CN116663021B - Machine request behavior recognition method, device, electronic equipment and storage medium - Google Patents

Info

Publication number: CN116663021B
Authority: CN (China)
Prior art keywords: detected, address, time interval, determining, request
Legal status: Active
Application number: CN202310913126.7A
Other languages: Chinese (zh)
Other versions: CN116663021A (en
Inventor: 张黎
Current Assignee: Flash It Co ltd
Original Assignee: Flash It Co ltd
Application filed by Flash It Co ltd
Priority to CN202310913126.7A
Publication of CN116663021A
Application granted
Publication of CN116663021B

Classifications

    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • H04L43/16 Threshold monitoring
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L9/40 Network security protocols
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The invention provides a machine request behavior recognition method, a device, electronic equipment and a storage medium. The time intervals to be detected of an IP address to be detected are determined using an absolute high-frequency threshold and a relative high-frequency threshold, which narrows the range in which machine request behavior has to be judged. The frequency risk value, the stability risk value and the differential risk value of the IP address to be detected in each time interval to be detected are then determined based on the request quantity of the IP address in that interval, the time intervals between its requests, and the number of interfaces it accessed. The time intervals in which machine request behavior exists are determined based on the frequency risk value, the stability risk value and the differential risk value, thereby realizing multidimensional analysis of the request behavior and improving the recognition precision of machine request behavior.

Description

Machine request behavior recognition method, device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of data processing technologies, and in particular, to a machine request behavior recognition method, a device, an electronic apparatus, and a storage medium.
Background
Machine request behavior refers to a machine automatically sending continuous requests to a system through a program. Typical examples include malicious attacks (such as Distributed Denial of Service (DDoS) attacks, Challenge Collapsar (CC) attacks, vulnerability attacks, and the like), crawler robots, and interface abuse (such as scripted ticket grabbing and bulk machine registration). Machine request behavior is often accompanied by risk: it means that the system is receiving abnormal requests, so identifying machine request behavior from the request log of the API (Application Programming Interface) is crucial for maintaining system security. Therefore, how to perform multidimensional analysis and comprehensive judgment on the API request log during API audit, and capture machine request behavior as accurately as possible so as to ensure the safety of application operation, is a technical problem that urgently needs to be solved.
Disclosure of Invention
The invention provides a machine request behavior recognition method, a device, electronic equipment and a storage medium, which are used for solving the problem of how to accurately capture the machine request behavior so as to ensure the safety of application operation in the prior art.
The invention provides a machine request behavior recognition method, which comprises the following steps:
determining a relative high-frequency threshold value based on the request quantity of the IP address to be detected in each unit time in the working time period;
determining an interval screening threshold based on an absolute high-frequency threshold and the relative high-frequency threshold, and determining a plurality of time intervals to be detected of the IP address to be detected based on the interval screening threshold and the request quantity of the IP address to be detected in each unit time;
determining a frequency risk value of the IP address to be detected in a corresponding time interval to be detected based on the request quantity of the IP address to be detected in each time interval to be detected;
determining a stability risk value of the IP address to be detected in a corresponding time interval to be detected based on the time interval of two adjacent requests of the IP address to be detected in each time interval to be detected;
determining a differential risk value of the IP address to be detected in a corresponding time interval to be detected based on the number of interfaces accessed by the IP address to be detected in each time interval to be detected;
and determining a time interval in which the machine request behavior exists based on the frequency risk value, the stability risk value and the difference risk value of the IP address to be detected in each time interval to be detected.
According to the machine request behavior recognition method provided by the invention, the stability risk value of the IP address to be detected in the corresponding time interval to be detected is determined based on the time interval of two adjacent requests of the IP address to be detected in each time interval to be detected, and the method specifically comprises the following steps:
acquiring the time interval of every two adjacent requests of the IP address to be detected in any time interval to be detected, and binning the time interval of every two adjacent requests based on a fixed width to obtain the time interval code of every two adjacent requests of the IP address to be detected in that time interval to be detected; the time interval code of any two adjacent requests is the bin number obtained by binning the time interval of those two adjacent requests based on the fixed width;
performing information entropy calculation based on time interval codes of every two adjacent requests of the IP address to be detected in any time interval to be detected, so as to obtain normalized information entropy of the IP address to be detected in any time interval to be detected;
and determining the stability risk value of the IP address to be detected in any time interval to be detected based on the difference value between the value 1 and the normalized information entropy of the IP address to be detected in any time interval to be detected.
According to the machine request behavior recognition method provided by the invention, the difference risk value of the IP address to be detected in the corresponding time interval to be detected is determined based on the number of interfaces accessed by the IP address to be detected in each time interval to be detected, and the method specifically comprises the following steps:
determining the number of interfaces of different interfaces accessed by the IP address to be detected in any time interval to be detected;
and determining the reciprocal of the number of the interfaces of different interfaces accessed by the IP address to be detected in any time interval to be detected, and taking the reciprocal as a differential risk value of the IP address to be detected in the corresponding time interval to be detected.
According to the machine request behavior recognition method provided by the invention, the frequency risk value of the IP address to be detected in the corresponding time interval to be detected is determined based on the request quantity of the IP address to be detected in each time interval to be detected, and the method specifically comprises the following steps:
determining a frequency risk value of the IP address to be detected in any time interval to be detected based on the following formula:
Wherein ad_tanh is a frequency risk value of the to-be-detected IP address in any to-be-detected time interval, x is a request quantity of the to-be-detected IP address in any to-be-detected time interval, and alpha is a preset shrinkage coefficient.
According to the machine request behavior recognition method provided by the invention, the relative high-frequency threshold value is determined based on the request quantity of each unit time of the IP address to be detected in the working time period, and the method concretely comprises the following steps:
generating a request frequency list based on the request quantity of each unit time of the IP address to be detected in the working time period; the numerical values at all positions in the request frequency list are in one-to-one correspondence with the request quantity of each unit time of the IP address to be detected in the working time period;
determining the median of the values in the request frequency list;
if the median is 0, carrying out outlier analysis on the numerical values in the request frequency list based on a 3 sigma principle, and determining the relative high-frequency threshold;
if the median is not 0, determining an upper quartile and a lower quartile of the values in the request frequency list, and determining the relative high-frequency threshold based on the upper quartile and the lower quartile of the values in the request frequency list.
According to the machine request behavior recognition method provided by the invention, the relative high-frequency threshold value is determined based on the upper quartile and the lower quartile of the numerical value in the request frequency list, and the method specifically comprises the following steps:
determining the product of the difference between the upper quartile and the lower quartile of the numerical value in the request frequency list and a preset adjustment coefficient;
and determining the sum of the product of the difference between the upper quartile and the lower quartile of the numerical value in the request frequency list and a preset adjustment coefficient and the upper quartile of the numerical value in the request frequency list as the relative high-frequency threshold.
According to the machine request behavior recognition method provided by the invention, the time interval in which the machine request behavior exists is determined based on the frequency risk value, the stability risk value and the difference risk value of the IP address to be detected in each time interval to be detected, and the method specifically comprises the following steps:
carrying out weighted summation on the frequency risk value and the weight thereof, the stability risk value and the weight thereof, and the difference risk value and the weight thereof of the IP address to be detected in each time interval to be detected, so as to obtain the machine request risk value of the IP address to be detected in the corresponding time interval to be detected;
and determining a time interval in which the machine request behavior exists based on the machine request risk value of the IP address to be detected in each time interval to be detected and a preset risk threshold value.
The invention also provides a machine request behavior recognition device, which comprises:
a relative threshold determining unit for determining a relative high frequency threshold based on a request amount per unit time of the IP address to be detected in the operation period;
the to-be-detected interval determining unit is used for determining an interval screening threshold value based on an absolute high-frequency threshold value and the relative high-frequency threshold value, and determining a plurality of to-be-detected time intervals of the to-be-detected IP address based on the interval screening threshold value and the request quantity of the to-be-detected IP address in each unit time;
the frequency risk calculation unit is used for determining a frequency risk value of the IP address to be detected in the corresponding time interval to be detected based on the request quantity of the IP address to be detected in each time interval to be detected;
the stability risk calculation unit is used for determining a stability risk value of the IP address to be detected in the corresponding time interval to be detected based on the time interval of two adjacent requests of the IP address to be detected in each time interval to be detected;
the differential risk calculation unit is used for determining a differential risk value of the IP address to be detected in the corresponding time interval to be detected based on the number of interfaces accessed by the IP address to be detected in each time interval to be detected;
and the machine request positioning unit is used for determining a time interval in which the machine request behavior exists based on the frequency risk value, the stability risk value and the difference risk value of the IP address to be detected in each time interval to be detected.
The invention also provides an electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the machine request behavior recognition method as described in any of the above when executing the program.
The present invention also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements a machine request behavior recognition method as described in any of the above.
The invention also provides a computer program product comprising a computer program which when executed by a processor implements a machine request behaviour identification method as described in any one of the above.
According to the machine request behavior recognition method, the device, the electronic equipment and the storage medium provided by the invention, the time intervals to be detected of the IP address to be detected are determined through the absolute high-frequency threshold and the relative high-frequency threshold, which narrows the range in which machine request behavior has to be judged. The frequency risk value, the stability risk value and the difference risk value of the IP address to be detected in each time interval to be detected are then determined based on the request quantity of the IP address in that interval, the time intervals between its requests, and the number of interfaces it accessed. The time intervals in which machine request behavior exists are determined based on the frequency risk value, the stability risk value and the difference risk value, so that multidimensional analysis of the request behavior is realized and the recognition precision of machine request behavior is improved.
Drawings
In order to more clearly illustrate the invention or the technical solutions of the prior art, the following description will briefly explain the drawings used in the embodiments or the description of the prior art, and it is obvious that the drawings in the following description are some embodiments of the invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic flow chart of a machine request behavior recognition method according to the present invention;
FIG. 2 is a flow chart of a method for determining stability risk provided by the present invention;
FIG. 3 is a schematic diagram of a machine request behavior recognition device according to the present invention;
FIG. 4 is a schematic structural diagram of an electronic device provided by the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present invention more apparent, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is apparent that the described embodiments are some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
FIG. 1 is a schematic flow chart of the machine request behavior recognition method provided by the present invention. As shown in FIG. 1, the method includes:
Step 110, determining a relative high-frequency threshold based on the request amount of the IP address to be detected in each unit time in the working time period.
Specifically, within the working time period, machine requests often appear as abnormal high-frequency requests sent within a short time. The request amount of each IP address to be detected in each unit time in the working time period can therefore be obtained from the system's offline request log records in a T+1 manner, and the IP addresses to be detected are analyzed one by one. For any IP address to be detected, outlier analysis can be performed on its request amount in each unit time in the working time period to determine a relative high-frequency threshold. If the request amount of the IP address to be detected in any unit time (for example, one minute) is higher than the relative high-frequency threshold, machine request behavior may exist in that unit time, and further confirmation can be performed. Using the relative high-frequency threshold to screen out the time periods in which machine request behavior may exist, and performing the subsequent fine-grained recognition only on those periods, greatly improves accuracy and efficiency compared with recognizing machine request behavior in every unit time.
In some embodiments, determining the relative high-frequency threshold based on the request amount of the IP address to be detected in each unit time in the working time period specifically includes:
generating a request frequency list based on the request quantity of each unit time of the IP address to be detected in the working time period; the numerical values at all positions in the request frequency list are in one-to-one correspondence with the request quantity of each unit time of the IP address to be detected in the working time period;
determining the median of the values in the request frequency list;
if the median is 0, carrying out outlier analysis on the numerical values in the request frequency list based on a 3 sigma principle, and determining the relative high-frequency threshold;
if the median is not 0, determining an upper quartile and a lower quartile of the values in the request frequency list, and determining the relative high-frequency threshold based on the upper quartile and the lower quartile of the values in the request frequency list.
Specifically, a request frequency list is generated based on the request amount of the IP address to be detected in each unit time in the working time period. The values at the positions in the request frequency list correspond one-to-one, in order, to the request amounts of the IP address to be detected in each unit time in the working time period; if the IP address to be detected sends no request in some unit time in the working time period, the value for that unit time in the request frequency list is set to 0. Subsequently, the median of the values in the request frequency list is calculated. If the median of the values in the request frequency list is 0, more than half of the values in the request frequency list are 0, which means that the IP address to be detected has no request record in more than half of the minutes. In this case, outlier analysis may be performed on the values in the request frequency list based on the 3 sigma principle to determine the relative high-frequency threshold. Here, the mean and the standard deviation std of the values in the request frequency list may be calculated, with mean + 3 × std taken as the relative high-frequency threshold.
If the median of the values in the request frequency list is not 0, more than half of the values in the request frequency list are greater than 0, which means that the IP address to be detected has request records in more than half of the minutes. In this case, the upper quartile Q3 and the lower quartile Q1 of the values in the request frequency list may be determined, and the relative high-frequency threshold may be determined based on Q3 and Q1. Here, the difference between the upper and lower quartiles (Q3 − Q1) is multiplied by a preset adjustment coefficient (e.g., 1.5), and the sum of this product and the upper quartile, (Q3 + 1.5 × (Q3 − Q1)), is determined as the relative high-frequency threshold.
Step 120, determining an interval screening threshold based on the absolute high frequency threshold and the relative high frequency threshold, and determining a plurality of time intervals to be detected of the to-be-detected IP address based on the interval screening threshold and the request amount of the to-be-detected IP address in each unit time.
Specifically, the absolute high-frequency threshold is preset and represents an upper limit on the frequency of operations per minute for a human being. The smaller of the absolute high-frequency threshold and the relative high-frequency threshold is determined as the interval screening threshold. Using the interval screening threshold and the request amount of the IP address to be detected in each unit time, the unit time intervals whose request amount is greater than or equal to the interval screening threshold are determined as the plurality of time intervals to be detected of the IP address to be detected, so that machine request behavior can subsequently be recognized precisely.
Step 130, determining a frequency risk value of the to-be-detected IP address in the corresponding to-be-detected time interval based on the request amount of the to-be-detected IP address in each to-be-detected time interval.
Specifically, the higher the request amount of the to-be-detected IP address in any to-be-detected time interval, the greater the possibility that the to-be-detected IP address has a machine request behavior in the to-be-detected time interval. Therefore, the request quantity of the IP address to be detected in each time interval to be detected can be converted into the frequency risk value of the IP address to be detected in the corresponding time interval to be detected. The higher the frequency risk value of the to-be-detected IP address in any to-be-detected time interval, the greater the possibility that the to-be-detected IP address has a machine request behavior in the to-be-detected time interval. Here, the frequency risk value of the IP address to be detected in any time interval to be detected may be determined based on the following formula:
where ad_tanh is the frequency risk value of the IP address to be detected in the time interval to be detected, x is the request amount of the IP address to be detected in the time interval to be detected, and α is a preset shrinkage coefficient; α can be set to 2 times the reciprocal of the upper limit value of the hyperbolic tangent function.
Step 140, determining a stability risk value of the IP address to be detected in the corresponding time interval to be detected based on the time interval of two adjacent requests of the IP address to be detected in each time interval to be detected.
Specifically, since machine request behavior is driven by a program, the time difference between every two requests always shows a certain stability. Whether the time intervals between adjacent requests of the IP address to be detected are stable within each time interval to be detected can therefore be analyzed, and the stability risk value of the IP address to be detected in the corresponding time interval to be detected can be determined based on those time intervals, to reflect the possibility that machine request behavior exists in each time interval to be detected. The higher the stability risk value of the IP address to be detected in any time interval to be detected, the greater the possibility that the IP address to be detected has machine request behavior in that time interval.
Typically, the variance of the time intervals between adjacent requests is used as an indicator of their stability. However, variance only reflects the stability of data when the data are on the same order of magnitude. The request amount of the IP address to be detected may differ greatly between time intervals to be detected, so the variance cannot correctly reflect the stability of adjacent request time intervals across different time intervals to be detected.
In some embodiments, as shown in fig. 2, determining the stability risk value of the IP address to be detected in the corresponding time interval to be detected based on the time interval of two adjacent requests of the IP address to be detected in each time interval to be detected specifically includes:
Step 210, obtaining the time interval of every two adjacent requests of the to-be-detected IP address in any to-be-detected time interval, and binning the time interval of every two adjacent requests based on a fixed width to obtain the time interval code of every two adjacent requests of the to-be-detected IP address in that to-be-detected time interval; the time interval code of any two adjacent requests is the bin number obtained by binning the time interval of those two adjacent requests based on the fixed width;
Step 220, performing information entropy calculation based on the time interval codes of every two adjacent requests of the to-be-detected IP address in any to-be-detected time interval, so as to obtain the normalized information entropy of the to-be-detected IP address in any to-be-detected time interval;
Step 230, determining a stability risk value of the to-be-detected IP address in any to-be-detected time interval based on the difference between the value 1 and the normalized information entropy of the to-be-detected IP address in that to-be-detected time interval.
Specifically, after the time interval between every two adjacent requests of the to-be-detected IP address in any to-be-detected time interval is obtained, the intervals are binned with a fixed width, and the resulting bin number (i.e. the number of the bin obtained when the interval between two adjacent requests is binned) is used as the time interval code of those two adjacent requests of the to-be-detected IP address in the to-be-detected time interval. For example, assuming that the time intervals between every two adjacent requests are (0.97, 0.91, 0.95, 1.09) in seconds, binning with a width of 1 second encodes them as (1, 2). The intervals are binned because, although the request intervals produced by machine request behavior are relatively fixed, the intervals actually observed are not necessarily identical owing to delays in the system, the network and the like, and small differences between them may mislead the stability analysis and reduce the accuracy of machine request behavior identification. Binning the interval between every two adjacent requests with a fixed width and taking the bin number as its time interval code largely eliminates these small differences and largely removes the influence of such delays.
Information entropy reflects the uncertainty and degree of disorder of a set of data: the larger the entropy of the set, the more chaotic the data; the smaller the entropy, the more stable the data. Information entropy can therefore be used to analyze the stability of the intervals between adjacent requests in each to-be-detected time interval. Accordingly, the information entropy is calculated from the time interval codes of every two adjacent requests of the IP address to be detected in any to-be-detected time interval, giving the normalized information entropy of the IP address to be detected in that time interval. Specifically, the normalized information entropy of the to-be-detected IP address in the to-be-detected time interval can be calculated through the following formula:
wherein,,refers to the time zone to be detectedThe number of bins (i.e., time interval codes) corresponding to the ith time interval (i.e., time interval between the ith and the (i+1) th requests) in the interval is the ratio of the total number of bins (i.e., time interval code sum), N is the total number of time intervals in the time interval to be detected (if the request amount of the time interval to be detected is M, n=m-1).
The greater the normalized information entropy of the IP address to be detected in any to-be-detected time interval, the more chaotic the intervals between its adjacent requests in that time interval, and the lower the likelihood of machine request behavior; conversely, the smaller the normalized information entropy, the more stable the intervals between its adjacent requests in that time interval, and the greater the likelihood of machine request behavior. Therefore, the difference (1-enterval) between the value 1 and the normalized information entropy of the IP address to be detected in the to-be-detected time interval can be determined as the stability risk value of the IP address to be detected in that time interval.
Step 150, determining a differential risk value of the IP address to be detected in the corresponding time interval to be detected based on the number of interfaces accessed by the IP address to be detected in each time interval to be detected.
Specifically, machine request behavior often takes the form of a large number of traversals of a single interface or continuous access to similar content, so the stability of the request content can be observed from the number of distinct interfaces accessed by the to-be-detected IP address in each to-be-detected time interval, which yields the differential risk value of the to-be-detected IP address in the corresponding to-be-detected time interval. The more stable the request content in a to-be-detected time interval, the higher the likelihood that machine request behavior exists in that interval, and the higher the differential risk value of the IP address to be detected in that interval. Here, the number of distinct interfaces accessed by the IP address to be detected in any to-be-detected time interval can be determined, and the reciprocal of that number is used as the differential risk value of the IP address to be detected in the corresponding to-be-detected time interval. The fewer distinct interfaces the IP address to be detected accesses in a to-be-detected time interval, the more stable its request content in that interval, and the higher its differential risk value in that interval.
Step 160, determining a time interval in which the machine request behavior exists based on the frequency risk value, the stability risk value and the differential risk value of the IP address to be detected in each time interval to be detected.
Specifically, the frequency risk value, the stability risk value and the differential risk value of the to-be-detected IP address in each to-be-detected time interval can be combined to determine the machine request risk value of the to-be-detected IP address in the corresponding to-be-detected time interval. The following formula may be used: a weighted summation over the frequency risk value and its weight, the stability risk value and its weight, and the differential risk value and its weight of the to-be-detected IP address in each to-be-detected time interval gives the machine request risk value Score of the to-be-detected IP address in the corresponding to-be-detected time interval:
Score = a1×x1+a2×x2+a3×x3
wherein x1 and a1 are the frequency risk value of the to-be-detected IP address in each to-be-detected time interval and its weight, x2 and a2 are the stability risk value of the to-be-detected IP address in each to-be-detected time interval and its weight, and x3 and a3 are the differential risk value of the to-be-detected IP address in each to-be-detected time interval and its weight.
Then, the time interval in which the machine request behavior exists is determined based on the machine request risk value of the IP address to be detected in each time interval to be detected and the preset risk threshold. If the machine request risk value of the IP address to be detected in any time interval to be detected is greater than the preset risk threshold, that time interval to be detected is a time interval in which the machine request behavior exists.
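The stability, differential and weighted-score steps described above, as an added Python example that is not part of the patent text. The entropy and frequency-risk formulas did not survive on this page, so the example assumes Shannon entropy over the frequency of each bin code divided by log N and takes the frequency risk x1 as an input; the bin numbering, weights, threshold and request samples are constructed for illustration.

```python
import math
from collections import Counter


def interval_codes(gaps, bin_width=1.0):
    """Fixed-width binning: each gap between adjacent requests becomes a bin number."""
    # Assumption: bins are numbered from 1, so a gap in [0, bin_width) gets code 1.
    return [int(g // bin_width) + 1 for g in gaps]


def normalized_entropy(codes):
    """Assumed form: Shannon entropy of bin-code frequencies divided by log N."""
    n = len(codes)
    if n < 2:
        return 0.0  # log(1) == 0, so the normalization is undefined for one gap
    h = -sum((c / n) * math.log(c / n) for c in Counter(codes).values())
    return h / math.log(n)


def stability_risk(gaps, bin_width=1.0):
    """x2 = 1 - normalized entropy of the interval codes."""
    codes = interval_codes(gaps, bin_width)
    if len(codes) < 2:
        return 0.0  # assumption: too few gaps to show any regularity
    return 1.0 - normalized_entropy(codes)


def differential_risk(interfaces):
    """x3 = reciprocal of the number of distinct interfaces accessed."""
    distinct = len(set(interfaces))
    return 1.0 / distinct if distinct else 0.0


def score_window(requests, freq_risk, weights=(0.4, 0.4, 0.2), bin_width=1.0):
    """Score = a1*x1 + a2*x2 + a3*x3 for one to-be-detected time interval.

    requests: list of (timestamp_seconds, interface) tuples from one IP address.
    freq_risk: x1, supplied by the caller because its formula is not on the page.
    """
    ts = sorted(t for t, _ in requests)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    a1, a2, a3 = weights
    x2 = stability_risk(gaps, bin_width)
    x3 = differential_risk([path for _, path in requests])
    return a1 * freq_risk + a2 * x2 + a3 * x3


def flag_windows(windows, risk_threshold):
    """Return the labels of the windows whose score exceeds the preset threshold."""
    return [label for label, (requests, freq_risk) in windows.items()
            if score_window(requests, freq_risk) > risk_threshold]


# Constructed sample data: two one-minute windows for the same IP address.
WINDOWS = {
    # Near-constant 1 s cadence against a single interface.
    "10:01": ([(0.00, "/api/price"), (0.97, "/api/price"), (1.88, "/api/price"),
               (2.83, "/api/price"), (3.92, "/api/price"), (4.90, "/api/price"),
               (5.83, "/api/price")], 0.9),
    # Irregular cadence spread over several interfaces.
    "10:02": ([(0.0, "/"), (0.4, "/search"), (3.6, "/item/17"), (11.5, "/cart"),
               (13.0, "/search"), (25.3, "/item/42"), (30.4, "/checkout")], 0.6),
}

if __name__ == "__main__":
    for label, (requests, freq_risk) in WINDOWS.items():
        print(label, round(score_window(requests, freq_risk), 3))
    print("flagged:", flag_windows(WINDOWS, risk_threshold=0.7))
```

Without the binning step the first window would contain six different raw gaps and score as fully irregular, which is the jitter problem the description raises.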
In summary, the method provided by the embodiment of the invention determines the time interval to be detected of the IP address to be detected through the absolute high frequency threshold and the relative high frequency threshold, reduces the judging range of the machine request behavior, and then determines the frequency risk value, the stability risk value and the differential risk value of the IP address to be detected in the corresponding time intervals to be detected based on the request amount, the request time interval and the interface number of the IP address to be detected in each time interval to be detected, thereby determining the time interval in which the machine request behavior exists based on the frequency risk value, the stability risk value and the differential risk value, realizing multidimensional analysis of the request behavior, and improving the recognition accuracy of the machine request behavior.
The machine request behavior recognition device provided by the invention is described below, and the machine request behavior recognition device described below and the machine request behavior recognition method described above can be referred to correspondingly.
Based on any of the above embodiments, Fig. 3 is a schematic structural diagram of a machine request behavior recognition device provided by the present invention. As shown in Fig. 3, the device includes:
a relative threshold determining unit 310, configured to determine a relative high-frequency threshold based on the request amount of the IP address to be detected in each unit time in the working time period;
a to-be-detected interval determining unit 320, configured to determine an interval screening threshold based on an absolute high-frequency threshold and the relative high-frequency threshold, and determine a plurality of to-be-detected time intervals of the to-be-detected IP address based on the interval screening threshold and the request amount of the to-be-detected IP address in each unit time;
a frequency risk calculation unit 330, configured to determine a frequency risk value of the IP address to be detected in a corresponding time interval to be detected based on the request amount of the IP address to be detected in each time interval to be detected;
a stability risk calculation unit 340, configured to determine a stability risk value of the IP address to be detected in a corresponding time interval to be detected based on a time interval between two adjacent requests of the IP address to be detected in each time interval to be detected;
a differential risk calculation unit 350, configured to determine a differential risk value of the IP address to be detected in a corresponding time interval to be detected based on the number of interfaces accessed by the IP address to be detected in each time interval to be detected;
a machine request positioning unit 360, configured to determine a time interval in which a machine request behavior exists, based on the frequency risk value, the stability risk value, and the differential risk value of the IP address to be detected in each time interval to be detected.
According to the device provided by the embodiment of the invention, the time interval to be detected of the IP address to be detected is determined through the absolute high-frequency threshold value and the relative high-frequency threshold value, the judging range of the machine request behavior is reduced, then the frequency risk value, the stability risk value and the differential risk value of the IP address to be detected in the corresponding time intervals to be detected are determined based on the request quantity, the request time interval and the interface quantity of the IP address to be detected in each time interval to be detected, so that the time interval with the machine request behavior is determined based on the frequency risk value, the stability risk value and the differential risk value, the multidimensional analysis of the request behavior is realized, and the recognition precision of the machine request behavior is improved.
Based on any of the foregoing embodiments, the determining, based on the time interval between two adjacent requests of the IP address to be detected in each time interval to be detected, a stability risk value of the IP address to be detected in the corresponding time interval to be detected specifically includes:
acquiring the time interval of each two adjacent requests of the IP address to be detected in any time interval to be detected, and dividing the time interval of each two adjacent requests based on a fixed width to obtain the time interval code of each two adjacent requests of the IP address to be detected in any time interval to be detected; the time interval code of any two adjacent requests is a box number obtained by carrying out box separation on the time interval of any two adjacent requests based on the fixed width;
performing information entropy calculation based on time interval codes of every two adjacent requests of the IP address to be detected in any time interval to be detected, so as to obtain normalized information entropy of the IP address to be detected in any time interval to be detected;
and determining the stability risk value of the IP address to be detected in any time interval to be detected based on the difference value between the value 1 and the normalized information entropy of the IP address to be detected in any time interval to be detected.
Based on any of the foregoing embodiments, the determining, based on the number of interfaces accessed by the IP address to be detected in each time interval to be detected, a differential risk value of the IP address to be detected in the corresponding time interval to be detected specifically includes:
determining the number of interfaces of different interfaces accessed by the IP address to be detected in any time interval to be detected;
and determining the reciprocal of the number of the interfaces of different interfaces accessed by the IP address to be detected in any time interval to be detected, and taking the reciprocal as a differential risk value of the IP address to be detected in the corresponding time interval to be detected.
Based on any one of the foregoing embodiments, the determining, based on the request amount of the IP address to be detected in each time interval to be detected, a frequency risk value of the IP address to be detected in the corresponding time interval to be detected specifically includes:
determining a frequency risk value of the IP address to be detected in any time interval to be detected based on the following formula:
wherein ad_tanh is a frequency risk value of the to-be-detected IP address in any to-be-detected time interval, x is a request quantity of the to-be-detected IP address in any to-be-detected time interval, and alpha is a preset shrinkage coefficient.
Based on any of the above embodiments, the determining a relative high-frequency threshold based on the request amount of the IP address to be detected in each unit time in the working time period specifically includes:
generating a request frequency list based on the request quantity of each unit time of the IP address to be detected in the working time period; the numerical values at all positions in the request frequency list are in one-to-one correspondence with the request quantity of each unit time of the IP address to be detected in the working time period;
determining the median of the values in the request frequency list;
if the median is 0, carrying out outlier analysis on the numerical values in the request frequency list based on a 3 sigma principle, and determining the relative high-frequency threshold;
if the median is not 0, determining an upper quartile and a lower quartile of the values in the request frequency list, and determining the relative high-frequency threshold based on the upper quartile and the lower quartile of the values in the request frequency list.
Based on any of the above embodiments, the determining the relative high-frequency threshold based on an upper quartile and a lower quartile of values in the request frequency list specifically includes:
determining the product of the difference between the upper quartile and the lower quartile of the numerical value in the request frequency list and a preset adjustment coefficient;
and determining the sum of the product of the difference between the upper quartile and the lower quartile of the numerical value in the request frequency list and a preset adjustment coefficient and the upper quartile of the numerical value in the request frequency list as the relative high-frequency threshold.
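One way to implement the relative high-frequency threshold and the interval screening that claim 1 builds on it (added example, not the patent's code). Assumptions: the 3-sigma branch uses the mean plus three population standard deviations, quartiles use inclusive interpolation, the adjustment coefficient is 1.5, and units with zero requests are skipped; the per-unit request counts are constructed.

```python
import statistics


def relative_threshold(counts, k=1.5):
    """Relative high-frequency threshold from per-unit-time request counts.

    counts: the request frequency list, one value per unit time in the working period.
    k: the preset adjustment coefficient (1.5 is an assumed value).
    """
    if len(counts) < 2:
        # Assumption: with no usable history, only the absolute threshold applies.
        return float("inf")
    if statistics.median(counts) == 0:
        # Mostly idle IP address: quartiles collapse to 0, so use the 3-sigma rule.
        # Assumption: threshold = mean + 3 * population standard deviation.
        return statistics.fmean(counts) + 3 * statistics.pstdev(counts)
    # Otherwise: upper quartile + k * (upper quartile - lower quartile).
    q1, _, q3 = statistics.quantiles(counts, n=4, method="inclusive")
    return q3 + k * (q3 - q1)


def units_to_inspect(counts, absolute_threshold, k=1.5):
    """Return (interval screening threshold, indices of units to inspect).

    The screening threshold is the smaller of the absolute and relative
    thresholds; a unit qualifies when its request count is >= that threshold.
    """
    screen = min(absolute_threshold, relative_threshold(counts, k))
    # Added guard: a unit with no requests has nothing to analyse.
    return screen, [i for i, c in enumerate(counts) if c >= screen and c > 0]


# Constructed request counts per unit time for three IP addresses.
SPARSE = [0] * 11 + [40]                          # idle, then one burst
BUSY = [4, 6, 5, 7, 5, 6, 4, 5, 60, 6, 5, 7]      # steady use with one spike
HAMMER = [200, 210, 205, 198]                     # uniformly high volume

if __name__ == "__main__":
    for name, counts in (("sparse", SPARSE), ("busy", BUSY), ("hammer", HAMMER)):
        print(name, units_to_inspect(counts, absolute_threshold=100))
```

The third sample shows why the absolute threshold is kept: an address that is uniformly busy has a relative threshold above its own traffic, and only the absolute threshold selects its units.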
Based on any of the foregoing embodiments, the determining, based on the frequency risk value, the stability risk value, and the differential risk value of the IP address to be detected in each time interval to be detected, a time interval in which a machine request behavior exists specifically includes:
carrying out weighted summation on the frequency risk value and the weight thereof, the stability risk value and the weight thereof, and the differential risk value and the weight thereof of the IP address to be detected in each time interval to be detected, so as to obtain the machine request risk value of the IP address to be detected in the corresponding time interval to be detected;
and determining a time interval in which the machine request behavior exists based on the machine request risk value of the IP address to be detected in each time interval to be detected and a preset risk threshold value.
Fig. 4 is a schematic structural diagram of an electronic device according to the present invention, as shown in fig. 4, the electronic device may include: processor 410, memory 420, communication interface (Communications Interface) 430, and communication bus 440, wherein processor 410, memory 420, and communication interface 430 communicate with each other via communication bus 440. Processor 410 may invoke logic instructions in memory 420 to perform a machine request behavior recognition method comprising: determining a relative high-frequency threshold value based on the request quantity of the IP address to be detected in each unit time in the working time period; determining an interval screening threshold based on an absolute high-frequency threshold and the relative high-frequency threshold, and determining a plurality of time intervals to be detected of the IP address to be detected based on the interval screening threshold and the request quantity of the IP address to be detected in each unit time; determining a frequency risk value of the IP address to be detected in a corresponding time interval to be detected based on the request quantity of the IP address to be detected in each time interval to be detected; determining a stability risk value of the IP address to be detected in a corresponding time interval to be detected based on the time interval of two adjacent requests of the IP address to be detected in each time interval to be detected; determining a differential risk value of the IP address to be detected in a corresponding time interval to be detected based on the number of interfaces accessed by the IP address to be detected in each time interval to be detected; and determining a time interval in which the machine request behavior exists based on the frequency risk value, the stability risk value and the difference risk value of the IP address to be detected in each time interval to be detected.
Further, the logic instructions in the memory 420 described above may be implemented in the form of software functional units and, when sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, in essence or in the part contributing to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium and comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other various media capable of storing program code.
In another aspect, the present invention also provides a computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions which, when executed by a computer, enable the computer to perform the machine request behavior recognition method provided by the methods described above, the method comprising: determining a relative high-frequency threshold value based on the request quantity of the IP address to be detected in each unit time in the working time period; determining an interval screening threshold based on an absolute high-frequency threshold and the relative high-frequency threshold, and determining a plurality of time intervals to be detected of the IP address to be detected based on the interval screening threshold and the request quantity of the IP address to be detected in each unit time; determining a frequency risk value of the IP address to be detected in a corresponding time interval to be detected based on the request quantity of the IP address to be detected in each time interval to be detected; determining a stability risk value of the IP address to be detected in a corresponding time interval to be detected based on the time interval of two adjacent requests of the IP address to be detected in each time interval to be detected; determining a differential risk value of the IP address to be detected in a corresponding time interval to be detected based on the number of interfaces accessed by the IP address to be detected in each time interval to be detected; and determining a time interval in which the machine request behavior exists based on the frequency risk value, the stability risk value and the difference risk value of the IP address to be detected in each time interval to be detected.
In yet another aspect, the present invention also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, is implemented to perform the machine request behavior recognition methods provided above, the method comprising: determining a relative high-frequency threshold value based on the request quantity of the IP address to be detected in each unit time in the working time period; determining an interval screening threshold based on an absolute high-frequency threshold and the relative high-frequency threshold, and determining a plurality of time intervals to be detected of the IP address to be detected based on the interval screening threshold and the request quantity of the IP address to be detected in each unit time; determining a frequency risk value of the IP address to be detected in a corresponding time interval to be detected based on the request quantity of the IP address to be detected in each time interval to be detected; determining a stability risk value of the IP address to be detected in a corresponding time interval to be detected based on the time interval of two adjacent requests of the IP address to be detected in each time interval to be detected; determining a differential risk value of the IP address to be detected in a corresponding time interval to be detected based on the number of interfaces accessed by the IP address to be detected in each time interval to be detected; and determining a time interval in which the machine request behavior exists based on the frequency risk value, the stability risk value and the difference risk value of the IP address to be detected in each time interval to be detected.
The apparatus embodiments described above are merely illustrative, wherein the elements illustrated as separate elements may or may not be physically separate, and the elements shown as elements may or may not be physical elements, may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus necessary general hardware platforms, or of course may be implemented by means of hardware. Based on this understanding, the foregoing technical solution may be embodied essentially or in a part contributing to the prior art in the form of a software product, which may be stored in a computer readable storage medium, such as ROM/RAM, a magnetic disk, an optical disk, etc., including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method described in the respective embodiments or some parts of the embodiments.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (8)

1. A method for identifying machine request behavior, comprising:
determining a relative high-frequency threshold value based on the request quantity of the IP address to be detected in each unit time in the working time period;
determining an interval screening threshold based on an absolute high-frequency threshold and the relative high-frequency threshold, and determining a plurality of time intervals to be detected of the IP address to be detected based on the interval screening threshold and the request quantity of the IP address to be detected in each unit time;
determining a frequency risk value of the IP address to be detected in a corresponding time interval to be detected based on the request quantity of the IP address to be detected in each time interval to be detected;
determining a stability risk value of the IP address to be detected in a corresponding time interval to be detected based on the time interval of two adjacent requests of the IP address to be detected in each time interval to be detected;
determining a differential risk value of the IP address to be detected in a corresponding time interval to be detected based on the number of interfaces accessed by the IP address to be detected in each time interval to be detected;
determining a time interval in which a machine request behavior exists based on a frequency risk value, a stability risk value and a differential risk value of the IP address to be detected in each time interval to be detected;
wherein the absolute high frequency threshold is preset;
the determining a relative high-frequency threshold value based on the request quantity of each unit time of the IP address to be detected in the working time period specifically comprises the following steps:
generating a request frequency list based on the request quantity of each unit time of the IP address to be detected in the working time period; the numerical values at all positions in the request frequency list are in one-to-one correspondence with the request quantity of each unit time of the IP address to be detected in the working time period;
determining the median of the values in the request frequency list;
if the median is 0, carrying out outlier analysis on the numerical values in the request frequency list based on a 3 sigma principle, and determining the relative high-frequency threshold;
if the median is not 0, determining an upper quartile and a lower quartile of the values in the request frequency list, determining a product between a difference value of the upper quartile and the lower quartile of the values in the request frequency list and a preset adjustment coefficient, and determining a sum of the product between the difference value of the upper quartile and the lower quartile of the values in the request frequency list and the preset adjustment coefficient and the upper quartile of the values in the request frequency list as the relative high-frequency threshold;
the determining an interval screening threshold based on the absolute high-frequency threshold and the relative high-frequency threshold, and determining a plurality of time intervals to be detected of the IP address to be detected based on the interval screening threshold and the request amount of the IP address to be detected in each unit time specifically includes:
determining the smaller value of the absolute high-frequency threshold value and the relative high-frequency threshold value as an interval screening threshold value based on the absolute high-frequency threshold value and the relative high-frequency threshold value;
and determining a unit time interval with the request quantity larger than or equal to the interval screening threshold value as a plurality of time intervals to be detected of the IP address to be detected by utilizing the interval screening threshold value and the request quantity of the IP address to be detected in each unit time.
2. The machine request behavior recognition method according to claim 1, wherein the determining the stability risk value of the IP address to be detected in the corresponding time interval to be detected based on the time interval between two adjacent requests of the IP address to be detected in each time interval to be detected specifically includes:
acquiring the time interval of each two adjacent requests of the IP address to be detected in any time interval to be detected, and dividing the time interval of each two adjacent requests based on a fixed width to obtain the time interval code of each two adjacent requests of the IP address to be detected in any time interval to be detected; the time interval code of any two adjacent requests is a box number obtained by carrying out box separation on the time interval of any two adjacent requests based on the fixed width;
performing information entropy calculation based on time interval codes of every two adjacent requests of the IP address to be detected in any time interval to be detected, so as to obtain normalized information entropy of the IP address to be detected in any time interval to be detected;
and determining the stability risk value of the IP address to be detected in any time interval to be detected based on the difference value between the value 1 and the normalized information entropy of the IP address to be detected in any time interval to be detected.
3. The machine request behavior identification method according to claim 1, wherein the determining the differential risk value of the IP address to be detected in the corresponding time interval to be detected based on the number of interfaces accessed by the IP address to be detected in each time interval to be detected specifically includes:
determining the number of interfaces of different interfaces accessed by the IP address to be detected in any time interval to be detected;
and determining the reciprocal of the number of the interfaces of different interfaces accessed by the IP address to be detected in any time interval to be detected, and taking the reciprocal as a differential risk value of the IP address to be detected in the corresponding time interval to be detected.
4. The machine request behavior identification method according to claim 1, wherein the determining the frequency risk value of the IP address to be detected in the corresponding time interval to be detected based on the request amount of the IP address to be detected in each time interval to be detected specifically includes:
determining a frequency risk value of the IP address to be detected in any time interval to be detected based on the following formula:
wherein ad_tanh is a frequency risk value of the to-be-detected IP address in any to-be-detected time interval, x is a request quantity of the to-be-detected IP address in any to-be-detected time interval, and alpha is a preset shrinkage coefficient.
5. The machine request behavior identification method according to any one of claims 1 to 4, wherein the determining, based on the frequency risk value, the stability risk value, and the differential risk value of the IP address to be detected in each time interval to be detected, a time interval in which a machine request behavior exists specifically includes:
carrying out weighted summation on the frequency risk value and the weight thereof, the stability risk value and the weight thereof, and the differential risk value and the weight thereof of the IP address to be detected in each time interval to be detected, so as to obtain the machine request risk value of the IP address to be detected in the corresponding time interval to be detected;
and determining a time interval in which the machine request behavior exists based on the machine request risk value of the IP address to be detected in each time interval to be detected and a preset risk threshold value.
6. A machine request behavior recognition apparatus, comprising:
a relative threshold determining unit for determining a relative high frequency threshold based on a request amount per unit time of the IP address to be detected in the operation period;
the to-be-detected interval determining unit is used for determining an interval screening threshold value based on an absolute high-frequency threshold value and the relative high-frequency threshold value, and determining a plurality of to-be-detected time intervals of the to-be-detected IP address based on the interval screening threshold value and the request quantity of the to-be-detected IP address in each unit time;
the frequency risk calculation unit is used for determining a frequency risk value of the IP address to be detected in the corresponding time interval to be detected based on the request quantity of the IP address to be detected in each time interval to be detected;
the stability risk calculation unit is used for determining a stability risk value of the IP address to be detected in the corresponding time interval to be detected based on the time interval of two adjacent requests of the IP address to be detected in each time interval to be detected;
the differential risk calculation unit is used for determining a differential risk value of the IP address to be detected in the corresponding time interval to be detected based on the number of interfaces accessed by the IP address to be detected in each time interval to be detected;
the machine request positioning unit is used for determining a time interval in which a machine request behavior exists based on a frequency risk value, a stability risk value and a difference risk value of the IP address to be detected in each time interval to be detected;
wherein the absolute high frequency threshold is preset;
the determining a relative high-frequency threshold value based on the request quantity of each unit time of the IP address to be detected in the working time period specifically comprises the following steps:
generating a request frequency list based on the request quantity of each unit time of the IP address to be detected in the working time period; the numerical values at all positions in the request frequency list are in one-to-one correspondence with the request quantity of each unit time of the IP address to be detected in the working time period;
determining the median of the values in the request frequency list;
if the median is 0, carrying out outlier analysis on the numerical values in the request frequency list based on a 3 sigma principle, and determining the relative high-frequency threshold;
if the median is not 0, determining an upper quartile and a lower quartile of the values in the request frequency list, determining the product of a preset adjustment coefficient and the difference between the upper quartile and the lower quartile, and determining the sum of that product and the upper quartile as the relative high-frequency threshold;
the determining an interval screening threshold based on the absolute high-frequency threshold and the relative high-frequency threshold, and determining a plurality of time intervals to be detected of the IP address to be detected based on the interval screening threshold and the request quantity of the IP address to be detected in each unit time specifically includes:
determining the smaller value of the absolute high-frequency threshold value and the relative high-frequency threshold value as an interval screening threshold value based on the absolute high-frequency threshold value and the relative high-frequency threshold value;
and determining, using the interval screening threshold and the request quantity of the IP address to be detected in each unit time, each unit time interval whose request quantity is greater than or equal to the interval screening threshold as one of the plurality of time intervals to be detected of the IP address to be detected.
7. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the machine request behavior recognition method of any one of claims 1 to 5 when the program is executed by the processor.
8. A non-transitory computer readable storage medium having stored thereon a computer program, which when executed by a processor implements the machine request behavior recognition method of any one of claims 1 to 5.
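The threshold selection recited in claim 6 and the reciprocal differential risk value recited above, as an added Python example that is not taken from the patent. The function names, the adjustment coefficient of 1.5, the reading of the 3 sigma principle as mean plus three population standard deviations, the inclusive quartile method, the zero-count guard and the sample counts are all assumptions.

```python
import statistics

def relative_threshold(counts, k=1.5):
    """Relative high-frequency threshold from per-unit-time request counts.
    k is the preset adjustment coefficient (1.5 is an assumed value)."""
    if statistics.median(counts) == 0:
        # Mostly idle series: 3-sigma outlier bound, read here (assumption)
        # as mean + 3 * population standard deviation.
        return statistics.fmean(counts) + 3 * statistics.pstdev(counts)
    # Otherwise: upper quartile + k * (upper quartile - lower quartile).
    q1, _, q3 = statistics.quantiles(counts, n=4, method="inclusive")
    return q3 + k * (q3 - q1)

def screening_threshold(counts, absolute, k=1.5):
    """Interval screening threshold: the smaller of the two thresholds."""
    return min(absolute, relative_threshold(counts, k))

def intervals_to_detect(counts, absolute, k=1.5):
    """Indexes of unit-time intervals with request count >= the threshold.
    Added guard (not in the claims): units with no requests are skipped, so an
    all-zero series, whose threshold is 0, does not select every interval."""
    t = screening_threshold(counts, absolute, k)
    return [i for i, c in enumerate(counts) if c > 0 and c >= t]

def differential_risk(interfaces):
    """Reciprocal of the number of distinct interfaces hit in one interval."""
    distinct = set(interfaces)
    if not distinct:
        raise ValueError("interval contains no requests")
    return 1 / len(distinct)

# Constructed sample data: requests per minute for one IP address.
BUSY = [4, 5, 6, 5, 4, 6, 5, 40, 5, 6, 4, 38]   # median 5 -> quartile rule
IDLE = [0] * 19 + [40]                           # median 0 -> 3-sigma rule

if __name__ == "__main__":
    for name, series in (("busy", BUSY), ("idle", IDLE)):
        print(name, screening_threshold(series, absolute=20),
              intervals_to_detect(series, absolute=20))
    print(differential_risk(["/login"] * 40))           # one interface hammered
    print(differential_risk(["/a", "/b", "/c", "/d"]))  # spread over four
```

For the idle series the relative threshold exceeds the absolute one, so the absolute threshold of 20 becomes the screening threshold; for the busy series the quartile-based relative threshold is the smaller value and is used instead.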
CN202310913126.7A 2023-07-25 2023-07-25 Machine request behavior recognition method, device, electronic equipment and storage medium Active CN116663021B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310913126.7A CN116663021B (en) 2023-07-25 2023-07-25 Machine request behavior recognition method, device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310913126.7A CN116663021B (en) 2023-07-25 2023-07-25 Machine request behavior recognition method, device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN116663021A CN116663021A (en) 2023-08-29
CN116663021B true CN116663021B (en) 2023-11-03

Family

ID=87715587

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310913126.7A Active CN116663021B (en) 2023-07-25 2023-07-25 Machine request behavior recognition method, device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN116663021B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107682345A (en) * 2017-10-16 2018-02-09 北京奇艺世纪科技有限公司 Detection method, detection means and the electronic equipment of IP address
CN109413044A (en) * 2018-09-26 2019-03-01 中国平安人寿保险股份有限公司 A kind of request recognition methods of abnormal access and terminal device
CN109831465A (en) * 2019-04-12 2019-05-31 重庆天蓬网络有限公司 A kind of invasion detection method based on big data log analysis
CN114416462A (en) * 2021-12-02 2022-04-29 闪捷信息科技有限公司 Machine behavior identification method and device, electronic equipment and storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160241576A1 (en) * 2015-02-13 2016-08-18 Canon Kabushiki Kaisha Detection of anomalous network activity

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Defence against DoS for mobile IP;Fang Fei et al.;《Journal of Chongqing University of Posts and Telecommunication (Natural Science Edition)》;第13-16页 *
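DDoS attack detection algorithm based on flow connection information entropy; Zhao Jijun; Hu Zhigang; Zhang Jian; Computer Engineering (16); pp. 139-141 *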

Also Published As

Publication number Publication date
CN116663021A (en) 2023-08-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant