages monitoring method and electronic equipment
CN107979561A (en) * 2016-10-21 2018-05-01 中国电信股份有限公司 For controlling the methods, devices and systems of malicious traffic stream

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140007217A1 (en) * 2011-11-28 2014-01-02 Dell Products, Lp System and Method for Incorporating Quality-of-Service and Reputation in an Intrusion Detection and Prevention System
CN103001947A (en) * 2012-11-09 2013-03-27 北京奇虎科技有限公司 Program processing method and program processing system
CN106982196A (en) * 2016-01-19 2017-07-25 阿里巴巴集团控股有限公司 A kind of abnormal access detection method and equipment
CN106060046A (en) * 2016-05-30 2016-10-26 努比亚技术有限公司 Device for preventing downloading hijack, mobile terminal and method
CN107633172A (en) * 2016-07-18 2018-01-26 北京搜狗科技发展有限公司 A kind of malicious web pages monitoring method and electronic equipment
CN106354750A (en) * 2016-08-15 2017-01-25 百度在线网络技术(北京)有限公司 Method and device for achieving searching
CN107979561A (en) * 2016-10-21 2018-05-01 中国电信股份有限公司 For controlling the methods, devices and systems of malicious traffic stream
CN106713358A (en) * 2017-02-04 2017-05-24 国家电网公司信息通信分公司 Attack detection method and device

Cited By (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109495343A (en) * 2018-11-20 2019-03-19 网宿科技股份有限公司 Processing method, device and the server of abnormal flow data
CN109495343B (en) * 2018-11-20 2021-04-02 网宿科技股份有限公司 Abnormal flow data processing method and device and server
CN109739711A (en) * 2019-01-04 2019-05-10 广州虎牙信息科技有限公司 A kind of interface test method, device, equipment and storage medium
CN109739711B (en) * 2019-01-04 2023-02-28 广州虎牙信息科技有限公司 Interface test method, device, equipment and storage medium
CN110008243A (en) * 2019-03-22 2019-07-12 新华三大数据技术有限公司 A kind of tables of data processing method and processing device
CN110008243B (en) * 2019-03-22 2021-05-07 新华三大数据技术有限公司 Data table processing method and device
CN110445711A (en) * 2019-09-16 2019-11-12 陈兖清 A kind of data traffic monitoring system based on big data
CN113452656B (en) * 2020-03-26 2022-10-11 百度在线网络技术(北京)有限公司 Method, apparatus, electronic device and computer readable medium for identifying abnormal behavior
CN113452656A (en) * 2020-03-26 2021-09-28 百度在线网络技术(北京)有限公司 Method and device for identifying abnormal behaviors
CN113538022A (en) * 2020-04-10 2021-10-22 北京沃东天骏信息技术有限公司 Flow monitoring method, device, equipment and storage medium
CN111556080A (en) * 2020-05-18 2020-08-18 网易(杭州)网络有限公司 Network node monitoring method, device, medium and electronic equipment
CN112001758A (en) * 2020-08-26 2020-11-27 豆盟(北京)科技股份有限公司 Method and device for monitoring state abnormity of advertisement interactive page
CN112001758B (en) * 2020-08-26 2024-01-30 豆盟(北京)科技股份有限公司 Advertisement interaction page state abnormality monitoring method and device
CN113098875B (en) * 2021-04-02 2023-01-10 北京兰云科技有限公司 Network monitoring method and device
CN113098875A (en) * 2021-04-02 2021-07-09 北京兰云科技有限公司 Network monitoring method and device
CN114553486A (en) * 2022-01-20 2022-05-27 北京百度网讯科技有限公司 Illegal data processing method and device, electronic equipment and storage medium
CN114553486B (en) * 2022-01-20 2023-07-21 北京百度网讯科技有限公司 Illegal data processing method and device, electronic equipment and storage medium
CN114564369A (en) * 2022-04-28 2022-05-31 云账户技术(天津)有限公司 Application program abnormity monitoring method and device, electronic equipment and storage medium
CN115203292A (en) * 2022-09-15 2022-10-18 昆仑智汇数据科技(北京)有限公司 Data processing method, device and equipment of industrial equipment
CN115203292B (en) * 2022-09-15 2022-11-25 昆仑智汇数据科技(北京)有限公司 Data processing method, device and equipment for industrial equipment

Also Published As

Publication number Publication date
CN108667855B (en) 2021-12-03

Similar Documents

Publication Publication Date Title
CN108667855A (en) Network traffic anomaly monitor method, apparatus, electronic equipment and storage medium
CN104685510B (en) Recognition application whether be rogue program method, system and storage medium
CN108234472A (en) Detection method and device, computer equipment and the readable medium of Challenging black hole attack
CN110442712B (en) Risk determination method, risk determination device, server and text examination system
CN113489713B (en) Network attack detection method, device, equipment and storage medium
CN109450886A (en) A kind of domain name recognition methods, system and electronic equipment and storage medium
CN109547426B (en) Service response method and server
CN103500307A (en) Mobile internet malignant application software detection method based on behavior model
CN103617393A (en) Method for mobile internet malicious application software detection based on support vector machines
CN108667770A (en) A kind of loophole test method, server and the system of website
CN109495513A (en) Unsupervised encryption malicious traffic stream detection method, device, equipment and medium
CN109241722A (en) For obtaining method, electronic equipment and the computer-readable medium of information
CN111355628B (en) Model training method, service identification method, device and electronic device
CN112437034B (en) False terminal detection method and device, storage medium and electronic device
CN110955890B (en) Method and device for detecting malicious batch access behaviors and computer storage medium
CN105227528B (en) To the detection method and device of the attack of Web server group
CN109740094A (en) Page monitoring method, equipment and computer storage medium
CN112347457A (en) Abnormal account detection method and device, computer equipment and storage medium
CN112003834B (en) Abnormal behavior detection method and device
CN110276183A (en) Reversed Turing verification method and device, storage medium, electronic equipment
WO2020258509A1 (en) Method and device for isolating abnormal access of terminal device
CN115119197B (en) Wireless network risk analysis method, device, equipment and medium based on big data
CN116303069A (en) Test method, device, upper computer, system and medium of vehicle-mounted terminal
CN110348438A (en) A kind of picture character identifying method, device and electronic equipment based on artificial nerve network model
CN115643044A (en) Data processing method, device, server and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant