CN111865987A - Cheating flow processing method, device, equipment and storage medium - Google Patents


Info

Publication number
CN111865987A
Authority
CN
China
Prior art keywords
user
cheating
blacklist
current
access
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202010706306.4A
Other languages
Chinese (zh)
Other versions
CN111865987B (en)
Inventor
周忠涛
贾军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Baidu Netcom Science and Technology Co Ltd
Original Assignee
Beijing Baidu Netcom Science and Technology Co Ltd
Application filed by Beijing Baidu Netcom Science and Technology Co Ltd
Priority to CN202010706306.4A
Publication of CN111865987A
Application granted
Publication of CN111865987B
Legal status: Active

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102: Entity profiles
    • H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227: Filtering policies
    • H04L63/0236: Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425: Traffic logging, e.g. anomaly detection
    • H04L63/1441: Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The application discloses a method, a device, equipment and a storage medium for cheating traffic processing, and relates to the fields of internet, network security, network traffic monitoring, cloud computing and the like. The specific implementation scheme is as follows: in response to an access request of a user, if the user is judged to be a cheating user and, according to user information and access data of the user, the user meets at least one handling condition of a black-and-white list mechanism, cheating handling is performed on the access request based on the black-and-white list mechanism. This effectively intercepts cheating traffic while reducing interference with normal users.

Description

Cheating flow processing method, device, equipment and storage medium
Technical Field
The embodiment of the application relates to the fields of internet, network security, network traffic monitoring, cloud computing and the like in computer technology, in particular to a method, a device, equipment and a storage medium for cheating traffic processing.
Background
With the development of the internet, the proportion of non-human traffic on the network keeps increasing. Non-human traffic includes traffic from crawlers that index websites, such as those of search engines; this traffic follows the industry-agreed robots protocol and brings expected traffic to websites. It also includes traffic that does not follow the robots protocol and that, by simulating user behavior, maliciously scrapes large amounts of website content for illegal profit; this is the cheating traffic described in this application.
Cheating traffic puts great pressure on a website service provider: it occupies website bandwidth resources, consumes website service capacity, affects access by normal users, and may infringe the intellectual property of the website service provider, causing the provider huge losses.
Disclosure of Invention
The application provides a method, a device, equipment and a storage medium for cheating traffic processing.
According to an aspect of the present application, there is provided a method for cheating traffic processing, applied to a cloud service gateway, the method including:
in response to an access request of a user, if the user is judged to be a cheating user and, according to user information and access data of the user, the user meets at least one handling condition of a black-and-white list mechanism, performing cheating handling on the access request based on the black-and-white list mechanism.
According to another aspect of the present application, there is provided an apparatus for cheating traffic processing, comprising:
a black-and-white list module, configured to, in response to an access request of a user, if the user is judged to be a cheating user and, according to the user information and the access data of the user, the user meets at least one handling condition of the black-and-white list mechanism, perform cheating handling on the access request based on the black-and-white list mechanism.
According to another aspect of the present application, there is provided an electronic device including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method described above.
According to another aspect of the present application, there is provided a non-transitory computer readable storage medium having stored thereon computer instructions for causing the computer to perform the method described above.
According to another aspect of the present application, there is provided a method of cheating traffic handling, comprising:
responding to an access request of a user, and if the user is judged to be a cheating user, carrying out cheating treatment on the access request based on a black-and-white list mechanism and a verification code mechanism.
According to the technology of the application, the cheating flow can be effectively intercepted, and meanwhile, the interference to the normal user is reduced.
It should be understood that the statements in this section do not necessarily identify key or critical features of the embodiments of the present application, nor do they limit the scope of the present application. Other features of the present application will become apparent from the following description.
Drawings
The drawings are included to provide a better understanding of the present solution and are not intended to limit the present application. Wherein:
Fig. 1 is a system architecture for detecting and handling cheating traffic according to an embodiment of the present application;
Fig. 2 is a flowchart of a method for processing cheating traffic according to a first embodiment of the present application;
Fig. 3 is a flowchart of a method for cheating traffic handling according to a second embodiment of the present application;
Fig. 4 is an overall framework diagram of a cheating traffic detection handling system provided in a third embodiment of the present application;
Fig. 5 is a flowchart of a method for cheating traffic handling according to a third embodiment of the present application;
Fig. 6 is a schematic diagram of a cheating traffic processing apparatus according to a fourth embodiment of the present application;
Fig. 7 is a schematic diagram of a cheating traffic processing apparatus according to a fifth embodiment of the present application;
Fig. 8 is a schematic diagram of a cheating traffic processing apparatus according to a sixth embodiment of the present application;
Fig. 9 is a block diagram of an electronic device for implementing a method of cheating traffic handling according to an embodiment of the application.
Detailed Description
The following description of the exemplary embodiments of the present application, taken in conjunction with the accompanying drawings, includes various details of the embodiments of the application for the understanding of the same, which are to be considered exemplary only. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the present application. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
The application provides a method, a device, equipment and a storage medium for processing cheating traffic, which are applied to the fields of Internet, network security, network traffic monitoring, cloud computing and the like in computer technology, so as to achieve the purposes of effectively intercepting the cheating traffic and reducing the interference to normal users.
The embodiment of the application is applied to a cheating traffic detection and handling system. Fig. 1 shows the architecture of this system: as shown in Fig. 1, it comprises a business system, a cheating analysis server and a cloud service gateway. JS (JavaScript) instrumentation (tracking points) can be embedded in the front-end pages of the business system. When a user accesses a page, the JS loaded with the page collects information such as the user's device, IP (Internet Protocol) address and browser version, and reports this JS information to the cheating analysis server. The cheating analysis server judges from the JS information whether the user is a cheating user, encrypts the judgment result and writes it into the cookie of the front-end page. When the user accesses the page again, the cloud service gateway can decrypt and parse the encrypted value in the cookie to obtain the judgment result of whether the user is a cheating user. The cloud service gateway performs the corresponding cheating handling on access requests of cheating users. By combining a black-and-white list mechanism with a verification code mechanism, it effectively intercepts cheating traffic while reducing interference with normal users and resource consumption of the business system as far as possible, and it can also reduce the pressure on the verification code server. The business system allows or blocks the current access request according to the cheating handling result of the cloud service gateway.
In addition, the cloud service gateway records user access logs and reports them to the cheating analysis server in real time. The cheating analysis server can analyze the user access logs to obtain analysis results, including IP access frequency information, whether the access comes from a preset cloud service provider, whether the access carries information reported by the JS instrumentation, and the like, and outputs in real time, according to the analysis results, a list of suspected cheating IPs and the cheating validity period corresponding to each IP. The cloud service gateway may pull the cheating IP list and the cheating validity period corresponding to each IP from the cheating analysis server.
Fig. 2 is a flowchart of a method for processing cheating traffic according to a first embodiment of the present application. The execution subject of the embodiment is a cloud service gateway. As shown in fig. 2, the method comprises the following specific steps:
Step S101, in response to an access request of a user, if the user is judged to be a cheating user and, according to user information and access data of the user, the user meets at least one handling condition of a black-and-white list mechanism, cheating handling is performed on the access request based on the black-and-white list mechanism.
The user information includes the user identifier, the current IP of the user, the user access parameters, the access times, the verification failure times, and the like.
In this embodiment, the black-and-white list mechanism may include at least one of the following: user blacklists at user level, user whitelists at user level, IP blacklists at IP level, and IP whitelists at IP level.
Access requests from some IPs can be blocked directly based on the IP blacklist, access requests from some users can be blocked directly based on the user blacklist, access requests from some IPs can be allowed directly based on the IP whitelist, and access requests from some users can be allowed directly based on the user whitelist.
For users who meet a handling condition of the black-and-white list mechanism, their access requests can be handled directly through the black-and-white list mechanism without verification code checking. Cheating traffic can be blocked accurately, interference with users in the white list is avoided, and the verification code checking load is reduced.
According to the embodiment of the application, multiple handling conditions of the black-and-white list mechanism are set flexibly, so that for a user who meets a handling condition of the black-and-white list mechanism, the access request can be handled directly through the black-and-white list mechanism without verification code checking; the verification code is checked based on the verification code mechanism only when the user does not meet the handling conditions of the black-and-white list mechanism. In this way cheating traffic can be blocked accurately and intercepted effectively, interference with users in the white list is avoided, interference with normal users and resource consumption are reduced as far as possible, and the pressure on the business system and the verification code server is reduced.
Fig. 3 is a flowchart of a method for processing cheating traffic according to a second embodiment of the present application. On the basis of the first embodiment, in this embodiment, if the user does not satisfy the handling conditions of the black-and-white list mechanism, cheating handling is performed on the access request based on a verification code mechanism. Considering that the capacity of the verification code service is far smaller than that of the cloud service gateway, a multi-level black-and-white list mechanism is combined with the verification code mechanism, so that cheating traffic can be blocked as much as possible while interference with users is reduced as much as possible, and the service pressure on the business system is reduced.
Specifically, the black-and-white list mechanism may include an IP black list at an IP level and a user black list and a user white list at a user level.
The user blacklist is used to block a specified user. The user blacklist admission rule may be: after a user is judged to be a cheating user, the user's number of verification failures is greater than a second threshold; or the verification code passes the verification, but the unit time access amount of the user is greater than the first threshold. The first threshold and the second threshold may be configured and adjusted according to the actual application scenario, and this embodiment does not specifically limit them.
The role of the IP blacklist is: users who hit the IP blacklist can be denied access directly, that is, they are blocked by the IP dimension. The IP blacklist admission rules may be: an IP is in the cheating IP list and the number of verification failures of the IP is greater than a third threshold; or an IP is in the cheating IP list and the number of blacklisted users under the IP is greater than a fourth threshold.
The user white list is used to allow a specified user direct access. The user white list admission rules may include: the user is determined to be a cheating user, but the user has passed verification code checking.
In this embodiment, according to the user information and the access data of the user, if the user satisfies at least one handling condition of the black-and-white list mechanism, the cheating handling is performed on the access request based on the black-and-white list mechanism, where the cheating handling includes at least one of the following:
(1) If the current IP of the user hits the IP blacklist, or the user is in the user blacklist and the validity period of the user blacklist is not expired, the access request is blocked.
(2) If the user is in the user white list and the validity period of the user white list is not expired, the unit time access amount of the user is determined; if the unit time access amount of the user is less than or equal to the first threshold, the access request is allowed, the user's number of verification failures is cleared, and the user's access count is updated; if the unit time access amount of the user is greater than the first threshold, the user is added to the user blacklist and the access request is blocked.
(3) If the user is in the user blacklist and the validity period of the user blacklist is expired, or the user is in the user white list and the validity period of the user white list is expired, the verification code is checked.
(4) If the verification code check fails, the user's number of verification failures and the current IP's number of verification failures are updated; if the verification code check succeeds, the access request is allowed, the user's number of verification failures is cleared and the user's access count is updated.
(5) If the user's number of verification failures is greater than the second threshold, the user is added to the user blacklist, the user's number of verification failures is cleared, and the number of blacklisted users under the current IP is updated.
(6) If the number of blacklisted users under the current IP is greater than the fourth threshold and the current IP is in the cheating IP list, the current IP is added to the IP blacklist and the IP blacklist validity period of the current IP is set.
(7) If the number of verification failures of the current IP is greater than a third threshold and the current IP is in the cheating IP list, the current IP is added to the IP blacklist and the IP blacklist validity period of the current IP is set.
(8) If the verification code check succeeds, the user is added to the user white list, and the validity period of the user white list is set.
In this embodiment, the handling conditions of the black-and-white list mechanism include at least one condition that needs to be satisfied. For example: the user's current IP hits the IP blacklist; the user is in the user blacklist and the validity period of the user blacklist is not expired; the user is in the user white list and the validity period of the user white list is not expired; the unit time access amount of the user is less than or equal to the first threshold; the unit time access amount of the user is greater than the first threshold; the user is in the user blacklist and the validity period of the user blacklist is expired; the user is in the user white list and the validity period of the user white list is expired; the verification code check fails; the verification code check succeeds; the user's number of verification failures is greater than the second threshold; the number of blacklisted users under the current IP is greater than the fourth threshold and the current IP is in the cheating IP list; the number of verification failures of the current IP is greater than the third threshold and the current IP is in the cheating IP list; and so on.
In a possible implementation manner, as shown in fig. 3, the method for processing the cheating traffic may specifically be implemented by the following steps:
Step S201, in response to the access request of the user, determining whether the user is a cheating user.
In this embodiment, the cookie may carry an encrypted string that stores user status information, where the user status information includes the determination result of whether the user is a cheating user. In addition, the user status information may further include: the time of redirection to the verification code page, the access count, the number of verification failures, the user white list validity period, the user blacklist validity period and the like.
In this step, in response to the access request of the user, user state information may be acquired from a cookie of the current access request, where the user state information includes a determination result of whether the user is a cheating user.
In this step, if it is determined that the user is not a cheating user, step S202 is performed to allow the access request and perform normal access.
If the user is determined to be a cheating user, step S203 and the subsequent steps are executed to perform cheating treatment on the current access request.
Step S202, allowing the access request and normally accessing.
Step S203, judging whether the user hits the IP blacklist.
Specifically, if the current IP of the user is in the IP blacklist and the validity period of the IP blacklist of the current IP is not expired, it may be determined that the user hits the IP blacklist. If the user hits the IP blacklist, step S204 is executed to block the access request and disallow the access.
If the current IP of the user is in the IP blacklist, but the validity period of the IP blacklist of the current IP is expired; or the current IP is not in the IP blacklist, it may be determined that the user has missed the IP blacklist. If the user does not hit the IP blacklist, step S205 and the following steps are executed to continue to perform cheating treatment on the current access request.
In addition, if the validity period of the IP blacklist of the current IP is expired, the current IP is deleted from the IP blacklist.
Step S204, blocking the access request.
Step S205, judging whether the user is in the user blacklist.
If the user is determined to be in the user blacklist, step S206 is executed to determine whether the validity period of the user blacklist has expired.
If the user is determined not to be in the user blacklist, step S208 and subsequent steps are executed, and cheating treatment is continued on the current access request.
Step S206, judging whether the valid period of the blacklist of the user is expired.
If the validity period of the blacklist of the user is determined to be expired, step S207 is executed, the user jumps to a verification code page, and a verification code pops up.
If the validity period of the blacklist of the user is determined to be not expired, step S204 is executed to block the access request and not allow the access.
Step S207, jumping to a verification code page.
The flow jumps to a verification code page so that the user completes the verification code, then executes the subsequent step S219 and performs subsequent cheating handling according to the verification result of the verification code.
In this embodiment, when the user accesses for the first time, if the user is determined to be a cheating user, the user is sent to the verification code page for verification.
Illustratively, the cloud service gateway returns a 302 redirect to the verification code page, carrying the current Uniform Resource Locator (abbreviated URL) as an access parameter, and initializes the relevant information in the cookie for the user: the access count is 0, the number of verification failures is 0, the validity period of the user white list is an initial value, and the validity period of the user blacklist is an initial value. The initial values of the user white list validity period and the user blacklist validity period can be configured and adjusted according to the actual application scenario, and this embodiment does not specifically limit them. For example, the initial value of the user white list validity period and the initial value of the user blacklist validity period may be 0.
The front-end verification code page collects the user's input and requests the back-end verification code service to check it. If the check succeeds, verification code information (which can be represented, for example, by tb_signature) is calculated, and the front end takes the verification code information and jumps back to access the service again. If the check fails, the information in the cookie is updated: the user's number of verification failures is incremented by 1, and the number of verification failures under the current IP is incremented by 1.
Step S208, judging whether the request parameter carries verification code information.
When the user accesses, a request parameter that carries verification code information indicates that the request is a jump back from the verification code page.
If the request parameter carries the verification code information, step S209 is executed to verify the verification code information and determine whether the verification succeeds. For example, the current URL is read, and the verification code information is verified according to a preset check rule. The preset check rule may be configured and adjusted according to the actual application scenario, and is not described further here.
If the request parameter does not carry the verification code information, executing S210 and subsequent steps, and continuing to perform cheating treatment on the current access request.
Step S209, judging whether the verification code information is verified successfully.
If the request parameter carries the verification code information, the verification code information is verified and it is judged whether the verification succeeds.
If the verification of the verification code information succeeds, step S202 is executed to allow the access request and normal access.
If the verification of the verification code information fails, step S207 is executed, and the user jumps to a verification code page, where a verification code pops up.
In addition, if the verification of the verification code information succeeds, the user can be added to the user white list and the validity period of the user white list set. If the verification of the verification code information fails, the information in the cookie can be cleared.
Step S210, judging whether the user is in the user white list.
If the user is determined to be in the user white list, step S211 is executed to determine whether the valid period of the user white list is expired.
If the user is determined not to be in the user white list, step S214 and subsequent steps are executed, and the cheating process is continued on the current access request.
Step S211, determining whether the valid period of the white list of the user is expired.
If the validity period of the white list of the user is determined not to be expired, step S212 is executed to determine whether the unit time visit amount of the user exceeds a first threshold.
If the validity period of the white list of the user is determined to be expired, step S207 is executed, the user jumps to a verification code page, and a verification code pops up.
Step S212, judging whether the unit time access amount of the user is larger than a first threshold value.
If the unit time access amount of the user is less than or equal to the first threshold, step S213 is executed to clear the user's number of verification failures and update the user's access count, and then step S202 is executed to allow the access request for normal access.
If the unit time access amount of the user is greater than the first threshold, step S215 is executed: the user is added to the user blacklist, the user's number of verification failures is cleared, and the number of blacklisted users under the current IP is updated.
Step S213, clearing the user's number of verification failures and updating the user's access count.
This step precedes step S202: after the user's number of verification failures is cleared and the user's access count is updated, step S202 is executed to allow the access request and perform normal access.
Step S214, judging whether the verification failure times of the user is larger than a second threshold value.
If the number of verification failures of the user is greater than the second threshold, step S215 and the following steps are performed.
If the number of verification failures of the user is less than or equal to the second threshold, step S218 is performed.
Step S215, adding the user to the user blacklist, clearing the user's number of verification failures, and updating the number of blacklisted users under the current IP.
Step S216, judging whether the current IP meets the condition for being added to the IP blacklist.
If the current IP meets the condition for being added to the IP blacklist, step S217 is executed to add the current IP to the IP blacklist.
If the current IP does not meet the condition for being added to the IP blacklist, step S204 is executed to block the access request and disallow the access.
Step S217, adding the current IP to the IP blacklist.
After adding the current IP into the IP blacklist, step S204 is executed to block the access request and disallow the access.
Step S218: determine whether the verification failure count of the current IP is greater than a third threshold.
If the verification failure count of the current IP is greater than the third threshold, step S216 is executed.
If the verification failure count of the current IP is less than or equal to the third threshold, step S207 is executed: jump to the verification code page and pop up a verification code.
Step S219: determine whether the verification code check passes.
If the verification code check passes, steps S220-S221 are executed, and the flow jumps to the access request again with the verification code information carried in the request parameters.
If the verification code check fails, step S222 is executed to count the verification failure.
Step S220: add the user to the user white list and set the validity period of the user white list.
Step S221: generate verification code information, return to the verification code page, and jump to the access request again, with the verification code information carried in the request parameters.
Step S222: update the user's verification failure count and the verification failure count of the current IP.
After the user's verification failure count and the verification failure count of the current IP are updated, the flow jumps to the access request.
In this embodiment, the verification code mechanism is combined with a multi-level black-and-white list mechanism, so that cheating traffic is blocked as far as possible while interference with users is kept as low as possible, which reduces the service pressure on the business system.
Fig. 4 is an overall framework diagram of a cheating traffic detection and handling system provided in a third embodiment of the present application. On the basis of the first or second embodiment, the cheating traffic processing method in this embodiment may be implemented on a cloud service platform, based on the overall framework of the cheating traffic detection and handling system shown in fig. 4. As shown in fig. 4, the system includes a business system, a cheating analysis server, and a cloud service gateway. The cheating analysis server comprises a cheating IP output service, a log receiving service and a JS judgment service, where the JS judgment service identifies and judges cheating users. The cheating analysis server is deployed independently and analyzes user traffic; from that analysis it identifies users suspected of cheating and outputs a list of the cheating IPs to which those users belong. The analysis of cheating users is mainly divided into JS behavior reporting analysis and real-time log stream analysis.
The JS behavior reporting analysis works as follows: the business system embeds JS tracking points (buried points) in designated pages. When a user accesses a designated page and the page has loaded at the front end, the JS collects information such as the user's device, IP and browser version and reports it to the cheating analysis server, which judges whether the user is a cheating user. The returned judgment result is written into a cookie, and the cloud service gateway parses the cookie when the user accesses the web page again. The judgment result at least indicates whether the user is a cheating user, and also includes information such as the IP access frequency and the information collected by the JS tracking point.
Optionally, the determination result may be written into the cookie after being encrypted, that is, JS encryption information is written into the cookie, where the JS encryption information includes the determination result. In addition, the cheating analysis server determines the cheating user by judging whether the user meets a preset rule, the preset rule can be set and adjusted according to an actual application scenario, and the embodiment is not specifically limited here.
The real-time log stream analysis works as follows: the cloud service gateway collects user access logs according to a configured log collection rule and transmits them to the cheating analysis server in real time. After receiving the user access logs, the cheating analysis server periodically analyzes them and outputs a list of suspicious cheating IPs, according to policies such as the access frequency of each IP in the access logs, whether the IP comes from a cloud service provider (for example, whether the IP belongs to a preset set of cloud service provider IPs), whether the IP matches an existing IP with serious problems, and whether the requests carry the information reported by the JS tracking point.
The cloud service gateway can realize the functions of pulling a cheating IP list, uploading logs, performing statistics aggregation and the like through a timed task, and cookie analysis and cheating treatment in the cloud service gateway can be realized in an access phase.
The cloud service gateway can also parse the cookie and the JS encryption information it carries. The JS encryption information is embedded when the front-end JS renders and contains the judgment result of whether the user is a cheating user; the gateway also takes the parsed JS result as a result to be analyzed and uploads it to the cheating analysis server. For a user who accesses normally with a browser, the JS is loaded automatically and the cookie is embedded, whereas in cheating scenarios such as script access the embedded JS script generally cannot be executed. Therefore, when a large number of requests from a certain IP carry no JS analysis result, the probability that the cheating traffic analysis module judges the IP to be a cheating IP is very high.
As shown in fig. 4, the cheating traffic detection and treatment system may further include a monitoring and statistics function, which is capable of collecting logs and displaying the collected logs.
Fig. 5 is a flowchart of a method for processing cheating traffic according to a third embodiment of the present application. As shown in fig. 5, the method comprises the following specific steps:
Step S300: send the collected user access logs to the cheating analysis server.
The cloud service gateway can also collect user access logs and upload them to the cheating analysis server, and the cheating analysis server determines the cheating IP list based on the user access logs. The cheating analysis server can thus share the computing tasks of the cloud service gateway and reduce its computing pressure.
Optionally, a cheating validity period may be set for the cheating IP list. The duration of the cheating validity period is the same for every IP in the cheating IP list, but the start time and end time of the period may differ from IP to IP. For example, the start time of the cheating validity period of each IP may be the time at which the IP is added to the cheating IP list.
For example, the cloud service gateway may directly send the user access log to the cheat analysis server after collecting the user access log.
Illustratively, the sending of the user access log to the cheating analysis server may be specifically implemented as follows:
A new buffer is created at every time interval; during the current time period, the new buffer serves as the current buffer, and the collected user access logs are stored in it; after the user access logs in the previous buffer have been sent to the cheating analysis server, the previous buffer is destroyed.
The user access log may include information such as the user IP, the browser version, the access path, and whether a buried point is present in the cookie. The specific format of the user access log and the information it includes may be set and adjusted according to the actual application scenario, and are not specifically limited in this embodiment.
For example, assume the time interval is 1 second. When the cloud service gateway starts, a buffer (Buffer) A is created in memory and set as the current buffer. When a user request arrives, the information about the user's access is collected, formatted into a user access log for reporting, and inserted into A. After 1 second, a new buffer B is created and set as the current buffer, and new user access logs are inserted into B; at the same time, the data in A is uploaded to the cheating analysis server in batches in an agreed format, and A is destroyed after the upload. In the next second, a new buffer C is created and set as the current buffer; C caches data while the data in B is uploaded, then B is destroyed, and so on.
In this embodiment, user access logs are gathered through a continuous buffering mechanism and uploaded in batches at a preset interval, which achieves real-time upload of the user access logs while reducing the data upload pressure on the cloud service gateway.
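The buffer rotation described above (A, then B, then C), as an added Python example that is not code from the patent. The JSON record layout, the `max_records` cap, the drop-on-failed-upload behaviour and the `upload` callable are assumptions made for illustration.

```python
import json
import threading


def format_record(ip, user_agent, path, has_js_cookie):
    """Build one reported access-log line (field names are assumed).

    JSON escaping keeps a hostile path or User-Agent (embedded newlines,
    quotes) inside its own field, so one request cannot forge a second line.
    """
    return json.dumps({"ip": ip, "ua": user_agent, "path": path,
                       "js_cookie": bool(has_js_cookie)}, sort_keys=True)


class RotatingLogBuffer:
    """Collect records in a current buffer; rotate() swaps in a fresh
    buffer and uploads the previous one as a single batch."""

    def __init__(self, upload, max_records=10000):
        self._upload = upload        # callable(list_of_records), assumed transport
        self._max = max_records      # assumed cap so a flood cannot exhaust memory
        self._lock = threading.Lock()
        self._current = []           # the "current buffer"
        self.dropped = 0             # records lost to the cap or a failed upload

    def append(self, record):
        with self._lock:
            if len(self._current) >= self._max:
                self.dropped += 1
                return False
            self._current.append(record)
            return True

    def rotate(self):
        """Create the new buffer first, then ship the previous one.

        The swap is the only step done under the lock, so request handling
        is never blocked by a slow upload. Returns the number uploaded.
        """
        with self._lock:
            previous, self._current = self._current, []
        if not previous:
            return 0
        try:
            self._upload(previous)
        except Exception:
            # Assumption: a failed batch is dropped and counted rather than
            # retried, so memory stays bounded when the server is down.
            with self._lock:
                self.dropped += len(previous)
            return 0
        return len(previous)         # 'previous' is released here (destroyed)

    def run(self, interval, stop_event):
        """Rotate every `interval` seconds until stop_event is set."""
        while not stop_event.wait(interval):
            self.rotate()
        self.rotate()                # final flush on shutdown
```

In a gateway, `run` would be started on a background thread with `interval=1.0`; the `dropped` counter is worth exporting as a metric, since a gap in uploaded logs weakens the IP-frequency analysis on the server side.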
Step S301, a cheat IP list is acquired from the cheat analysis server.
As the entry point for user access traffic, the cloud service gateway needs a feature list of cheating users in order to identify and mark cheating users in real time. This feature list is obtained by parsing cookies and by periodically pulling the cheating IP list from the cheating analysis server.
Illustratively, the cloud service gateway may be implemented as a cluster comprising a plurality of servers. The cloud service gateway may be implemented based on nginx, which uses a multi-process model: each server in the cluster runs one nginx instance, with one management process and a plurality of work processes. A user access request may land on any work process (i.e., worker process), so to identify cheating users quickly, each work process needs to keep the cheating IP list in its own process memory.
For example, all the work processes in the cloud service gateway may obtain the cheating IP lists from the cheating analysis server, and store the cheating IP lists in the process memory.
If every work process in the cloud service gateway pulled the cheating IP list from the cheating analysis server, the service pressure on the business system would be too high. In this step, acquiring the cheating IP list from the cheating analysis server may therefore be implemented as follows:
At system start-up, a designated work process is set to acquire the cheating IP list from the cheating analysis server periodically, write it into shared memory, and send an event broadcast notification telling all work processes to update. After receiving the event broadcast notification, each work process reads the cheating IP list from the shared memory and updates the cheating IP list in its own process memory.
Further, when the configuration is reloaded, all work processes read the cheating IP list from the shared memory and rebuild the cheating IP list in their own process memory.
For example, when each nginx instance starts, worker process No. 0 is designated to create a timed task that pulls the cheating IP list periodically. After pulling the list, worker process No. 0 writes it into the shared memory and sends an event broadcast notification telling all worker processes to update the cheating IP list. Each worker process that receives the notification reads the cheating IP list from the shared memory and updates the list in its own process memory. When the configuration information changes and nginx reloads its configuration, all worker processes read the cheating IP list from the shared memory and rebuild their own copies of the list.
Step S302, responding to the access request of the user, and acquiring user state information from the cookie of the current access request, wherein the user state information comprises a judgment result of whether the user is a cheating user.
In this embodiment, the cookie may be provided with an encryption string for storing user status information, where the user status information includes a determination result of whether the user is a cheating user.
In addition, the user status information may further include: time redirected to the verification code page, access times, verification failure times, user white list validity period, user black list validity period and the like.
IP-related access information may also be recorded in a global redis database, including the verification failure count of the IP, the number of blacklisted users under the IP, the IP blacklist, and the like.
Optionally, the verification failure count of the IP may be stored in a string-type data structure; it is incremented by 1 each time verification by the backend verification code service fails, and its validity period may be the IP cheating validity period.
Optionally, the number of blacklisted users under the IP may also be the number of users under the IP who failed verification, and may be stored in a string-type data structure. When the cloud service gateway determines that the verification failure count of the IP is greater than a third threshold, the current IP is added to the IP blacklist and the number of blacklisted users under the IP is incremented by 1; its validity period may be the IP cheating validity period.
Optionally, the IP blacklist contains the blacklisted IPs and is of the ordered set (zset) type: the stored item (member) is the IP and the ranking score (score) is the IP blacklist validity period, for which the IP cheating validity period may be used.
Step S303: if the user is determined to be a cheating user, perform cheating handling based on the black-and-white list mechanism and the verification code mechanism.
When access traffic reaches the cloud service gateway, if the user is determined not to be a cheating user, access proceeds normally.
If the user is determined to be a cheating user, cheating handling is performed based on the black-and-white list mechanism and the verification code mechanism. The specific process is described in the second embodiment and is not repeated here.
Step S304: record the cheating handling logs and print them to a designated storage space.
The cheating handling log includes at least one of the following: the number of verification failures, the number of users in the user white list, the number of users in the user blacklist, and the number of IPs in the IP blacklist.
In this embodiment, the cloud service gateway may further record a cheating disposal log, and print the cheating disposal log to a specified storage space, thereby implementing the monitoring and counting function shown in fig. 4. Wherein the specified storage space may be a disk.
Optionally, the monitoring statistic function may also be implemented by using an independent server, and this embodiment is not specifically limited herein.
Illustratively, after the cheating handling log is recorded, the cheating handling log can also be directly output in a log file in real time.
Because of the limits of the nginx log mechanism, writing the cheating handling log for the access traffic to a log file in real time puts heavy pressure on the disk and affects the performance of the cloud service gateway.
In this step, the cheating disposal log is printed to a designated storage space, which may be specifically implemented in the following manner:
Index information for the cheating disposal log is generated from the request time of the access request, and the cheating disposal log is stored at the target position corresponding to that index information in a hash array. At regular intervals, the index information to print this time is determined from the current time, and the element at the corresponding position in the hash array is printed to the designated storage space.
Specifically, index information for the cheating handling log is generated from the request time of the access request. If the target position corresponding to the index information in the hash array is empty, the cheating disposal log is stored at the target position; if the target position is not empty, the cheating handling log is aggregated with the element at the target position and the result is stored at the target position. At regular intervals, the index information to print this time is determined from the current time, and the element at the corresponding position is printed to the designated storage space.
Further, expired cheating handling logs in the hash array can be cleared. Illustratively, logs in the hash array that do not satisfy a preset retention rule are cleared. The retention rule may be set and adjusted according to the actual application scenario and is not specifically limited in this embodiment.
For example, a hash array of length N is created, and the print interval for logging is set to G. When a user request arrives, the current timestamp is recorded as T, and the index key of the generated log record is T - T % G, denoted K. The hash array is searched for an element corresponding to K. If one exists, the generated log record is aggregated with it and the result is written back, updating the element corresponding to K; if none exists (the element corresponding to K is empty), the generated log record is written as the element corresponding to K. Every G seconds, a key to be printed, key1, is generated: with the time at which printing is due denoted T1, key1 is T1 - T1 % G - G, denoted K1. The hash array is searched for an element corresponding to K1, and if one exists it is printed to the disk. When the number of insertions into the hash array reaches N, the hash array is full, and expired log records are cleared according to the preset retention rule.
In this step, the operating state of the system can be obtained by collecting the cheating disposal logs, which provides a basis for observing how well the system is working and for adjusting the system's configured thresholds automatically and manually.
Aggregating log statistics by timestamp in a hash array and printing them to the disk periodically reduces the pressure on the cloud service gateway.
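The timestamp-bucketed aggregation described above, with K = T - T % G on insert and K1 = T1 - T1 % G - G on print, as an added Python example that is not code from the patent. A dict capped at N entries stands in for the hash array, and the retention rule (drop buckets older than `retain` seconds, then the oldest bucket if still full), the event names and the `sink` callable are assumptions.

```python
from collections import Counter


class DisposalLogAggregator:
    """Aggregate handling events into G-second buckets and print one
    finished bucket per interval instead of one line per request."""

    def __init__(self, interval_g, capacity_n, sink, retain=None):
        self.g = interval_g          # print interval G, in seconds
        self.n = capacity_n          # capacity N of the bucket table
        self.sink = sink             # callable(key, counts): the "print to disk" step
        # Assumed retention rule: keep buckets for 2*G seconds by default.
        self.retain = 2 * interval_g if retain is None else retain
        self.buckets = {}            # K -> Counter of events in [K, K + G)

    def key_for(self, t):
        """K = T - T % G: the start of the bucket containing time t."""
        return t - t % self.g

    def record(self, t, event, count=1):
        """Store the event at K, aggregating with an existing element."""
        k = self.key_for(t)
        if k not in self.buckets:
            if len(self.buckets) >= self.n:   # table full: clear expired
                self.evict(t)
            self.buckets[k] = Counter()
        self.buckets[k][event] += count
        return k

    def flush(self, t1):
        """Print K1 = T1 - T1 % G - G, the bucket before the current one.

        The current bucket is still receiving events, so printing the
        previous one guarantees every printed count is final.
        """
        k1 = t1 - t1 % self.g - self.g
        element = self.buckets.get(k1)
        if element is not None:
            self.sink(k1, dict(element))
        return k1

    def evict(self, now):
        """Apply the assumed retention rule and guarantee one free slot."""
        cutoff = self.key_for(now) - self.retain
        for k in [k for k in self.buckets if k < cutoff]:
            del self.buckets[k]
        while len(self.buckets) >= self.n:
            del self.buckets[min(self.buckets)]   # oldest bucket goes first
```

With G = 10, events at T = 1000, 1003 and 1009 all land in bucket 1000, and a flush at T1 = 1015 prints that bucket while bucket 1010 keeps accumulating.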
In the embodiment, the cloud service gateway can also acquire the user access logs and upload the user access logs to the cheating analysis server, the cheating analysis server determines the cheating IP list based on the user access logs, and the cheating analysis server can share the computing task of the cloud service gateway, so that the computing pressure of the cloud service gateway is reduced; furthermore, by recording the cheating disposal logs and printing the cheating disposal logs to a designated storage space, a monitoring and counting function can be realized, workers can observe the cheating disposal effect conveniently, and reference is provided for adjusting parameters of system configuration.
Fig. 6 is a schematic diagram of a device for processing cheating traffic according to a fourth embodiment of the present application. The device for processing the cheating traffic, provided by the embodiment of the application, can execute the processing flow provided by the method for processing the cheating traffic. As shown in fig. 6, the apparatus 60 for cheating traffic processing includes: a black and white list module 601.
Specifically, the black-and-white list module 601 is configured to: in response to an access request from a user, when the user is determined to be a cheating user and satisfies at least one handling condition of the black-and-white list mechanism, perform cheating handling on the access request based on the black-and-white list mechanism according to the user information and access data of the user.
The apparatus provided in this embodiment of the present application may be specifically configured to execute the method embodiment provided in the first embodiment, and specific functions are not described herein again.
In this embodiment, multiple handling conditions of the black-and-white list mechanism can be set flexibly, so that an access request from a user who satisfies a handling condition of the black-and-white list mechanism is handled directly by that mechanism, without verification code verification. The verification code is checked, based on the verification code mechanism, only when the user does not satisfy the handling conditions of the black-and-white list mechanism. Cheating traffic can thus be blocked accurately without interfering with users in the white list, and the verification code verification load is reduced; cheating traffic is intercepted effectively while interference with normal users and resource consumption are kept as low as possible, which reduces the pressure on the business system and the verification code server.
Fig. 7 is a schematic diagram of a device for processing cheating traffic according to a fifth embodiment of the present application. In addition to the fourth embodiment, in this embodiment, as shown in fig. 7, the apparatus 60 for cheating traffic processing may further include: the verification code module 602 is configured to, if the user does not satisfy the handling condition of the black-and-white list mechanism, perform cheating handling on the access request based on the verification code mechanism.
In one possible embodiment, the black and white list mechanism may include an IP-level IP black list and a user-level user black list and a user white list.
In one possible embodiment, the black-and-white list module is further configured to:
if the current IP of the user hits the IP blacklist, or the user is in the user blacklist and the validity period of the user blacklist has not expired, block the access request.
In one possible embodiment, the black-and-white list module is further configured to:
if the user is in the user white list and the validity period of the user white list has not expired, determine the user's access volume per unit time; and if the user's access volume per unit time is less than or equal to the first threshold, allow the access request.
In one possible embodiment, the black-and-white list module is further configured to:
if the user's access volume per unit time is greater than the first threshold, add the user to the user blacklist and block the access request.
In one possible implementation, the verification code module is further configured to:
if the user is in the user blacklist and the validity period of the user blacklist has expired, or the user is in the user white list and the validity period of the user white list has expired, perform verification code verification.
In one possible implementation, the verification code module is further configured to:
if the verification code verification fails, update the user's verification failure count and the verification failure count of the current IP.
In one possible implementation, the verification code module is further configured to:
if the user's verification failure count is greater than the second threshold, add the user to the user blacklist, clear the user's verification failure count, and update the number of blacklisted users under the current IP.
In one possible embodiment, the black-and-white list module is further configured to:
if the number of blacklisted users under the current IP is greater than the fourth threshold and the current IP is in the cheating IP list, add the current IP to the IP blacklist and set the validity period of the IP blacklist for the current IP.
In one possible embodiment, the black-and-white list module is further configured to:
if the verification failure count of the current IP is greater than a third threshold and the current IP is in the cheating IP list, add the current IP to the IP blacklist and set the validity period of the IP blacklist for the current IP.
In one possible implementation, the verification code module is further configured to:
if the verification code verification succeeds, allow the access request, clear the user's verification failure count, and update the user's access count.
In one possible embodiment, the black-and-white list module is further configured to:
if the verification code verification succeeds, add the user to the user white list and set the validity period of the user white list.
The apparatus provided in the embodiment of the present application may be specifically configured to execute the method embodiment provided in the second embodiment, and specific functions are not described herein again.
In this embodiment, the verification code mechanism is combined with a multi-level black-and-white list mechanism, so that cheating traffic is blocked as far as possible while interference with users is kept as low as possible, which reduces the service pressure on the business system.
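The handling conditions of the two modules, combined into one decision function, as an added Python example that is not the patent's own code. State is held in memory rather than in the cookie and redis, the verification code outcome is passed in as `captcha_ok`, a fixed window stands in for the unit-time counter, and all names, default thresholds and validity periods are assumptions.

```python
from dataclasses import dataclass

ALLOW, BLOCK, CHALLENGE = "allow", "block", "challenge"


@dataclass
class UserState:
    white_until: float = 0.0   # user white list validity period (expiry time)
    black_until: float = 0.0   # user blacklist validity period (expiry time)
    fails: int = 0             # user's verification failure count
    window_start: float = 0.0
    hits: int = 0              # accesses in the current unit-time window


@dataclass
class Policy:                  # every value here is an assumed example setting
    first: int = 5             # max accesses per window for a white-listed user
    second: int = 3            # max verification failures per user
    third: int = 10            # max verification failures per IP
    fourth: int = 2            # max blacklisted users per IP
    window: float = 1.0
    white_ttl: float = 600.0
    black_ttl: float = 600.0
    ip_black_ttl: float = 3600.0


class Gate:
    def __init__(self, policy, cheat_ips):
        self.p = policy
        self.cheat_ips = set(cheat_ips)  # cheating IP list from the analysis server
        self.users = {}
        self.ip_fails = {}               # ip -> verification failure count
        self.ip_black_users = {}         # ip -> number of blacklisted users
        self.ip_black = {}               # ip -> expiry, like the zset score

    def _blacklist_user(self, u, ip, now):
        u.black_until = now + self.p.black_ttl
        u.white_until = 0.0   # assumption: an expired blacklist leads back to the captcha
        u.fails = 0
        self.ip_black_users[ip] = self.ip_black_users.get(ip, 0) + 1

    def _maybe_blacklist_ip(self, ip, now):
        over = (self.ip_black_users.get(ip, 0) > self.p.fourth
                or self.ip_fails.get(ip, 0) > self.p.third)
        if over and ip in self.cheat_ips:  # both conditions need the cheating IP list
            self.ip_black[ip] = now + self.p.ip_black_ttl
            return True
        return False

    def handle(self, user, ip, now, captcha_ok=None):
        """captcha_ok: None = no code submitted, True/False = check result."""
        u = self.users.setdefault(user, UserState())
        if self.ip_black.get(ip, 0.0) > now or u.black_until > now:
            return BLOCK
        if u.white_until > now:            # valid white list entry: rate check only
            if now - u.window_start >= self.p.window:
                u.window_start, u.hits = now, 0
            u.hits += 1                    # this request counts toward the window
            if u.hits <= self.p.first:
                u.fails = 0
                return ALLOW
            self._blacklist_user(u, ip, now)
            self._maybe_blacklist_ip(ip, now)
            return BLOCK
        if captcha_ok is True:             # verification succeeded
            u.white_until = now + self.p.white_ttl
            u.fails = 0
            u.window_start, u.hits = now, 1
            return ALLOW
        if captcha_ok is False:            # verification failed: count it
            u.fails += 1
            self.ip_fails[ip] = self.ip_fails.get(ip, 0) + 1
        if u.fails > self.p.second:        # user over the second threshold
            self._blacklist_user(u, ip, now)
            self._maybe_blacklist_ip(ip, now)
            return BLOCK
        if self.ip_fails.get(ip, 0) > self.p.third:   # IP over the third threshold
            self._maybe_blacklist_ip(ip, now)
            return BLOCK
        return CHALLENGE                   # show the verification code page
```

Because the IP blacklist requires membership in the cheating IP list, a shared address such as a NAT gateway is not blocked at the IP level by failure counts alone; only the individual users are.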
Fig. 8 is a schematic diagram of a device for processing cheating traffic according to a sixth embodiment of the present application. In addition to the fourth or fifth embodiment, in this embodiment, as shown in fig. 8, the apparatus 60 further includes: a data processing module 603 configured to:
in response to an access request from a user, acquire user state information from the cookie of the current access request, where the user state information includes a judgment result of whether the user is a cheating user.
In a possible implementation, the data processing module 603 is further configured to:
at system start-up, acquire the cheating IP list from the cheating analysis server periodically through a designated work process, write the cheating IP list into the shared memory, and send an event broadcast notification telling all work processes to update the cheating IP list.
In a possible implementation, the data processing module 603 is further configured to:
send the collected user access logs to the cheating analysis server, where the cheating IP list is determined based on the user access logs.
In a possible implementation, the data processing module 603 is further configured to:
create a new buffer at every time interval; during the current time period, take the new buffer as the current buffer and store the collected user access logs in it; and after the user access logs in the previous buffer have been sent to the cheating analysis server, destroy the previous buffer.
In a possible implementation, the data processing module 603 is further configured to:
record the cheating disposal log; generate index information for the cheating disposal log from the request time of the access request, and store the cheating disposal log at the target position corresponding to the index information in a hash array; and at regular intervals, determine the index information to print this time from the current time, and print the element at the corresponding position in the hash array to the designated storage space.
The apparatus provided in this embodiment of the present application may be specifically configured to execute the method embodiment provided in the third embodiment, and specific functions are not described herein again.
In the embodiment, the cloud service gateway can also acquire the user access logs and upload the user access logs to the cheating analysis server, the cheating analysis server determines the cheating IP list based on the user access logs, and the cheating analysis server can share the computing task of the cloud service gateway, so that the computing pressure of the cloud service gateway is reduced; furthermore, by recording the cheating disposal logs and printing the cheating disposal logs to a designated storage space, a monitoring and counting function can be realized, workers can observe the cheating disposal effect conveniently, and reference is provided for adjusting parameters of system configuration.
According to an embodiment of the present application, an electronic device and a readable storage medium are also provided.
Fig. 9 is a block diagram of an electronic device for the cheating traffic processing method according to an embodiment of the present application. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital assistants, cellular phones, smart phones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be examples only, and are not meant to limit implementations of the present application that are described and/or claimed herein.
As shown in fig. 9, the electronic apparatus includes: one or more processors Y01, a memory Y02, and interfaces for connecting the various components, including a high speed interface and a low speed interface. The various components are interconnected using different buses and may be mounted on a common motherboard or in other manners as desired. The processor may process instructions for execution within the electronic device, including instructions stored in or on the memory to display graphical information of a GUI on an external input/output apparatus (such as a display device coupled to the interface). In other embodiments, multiple processors and/or multiple buses may be used, along with multiple memories, as desired. Also, multiple electronic devices may be connected, with each device providing portions of the necessary operations (e.g., as a server array, a group of blade servers, or a multi-processor system). In fig. 9, one processor Y01 is taken as an example.
Memory Y02 is a non-transitory computer readable storage medium as provided herein. The memory stores instructions executable by the at least one processor to cause the at least one processor to perform the method for cheating traffic handling provided herein. The non-transitory computer readable storage medium of the present application stores computer instructions for causing a computer to perform the method of cheating traffic processing provided herein.
Memory Y02, as a non-transitory computer readable storage medium, can be used to store non-transitory software programs, non-transitory computer executable programs, and modules, such as the program instructions/modules (e.g., black and white list module 601 and authentication code module 602 shown in fig. 6) corresponding to the method of cheating traffic handling in the embodiments of the present application. By executing the non-transitory software programs, instructions, and modules stored in the memory Y02, the processor Y01 performs the various functional applications and data processing of the server, i.e., implements the cheating traffic processing method of the above method embodiments.
The memory Y02 may include a storage program area and a storage data area, wherein the storage program area may store an operating system and an application program required for at least one function; the storage data area may store data created through use of the electronic device for cheating traffic handling, and the like. Additionally, the memory Y02 may include high speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, memory Y02 may optionally include memory located remotely from processor Y01, which may be connected to the electronic device for cheating traffic handling via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The electronic device of the method of cheating traffic handling may further comprise: an input device Y03 and an output device Y04. The processor Y01, the memory Y02, the input device Y03, and the output device Y04 may be connected by a bus or other means, and the connection by the bus is exemplified in fig. 9.
The input device Y03 may receive input numeric or character information and generate key signal inputs related to user settings and function controls of the electronic device for cheating traffic handling, such as a touch screen, keypad, mouse, track pad, touch pad, pointer stick, one or more mouse buttons, track ball, joystick, or other input device. The output device Y04 may include a display device, an auxiliary lighting device (e.g., LED), a tactile feedback device (e.g., vibration motor), and the like. The display device may include, but is not limited to, a Liquid Crystal Display (LCD), a Light Emitting Diode (LED) display, and a plasma display. In some implementations, the display device can be a touch screen.
Various implementations of the systems and techniques described here can be realized in digital electronic circuitry, integrated circuitry, ASICs (application specific integrated circuits), computer hardware, firmware, software, and/or combinations thereof. These various implementations may include implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, receiving data and instructions from, and transmitting data and instructions to, a storage system, at least one input device, and at least one output device.
These computer programs (also known as programs, software applications, or code) include machine instructions for a programmable processor, and may be implemented using high-level procedural and/or object-oriented programming languages, and/or assembly/machine languages. As used herein, the terms "machine-readable medium" and "computer-readable medium" refer to any computer program product, apparatus, and/or device (e.g., magnetic discs, optical disks, memory, Programmable Logic Devices (PLDs)) used to provide machine instructions and/or data to a programmable processor, including a machine-readable medium that receives machine instructions as a machine-readable signal. The term "machine-readable signal" refers to any signal used to provide machine instructions and/or data to a programmable processor.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) by which a user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic, speech, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: Local Area Networks (LANs), Wide Area Networks (WANs), and the Internet.
The computer system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other.
It should be understood that various forms of the flows shown above may be used, with steps reordered, added, or deleted. For example, the steps described in the present application may be executed in parallel, sequentially, or in different orders, and the present invention is not limited thereto as long as the desired results of the technical solutions disclosed in the present application can be achieved.
The above-described embodiments should not be construed as limiting the scope of the present application. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may be made in accordance with design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (31)

1. A method for processing cheating traffic, applied to a cloud service gateway, the method comprising:
in response to an access request of a user, if the user is judged to be a cheating user and it is determined, according to user information and access data of the user, that the user meets at least one treatment condition of a black-and-white list mechanism, performing cheating treatment on the access request based on the black-and-white list mechanism.
2. The method of claim 1, further comprising: if the user does not meet the treatment condition of the black-and-white list mechanism, performing cheating treatment on the access request based on a verification code mechanism.
3. The method of claim 1, wherein the performing cheating treatment on the access request based on the black-and-white list mechanism, if the user meets at least one treatment condition of the black-and-white list mechanism according to user information and access data of the user, comprises:
if the current IP of the user hits an IP blacklist, or the user is in a user blacklist and the validity period of the user blacklist has not expired, forbidding the access request.
4. The method of claim 1, wherein the performing cheating treatment on the access request based on the black-and-white list mechanism, if the user meets at least one treatment condition of the black-and-white list mechanism according to user information and access data of the user, further comprises:
if the user is in a user white list and the valid period of the user white list is not expired, determining the unit time visit amount of the user;
and if the unit time access amount of the user is less than or equal to a first threshold, allowing the access request, clearing the verification failure times of the user, and updating the access times of the user.
5. The method of claim 4, further comprising:
and if the unit time access amount of the user is larger than the first threshold value, adding the user into a user blacklist, and blocking the access request.
6. The method of claim 2, wherein the performing cheating treatment on the access request based on a verification code mechanism, if the user does not meet the treatment condition of the black-and-white list mechanism, further comprises:
if the user is in a user blacklist and the validity period of the user blacklist has expired, or the user is in a user white list and the validity period of the user white list has expired, performing verification code verification.
7. The method of claim 6, further comprising:
and if the verification of the verification code fails, updating the verification failure times of the user and the verification failure times of the current IP.
8. The method of claim 7, further comprising:
and if the verification failure times of the user are larger than a second threshold value, adding the user into a user blacklist, clearing the verification failure times of the user, and updating the number of the users blackened under the current IP.
9. The method of claim 8, further comprising:
and if the number of the users blackened under the current IP is larger than a fourth threshold value and the current IP is in a cheating IP list, adding the current IP into an IP blacklist and setting the validity period of the IP blacklist of the current IP.
10. The method of claim 7, further comprising:
and if the verification failure times of the current IP are larger than a third threshold value and the current IP is in a cheating IP list, adding the current IP into an IP blacklist and setting the validity period of the IP blacklist of the current IP.
11. The method of claim 6, further comprising:
and if the verification of the verification code is successful, allowing the access request, clearing the verification failure times of the user and updating the access times of the user.
12. The method of claim 11, further comprising:
and if the verification of the verification code is successful, adding the user into a user white list, and setting the valid period of the user white list.
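The disposition flow of claims 2 to 12, written out as a small state machine. This is an added illustration, not code from the patent: the `Gateway` class, every threshold value and validity period, the fixed rate window and the return labels are assumptions, since the claims leave them open.

```python
from dataclasses import dataclass, field

# The claims name four thresholds and three validity periods but give no
# values; every number below is an assumption chosen for the demonstration.
T1_RATE, T2_USER_FAILS, T3_IP_FAILS, T4_IP_USERS = 3, 2, 5, 1
USER_BL_TTL, USER_WL_TTL, IP_BL_TTL, WINDOW = 600, 300, 3600, 1

@dataclass
class Gateway:
    cheat_ips: set                                  # cheating IP list (claims 9, 10)
    ip_bl: dict = field(default_factory=dict)       # ip   -> expiry time
    user_bl: dict = field(default_factory=dict)     # user -> expiry time
    user_wl: dict = field(default_factory=dict)     # user -> expiry time
    user_fails: dict = field(default_factory=dict)  # user -> failed verifications
    ip_fails: dict = field(default_factory=dict)    # ip   -> failed verifications
    ip_users: dict = field(default_factory=dict)    # ip   -> users blacklisted under it
    visits: dict = field(default_factory=dict)      # user -> (window start, count)

    def _count_visit(self, user, now):
        # Fixed window counter; the current request is included (assumption).
        start, n = self.visits.get(user, (now, 0))
        if now - start >= WINDOW:
            start, n = now, 0
        self.visits[user] = (start, n + 1)
        return n + 1

    def _blacklist_user(self, user, now):
        self.user_bl[user] = now + USER_BL_TTL
        self.user_wl.pop(user, None)   # assumption: a user is on one list at a time

    def handle(self, user, ip, now, answer_ok=None):
        """Disposition for one request from a user already judged to be cheating."""
        # Claim 3: IP blacklist hit, or an unexpired user blacklist entry.
        if self.ip_bl.get(ip, 0) > now or self.user_bl.get(user, 0) > now:
            return "block"
        # Claims 4 and 5: unexpired white list entry, checked against the rate.
        if self.user_wl.get(user, 0) > now:
            if self._count_visit(user, now) <= T1_RATE:
                self.user_fails.pop(user, None)
                return "allow"
            self._blacklist_user(user, now)
            return "block"
        # Claims 2 and 6: no list applies, or the entry expired: verification code.
        if answer_ok is None:
            return "challenge"
        if answer_ok:                                   # claims 11 and 12
            self.user_fails.pop(user, None)
            self.user_bl.pop(user, None)
            self.user_wl[user] = now + USER_WL_TTL
            self._count_visit(user, now)
            return "allow"
        # Claim 7: a failure counts against both the user and the current IP.
        self.user_fails[user] = self.user_fails.get(user, 0) + 1
        self.ip_fails[ip] = self.ip_fails.get(ip, 0) + 1
        if self.user_fails[user] > T2_USER_FAILS:       # claim 8
            self._blacklist_user(user, now)
            self.user_fails.pop(user, None)
            self.ip_users[ip] = self.ip_users.get(ip, 0) + 1
        # Claims 9 and 10: the IP is blacklisted only if the cheating IP
        # list from the analysis server also contains it.
        if ip in self.cheat_ips and (self.ip_users.get(ip, 0) > T4_IP_USERS
                                     or self.ip_fails[ip] > T3_IP_FAILS):
            self.ip_bl[ip] = now + IP_BL_TTL
        # What a failed verification returns is not claimed; assumed here.
        blocked = self.user_bl.get(user, 0) > now or self.ip_bl.get(ip, 0) > now
        return "block" if blocked else "challenge"
```

The cheating IP list acts as a second signal before an IP-wide block: an address shared by many users (for example behind NAT) is not blacklisted on failure counts alone.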
13. The method according to any one of claims 1-12, further comprising:
responding to an access request of a user, and acquiring user state information from a cookie of the current access request, wherein the user state information comprises a judgment result of whether the user is a cheating user.
14. The method of claim 9 or 10, further comprising:
when the system is started, a cheating IP list is acquired from a cheating analysis server at regular time through a designated work process, the cheating IP list is written into a shared memory, and an event broadcast notice is sent to notify all the work processes of updating the cheating IP list.
15. The method of claim 14, further comprising:
and sending the collected user access log to the cheating analysis server, wherein the cheating IP list is determined based on the user access log.
16. The method of claim 15, wherein the sending the user access log to the cheat analysis server comprises:
creating a new buffer area every a time interval;
in the current time period, the new buffer area is used as the current buffer area, and the collected user access log is stored in the current buffer area; and after sending the user access log in the last buffer area to the cheating analysis server, destroying the last buffer area.
17. The method according to any one of claims 1-12, further comprising:
recording cheating disposal logs;
generating index information of the cheating disposal log according to the request time of the access request, and storing the cheating disposal log to a target position corresponding to the index information in a hash array;
and determining the index information printed this time according to the current time every a period of time, and printing the elements at the corresponding positions of the index information printed this time in the hash array to the specified storage space.
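A sketch of the time-indexed hash array of claim 17, added here as an illustration and not taken from the patent. The slot count, the interval, the modulo indexing, the per-slot interval tag and the `dropped` counter are assumptions; the tag is there to show what happens when the periodic printer falls a full turn behind the writers.

```python
class DisposalLogWheel:
    """Hash array of log slots whose index is derived from the request time."""

    def __init__(self, slots=8, interval=1):
        self.slots, self.interval = slots, interval   # both values are assumptions
        self.array = [[] for _ in range(slots)]
        self.tag = [None] * slots     # which interval each slot currently holds
        self.dropped = 0              # entries overwritten before being printed

    def _interval_of(self, t):
        return int(t) // self.interval

    def record(self, request_time, entry):
        """Store a disposal log at the position given by its request time."""
        e = self._interval_of(request_time)
        i = e % self.slots
        if self.tag[i] != e:
            # The slot still holds an older interval that was never printed:
            # the array wrapped around, so those entries are lost. Count them.
            self.dropped += len(self.array[i])
            self.array[i], self.tag[i] = [], e
        self.array[i].append(entry)

    def flush(self, now, sink):
        """Print the slot of the interval that has just closed; return its size."""
        e = self._interval_of(now) - 1
        i = e % self.slots
        if self.tag[i] != e:
            return 0                  # nothing recorded for that interval
        n = len(self.array[i])
        sink.extend(self.array[i])
        self.array[i], self.tag[i] = [], None
        return n
```

Because writers and the printer touch different slots in any one interval, the printer never drains a slot that is still being filled; a non-zero `dropped` value is worth alerting on, since it means disposal records were lost.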
18. An apparatus for cheating traffic handling, comprising:
a black-and-white list module configured to, in response to an access request of a user, if the user is judged to be a cheating user and it is determined, according to user information and access data of the user, that the user meets at least one treatment condition of a black-and-white list mechanism, perform cheating treatment on the access request based on the black-and-white list mechanism.
19. The apparatus of claim 18, further comprising:
a verification code module configured to perform cheating treatment on the access request based on a verification code mechanism if the user does not meet the treatment condition of the black-and-white list mechanism.
20. The apparatus of claim 18, wherein the black-and-white list module is further configured to:
if the current IP of the user hits an IP blacklist, or the user is in a user blacklist and the validity period of the user blacklist has not expired, forbid the access request.
21. The apparatus of claim 18, wherein the black-and-white list module is further configured to:
if the user is in a user white list and the valid period of the user white list has not expired, determine the unit time visit amount of the user;
and if the unit time access amount of the user is less than or equal to a first threshold value, allow the access request.
22. The apparatus of claim 21, wherein the black-and-white list module is further configured to:
if the unit time access amount of the user is larger than the first threshold value, add the user into a user blacklist and block the access request.
23. The apparatus of claim 19, wherein the verification code module is further configured to:
if the user is in a user blacklist and the validity period of the user blacklist has expired, or the user is in a user white list and the validity period of the user white list has expired, perform verification code verification.
24. The apparatus of claim 23, wherein the verification code module is further configured to:
if the verification of the verification code fails, update the verification failure times of the user and the verification failure times of the current IP.
25. The apparatus of claim 24, wherein the verification code module is further configured to:
if the verification failure times of the user are larger than a second threshold value, add the user into a user blacklist, clear the verification failure times of the user, and update the number of the users blackened under the current IP.
26. The apparatus of claim 25, wherein the black-and-white list module is further configured to:
if the number of the users blackened under the current IP is larger than a fourth threshold value and the current IP is in a cheating IP list, add the current IP into an IP blacklist and set the validity period of the IP blacklist of the current IP.
27. The apparatus of claim 24, wherein the black-and-white list module is further configured to:
if the verification failure times of the current IP are larger than a third threshold value and the current IP is in a cheating IP list, add the current IP into an IP blacklist and set the validity period of the IP blacklist of the current IP.
28. The apparatus of claim 23, wherein the verification code module is further configured to:
if the verification of the verification code is successful, allow the access request, clear the verification failure times of the user and update the access times of the user.
29. The apparatus of claim 28, wherein the black-and-white list module is further configured to:
if the verification of the verification code is successful, add the user into a user white list and set the valid period of the user white list.
30. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1-16.
31. A non-transitory computer readable storage medium having stored thereon computer instructions for causing the computer to perform the method of any one of claims 1-16.
CN202010706306.4A 2020-07-21 2020-07-21 Cheating flow processing method, device, equipment and storage medium Active CN111865987B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010706306.4A CN111865987B (en) 2020-07-21 2020-07-21 Cheating flow processing method, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN111865987A true CN111865987A (en) 2020-10-30
CN111865987B CN111865987B (en) 2022-08-05

Family

ID=73001580

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010706306.4A Active CN111865987B (en) 2020-07-21 2020-07-21 Cheating flow processing method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN111865987B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1187424A2 (en) * 2000-08-28 2002-03-13 ViaGold Direct Network Limited System and method for linking web sites
CN106355431A (en) * 2016-08-18 2017-01-25 晶赞广告(上海)有限公司 Detection method, device and terminal for cheating traffic
CN109146546A (en) * 2018-07-23 2019-01-04 广州至真信息科技有限公司 A kind of method and device of cheating detection
CN110198310A (en) * 2019-05-20 2019-09-03 腾讯科技(深圳)有限公司 A kind of anti-cheat method of network behavior, device and storage medium
CN110943989A (en) * 2019-11-29 2020-03-31 恩亿科(北京)数据科技有限公司 Equipment identification method and device, electronic equipment and readable storage medium
CN111262854A (en) * 2020-01-15 2020-06-09 卓望数码技术(深圳)有限公司 Internet anti-cheating behavior method, device, equipment and readable storage medium

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112398867A (en) * 2020-11-23 2021-02-23 欧冶云商股份有限公司 Black and white list limitation implementation method, platform, computer equipment and storage medium
CN113810358A (en) * 2021-02-05 2021-12-17 京东科技控股股份有限公司 Access limiting method, device, computer equipment and storage medium
CN115085973A (en) * 2022-05-17 2022-09-20 度小满科技(北京)有限公司 White list processing method and device, storage medium and computer terminal
CN115085973B (en) * 2022-05-17 2024-03-12 度小满科技(北京)有限公司 White list processing method, white list processing device, storage medium and computer terminal

Also Published As

Publication number Publication date
CN111865987B (en) 2022-08-05

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant