CN113839918A - Method for early warning user activities of network illegal platform
- Publication number: CN113839918A (application CN202110821147.7A)
- Authority: CN (China)
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/30—Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q50/00—Information and communication technology [ICT] specially adapted for implementation of business processes of specific business sectors, e.g. utilities or tourism
- G06Q50/10—Services
- G06Q50/26—Government or public services
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/30—Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
- H04L63/302—Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information gathering intelligence information for situation awareness or reconnaissance
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/22—Parsing or analysis of headers
Abstract
The invention discloses a method for early warning of the user activity of a network violation platform, which comprises the following steps: capturing network traffic containing network violation platform information and restoring the original website information; identifying the network violation platform and presetting its IP (Internet protocol) address and domain name; analysing the request characteristics of the network violation platform and extracting alarm rules; filtering the network violation platform out of the original website information by means of the confirmed network violation platform IP or domain name; and matching the user request data of the network violation platform against the alarm rules to generate alarm information. The early warning method can monitor the abnormal network violation behaviour of network violation suspects, can perform real-time tracking, deep analysis and website information restoration on the network, can generate warning information prompts after effective identification, and can feed the warning information back to the relevant personnel for processing while monitoring, which effectively reduces the loss of people and property and reduces network violation behaviour while maintaining network security.
Description
Technical Field
The invention relates to the technical field of network illegal activity detection, in particular to a method for early warning user activities of a network illegal platform.
Background
With the development of the internet and the maturity of computer technology, it often happens that lawbreakers use the network to attack systems or information, or to damage or exploit the network for other violations. In order to maintain the security of the internet and the financial security of the public, network violations are continually cracked down on, so the behaviour of network violation suspects must be monitored at all times. At present, methods for monitoring the activities of a network violation suspect as the reconnaissance object focus on network intrusion monitoring and abnormal user behaviour monitoring, not on the network violation platform itself.
Disclosure of Invention
In order to overcome the defects of the prior art, the invention provides a method for early warning of the user activity of a network violation platform, which can effectively solve the problems described in the background section.
The technical scheme adopted by the invention for solving the technical problems is as follows:
a method for early warning of user activity of a network violation platform comprises the following steps:
step S101, capturing network traffic containing network violation platform information and restoring the original website information: the captured traffic is decoded, tracked by flow table and reassembled, network protocol analysis is then carried out on the reassembled data, the website's hypertext transfer protocol is analysed in depth, and finally the original website information is restored;
step S102, identifying the network violation platform and presetting its IP (Internet protocol) address and domain name: the restored original website information is matched with a network violation identification model, the violation website type is determined from the model's identification result, and the IP and domain name confirmed to belong to the network violation platform are extracted;
step S103, analysing the request characteristics of the network violation platform and extracting alarm rules, where the objects of the alarm rules are mainly divided into common users, agents and administrators;
step S104, filtering the network violation platform out of the original website information by means of the confirmed network violation platform IP or domain name, mainly by regular-expression matching, and then retaining the websites hit by the match;
step S105, matching the user request data of the network violation platform against the alarm rules to generate alarm information: from the request data that matches an alarm rule, the access time, source IP address, source port number, target IP address, target port, domain name, alarm type and network virtual number information are taken as the final alarm record.
Further, in step S101, the captured network traffic may be any one of data center computer room network traffic, metropolitan area network traffic, and telecom operator network traffic.
Further, in step S103, the alarm rule specifically includes:
(1) common users: user proliferation, user registration, user login and user payment;
(2) agents: user access, user registration, user login and user cash withdrawal;
(3) administrators: user access, user registration, user login and user cash withdrawal.
Further, in step S104, regular-expression matching is used to determine whether the IP matches the IP of the network violation platform server and whether the domain name matches the host of the network violation platform.
Further, in step S105, when the alarm information concerns the behaviour of a common user and the user's mobile phone number is captured in the alarm's network virtual number information, the victim can be notified through a preset short message template of the risk of property loss that the network activity may cause; when the alarm information concerns the behaviour of an agent or administrator, the complete alarm information is fed back to the relevant personnel for processing.
Compared with the prior art, the invention has the beneficial effects that:
the invention realises an early warning method for monitoring the activities of violation suspects based on a network platform, which can monitor the abnormal network violation behaviour of network violation suspects, can also perform real-time tracking, deep analysis and website information restoration on the network, and, through the prompt of the alarm information generated after effective identification, can feed the alarm information back to the relevant personnel for processing while monitoring; it effectively reduces the loss of people and property, reduces network violation behaviour while maintaining network security, is convenient to operate and is highly practical.
Drawings
FIG. 1 is a diagram illustrating the early warning execution steps of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
As shown in fig. 1, the present invention provides a method for early warning of user activities of a network violation platform, comprising the following steps:
step S101, capturing network flow containing the information of the network illegal platform, and restoring original information of the website.
In this embodiment, the captured network traffic is network illegal data traffic included in the internet, and may be any one of data center machine room network traffic, metropolitan area network traffic, and telecom operator network traffic.
Specifically, the captured network traffic is decoded, tracked by flow table and reassembled; network protocol analysis is performed on the reassembled data, the website's hypertext transfer protocol (HTTP) is analysed in depth, and finally the original website information is restored.
Step S102, identifying the network violation platform and presetting the IP and domain name of the network violation platform.
In this embodiment, the restored website original information is matched with the network violation identification model, the type of the violation website is determined according to the model identification result, and then the IP and the domain name which are confirmed to be the network violation platform are extracted.
Specifically, the identification model acquires page text features, extracts feature vectors with the TF-IDF (term frequency-inverse document frequency) algorithm, and then builds the network violation identification model by Bayesian classification. The restored website information is classified with the established network violation model to determine the website type; the IP and domain name are then extracted from the restored website information and added to the list of confirmed network violation platforms.
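The classification step S102 described above (TF-IDF page features feeding a Bayesian classifier) as an added Python example that is not part of the patent; it implements a multinomial naive Bayes model over L2-normalised TF-IDF vectors with no third-party libraries, and the training pages, their labels and the English tokeniser are assumptions.

```python
import math
import re
from collections import Counter, defaultdict

TOKEN_RE = re.compile(r"[a-z]+")


def tokenize(text):
    """Lower-case word tokens; real restored page text would need Chinese word segmentation."""
    return TOKEN_RE.findall(text.lower())


class TfidfBayesClassifier:
    """TF-IDF page features fed to a multinomial naive Bayes model with Laplace smoothing."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.idf = {}         # term -> inverse document frequency
        self.log_prior = {}   # class -> log P(class)
        self.log_cond = {}    # class -> term -> log P(term | class)

    def _vector(self, text):
        # L2-normalised tf-idf vector restricted to the training vocabulary.
        counts = Counter(tokenize(text))
        vec = {t: c * self.idf[t] for t, c in counts.items() if t in self.idf}
        norm = math.sqrt(sum(w * w for w in vec.values())) or 1.0
        return {t: w / norm for t, w in vec.items()}

    def fit(self, docs, labels):
        n = len(docs)
        df = Counter(t for d in docs for t in set(tokenize(d)))
        # Smoothed idf so that no training term gets a zero weight.
        self.idf = {t: math.log((1 + n) / (1 + k)) + 1.0 for t, k in df.items()}
        feature_sum = defaultdict(lambda: defaultdict(float))
        for d, y in zip(docs, labels):
            for t, w in self._vector(d).items():
                feature_sum[y][t] += w
        for y, cnt in Counter(labels).items():
            self.log_prior[y] = math.log(cnt / n)
            total = sum(feature_sum[y].values()) + self.alpha * len(self.idf)
            self.log_cond[y] = {
                t: math.log((feature_sum[y].get(t, 0.0) + self.alpha) / total)
                for t in self.idf
            }
        return self

    def predict(self, text):
        vec = self._vector(text)
        scores = {
            y: self.log_prior[y] + sum(w * self.log_cond[y][t] for t, w in vec.items())
            for y in self.log_prior
        }
        return max(scores, key=scores.get)


# Constructed training pages (restored page text labelled by hand); not real data.
TRAINING_PAGES = [
    ("lottery betting odds deposit bonus agent withdraw register now", "violation platform"),
    ("sports bet live casino slots deposit withdraw agent commission", "violation platform"),
    ("baccarat roulette odds bonus register login deposit cash", "violation platform"),
    ("daily news weather sports scores local politics report", "normal website"),
    ("online shop shoes clothes cart checkout free shipping", "normal website"),
    ("university library catalogue courses research faculty", "normal website"),
]


def build_model():
    docs, labels = zip(*TRAINING_PAGES)
    return TfidfBayesClassifier().fit(list(docs), list(labels))


def classify_page(model, page_text):
    """Website type decided by the model; a 'violation platform' hit is what would put
    the site's IP and domain name on the confirmed-platform list of step S102."""
    return model.predict(page_text)


if __name__ == "__main__":
    model = build_model()
    print(classify_page(model, "register deposit bonus betting odds agent"))
```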
Step S103, analysing the request characteristics of the network violation platform and extracting alarm rules.
In this embodiment, the objects of the alarm rule are mainly divided into a common user, an agent and an administrator, and the alarm rule specifically includes:
(1) common users: user proliferation, user registration, user login and user payment;
(2) agents: user access, user registration, user login and user cash withdrawal;
(3) administrators: user access, user registration, user login and user cash withdrawal.
Specifically, once a website has been determined in S102 to be a network violation platform, its traffic is filtered from the original traffic so that data is available for analysis, and the filtering rules are extracted by manual analysis in the following sequence of operations:
(1) extract user role identification rules from all host records. Analyse whether the host records contain keywords that distinguish user roles and whether the login entries of different roles differ; if the host can distinguish the user roles, extract the keywords as the role identification rule of the network violation website, for example: the common user role is the default, the administrator role is a host containing the keyword 'range', and the agent role is a host containing the keyword 'ag'; if the user roles cannot be distinguished from the host, the response data packet returned to the user must be analysed: judge from the response content whether the response is the content returned for a request by a user with that role's authority, then search backwards for the corresponding request data packet and extract the role identification rule features from it;
(2) extract user role identification rules from all url records. Analyse whether the url records contain keywords that distinguish user roles and whether the login entry urls of different roles differ; if the url can distinguish the user roles, extract the keywords as the role identification rule of the network violation website, for example: the common user role is the default, the administrator role is a url containing the keyword 'admin', and the agent role is a url containing the keyword 'agent'; if the user roles cannot be distinguished from the url, analyse the response data packet returned to the user, judge from the response content whether the response is the content returned for a request by a user with that role's authority, search backwards for the corresponding request data packet and extract the role identification rule features from it;
(3) extract user operation behaviour identification rules from all url records. Analyse whether the url records contain keywords that distinguish user operation behaviours and whether the urls of different operations differ; if the url can distinguish the operations, extract the keywords as the user operation behaviour identification rule of the network violation website, for example: the user login url contains the keyword 'login', the user registration url contains the keyword 'register', and the user payment url contains the keyword 'buy'; if the operation cannot be distinguished from the url, the user request parameters must be analysed and the judgement made from the content of the request parameters, for example: the user login request parameters contain the keyword 'username', the user registration request parameters contain the keyword 'repassword', and the user payment request parameters contain the keyword 'money'.
(4) extract the user network virtual number identification rule from all url records. Analyse whether the url records contain virtual number keywords; if they do, extract the keyword as the identification rule for the user's specific virtual number on the network violation website, for example: a url containing the keyword 'QQ' in the virtual number information carries QQ number information, a url containing the keyword 'wechat' carries WeChat ID information, a url containing the keyword 'phone' carries mobile phone number information, and so on; if the url has no virtual number keyword, the user request parameters must be analysed and judged, for example when the user login request parameter contains the key information "username is 123456789@ qq.
Step S104, filtering the network violation platform out of the original website information by means of the confirmed network violation platform IP or domain name.
In this embodiment, regular-expression matching is used to determine whether the IP matches the IP of the network violation platform server and whether the domain name matches the host of the network violation platform.
Specifically, the original information of the website restored in S101 is filtered out by regular matching through the IP or domain name of the network violation platform confirmed in S102.
Step S105, matching the user request data of the network violation platform against the alarm rules to generate alarm information.
In this embodiment, from the request data of the network violation platform that matches an alarm rule, the access time, source IP address, source port number, target IP address, target port, domain name, alarm type and network virtual number information are extracted as the final alarm record. In order to effectively reduce property loss, when the alarm information concerns the behaviour of a common user and the user's mobile phone number is captured in the alarm's network virtual number information, the victim can be informed through a preset short message template of the risk of property loss that the network activity may bring; when the alarm information concerns the behaviour of an agent or administrator, the complete alarm information is fed back to the relevant personnel for processing.
Specifically, the network violation website traffic filtered in step S104 is first matched with the role identification rules extracted in step S103 to confirm the user's role identity; it is then matched with the user operation behaviour identification rules extracted in step S103 to identify the user behaviour; and it is further matched with the network virtual number identification rules extracted in step S103 to obtain the user's virtual number information. All matched data are then evaluated together according to the role authority, and alarm information is output.
(1) When the role is a common user, early warning information is generated when the user registers, logs in or pays, and when the user's specific virtual number information has been extracted, the victim is informed through a preset template of the risk of property loss that the network activity may cause.
(2) When the role is an administrator or an agent, the complete alarm information is fed back to the relevant personnel for processing when the user performs access, registration, login or cash withdrawal operations.
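The platform filtering of step S104 and the rule matching and alarm routing of step S105, using the role, behaviour and virtual-number keywords quoted under step S103, as an added Python example that is not part of the patent; the platform IP/host list, the sample requests, the 'withdraw' keyword and the parameter-based virtual-number patterns are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Confirmed-platform list from step S102 (constructed values).
PLATFORM_IPS = {"198.51.100.10"}
PLATFORM_HOST_RE = re.compile(r"(^|\.)example-platform\.test$", re.I)
# Step S103 rules: role and behaviour keywords quoted in the description;
# "withdraw" is an assumed keyword for the cash-withdrawal behaviour.
ROLE_URL_KEYWORDS = {"admin": "administrator", "agent": "agent"}
ROLE_HOST_KEYWORDS = {"range": "administrator", "ag": "agent"}
BEHAVIOUR_URL_KEYWORDS = {"login": "login", "register": "registration",
                          "buy": "payment", "withdraw": "cash withdrawal"}
# Parameter fallback, most specific key first so a registration is not read as a login.
BEHAVIOUR_PARAM_KEYS = [("repassword", "registration"), ("money", "payment"),
                        ("username", "login")]
VN_URL_KEYWORDS = {"qq": "qq", "wechat": "wechat", "phone": "phone"}
# Assumed parameter patterns: a qq.com mailbox or an 11-digit mobile number as username.
QQ_MAIL_RE = re.compile(r"^(\d{5,12})@qq\.", re.I)
PHONE_RE = re.compile(r"^1\d{10}$")
# Alarm rules per role (claim 3); "proliferation" is listed but has no detector here.
ALARM_RULES = {
    "common user": {"proliferation", "registration", "login", "payment"},
    "agent": {"access", "registration", "login", "cash withdrawal"},
    "administrator": {"access", "registration", "login", "cash withdrawal"},
}


def is_platform_request(req):
    """Step S104: keep only requests whose target IP or host is a confirmed platform."""
    return req["dst_ip"] in PLATFORM_IPS or bool(PLATFORM_HOST_RE.search(req["host"]))


def identify_role(req):
    path, host = urlsplit(req["url"]).path.lower(), req["host"].lower()
    for kw, role in ROLE_URL_KEYWORDS.items():
        if kw in path:
            return role
    for kw, role in ROLE_HOST_KEYWORDS.items():
        if kw in host:
            return role
    return "common user"  # default when nothing distinguishes the role


def identify_behaviour(req, role):
    path = urlsplit(req["url"]).path.lower()
    for kw, behaviour in BEHAVIOUR_URL_KEYWORDS.items():
        if kw in path:
            return behaviour
    params = {k.lower() for k in req["params"]}
    for key, behaviour in BEHAVIOUR_PARAM_KEYS:
        if key in params:
            return behaviour
    return "access" if role != "common user" else None  # other agent/admin requests


def extract_virtual_number(req):
    """Return (kind, value) from the url query or the login parameters, else None."""
    query = parse_qs(urlsplit(req["url"]).query)
    for kw, kind in VN_URL_KEYWORDS.items():
        if kw in req["url"].lower():
            for name, values in query.items():
                if kw in name.lower() and values:
                    return (kind, values[0])
    username = req["params"].get("username", "")
    m = QQ_MAIL_RE.match(username)
    if m:
        return ("qq", m.group(1))
    return ("phone", username) if PHONE_RE.match(username) else None


def generate_alarm(req):
    """Step S105: an alarm record for a request that hits an alarm rule, else None."""
    if not is_platform_request(req):
        return None
    role = identify_role(req)
    behaviour = identify_behaviour(req, role)
    if behaviour not in ALARM_RULES[role]:
        return None
    vn = extract_virtual_number(req)
    record = {"access_time": req["time"], "source_ip": req["src_ip"],
              "source_port": req["src_port"], "target_ip": req["dst_ip"],
              "target_port": req["dst_port"], "domain": req["host"],
              "alarm_type": f"{role}:{behaviour}", "virtual_number": vn}
    # A common user whose mobile number was captured gets the preset SMS template;
    # agent and administrator alarms go in full to the handling personnel.
    if role == "common user":
        record["route"] = "sms_template" if vn and vn[0] == "phone" else "none"
    else:
        record["route"] = "personnel"
    return record


def generate_alarms(requests):
    return [a for a in map(generate_alarm, requests) if a is not None]


def _req(time, src_ip, host, url, params, dst_ip="198.51.100.10", dst_port=80):
    return {"time": time, "src_ip": src_ip, "src_port": 51000, "dst_ip": dst_ip,
            "dst_port": dst_port, "host": host, "url": url, "params": params}


# Constructed restored-request records, not captured traffic.
SAMPLE_REQUESTS = [
    _req("2021-07-20T10:00:01", "203.0.113.5", "www.example-platform.test",
         "/user/login", {"username": "13800000000", "password": "x"}),
    _req("2021-07-20T10:00:07", "203.0.113.9", "www.example-platform.test",
         "/user/register?ref=1", {"username": "1234567@qq.com", "repassword": "a"}),
    _req("2021-07-20T10:01:00", "203.0.113.20", "ag.example-platform.test", "/index.php", {}),
    _req("2021-07-20T10:02:00", "203.0.113.30", "www.example-platform.test",
         "/admin/withdraw", {"money": "500"}),
    _req("2021-07-20T10:03:00", "203.0.113.40", "www.unrelated.test", "/login",
         {"username": "bob"}, dst_ip="192.0.2.77", dst_port=443),
]
```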
Compared with the prior art, this technical scheme realises an early warning method for monitoring the activities of violation suspects based on a network platform; the method can monitor the abnormal network violation behaviour of network violation suspects, can also perform real-time tracking, deep analysis and website information restoration on the network, generates a warning information prompt after effective identification, can feed the warning information back to the relevant personnel for processing while monitoring, effectively reduces the loss of people and property, and reduces network violation behaviour while maintaining network security.
It will be evident to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied in other specific forms without departing from the spirit or essential attributes thereof. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned.
Claims (5)
1. A method for early warning of user activity of a network violation platform is characterized by comprising the following steps:
step S101, capturing network traffic containing network violation platform information and restoring the original website information: the captured traffic is decoded, tracked by flow table and reassembled, network protocol analysis is then carried out on the reassembled data, the website's hypertext transfer protocol is analysed in depth, and finally the original website information is restored;
step S102, identifying the network violation platform and presetting its IP (Internet protocol) address and domain name: the restored original website information is matched with a network violation identification model, the violation website type is determined from the model's identification result, and the IP and domain name confirmed to belong to the network violation platform are extracted;
step S103, analysing the request characteristics of the network violation platform and extracting alarm rules, where the objects of the alarm rules are mainly divided into common users, agents and administrators;
step S104, filtering the network violation platform out of the original website information by means of the confirmed network violation platform IP or domain name, mainly by regular-expression matching, and then retaining the websites hit by the match;
step S105, matching the user request data of the network violation platform against the alarm rules to generate alarm information: from the request data that matches an alarm rule, the access time, source IP address, source port number, target IP address, target port, domain name, alarm type and network virtual number information are taken as the final alarm record.
2. The method for warning the user activity of the network illegal platform according to claim 1, wherein in step S101, the captured network traffic may be any one of data center room network traffic, metropolitan area network traffic, and telecom operator network traffic.
3. The method for early warning of user activity of a network violation platform as recited in claim 1, wherein in step S103, the warning rule specifically comprises:
(1) common users: user proliferation, user registration, user login and user payment;
(2) agents: user access, user registration, user login and user cash withdrawal;
(3) administrators: user access, user registration, user login and user cash withdrawal.
4. The method for early warning of user activity of a network violation platform according to claim 1, wherein in step S104 regular-expression matching is used to determine whether the IP matches the IP of the network violation platform server and whether the domain name matches the host of the network violation platform.
5. The method for early warning of user activity of a network violation platform according to claim 1, wherein in step S105, when the alarm information concerns the behaviour of a common user and the user's mobile phone number is captured in the alarm's network virtual number information, the victim can be notified through a preset short message template of the risk of property loss that the network activity may cause; and when the alarm information concerns the behaviour of an agent or administrator, the complete alarm information is fed back to the relevant personnel for processing.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110821147.7A CN113839918A (en) | 2021-07-20 | 2021-07-20 | Method for early warning user activities of network illegal platform |
Publications (1)
Publication Number | Publication Date |
---|---|
CN113839918A true CN113839918A (en) | 2021-12-24 |
Family
ID=78962842
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PB01 | Publication | |
 | SE01 | Entry into force of request for substantive examination | |