CN109462593A - Network request anomaly detection method, device and electronic equipment

Publication number
CN109462593A
Authority
CN
China
Legal status
Granted
Application number
CN201811436041.XA
Other languages
Chinese (zh)
Other versions
CN109462593B (en)
Inventor
刘忠雨
李彦霖
陈国庆
Current Assignee
Wuhan Summit Network Technology Co Ltd
Original Assignee
Wuhan Summit Network Technology Co Ltd
Application filed by Wuhan Summit Network Technology Co Ltd
Priority to CN201811436041.XA
Publication of CN109462593A
Application granted
Publication of CN109462593B
Current legal status: Active

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425: Traffic logging, e.g. anomaly detection

Abstract

Embodiments of the present invention provide a network request anomaly detection method, device and electronic equipment. The method comprises: obtaining the device environment characteristic information carried by a network request packet and the device environment identification information in the User-Agent (UA) of that network request packet; calculating the degree of association between the device environment characteristic information and the device environment identification information; and, based on that degree of association, detecting whether the corresponding network request is abnormal. The embodiments take factors such as the device environment into account: by obtaining the device environment characteristic information in the network request packet and the device environment identification information in the UA, and calculating the degree of association between the two, abnormal network requests can be detected effectively, which improves network security defense and helps ensure network information security.

Description

Network request anomaly detection method, device and electronic equipment
Technical Field
Embodiments of the present invention relate to the field of Internet security technology, and more particularly to a network request anomaly detection method, device and electronic equipment.
Background
With the rapid development and wide application of Internet technology, information security has become a major problem in the Internet field. When attacking, hackers usually concentrate on cracking a single dimension, and attack by simulating the behavior of real people or real environments in large volume. Accordingly, behavior verification today also generally checks a single dimension, that is, network behavior is verified using the behavior trajectory alone.
Anomaly detection based on behavior trajectories is a basic security defense method. The behavior verification interaction is usually completed in a browser, and the process can generally be divided into two stages: the first stage is when the page has just been opened and information such as page elements is acquired and loaded; the second stage is after the page has finished loading, when the user completes the behavior verification.
Most existing behavior verification methods judge anomalies from the behavior trajectory. Although this defends against the attacks described above to some degree, for more complex network security threats, such as a hacker attacking from multiple dimensions, a security defense that relies only on behavior trajectory verification is clearly insufficient.
Summary of the Invention
In order to overcome the above problem, or at least partially solve it, embodiments of the present invention provide a network request anomaly detection method, device and electronic equipment, so as to effectively improve network security defense and ensure network information security.
In a first aspect, an embodiment of the present invention provides a network request anomaly detection method, comprising:
obtaining the device environment characteristic information carried by a network request packet and the device environment identification information in the UA of the network request packet;
calculating the degree of association between the device environment characteristic information and the device environment identification information, and, based on the degree of association, detecting whether the corresponding network request is abnormal.
In a second aspect, an embodiment of the present invention provides a network request anomaly detection device, comprising:
an information obtaining module, configured to obtain the device environment characteristic information carried by a network request packet and the device environment identification information in the UA of the network request packet;
a detection output module, configured to calculate the degree of association between the device environment characteristic information and the device environment identification information, and, based on the degree of association, to detect whether the corresponding network request is abnormal.
In a third aspect, an embodiment of the present invention provides an electronic device, comprising: at least one memory, at least one processor, a communication interface and a bus. The memory, the processor and the communication interface communicate with one another over the bus, and the communication interface is used for information transmission between the electronic device and the network requesting device. The memory stores a computer program that can run on the processor; when the processor executes the computer program, the network request anomaly detection method described in the first aspect is implemented.
In a fourth aspect, an embodiment of the present invention provides a non-transitory computer-readable storage medium storing computer instructions that cause a computer to perform the network request anomaly detection method described in the first aspect.
The network request anomaly detection method, device and electronic equipment provided by the embodiments of the present invention take factors such as the device environment into account. By obtaining the device environment characteristic information in the network request packet and the device environment identification information in the UA, and calculating the degree of association between the two, abnormal network requests can be detected effectively, which improves network security defense and helps ensure network information security.
Brief Description of the Drawings
In order to explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. The drawings described below show some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of the network request anomaly detection method provided by an embodiment of the present invention;
Fig. 2 is a structural diagram of the CNN model used in the network request anomaly detection method provided by an embodiment of the present invention;
Fig. 3 is a structural diagram of the network request anomaly detection device provided by an embodiment of the present invention;
Fig. 4 is a diagram of the physical structure of the electronic device provided by an embodiment of the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. The described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained from them by a person of ordinary skill in the art without creative effort fall within the scope of protection of the embodiments of the present invention.
Most existing behavior verification methods judge anomalies from the behavior trajectory. Although this defends against the attacks described above to some degree, for more complex network security threats, such as a hacker attacking from multiple dimensions, a security defense that relies only on behavior trajectory verification is clearly insufficient. The embodiments of the present invention take factors such as the device environment into account: by obtaining the device environment characteristic information in the network request packet and the device environment identification information in the UA, and calculating the degree of association between the two, abnormal network requests can be detected effectively, which improves network security defense and helps ensure network information security. The embodiments of the present invention are explained and introduced below through several embodiments.
Fig. 1 is a flow diagram of the network request anomaly detection method provided by an embodiment of the present invention. As shown in Fig. 1, the method includes:
S101: obtain the device environment characteristic information carried by the network request packet and the device environment identification information in the UA of the network request packet.
Unlike behavior trajectory anomaly detection, the embodiments of the present invention judge whether a network request is abnormal from the angle of the device environment, mining the internal associations of the device environment to provide a better guarantee for security defense. First, when a network request is issued as a result of network behavior, it carries characteristic information about the device environment used to send it, namely the device environment characteristic information, which includes, for example, information related to the hardware, operating system and browser of the device environment. When a network request is collected, the device environment characteristic information it carries can therefore be read.
At the same time, the user-agent (UA) field of the browser issuing the network request generally contains a characteristic string that describes information such as the application type, operating system and version number, so it can serve as an identifier of the device environment. When a network request is collected, this device environment identification information in the UA can therefore also be read.
S102: calculate the degree of association between the device environment characteristic information and the device environment identification information, and, based on the degree of association, detect whether the corresponding network request is abnormal.
In general, the device environment characteristic information of a device environment should match well with the device environment identification information recorded in the UA sent from that same device environment. That is, corresponding device environment characteristic information and device environment identification information should be as close as possible in feature space, while non-corresponding characteristic information and identification information should be as far apart as possible in feature space. Therefore, by measuring the degree of association between the device environment characteristic information and the device environment identification information carried by the network request under test, it can be detected whether the request is abnormal. For example, the degree of association can be calculated from the device environment characteristic information and the device environment identification information using a pre-trained convolutional neural network model.
The network request anomaly detection method provided by the embodiments of the present invention takes factors such as the device environment into account. By obtaining the device environment characteristic information in the network request packet and the device environment identification information in the UA, and calculating the degree of association between the two, abnormal network requests can be detected effectively, which improves network security defense and helps ensure network information security.
Furthermore, on the basis of the above embodiments, before the step of calculating the degree of association with the pre-trained convolutional neural network model, the method of the embodiments of the present invention further includes: based on a certain number of request program training samples, constructing, for the program page opening and loading stage and for the behavior verification stage respectively, the sequence of time differences between the actual return and the set return of a signal in the program, and generating sample device environment characteristic information; reading, from the UA of each program training sample, the device environment identification field that corresponds to the sample device environment characteristic information, and, for each piece of sample device environment characteristic information, obtaining a non-corresponding device environment identification field, as input for training the model; and, using a basic convolutional neural network model that has been established, iteratively learning the association between the sample device environment characteristic information and the sample device environment identification information, to obtain the pre-trained convolutional neural network model.
JavaScript, as the browser scripting language, is mainly used to handle logic such as user interaction in the page. Its purpose dictates that it can only execute on a single thread. If a program is set to return a signal every interval T, then, because of the single-thread limitation, when the browser is performing other computation there is a difference between the actual return time of the signal and the time set in the program. This time difference is associated with the page, the browser, the hardware device, and so on.
Normal users generally complete behavior verification through browser interaction, and the process can generally be divided into two stages. The first stage is the program page opening and loading stage, when the page has just been opened and information such as page elements is acquired and loaded. The second stage is the behavior verification stage, when the page has finished loading and the user completes the behavior verification. A certain number of actual normal network requests can be taken as request program training samples. In both stages, assuming a signal is set to be returned every interval T, the actual time interval between each two adjacent returns is recorded, which gives two sequences, $B1 = \{b_{11}, b_{12}, \ldots, b_{1T_1}\}$ and $B2 = \{b_{21}, b_{22}, \ldots, b_{2T_2}\}$, corresponding to the two stages respectively. These two sequences characterize the device environment to some extent, and the sample device environment characteristic information can be generated from them.
Besides the two features above that characterize the device environment, note the user-agent field of the browser: it contains a characteristic string that describes information such as the application type, operating system and version number, so it can serve as an identifier of the device environment. Given the device environment features B1, B2 and the identifier user-agent, the following association between them needs to be modeled: the distance between a user-agent and its corresponding features should be as small as possible, and the distance between a user-agent and non-corresponding features should be as large as possible. Therefore, when selecting training samples, the device environment identification field corresponding to the sample device environment characteristic information is read from the UA of the program training sample, in order to learn a small distance to the sample device environment characteristic information, and a device environment identification field that does not correspond to the sample device environment characteristic information is obtained, in order to learn a large distance to the sample device environment characteristic information. The corresponding and non-corresponding device environment identification fields together make up the sample device environment identification information.
In addition, to learn this association, the embodiments of the present invention propose a metric learning algorithm based on a convolutional neural network (CNN). A basic convolutional neural network model is first established according to the application; it is then trained and updated using the sample device environment characteristic information and sample device environment identification information extracted above, finally yielding the pre-trained convolutional neural network model used for actual anomaly detection.
Optionally, according to the above embodiments, the step of generating the sample device environment characteristic information specifically includes:
for the program page opening and loading stage and for the behavior verification stage, extending the corresponding time difference sequence to a fixed length by appending zeros, and extracting a device environment feature vector from each fixed-length time difference sequence;
concatenating the device environment feature vectors of the program page opening and loading stage and of the behavior verification stage to obtain the sample device environment characteristic information.
Since the lengths of the B1 and B2 extracted in the above embodiments may not be uniform, each is first extended to a fixed length L by appending zeros, and each is then passed through a feature extraction module built from a CNN to obtain a feature vector of fixed dimension, for example feature vectors $F_{B1}$ and $F_{B2}$ of dimension 32. $F_{B1}$ and $F_{B2}$ are then concatenated to obtain a 64-dimensional feature vector $F_B$ as the feature of B1 and B2, that is, the device environment characteristic information.
Optionally, according to the above embodiments, the step of forming the sample device environment identification information specifically includes: extracting the fields related to the device environment from the corresponding device environment identification field and from the non-corresponding device environment identification field respectively, and vectorizing that field information with an entity embedding algorithm to obtain the sample device environment identification information.
The embodiments of the present invention vectorize the user-agent. The user-agent contains strings describing the device. To vectorize it, the key information is extracted from it, such as the system type and bitness (for example Windows 32, Windows 64, Mac OSX) and the browser type and version (for example Chrome 69), and these are vectorized with the embedding (Embedding) technique to obtain the feature $F_{ua}$.
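The two input-preparation steps described above, as an added Python sketch that is not code from the patent: zero-padding B1/B2 to a fixed length and extracting the OS type/bitness and browser type/version from a UA string as ids for an embedding lookup. The value of `FIXED_LEN`, the truncation of over-long sequences, the regular expressions, the `Vocab` helper and the sample UA strings are all assumptions made for illustration.

```python
import re

FIXED_LEN = 8  # assumed value for the fixed length L; the patent gives none


def pad_sequence(seq, length=FIXED_LEN):
    """Post-pad a time-difference sequence (B1 or B2) with zeros to `length`.

    Truncating an over-long sequence is an assumption; the patent only
    describes padding.
    """
    values = [float(x) for x in seq[:length]]
    return values + [0.0] * (length - len(values))


# Order matters: Edge and Opera UAs also contain "Chrome/", and Chrome UAs
# also contain "Safari/", so the most specific token is tried first.
BROWSER_PATTERNS = [
    ("Edge", re.compile(r"Edge?/(\d+)")),
    ("Opera", re.compile(r"OPR/(\d+)")),
    ("Chrome", re.compile(r"Chrome/(\d+)")),
    ("Firefox", re.compile(r"Firefox/(\d+)")),
    ("Safari", re.compile(r"Version/(\d+).*Safari/")),
]


def ua_key_fields(ua):
    """Extract (OS type and bitness, browser type and major version)."""
    if "Windows" in ua:
        bits = "64" if re.search(r"Win64|WOW64|x64", ua) else "32"
        os_label = f"Windows {bits}"
    elif "iPhone" in ua or "iPad" in ua:
        os_label = "iOS"      # before Mac: iOS UAs say "like Mac OS X"
    elif "Mac OS X" in ua:
        os_label = "Mac OSX"
    elif "Android" in ua:
        os_label = "Android"  # before Linux: Android UAs contain "Linux"
    elif "Linux" in ua:
        os_label = "Linux"
    else:
        os_label = "unknown"
    for name, pattern in BROWSER_PATTERNS:
        match = pattern.search(ua)
        if match:
            return os_label, f"{name} {match.group(1)}"
    return os_label, "unknown"


class Vocab:
    """Label -> integer id for an embedding table; id 0 means 'unseen label'."""

    def __init__(self, labels):
        self.ids = {lab: i + 1 for i, lab in enumerate(sorted(set(labels)))}

    def encode(self, label):
        return self.ids.get(label, 0)


def build_model_input(b1, b2, ua, os_vocab, browser_vocab):
    """One sample: padded B1/B2 plus the ids the UA embedding would look up."""
    os_label, browser_label = ua_key_fields(ua)
    return {
        "b1": pad_sequence(b1),
        "b2": pad_sequence(b2),
        "os_id": os_vocab.encode(os_label),
        "browser_id": browser_vocab.encode(browser_label),
    }


# Constructed sample UA strings (not from the patent).
TRAIN_UAS = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 "
    "(KHTML, like Gecko) Version/12.0 Safari/605.1.15",
    "Mozilla/5.0 (Windows NT 6.1; rv:62.0) Gecko/20100101 Firefox/62.0",
]

if __name__ == "__main__":
    fields = [ua_key_fields(ua) for ua in TRAIN_UAS]
    os_vocab = Vocab(f[0] for f in fields)
    browser_vocab = Vocab(f[1] for f in fields)
    # Constructed timing differences in milliseconds for the two stages.
    print(build_model_input([16.2, 17.0, 31.5], [16.1, 16.4],
                            TRAIN_UAS[0], os_vocab, browser_vocab))
```

Reserving id 0 for labels never seen in training keeps an unfamiliar UA from raising an error at inference time; it is simply embedded as "unknown".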
In addition, on the basis of the above embodiments, before the step of detecting, based on the degree of association, whether the corresponding network request is abnormal, the method of the embodiments of the present invention further includes: setting an anomaly threshold based on the matching degree between the device environment characteristic information and the device environment identification information in non-abnormal network requests. Correspondingly, the step of detecting, based on the degree of association, whether the corresponding network request is abnormal specifically includes: comparing the degree of association with the anomaly threshold, and determining that the network request is abnormal when the degree of association is less than the anomaly threshold.
In practice, the anomaly threshold can be set according to the matching degree of real users and used as the reference standard for anomaly detection. When the degree of association calculated from a new network request packet is lower than the anomaly threshold, the network request is judged abnormal; otherwise it is judged normal.
To further explain the technical solutions of the embodiments of the present invention, the following specific embodiment is provided on the basis of the above embodiments; it does not limit the scope of protection of the embodiments of the present invention.
Fig. 2 is a structural diagram of the CNN model used in the network request anomaly detection method provided by an embodiment of the present invention. As shown in Fig. 2, the overall framework of the model is divided into four parts:
Input: to model the association, the input of the algorithm is a triple consisting of the browser features B1, B2, the corresponding UA data (denoted UA+), and an additional non-corresponding UA data item (denoted UA-), which is obtained by randomly selecting from the UA list a UA data item that is inconsistent with UA+.
B1, B2 feature extraction module: since the lengths of B1 and B2 are not uniform, each is first padded with trailing zeros to a fixed length L and then passed through a feature extraction module built from a CNN to obtain feature vectors $F_{B1}$, $F_{B2}$ of dimension 32; $F_{B1}$ and $F_{B2}$ are concatenated to obtain a 64-dimensional feature vector $F_B$ as the feature of B1, B2.
User-agent vectorization: the user-agent contains strings describing the device. To vectorize it, the key information is extracted from it: system type and bitness (for example Windows 32, Windows 64, Mac OSX) and browser type and version (for example Chrome 69). These are vectorized with the embedding (Embedding) technique to obtain the feature $F_{ua}$.
Loss function: to supervise the model in learning the association described above, a triplet loss is used. The purpose of this loss function is to make the distance between paired features, that is, between $F_B$ and $F_{ua+}$, as small as possible, and the distance between unpaired features, that is, between $F_B$ and $F_{ua-}$, as large as possible. Under the supervision of this loss function the model is updated iteratively, so that it learns the above distance relationship.
After training, the model is able to capture the relationship between the features B1, B2 and the device environment. Faced with this scheme, the approach a hacker generally uses is to randomly generate a large amount of B1, B2 data and carry a random UA in the request. In that case, because the generated B1, B2 depart from any real environment, the model can easily determine that the matching degree between B1, B2 and the UA is very low. A threshold is set according to the matching degree of real users; when the matching degree of newly arrived data is lower than the threshold it is judged abnormal, otherwise normal.
First, based on the characteristics of the browser, the embodiments of the present invention propose a feature that characterizes the device environment, namely the sequence formed by the actual time differences between signals that the browser returns at fixed intervals. This sequence is influenced by factors such as the device environment, so it can serve as a feature describing the device environment. Further, based on this sequence and the user-agent, a CNN-based metric learning framework is proposed. The framework can learn the association between the sequence features and the user-agent: when they match, their distance in feature space is small; when they do not match, their distance in feature space is large. Finally, using this model, whether a request is abnormal can be judged from the matching degree between the feature sequence and the user-agent; exploiting this association within the device's own data improves the capability of security defense.
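The triple construction, loss and threshold decision described in this embodiment, as an added Python sketch that is not code from the patent and operates on embeddings that a trained model would already have produced. The margin value, the use of Euclidean distance, taking the negative distance as the matching degree, choosing the threshold as a low percentile of real-user matching degrees, and the 4-dimensional sample vectors are all assumptions for illustration.

```python
import math
import random

MARGIN = 1.0  # assumed; the patent names the loss but gives no margin


def distance(a, b):
    """Euclidean distance between two feature vectors of equal dimension."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def sample_negative_ua(ua_pos, ua_list, rng=random):
    """Pick UA-: a random entry of the UA list that is inconsistent with UA+."""
    candidates = [ua for ua in ua_list if ua != ua_pos]
    if not candidates:
        raise ValueError("UA list holds no entry that differs from UA+")
    return rng.choice(candidates)


def triplet_loss(f_b, f_ua_pos, f_ua_neg, margin=MARGIN):
    """Zero once F_B is closer to F_ua+ than to F_ua- by at least `margin`."""
    return max(0.0, distance(f_b, f_ua_pos) - distance(f_b, f_ua_neg) + margin)


def match_degree(f_b, f_ua):
    """Matching degree, assumed here to be the negative distance (larger = closer)."""
    return -distance(f_b, f_ua)


def threshold_from_real_users(degrees, percentile=5):
    """Anomaly threshold taken as a low percentile of real-user matching degrees."""
    ordered = sorted(degrees)
    return ordered[len(ordered) * percentile // 100]


def is_anomalous(degree, threshold):
    """A request is abnormal when its matching degree is below the threshold."""
    return degree < threshold


if __name__ == "__main__":
    # Constructed 4-dimensional embeddings standing in for F_B and F_ua.
    f_b = [0.0, 0.0, 0.0, 0.0]
    f_ua_pos = [0.0, 1.0, 0.0, 0.0]   # UA that belongs to this environment
    f_ua_neg = [3.0, 4.0, 0.0, 0.0]   # UA drawn at random from the UA list
    print("loss, well-separated triple:", triplet_loss(f_b, f_ua_pos, f_ua_neg))
    print("loss, violated triple:      ", triplet_loss(f_b, f_ua_neg, f_ua_pos))

    # Constructed matching degrees observed for real users.
    real_user_degrees = [-1.0, -0.5, -2.0, -1.5]
    threshold = threshold_from_real_users(real_user_degrees, percentile=25)
    for label, f_ua in (("matching UA", f_ua_pos), ("random UA", f_ua_neg)):
        degree = match_degree(f_b, f_ua)
        print(label, degree, "abnormal" if is_anomalous(degree, threshold) else "normal")
```

The percentile fixes the false-positive rate on genuine traffic, so it should be chosen from held-out real-user requests rather than from the training triples.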
As another aspect of the embodiments of the present invention, a network request anomaly detection device is provided on the basis of the above embodiments; the device is used to implement the network request anomaly detection of the above embodiments. The descriptions and definitions given for the network request anomaly detection method in the above embodiments therefore also apply to each execution module in this embodiment; refer to the above embodiments for details, which are not repeated here.
According to one embodiment of the present invention, the structure of the network request anomaly detection device is shown in Fig. 3, a structural diagram of the network request anomaly detection device provided by an embodiment of the present invention. The device can be used to implement the network request anomaly detection of the above method embodiments and includes an information obtaining module 301 and a detection output module 302, where:
the information obtaining module 301 is configured to obtain the device environment characteristic information carried by the network request packet and the device environment identification information in the UA of the network request packet; the detection output module 302 is configured to calculate the degree of association between the device environment characteristic information and the device environment identification information, and, based on the degree of association, to detect whether the corresponding network request is abnormal.
Specifically, when a network request is issued as a result of network behavior, the network request packet that is sent can carry characteristic information about the device environment used to send the request, namely the device environment characteristic information, which includes, for example, hardware, operating system and browser information. When a network request is collected, the information obtaining module 301 can therefore read the device environment characteristic information it carries.
At the same time, the user-agent (UA) field of the browser issuing the network request generally contains a characteristic string that describes information such as the application type, operating system and version number, so it can serve as an identifier of the device environment. When a network request is collected, the information obtaining module 301 can therefore also read this device environment identification information in the UA.
By measuring the degree of association between the device environment characteristic information and the device environment identification information carried by the network request under test, the detection output module 302 can detect whether the corresponding network request is abnormal. For example, the detection output module 302 can calculate the degree of association from the device environment characteristic information and the device environment identification information using the pre-trained convolutional neural network model.
By providing the corresponding execution modules, the network request anomaly detection device provided by the embodiments of the present invention takes factors such as the device environment into account. By obtaining the device environment characteristic information in the network request packet and the device environment identification information in the UA, and calculating the degree of association between the two, abnormal network requests can be detected effectively, which improves network security defense and helps ensure network information security.
It can be understood that, in the embodiments of the present invention, each program module of the device in the above embodiments can be implemented by a hardware processor. Using these program modules, the network request anomaly detection device of the embodiments of the present invention can carry out the network request anomaly detection process of the above method embodiments. When it is used to implement the network request anomaly detection of those method embodiments, the device produces the same beneficial effects as the corresponding method embodiments; refer to the above method embodiments for details, which are not repeated here.
As another aspect of the embodiments of the invention, this embodiment provides an electronic device according to the above embodiments. Referring to Fig. 4, which is a schematic diagram of the physical structure of the electronic device provided by an embodiment of the invention, the device includes: at least one memory 401, at least one processor 402, a communication interface 403 and a bus 404.
The memory 401, the processor 402 and the communication interface 403 communicate with one another over the bus 404, and the communication interface 403 is used for information transmission between the electronic device and the network requesting device. The memory 401 stores a computer program that can run on the processor 402; when the processor 402 executes the computer program, it implements the network request anomaly detection method described in the above embodiments.
It will be understood that the electronic device includes at least the memory 401, the processor 402, the communication interface 403 and the bus 404, and that the memory 401, the processor 402 and the communication interface 403 are communicatively connected to one another through the bus 404 and can communicate with one another; for example, the processor 402 reads the program instructions of the network request anomaly detection method from the memory 401. In addition, the communication interface 403 can also provide the communication connection between the electronic device and the network requesting device and carry the information transmitted between them; for example, network request anomaly detection is carried out through the communication interface 403.
When the electronic device runs, the processor 402 calls the program instructions in the memory 401 to execute the method provided by each of the above method embodiments, for example: separately obtaining the device environment feature information carried by the network request data and the device environment identification information in the UA of the network request data; calculating the degree of association between the device environment feature information and the device environment identification information; and, based on the degree of association, detecting whether the corresponding network request is anomalous.
When the program instructions in the memory 401 are implemented in the form of software functional units and sold or used as an independent product, they may be stored in a computer-readable storage medium. Alternatively, all or part of the steps of the above method embodiments may be carried out by hardware driven by program instructions; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disc.
According to the above embodiments, an embodiment of the invention also provides a non-transitory computer-readable storage medium that stores computer instructions. The computer instructions cause a computer to execute the network request anomaly detection method described in the above embodiments, for example: separately obtaining the device environment feature information carried by the network request data and the device environment identification information in the UA of the network request data; calculating the degree of association between the device environment feature information and the device environment identification information; and, based on the degree of association, detecting whether the corresponding network request is anomalous.
The electronic device and the non-transitory computer-readable storage medium provided by the embodiments of the invention, by executing the network request anomaly detection method described in the above embodiments, take into account the influence of factors such as the device environment: they obtain the device environment feature information in the network request data and the device environment identification information in the UA, and calculate the degree of association between the two, so as to effectively detect anomalous network requests. This can effectively improve network security defence performance and safeguard network information security.
It will be understood that the embodiments of the apparatus, electronic device and storage medium described above are merely illustrative. The units described as separate components may or may not be physically separate; they may be located in one place or distributed over different network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement this without creative effort.
From the description of the above embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by means of software plus a necessary general-purpose hardware platform, and of course also by hardware. Based on this understanding, the above technical solution in essence, or the part of it that contributes to the prior art, can be embodied in the form of a software product. The computer software product may be stored in a computer-readable storage medium, such as a USB flash drive, a removable hard disk, ROM, RAM, a magnetic disk or an optical disc, and includes instructions that cause a computer device (such as a personal computer, a server or a network device) to execute the methods described in the above method embodiments or in certain parts of them.
In addition, those skilled in the art should understand that, in the application documents of the embodiments of the invention, the terms "include", "comprise" and any variants of them are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to that process, method, article or device. Without further limitation, an element introduced by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes it.
Numerous specific details are set forth in the specification of the embodiments of the invention. It should be understood, however, that the embodiments of the invention can be practised without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this specification. Similarly, it should be understood that, in order to streamline the disclosure and aid understanding of one or more of the various inventive aspects, the features of the embodiments of the invention are sometimes grouped together in a single embodiment, figure or description of it in the above description of exemplary embodiments.
However, this method of disclosure should not be interpreted as reflecting an intention that the claimed embodiments require more features than are expressly recited in each claim. More precisely, as the claims reflect, the inventive aspects lie in fewer than all the features of a single embodiment disclosed above. Therefore, the claims that follow the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the embodiments of the invention.
Finally, it should be noted that the above embodiments only illustrate the technical solutions of the embodiments of the invention and do not limit them. Although the embodiments of the invention have been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that they can still modify the technical solutions described in the foregoing embodiments or make equivalent replacements of some of their technical features, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the invention.

Claims (9)

1. A network request anomaly detection method, characterized by comprising:
separately obtaining the device environment feature information carried by network request data and the device environment identification information in the UA of the network request data;
calculating the degree of association between the device environment feature information and the device environment identification information, and, based on the degree of association, detecting whether the corresponding network request is anomalous.
2. The method according to claim 1, characterized in that the step of calculating the degree of association between the device environment feature information and the device environment identification information specifically comprises:
based on the device environment feature information and the device environment identification information, calculating the degree of association using a pre-trained convolutional neural network model.
3. The method according to claim 2, characterized in that, before the step of calculating the degree of association using the pre-trained convolutional neural network model, the method further comprises:
based on a certain number of request-program training samples, constructing, for the program page opening and loading stage and for the behavior verification stage respectively, a time-difference sequence between the actual return and the set return of the program's return signals, and generating sample device environment feature information;
reading, from the UA of the program training samples, the device environment identification fields that correspond to the sample device environment feature information and, for each piece of sample device environment feature information, obtaining non-corresponding device environment identification fields, to constitute sample device environment identification information;
using an established base convolutional neural network model, iteratively learning the association between the sample device environment feature information and the sample device environment identification information, to obtain the pre-trained convolutional neural network model.
4. The method according to claim 3, characterized in that the step of generating the sample device environment feature information specifically comprises:
for the program page opening and loading stage and for the behavior verification stage, extending the corresponding time-difference sequence to a fixed length by trailing zero padding, and extracting a device environment feature vector from each fixed-length time-difference sequence;
concatenating the device environment feature vectors corresponding to the program page opening and loading stage and to the behavior verification stage, to obtain the sample device environment feature information.
5. The method according to claim 3, characterized in that the step of constituting the sample device environment identification information specifically comprises:
extracting the device-environment-related field information from the corresponding device environment identification fields and from the non-corresponding device environment identification fields respectively, and vectorizing the device-environment-related field information using an entity embedding algorithm, to obtain the sample device environment identification information.
6. The method according to claim 1, characterized in that, before the step of detecting, based on the degree of association, whether the corresponding network request is anomalous, the method further comprises:
setting an anomaly threshold based on the degree of matching between the device environment feature information and the device environment identification information in non-anomalous network requests;
correspondingly, the step of detecting, based on the degree of association, whether the corresponding network request is anomalous specifically comprises:
comparing the degree of association with the anomaly threshold and, when the degree of association is less than the anomaly threshold, determining that the network request is anomalous.
7. A network request anomaly detection apparatus, characterized by comprising:
an information obtaining module, configured to separately obtain the device environment feature information carried by network request data and the device environment identification information in the UA of the network request data;
a detection output module, configured to calculate the degree of association between the device environment feature information and the device environment identification information and, based on the degree of association, detect whether the corresponding network request is anomalous.
8. An electronic device, characterized by comprising: at least one memory, at least one processor, a communication interface and a bus;
the memory, the processor and the communication interface communicate with one another over the bus, and the communication interface is also used for information transmission between the electronic device and a network requesting device;
the memory stores a computer program that can run on the processor, and the processor, when executing the computer program, implements the method according to any one of claims 1 to 6.
9. A non-transitory computer-readable storage medium, characterized in that the non-transitory computer-readable storage medium stores computer instructions, and the computer instructions cause a computer to execute the method according to any one of claims 1 to 6.
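The feature preparation of claim 4 and the threshold decision of claim 6 can be exercised end to end with a small stand-in for the pre-trained convolutional neural network. The Python below is an added example, not code from the patent: the cosine-to-centroid scorer, the fixed length of 6, the minimum-minus-margin threshold rule, all function names, and the sample timings and UA strings are assumptions constructed for illustration.

```python
import math

FIXED_LEN = 6  # assumed fixed length; the patent does not give a value
OS_TOKENS = (("Windows NT", "windows"), ("Android", "android"), ("iPhone", "ios"),
             ("Mac OS X", "macos"), ("Linux", "linux"))  # order matters: Android UAs also say Linux
BROWSER_TOKENS = ("Edge", "Firefox", "Chrome", "Safari")  # order matters: Chrome UAs also say Safari

def pad(diffs, n=FIXED_LEN):
    """Claim 4: extend a time-difference sequence to fixed length with trailing zeros."""
    seq = [float(d) for d in diffs[:n]]  # truncating longer input is an assumption
    return seq + [0.0] * (n - len(seq))

def feature_vector(load_diffs, verify_diffs):
    """Claim 4: concatenate the page open/load stage and behavior verification stage vectors."""
    return pad(load_diffs) + pad(verify_diffs)

def ua_environment(ua):
    """Reduce a User-Agent string to the (operating system, browser) it claims."""
    os_name = next((name for tok, name in OS_TOKENS if tok in ua), "unknown")
    browser = next((b.lower() for b in BROWSER_TOKENS if b + "/" in ua), "unknown")
    return os_name, browser

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0

def fit_centroids(benign):
    """Stand-in for the pre-trained CNN: mean timing vector per claimed UA environment."""
    groups = {}
    for vec, ua in benign:
        groups.setdefault(ua_environment(ua), []).append(vec)
    return {env: [sum(col) / len(vecs) for col in zip(*vecs)] for env, vecs in groups.items()}

def association(vec, ua, centroids):
    """Degree of association between measured timings and the environment the UA claims."""
    centroid = centroids.get(ua_environment(ua))
    return cosine(vec, centroid) if centroid else 0.0  # unseen environment scores lowest

def anomaly_threshold(benign, centroids, margin=0.05):
    """Claim 6: threshold from non-anomalous requests (minimum minus margin is assumed)."""
    return min(association(vec, ua, centroids) for vec, ua in benign) - margin

def is_anomalous(vec, ua, centroids, threshold):
    """Claim 6: anomalous when the degree of association is below the threshold."""
    return association(vec, ua, centroids) < threshold

# Constructed sample data (timings in milliseconds); not measurements from the patent.
WIN_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36")
ANDROID_UA = ("Mozilla/5.0 (Linux; Android 8.0.0; Pixel 2) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/70.0.3538.80 Mobile Safari/537.36")
BENIGN = [
    (feature_vector([5, 7, 6], [20, 22]), WIN_UA),
    (feature_vector([6, 6, 7], [21, 20]), WIN_UA),
    (feature_vector([40, 55, 60, 48], [90, 110, 95]), ANDROID_UA),
    (feature_vector([42, 50, 58, 50], [95, 105, 100]), ANDROID_UA),
]
CENTROIDS = fit_centroids(BENIGN)
THRESHOLD = anomaly_threshold(BENIGN, CENTROIDS)
MOBILE_TIMING = feature_vector([41, 53, 61, 47], [92, 108, 96])  # mobile-like timing profile

if __name__ == "__main__":
    for label, ua in (("claims Windows", WIN_UA), ("claims Android", ANDROID_UA)):
        score = association(MOBILE_TIMING, ua, CENTROIDS)
        print(label, round(score, 3), is_anomalous(MOBILE_TIMING, ua, CENTROIDS, THRESHOLD))
```

The same timing vector passes when the UA claims the environment it was measured in and is flagged when the UA claims a different one, which is the mismatch the claims target.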
CN201811436041.XA 2018-11-28 2018-11-28 Network request anomaly detection method and device and electronic equipment Active CN109462593B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811436041.XA CN109462593B (en) 2018-11-28 2018-11-28 Network request anomaly detection method and device and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811436041.XA CN109462593B (en) 2018-11-28 2018-11-28 Network request anomaly detection method and device and electronic equipment

Publications (2)

Publication Number Publication Date
CN109462593A true CN109462593A (en) 2019-03-12
CN109462593B CN109462593B (en) 2021-03-02

Family

ID=65611898

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811436041.XA Active CN109462593B (en) 2018-11-28 2018-11-28 Network request anomaly detection method and device and electronic equipment

Country Status (1)

Country Link
CN (1) CN109462593B (en)

Also Published As

Publication number Publication date
CN109462593B (en) 2021-03-02

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant