CN110602137A - Malicious IP and malicious URL intercepting method, device, equipment and medium - Google Patents


Info

Publication number: CN110602137A
Authority: CN (China)
Prior art keywords: malicious, url, data set, prediction model, blacklist
Legal status: Pending
Application number: CN201910913986.4A
Other languages: Chinese (zh)
Inventor: 孟月明
Current assignee: Guangtong World Network Technology Co Ltd
Original assignee: Guangtong World Network Technology Co Ltd
Application filed by Guangtong World Network Technology Co Ltd
Priority to CN201910913986.4A
Publication of CN110602137A

Classifications

All under H (Electricity) / H04 (Electric communication technique) / H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
        • H04L41/14 Network analysis or design
            • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
            • H04L41/147 Network analysis or design for predicting network behaviour
    • H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/14 Network security for detecting or protecting against malicious traffic
            • H04L63/1433 Vulnerability analysis
            • H04L63/1441 Countermeasures against malicious traffic
                • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
                • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a malicious IP and malicious URL intercepting method, relates to the technical field of network security, and aims to judge and predict malicious IPs and malicious URLs in real time so as to intercept them in real time and improve both the protection speed and the protection accuracy. The method comprises the following steps: receiving an IP data set and a URL data set; analyzing and processing the IP data set to obtain the malicious IPs in the IP data set, and adding the malicious IPs to an IP blacklist; inputting the URL data set into a prediction model, and outputting the malicious URLs through the prediction model; and blocking (blacklisting) the IPs on the IP blacklist and the malicious URLs. The invention also discloses a malicious IP and malicious URL intercepting device, electronic equipment and a computer storage medium.

Description

Malicious IP and malicious URL intercepting method, device, equipment and medium
Technical Field
The invention relates to the technical field of network security, in particular to a malicious IP and malicious URL intercepting method, device, equipment and medium.
Background
With the continuous development of internet technology, networks have gradually reached into every part of people's production and life. People can transmit information through the network, and can even work, study and shop through the network without leaving home. However, as people's dependence on the network deepens, the influence of network security on production and life grows day by day, and endless network security threats affect the property security and even the personal safety of vast numbers of network users at every moment.
In daily life, security-threatening or malicious websites expose network users to constant network security problems. To address this, attack behaviour is generally blocked by IP/URL interception, and the traditional IP interception and URL interception method is as follows: when a request is determined to be an attack, only that single attacking request is blocked. In practice, a malicious attacker may repeatedly scan and attack a target to dig out website vulnerabilities, study the website's protection strategy in light of those vulnerabilities, and try to bypass it to attack the website, so the traditional IP and URL interception methods cannot block such website attacks.
Another common method of intercepting malicious IPs and malicious URLs is to add the IPs and URLs that initiate attack behaviour to a blacklist and block them directly the next time they initiate a request. However, the blacklist has an update period, so malicious IPs and malicious URLs cannot be intercepted in real time, which affects the protection speed and the protection accuracy.
Disclosure of Invention
In order to overcome the defects of the prior art, one of the purposes of the invention is to provide a malicious IP and malicious URL intercepting method, aiming at judging and predicting the malicious IP and the malicious URL in real time and intercepting the malicious IP and the malicious URL.
One of the purposes of the invention is realized by adopting the following technical scheme:
a malicious IP and malicious URL intercepting method comprises the following steps:
receiving an IP data set and a URL data set;
analyzing and processing the IP data set to obtain a malicious IP in the IP data set, and adding the malicious IP into an IP blacklist;
inputting the URL data set into a prediction model, and outputting a malicious URL through the prediction model;
and blocking (blacklisting) the IPs on the IP blacklist and the malicious URLs.
Further, IPs are collected from an IP information base to form the IP data set; and the URLs obtained by resolving the IPs and/or the URLs collected from a malicious URL database are subjected to a validity test, and the valid URLs form the URL data set.
Further, the specific steps of analyzing and processing the IP data set to obtain the malicious IP in the IP data set include:
comparing the IP data set with an IP blacklist to obtain the IPs that fail the comparison (i.e. are not on the blacklist);
and calculating the scores of the IPs that fail the comparison using a judgment scoring rule, judging which of them are malicious IPs according to their scores, obtaining the malicious IPs, and adding the malicious IPs to the IP blacklist.
Further, judging malicious IPs according to the scores of the IPs that fail the comparison, obtaining the malicious IPs, and adding them to the IP blacklist specifically includes: ranking the scores of the IPs that fail the comparison in descending order, taking the top n ranked IPs as malicious IPs, obtaining those malicious IPs and adding them to the IP blacklist.
Further, the scoring rule is: y = kx + b; where y is the score of the IP, x is the number of attacks launched by the IP within the effective time window, k is the attack-behaviour type coefficient, and b is the value of any one or more of the IP's own attributes, the IP's open-port information, or the IP's vulnerability condition.
Further, inputting the URL data set into a prediction model and outputting the malicious URLs through it includes:
creating an initial prediction model, and training the initial prediction model to obtain the prediction model, wherein training the initial prediction model comprises:
collecting related URLs;
dividing the related URLs into a training set and a test set according to a proportion;
using, as training parameters, the total character length, the number of digits and the special-symbol length of each URL in the training set, and whether its host can be resolved to an IP, and feeding them into the initial prediction model for training to obtain the prediction model;
and feeding the test set into the prediction model to obtain a scalar value of the test error, and verifying the prediction accuracy of the prediction model on the test set according to that scalar value.
Further, the IP information base comprises honeypots, Anti-CC, Game-CC and WAF logs.
The invention also aims to provide a malicious IP and malicious URL intercepting device, which aims to acquire, process and predict an IP and a URL respectively and intercept the acquired malicious IP and the malicious URL.
The second purpose of the invention is realized by adopting the following technical scheme:
the data receiving module is used for receiving the IP data set and the URL data set;
the malicious IP judging module is used for analyzing and processing the IP data set to obtain a malicious IP in the IP data set and adding the malicious IP into an IP blacklist;
the malicious URL prediction module is used for inputting the URL data set into a prediction model and outputting a malicious URL through the prediction model;
and the intercepting module is used for blocking (blacklisting) the IPs on the IP blacklist and the malicious URLs.
It is a third object of the present invention to provide an electronic device for achieving the first object, comprising a processor, a storage medium, and a computer program stored in the storage medium which, when executed by the processor, implements the malicious IP and malicious URL intercepting method described above.
It is a fourth object of the present invention to provide a computer-readable storage medium, for achieving the first object, having stored thereon a computer program which, when executed by a processor, implements the malicious IP and malicious URL intercepting method described above.
Compared with the prior art, the invention has the beneficial effects that:
the method and the device complete the judgment of the malicious IP by analyzing and processing the IP, add the malicious IP into the IP blacklist, update the IP blacklist in real time, predict malicious URLs by using a prediction model, and realize the real-time interception of the malicious IP and the malicious URLs by combining the IP blacklist and the predicted malicious URLs, thereby improving the protection speed and the protection accuracy.
Drawings
FIG. 1 is a flow chart of the malicious IP and malicious URL intercepting method of the present invention;
fig. 2 is a block diagram showing the structure of a malicious IP and malicious URL intercepting apparatus according to embodiment 2;
fig. 3 is a block diagram of the electronic apparatus of embodiment 3.
Detailed Description
The present invention will now be described in more detail with reference to the accompanying drawings, in which the description of the invention is given by way of illustration and not of limitation. The various embodiments may be combined with each other to form other embodiments not shown in the following description.
Example 1
The embodiment provides a malicious IP and malicious URL intercepting method, which aims to realize the interception of malicious IP and malicious URL by combining an IP blacklist and URL prediction, and the specific realization process is as follows: calculating the scores of the IPs by using a pre-established judgment scoring rule, judging malicious IPs according to the scores of the IPs, adding the malicious IPs into an IP blacklist to complete the updating of the IP blacklist, and finally intercepting all requests of the malicious IPs by using the IP blacklist; and meanwhile, predicting the malicious URL by using a pre-trained prediction model, and intercepting the predicted malicious URL.
According to the above principle, a malicious IP and malicious URL intercepting method is introduced, as shown in fig. 1, the malicious IP and malicious URL intercepting method specifically includes the following steps:
receiving an IP data set and a URL data set;
analyzing and processing the IP data set to obtain a malicious IP in the IP data set, and adding the malicious IP into an IP blacklist;
inputting the URL data set into a prediction model, and outputting a malicious URL through the prediction model;
and blocking (blacklisting) the IPs on the IP blacklist and the malicious URLs.
The malicious IP and malicious URL intercepting method is applied to the client, and the client can be a mobile phone, a tablet computer, a desktop computer, a portable notebook computer, a vehicle-mounted computer and the like.
Preferably, the IP is collected from an IP information base to form the IP data set, and the IP data set is sent to the client, and is received by the client, where the IP information base includes, but is not limited to, honeypots, Anti-CC, Game-CC, WAF log base, and the like, that is, the IPs collected from the IP information base all come from a security protection program or system.
The URLs obtained by resolving the IPs and/or the URLs collected from a malicious URL database are subjected to a validity test, and the valid URLs form the URL data set. The malicious URL database includes, but is not limited to, malicious URLs. In this embodiment, the Python urllib3 library is used to perform a link test of whether each URL is in a valid state, which completes the URL validity test; valid and invalid URLs are obtained through the link test, the invalid URLs are removed, all valid URLs form the URL data set, and the URL data set is received by the client.
Preferably, the specific steps of analyzing and processing the IP data set to obtain the malicious IP in the IP data set include:
comparing the IP data set with an IP blacklist to obtain the IPs that fail the comparison;
and calculating the scores of the IPs that fail the comparison using a judgment scoring rule, judging malicious IPs according to those scores, obtaining the malicious IPs, and adding them to the IP blacklist.
Comparing the IP data set with the IP blacklist means matching each IP in the IP data set against the IPs already on the IP blacklist. If the match succeeds, the IP is already on the IP blacklist and needs no further processing. If the match fails, the IP (the IP that fails the comparison) is not on the existing IP blacklist and must be further judged to determine whether it is a malicious IP; if it is judged malicious, it is obtained and added to the IP blacklist. This completes the real-time updating of the existing IP blacklist and overcomes the inaccurate protection caused by untimely updates in the conventional blacklist method.
Preferably, judging malicious IPs according to the scores of the IPs that fail the comparison, obtaining the malicious IPs, and adding them to the IP blacklist specifically includes: ranking the scores of the IPs that fail the comparison in descending order, taking the top n ranked IPs as malicious IPs, obtaining them and adding them to the IP blacklist. The value of n is determined by actual service requirements and is at most the number of IPs contained in the IP data set; the larger n is, the more IPs are added to the IP blacklist and intercepted by it, so the interception volume rises and the IP interception accuracy can be raised to a certain extent.
Of course, in other embodiments of the present invention, the scores of the IPs that fail the comparison may be arranged in ascending order and the last n IPs in that order taken as malicious IPs; this yields the same number of malicious IPs and the same IP interception effect.
Preferably, the scoring rule is: y = kx + b; where y is the score of the IP, x is the number of attacks launched by the IP within the effective time window, k is the attack-behaviour type coefficient, and b is the value of any one or more of the IP's own attributes, the IP's open-port information, or the IP's vulnerability condition.
In this embodiment, the number of attacks initiated by the IP within the effective time is the number of times the IP hits security protection programs or systems such as honeypots, the Anti-CC blacklist, the Game-CC blacklist and the WAF within that time. Specifically: the IPs in the IP data set that fail comparison with the IP blacklist are de-duplicated, and then the number of attacks (hits) initiated by each de-duplicated IP is counted; that number is x.
The assignment rule for k is as follows: k is assigned according to the attack type, where the attack types include traffic attacks, CC attacks, destructive data attacks, trojan-embedding (挂马) or hidden-link (黑链) attacks, and other types. In practice the value of k is determined by the business relevance, the defence difficulty and the intensity of each attack type in different industries. In this embodiment, the k values of attack types such as DDoS, DoS and SYN are set high, and the k values of the remaining attack types are set low.
In this embodiment, the value of b is determined by the IP's own attributes, the IP's open-port information and the IP's vulnerability condition: if the IP's own attributes score b1, the open-port information scores b2 and the vulnerability condition scores b3, then b = b1 + b2 + b3.
The IP's own attributes comprise whether it is a dynamic or static IP and its geographical location, and b1 = IP location score + dynamic/static IP score. Specifically, domestic IPs, or IPs in locations where the actual service is dense, are given a high location score, and IPs in other locations a low one; since a dynamic IP is allocated an address only when needed and that address changes, a dynamic IP is given a negative score and a static IP a positive one.
In this embodiment, the IP's open-port information is obtained by scanning with Nmap, and b2 is positively correlated with the number of open ports found.
The IP's vulnerability condition is determined from the Nmap scan result and comprises vulnerability severity and vulnerability count; these can be detected with a conventional vulnerability scanning program or vulnerability detection technique in the field and are not described again here. In this embodiment b3 represents the IP's vulnerability condition, b3 = Σ (severity coefficient × vulnerability count), where the severity coefficient is proportional to the vulnerability severity: severities are divided into CRITICAL, HIGH, MEDIUM, LOW and INFO, each corresponding to a different severity coefficient, and the higher the severity, the higher the coefficient.
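As an added illustration (not the patent's own code) of the comparison, de-duplication, y = kx + b scoring with b = b1 + b2 + b3, and top-n ranking described in this embodiment; every coefficient value and all sample IPs are assumed values constructed for the example:

```python
"""Worked example (added here; not code from the patent): the IP judgment
scoring rule y = k*x + b with b = b1 + b2 + b3, applied to the IPs that fail
the blacklist comparison, followed by descending ranking and top-n selection
into the blacklist. All coefficient values and sample data are assumed."""
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

# k per attack type. The patent only says DDoS/DoS/SYN get high values and the
# remaining types lower; the numbers themselves are assumed for illustration.
ATTACK_TYPE_K: Dict[str, float] = {
    "DDoS": 5.0, "DoS": 5.0, "SYN": 5.0,
    "CC": 3.0, "destructive_data": 3.0, "trojan_embed": 2.0, "hidden_link": 1.0,
}
# Severity coefficients for b3, increasing with severity (values assumed).
SEVERITY_COEF: Dict[str, float] = {
    "CRITICAL": 10.0, "HIGH": 6.0, "MEDIUM": 3.0, "LOW": 1.0, "INFO": 0.2,
}
LOCATION_SCORE: Dict[str, float] = {"domestic": 5.0, "other": 1.0}  # b1 part, assumed
DYNAMIC_IP_SCORE = -2.0   # dynamic IP: negative, as the patent prescribes
STATIC_IP_SCORE = 2.0     # static IP: positive
PORT_WEIGHT = 0.5         # b2 grows with the open-port count (slope assumed)


def b1_own_attributes(location: str, is_dynamic: bool) -> float:
    """b1 = location score + dynamic/static score."""
    return LOCATION_SCORE[location] + (DYNAMIC_IP_SCORE if is_dynamic else STATIC_IP_SCORE)


def b2_open_ports(open_ports: Iterable[int]) -> float:
    """b2 is positively correlated with the number of open ports (e.g. from an Nmap scan)."""
    return PORT_WEIGHT * len(set(open_ports))


def b3_vulnerabilities(vulns: Dict[str, int]) -> float:
    """b3 = sum over severities of severity_coefficient * vulnerability_count."""
    return sum(SEVERITY_COEF[sev] * count for sev, count in vulns.items())


def score_ip(x: int, attack_type: str, profile: Dict) -> float:
    """y = k*x + b for one IP; `profile` holds its own attributes, ports and vulns."""
    k = ATTACK_TYPE_K[attack_type]
    b = (b1_own_attributes(profile["location"], profile["dynamic"])
         + b2_open_ports(profile["open_ports"])
         + b3_vulnerabilities(profile["vulns"]))
    return k * x + b


def judge_malicious_ips(events: Iterable[Tuple[str, str]], blacklist: Set[str],
                        profiles: Dict[str, Dict], n: int) -> Tuple[List[Tuple[str, float]], Set[str]]:
    """Compare hits against the blacklist, de-duplicate and count x for the IPs
    that fail the comparison, score them, rank descending and blacklist the top n.
    Returns (ranked scores, updated blacklist)."""
    hits: Counter = Counter()
    worst_type: Dict[str, str] = {}
    for ip, attack_type in events:
        if ip in blacklist:
            continue  # matched the blacklist: no further processing needed
        hits[ip] += 1
        # Assumption: when an IP shows several attack types, score it with the highest k.
        if ip not in worst_type or ATTACK_TYPE_K[attack_type] > ATTACK_TYPE_K[worst_type[ip]]:
            worst_type[ip] = attack_type
    ranked = sorted(((ip, score_ip(x, worst_type[ip], profiles[ip])) for ip, x in hits.items()),
                    key=lambda item: item[1], reverse=True)
    n = min(n, len(ranked))  # n may not exceed the number of IPs in the data set
    updated = set(blacklist) | {ip for ip, _ in ranked[:n]}
    return ranked, updated


# Constructed sample data (documentation address ranges): (ip, attack type) hits
# observed by honeypot / Anti-CC / WAF within the effective time window.
EVENTS = [
    ("203.0.113.5", "DDoS"), ("203.0.113.5", "DDoS"), ("203.0.113.5", "CC"),
    ("198.51.100.7", "CC"), ("198.51.100.7", "CC"),
    ("192.0.2.9", "hidden_link"),
    ("192.0.2.200", "DoS"),  # already blacklisted: skipped by the comparison step
]
EXISTING_BLACKLIST = {"192.0.2.200"}
PROFILES = {
    "203.0.113.5": {"location": "domestic", "dynamic": False, "open_ports": [22, 80, 443],
                    "vulns": {"HIGH": 1, "LOW": 2}},
    "198.51.100.7": {"location": "other", "dynamic": True, "open_ports": [80], "vulns": {}},
    "192.0.2.9": {"location": "domestic", "dynamic": True, "open_ports": [],
                  "vulns": {"CRITICAL": 1}},
}


def run_example(n: int = 2):
    """Score the constructed events and blacklist the top n; returns (ranked, blacklist)."""
    return judge_malicious_ips(EVENTS, EXISTING_BLACKLIST, PROFILES, n)


if __name__ == "__main__":
    ranked, updated = run_example()
    for ip, y in ranked:
        print(f"{ip:15} y={y}")
    print("updated blacklist:", sorted(updated))
```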
Preferably, inputting the URL data set into the prediction model and outputting the malicious URLs through it includes: establishing an initial prediction model and training it to obtain the prediction model, where training the initial prediction model comprises:
collecting related URLs;
dividing the related URLs into a training set and a test set according to a proportion;
using, as training parameters, the total character length, the number of digits and the special-symbol length of each URL in the training set, and whether its host can be resolved to an IP, and feeding them into the initial prediction model for training to obtain the prediction model;
and feeding the test set into the prediction model to obtain a scalar value of the test error, and verifying the prediction accuracy of the prediction model on the test set according to that scalar value.
The collection of the related URLs is carried out in the same way as the collection of the URL data set above, and the related URLs include: URLs obtained by resolving part of the IPs, URLs collected from a malicious URL database and URLs collected from a benign URL database. A validity test is then run on these URLs to eliminate invalid ones, and the valid URLs are divided into a training set and a test set according to the proportion. In other embodiments of the present invention the training set and test set may be divided using other ratios, for example 80% of the URLs as the training set and 20% as the test set.
In the training set, the total character length of malicious URLs is on average 8 characters longer than that of benign URLs, malicious URLs contain more special characters (such as ?, %, #, & and the like) than benign URLs, and the probability that a malicious URL's host cannot be resolved to an IP address is higher than for benign URLs. Therefore the total character length, the number of digits and the special-symbol length of the URL, and whether its host can be resolved to an IP (i.e. to an IPv4 or IPv6 address), are chosen as feature values and fed into the initial prediction model for training; these feature values are the training parameters of the model training. After the initial prediction model is trained, the prediction model is obtained; it can distinguish malicious URLs from benign URLs and can therefore complete the prediction of malicious URLs.
The initial prediction model adopts Logistic Regression, Decision Trees and Random Forest; specifically, the Logistic Regression, Decision Tree and Random Forest modules can be imported from scikit-learn (sklearn) as the initial prediction model, the data in the training set are fed into the initial prediction model for training using the model.fit function, and the prediction model is obtained when training completes. The model.fit function returns a History object, whose attributes record how the values of the loss function and other metrics change with the epoch (the total number of training rounds).
After the prediction model is trained, its accuracy needs to be verified. Therefore the model prediction function is used to feed the data in the test set into the prediction model to obtain a prediction result; the model prediction function also returns a scalar value of the test error, and if the prediction model has other evaluation metrics, a list of scalars is returned.
In this embodiment, according to a scalar quantity of a test error and a prediction result returned by a model.
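The feature extraction and train/test evaluation described above, as an added example that is not the patent's code: the four features (total length, digit count, special-symbol count, host resolvability) are computed per URL, and a small hand-written logistic regression stands in for the scikit-learn model; the special-symbol set beyond ?, %, #, &, the DNS stand-in table and all sample URLs are constructed assumptions.

```python
"""Worked example, added here and not code from the patent: the URL features
the patent trains on (total length, digit count, special-symbol count, whether
the host resolves to an IP) and a small logistic-regression classifier fitted
on constructed, labelled URLs and scored on a held-out test set."""
import math
from typing import Dict, List, Sequence, Set
from urllib.parse import urlsplit

# Special symbols to count; the patent names ?, %, #, & as examples, the rest are assumed.
SPECIAL = set("?%#&=@!$*+;,~")
# Constructed stand-in for DNS so the example runs offline: hosts that "resolve".
RESOLVABLE: Set[str] = {"example.com", "shop.example.net", "news.example.org"}


def url_features(url: str, resolvable: Set[str] = RESOLVABLE) -> List[float]:
    """The four training parameters, in order: length, digits, specials, resolves."""
    host = urlsplit(url).hostname or ""
    return [float(len(url)),
            float(sum(ch.isdigit() for ch in url)),
            float(sum(ch in SPECIAL for ch in url)),
            1.0 if host in resolvable else 0.0]


class LogisticModel:
    """Minimal logistic regression (full-batch gradient descent) standing in for the
    scikit-learn LogisticRegression named in the patent."""

    def __init__(self, lr: float = 0.5, epochs: int = 500) -> None:
        self.lr, self.epochs = lr, epochs
        self.w: List[float] = []
        self.b = 0.0
        self.mu: List[float] = []
        self.sd: List[float] = []

    def _norm(self, x: Sequence[float]) -> List[float]:
        # Standardise with training-set mean/std; raw lengths would swamp the 0/1 flag.
        return [(v - m) / s for v, m, s in zip(x, self.mu, self.sd)]

    def _prob(self, x: Sequence[float]) -> float:
        z = sum(wi * zi for wi, zi in zip(self.w, self._norm(x))) + self.b
        return 1.0 / (1.0 + math.exp(-z))

    def fit(self, X: Sequence[Sequence[float]], y: Sequence[int]) -> "LogisticModel":
        n, d = len(X), len(X[0])
        self.mu = [sum(r[j] for r in X) / n for j in range(d)]
        self.sd = [max(1e-9, math.sqrt(sum((r[j] - self.mu[j]) ** 2 for r in X) / n))
                   for j in range(d)]
        self.w = [0.0] * d
        for _ in range(self.epochs):
            gw, gb = [0.0] * d, 0.0
            for x, t in zip(X, y):
                err = self._prob(x) - t          # gradient of log-loss w.r.t. the logit
                gb += err
                for j, zj in enumerate(self._norm(x)):
                    gw[j] += err * zj
            self.w = [wj - self.lr * g / n for wj, g in zip(self.w, gw)]
            self.b -= self.lr * gb / n
        return self

    def predict(self, x: Sequence[float]) -> int:
        return 1 if self._prob(x) >= 0.5 else 0

    def test_error(self, X: Sequence[Sequence[float]], y: Sequence[int]) -> float:
        """Scalar test error: the fraction of held-out URLs classified wrongly."""
        return sum(self.predict(x) != t for x, t in zip(X, y)) / len(X)


# Constructed, labelled sample URLs (documentation-style hosts); 1 = malicious.
BENIGN = ["https://example.com/about", "https://shop.example.net/cart",
          "https://news.example.org/world", "https://example.com/contact",
          "https://shop.example.net/help", "https://news.example.org/sport"]
MALICIOUS = ["http://login-verify-account1234.biz/update.php?id=9981&s=%23AB%26cmd=run",
             "http://free-prize-claim77.info/win.php?u=00231&tok=%2F%2F#!$",
             "http://secure-bank-update-8821.top/auth.php?acct=4471&x=%25&y=%26",
             "http://cheap-meds-online999.click/buy.php?promo=5510%23&ref=%40",
             "http://account-suspended-4432.xyz/restore.php?id=7731&k=%23%26",
             "http://winner-notice-2019.site/claim.php?code=8812&s=%25%26#top"]


def train_and_evaluate(train_per_class: int = 4) -> Dict[str, float]:
    """Split each class by proportion (first `train_per_class` train, rest test),
    fit on the four features and return the scalar test error."""
    train = [(url_features(u), 0) for u in BENIGN[:train_per_class]] + \
            [(url_features(u), 1) for u in MALICIOUS[:train_per_class]]
    test = [(url_features(u), 0) for u in BENIGN[train_per_class:]] + \
           [(url_features(u), 1) for u in MALICIOUS[train_per_class:]]
    model = LogisticModel().fit([f for f, _ in train], [t for _, t in train])
    return {"test_error": model.test_error([f for f, _ in test], [t for _, t in test]),
            "n_test": float(len(test))}
```

In a deployment the `resolvable` lookup would be replaced by a real DNS resolution, and the sample lists by the validity-tested URLs collected as described above.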
In other embodiments of the present invention, a honeypot with a low-interaction client may also be used to detect malicious websites through signature, anomaly and pattern-matching techniques; that is, a honeyclient similar to YALIH (Yet Another Low Interaction Honeyclient) is used to capture malicious URLs to form a malicious URL blacklist, and URLs that match the malicious URL blacklist are then blocked, but the malicious URL blacklist still has an update period.
Example 2
This embodiment discloses a device corresponding to the malicious IP and malicious URL intercepting method of embodiment 1. It is a virtual structural device and can be understood as a client application program; referring to fig. 2, the malicious IP and malicious URL intercepting device includes:
a data receiving module 210, configured to receive an IP data set and a URL data set;
a malicious IP determining module 220, configured to analyze and process the IP data set to obtain a malicious IP in the IP data set, and add the malicious IP to an IP blacklist;
a malicious URL prediction module 230, configured to input the URL data set into a prediction model, and output a malicious URL through the prediction model;
and an intercepting module 240, configured to block (blacklist) the IPs on the IP blacklist and the malicious URLs.
IPs are collected from an IP information base to form the IP data set, which is received by the data receiving module 210; the URLs obtained by resolving the IPs and/or the URLs collected from the malicious URL database are subjected to a validity test, the valid URLs are combined into the URL data set, and the data receiving module 210 receives the URL data set for the subsequent malicious URL prediction.
The IP information base comprises but is not limited to honeypots, Anti-CC, Game-CC and WAF logs.
In the malicious IP determining module 220, the specific steps of analyzing and processing the IP data set to obtain the malicious IP in the IP data set include:
comparing the IP data set with an IP blacklist to obtain the IPs that fail the comparison;
and calculating the scores of the IPs that fail the comparison according to a judgment scoring rule, judging malicious IPs according to those scores, obtaining the malicious IPs, and adding them to the IP blacklist.
The scoring rule is: y = kx + b; where y is the score of the IP, x is the number of attacks launched by the IP within the effective time window, k is the attack-behaviour type coefficient, and b is the value of the IP's own attributes, the IP's open-port information and the IP's vulnerability condition.
The prediction model in the malicious URL prediction module 230 is a pre-trained model, and the malicious URL prediction module 230 only needs to call the trained prediction model to perform malicious URL prediction.
Example 3
Fig. 3 is a schematic structural diagram of an electronic device according to embodiment 3 of the present invention, as shown in fig. 3, the electronic device includes a processor 310, a memory 320, an input device 330, and an output device 340; the number of the processors 310 in the computer device may be one or more, and one processor 310 is taken as an example in fig. 3; the processor 310, the memory 320, the input device 330 and the output device 340 in the electronic apparatus may be connected by a bus or other means, and the connection by the bus is exemplified in fig. 3.
The memory 320 serves as a computer-readable storage medium for storing software programs, computer-executable programs, and modules, in this embodiment, the memory 320 is used for storing program instructions/modules corresponding to the malicious IP and malicious URL intercepting method in embodiment 1 of the present invention, that is, the memory 320 stores the data receiving module 210, the malicious IP determining module 220, the malicious URL predicting module 230, and the intercepting module 240 in the malicious IP and malicious URL intercepting apparatus in this embodiment.
In a specific embodiment, the memory 320 may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required for implementing at least one function; the storage data area can store data created during the use of the client and the like. Further, in another particular embodiment, the memory 320 may include not only high speed random access memory, but also non-volatile memory, wherein the non-volatile memory may be at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In other particular embodiments, the memory 320 may further include memory located remotely from the processor 310, which may be connected to the electronic device via a network. The network for connecting the remote storage and the electronic device includes, but is not limited to, the internet, an intranet, a local area network, a mobile communication network, and a combination thereof.
The processor 310 implements the malicious IP and malicious URL intercepting method of embodiment 1 by executing various functional applications of the electronic device and data processing by executing software programs, instructions, and modules stored in the memory 320, namely, the data receiving module 210, the malicious IP determining module 220, the malicious URL predicting module 230, and the intercepting module 240 in the above-described malicious IP and malicious URL intercepting apparatus.
The input device 330 is used for receiving input data, and may specifically include a keyboard and other devices. The output device 340 may include a display screen or the like.
Example 4
The present embodiment also provides a storage medium containing computer-executable instructions which, when executed by a computer processor, implement a malicious IP and malicious URL interception method comprising:
receiving an IP data set and a URL data set;
analyzing and processing the IP data set to obtain the malicious IPs in the IP data set, and adding the malicious IPs to an IP blacklist;
inputting the URL data set into a prediction model, and outputting the malicious URLs through the prediction model;
and blocking the IP blacklist and the malicious URLs.
Of course, the computer-executable instructions contained in the storage medium provided in this embodiment are not limited to the method operations described above, and may also perform related operations of the malicious IP and malicious URL blocking method provided by the embodiments of the present invention.
From the above description of the embodiments, it is obvious for those skilled in the art that the present invention can be implemented by software and necessary general hardware, and certainly, can also be implemented by hardware, but the former is a better embodiment in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which may be stored in a computer-readable storage medium, such as a floppy disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a FLASH Memory (FLASH), a hard disk or an optical disk of a computer, and includes instructions for enabling an electronic device (which may be a mobile phone, a personal computer, a server, or a network device) to execute the methods according to the embodiments of the present invention.
It should be noted that, in the embodiment of the method or the apparatus for intercepting a malicious IP and a malicious URL, each unit and each module included in the embodiment are only divided according to functional logic, but are not limited to the above division as long as corresponding functions can be implemented; in addition, specific names of the functional units are only for convenience of distinguishing from each other, and are not used for limiting the protection scope of the present invention.
Various other modifications and changes may be made by those skilled in the art based on the above-described technical solutions and concepts, and all such modifications and changes should fall within the scope of the claims of the present invention.

Claims (10)

1. A malicious IP and malicious URL intercepting method, characterized by comprising the following steps:
receiving an IP data set and a URL data set;
analyzing and processing the IP data set to obtain the malicious IPs in the IP data set, and adding the malicious IPs to an IP blacklist;
inputting the URL data set into a prediction model, and outputting the malicious URLs through the prediction model;
and blocking the IP blacklist and the malicious URLs.
2. The method of claim 1, wherein the IP data set is formed by collecting IPs from an IP information base; and the URLs obtained by analyzing the IPs and/or the URLs acquired from a malicious URL database are subjected to a validity test, and the valid URLs form the URL data set.
3. The method of claim 1, wherein analyzing and processing the IP data set to obtain the malicious IPs in the IP data set comprises:
comparing the IP data set with an IP blacklist to obtain the IPs that do not match the blacklist;
and calculating a score for each unmatched IP using a judgment scoring rule, determining the malicious IPs according to the scores of the unmatched IPs, acquiring the malicious IPs, and adding them to the IP blacklist.
4. The method according to claim 3, wherein determining the malicious IPs according to the scores of the unmatched IPs, acquiring the malicious IPs and adding them to the IP blacklist specifically comprises: ranking the scores of the unmatched IPs in descending order, taking the top n ranked IPs as malicious IPs, acquiring the malicious IPs and adding them to the IP blacklist.
5. The malicious IP and malicious URL intercepting method according to claim 3, wherein the judgment scoring rule is y = kx + b, where y represents the score of the IP, x represents the number of attacks launched by the IP within the effective time, k represents the attack behaviour type coefficient, and b represents a value derived from any one or more of the IP's own attributes, the IP's open port information, or the IP's vulnerability condition.
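The blacklist comparison, scoring and top-n ranking of claims 3 to 5, as an added Python example that is not part of the patent; the attack-type coefficients k, the weights behind b, the sample IP records and the starting blacklist are all constructed placeholders.

```python
from dataclasses import dataclass


@dataclass
class IPRecord:
    """One IP from the IP data set (constructed fields, not the patent's schema)."""
    ip: str
    attack_type: str   # kind of attack behaviour seen from this IP
    attack_count: int  # x: attacks launched within the effective time window
    open_ports: int    # feeds b (IP open-port information)
    known_vulns: int   # feeds b (IP vulnerability condition)


# k: attack behaviour type coefficient, one per behaviour class (constructed values).
K_BY_TYPE = {"cc": 1.0, "scan": 0.5, "webshell": 3.0}


def attribute_term(rec):
    """b: value drawn from the IP's own attributes, open ports and vulnerabilities (constructed weights)."""
    return 2.0 * rec.open_ports + 5.0 * rec.known_vulns


def score(rec):
    """Judgment scoring rule of claim 5: y = k * x + b."""
    return K_BY_TYPE.get(rec.attack_type, 1.0) * rec.attack_count + attribute_term(rec)


def find_malicious(records, blacklist, n):
    """Claims 3 and 4: compare against the blacklist, score the IPs that did not
    match, rank descending, take the top n as malicious and add them to the blacklist."""
    unmatched = [r for r in records if r.ip not in blacklist]
    ranked = sorted(unmatched, key=score, reverse=True)
    malicious = [r.ip for r in ranked[:n]]
    blacklist.update(malicious)
    return malicious, blacklist


# Constructed sample data set using RFC 5737 documentation addresses.
SAMPLE_RECORDS = [
    IPRecord("203.0.113.10", "cc", 120, 3, 0),      # y = 120 + 6 = 126
    IPRecord("203.0.113.11", "scan", 400, 10, 1),   # y = 200 + 25 = 225
    IPRecord("203.0.113.12", "webshell", 5, 2, 2),  # y = 15 + 14 = 29
    IPRecord("203.0.113.13", "cc", 30, 0, 0),       # y = 30
    IPRecord("198.51.100.9", "cc", 900, 1, 0),      # already blacklisted: skipped
]

if __name__ == "__main__":
    found, updated = find_malicious(SAMPLE_RECORDS, {"198.51.100.9"}, 2)
    print(found, sorted(updated))
```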
6. The malicious IP and malicious URL intercepting method according to any one of claims 1 to 5, wherein inputting the URL data set into a prediction model and outputting the malicious URLs through the prediction model comprises:
establishing an initial prediction model and training the initial prediction model to obtain the prediction model, wherein training the initial prediction model comprises:
collecting relevant URLs;
dividing the relevant URLs into a training set and a test set according to a proportion;
taking the total character length, the number of digits, the special-symbol length and whether an IP can be resolved from each URL in the training set as training parameters, and inputting the training set into the initial prediction model for training to obtain the prediction model;
and inputting the test set into the prediction model to obtain a scalar test-error value, and verifying the prediction accuracy of the prediction model on the test set according to that scalar value.
7. The method of claim 2, wherein the IP information base comprises honeypot, Anti-CC, Game-CC and WAF logs.
8. A malicious IP and malicious URL intercepting apparatus, comprising:
a data receiving module for receiving an IP data set and a URL data set;
a malicious IP judging module for analyzing and processing the IP data set to obtain the malicious IPs in the IP data set and adding them to an IP blacklist;
a malicious URL prediction module for inputting the URL data set into a prediction model and outputting the malicious URLs through the prediction model;
and an intercepting module for blocking the IP blacklist and the malicious URLs.
9. An electronic device comprising a processor, a storage medium, and a computer program stored in the storage medium, wherein the computer program, when executed by the processor, implements the malicious IP and malicious URL intercepting method of any of claims 1 to 7.
10. A computer-readable storage medium on which a computer program is stored, the computer program, when executed by a processor, implementing the malicious IP and malicious URL intercepting method of any one of claims 1 to 7.
CN201910913986.4A 2019-09-25 2019-09-25 Malicious IP and malicious URL intercepting method, device, equipment and medium Pending CN110602137A (en)

Publications (1)

Publication Number Publication Date
CN110602137A true CN110602137A (en) 2019-12-20

Family

ID=68863545

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20191220