CN116846676A - Abnormal IP determination method and device, electronic equipment and storage medium - Google Patents

Info

Publication number
CN116846676A
Authority
CN
China
Prior art keywords
access
rule
address
log information
access rule
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310996900.5A
Other languages
Chinese (zh)
Inventor
吴雨露
李斯哲
晁静洋
罗耘
陈莹森
丘柏辉
陈东
曾维基
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China United Network Communications Group Co Ltd
Original Assignee
China United Network Communications Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China United Network Communications Group Co Ltd
Priority to CN202310996900.5A
Publication of CN116846676A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols

Abstract

The application provides an abnormal IP determination method, an abnormal IP determination device, electronic equipment and a storage medium, relates to the technical field of computers, and solves the problems that a hardware network firewall or a WAF firewall in the related technology is high in price and low in flexibility, and an abnormal IP address can not be determined conveniently and rapidly. The method comprises the following steps: acquiring a plurality of pieces of log information, wherein one piece of log information comprises an IP address; determining a rule score of each IP address in the plurality of IP addresses in each access rule based on the plurality of IP addresses and the access condition included in each access rule in the at least one access rule, wherein the plurality of IP addresses are IP addresses included in the plurality of log information; determining an access score corresponding to each IP address based on the rule score of each IP address in each access rule; and determining the IP address with the corresponding access score larger than or equal to the score threshold value as an abnormal IP address.

Description

Abnormal IP determination method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method and apparatus for determining abnormal IP, an electronic device, and a storage medium.
Background
Currently, the process of determining an abnormal IP address is typically implemented by a hardware network firewall or a web application firewall (WAF), which then blocks access from the abnormal IP address.
However, in the above method, the hardware network firewall or the WAF firewall is expensive, and has low flexibility, and may not be able to conveniently and rapidly determine the abnormal IP address.
Disclosure of Invention
The application provides an abnormal IP determination method, an abnormal IP determination device, electronic equipment and a storage medium, which solve the technical problems that a hardware network firewall or a WAF firewall in the related technology is high in price and low in flexibility, and an abnormal IP address can not be conveniently and rapidly determined.
In a first aspect, the present application provides an abnormal IP determination method, including: acquiring a plurality of pieces of log information, wherein one piece of log information comprises an IP address; determining a rule score of each IP address in the plurality of IP addresses in each access rule based on the plurality of IP addresses and the access condition included in each access rule in the at least one access rule, wherein the plurality of IP addresses are IP addresses included in the plurality of log information; determining an access score corresponding to each IP address based on the rule score of each IP address in each access rule; and determining the IP address with the corresponding access score larger than or equal to the score threshold value as an abnormal IP address.
Optionally, the at least one access rule includes one or more of a keyword access rule, a time access rule, a service type access rule, a request method access rule, a domain name access rule, a response code access rule, and a data size access rule, where the access condition included in the keyword access rule is used to determine whether a predetermined keyword is included in one piece of log information, the access condition included in the time access rule is used to determine whether an access time included in one piece of log information is within an abnormal time interval, the access condition included in the service type access rule is used to determine the number of service types corresponding to one piece of log information, the access condition included in the request method access rule is used to determine whether a request method corresponding to one piece of log information is wrong, the access condition included in the domain name access rule is used to determine whether a domain name included in one piece of log information is an abnormal domain name, the access condition included in the response code access rule is used to determine whether a response code corresponding to one piece of log information is an abnormal response code, and the access condition included in the data size access rule is used to determine the data size corresponding to one piece of log information.
Optionally, the at least one access rule includes the data size access rule, and determining, based on the plurality of IP addresses and the access condition included in each access rule in the at least one access rule, a rule score of each IP address in the plurality of IP addresses in each access rule specifically includes: when the data size corresponding to the first log information is greater than a first data size threshold and less than or equal to a second data size threshold, determining that the rule score of a first IP address in the data size access rule is a first numerical value, wherein the first log information is one of the plurality of log information, the first IP address is the IP address included in the first log information, and the first data size threshold is less than the second data size threshold; and when the data size corresponding to the first log information is greater than the second data size threshold, determining that the rule score of the first IP address in the data size access rule is a second numerical value, wherein the second numerical value is greater than the first numerical value.
Optionally, the determining the access score corresponding to each IP address based on the rule score of each IP address in each access rule specifically includes: assigning a weight parameter to each access rule; and determining the access score corresponding to each IP address based on the rule score of each IP address in each access rule and the weight parameter corresponding to each access rule.
In a second aspect, the present application provides an abnormal IP determination apparatus, comprising: an acquisition module and a determination module; the acquisition module is used for acquiring a plurality of pieces of log information, wherein one piece of log information comprises an IP address; the determining module is configured to determine a rule score of each IP address in the plurality of IP addresses in each access rule based on the plurality of IP addresses and an access condition included in each access rule in the at least one access rule, where the plurality of IP addresses are IP addresses included in the plurality of log information; the determining module is further configured to determine an access score corresponding to each IP address based on a rule score of the IP address in the access rule; the determining module is further configured to determine an IP address, of the plurality of IP addresses, for which the corresponding access score is greater than or equal to the score threshold, as an abnormal IP address.
Optionally, the at least one access rule includes one or more of a keyword access rule, a time access rule, a service type access rule, a request method access rule, a domain name access rule, a response code access rule, and a data size access rule, where the access condition included in the keyword access rule is used to determine whether a predetermined keyword is included in one piece of log information, the access condition included in the time access rule is used to determine whether an access time included in one piece of log information is within an abnormal time interval, the access condition included in the service type access rule is used to determine the number of service types corresponding to one piece of log information, the access condition included in the request method access rule is used to determine whether a request method corresponding to one piece of log information is wrong, the access condition included in the domain name access rule is used to determine whether a domain name included in one piece of log information is an abnormal domain name, the access condition included in the response code access rule is used to determine whether a response code corresponding to one piece of log information is an abnormal response code, and the access condition included in the data size access rule is used to determine the data size corresponding to one piece of log information.
Optionally, the at least one access rule includes the data size access rule; the determining module is specifically configured to determine that a rule score of a first IP address in the data size access rule is a first numerical value when a data size corresponding to first log information is greater than a first data size threshold and less than or equal to a second data size threshold, where the first log information is one of the plurality of log information, the first IP address is the IP address included in the first log information, and the first data size threshold is less than the second data size threshold; the determining module is further specifically configured to determine that the rule score of the first IP address in the data size access rule is a second numerical value when the data size corresponding to the first log information is greater than the second data size threshold, where the second numerical value is greater than the first numerical value.
Optionally, the abnormal IP determination apparatus further includes a processing module; the processing module is used for distributing weight parameters to each access rule; the determining module is specifically configured to determine an access score corresponding to each IP address based on a rule score of each IP address in each access rule and a weight parameter corresponding to each access rule.
In a third aspect, the present application provides an electronic device comprising: a processor and a memory configured to store processor-executable instructions; wherein the processor is configured to execute the instructions to implement the abnormal IP determination method of the first aspect, including any of its optional features.
In a fourth aspect, the present application provides a computer readable storage medium having instructions stored thereon which, when executed by an electronic device, enable the electronic device to perform the abnormal IP determination method of the first aspect, including any of its optional features.
With the abnormal IP determination method, apparatus, electronic device and storage medium provided by the application, the electronic device can acquire a plurality of pieces of log information, and determine the rule score of each IP address in the plurality of IP addresses in each access rule based on the plurality of IP addresses (namely the IP addresses included in the plurality of pieces of log information) and the access conditions included in each access rule in at least one access rule; the electronic device can then determine an access score corresponding to each IP address based on the rule score of each IP address in each access rule; and finally, determine the IP address whose corresponding access score is greater than or equal to the score threshold value as an abnormal IP address. In the present application, when the access score corresponding to one IP address of the plurality of IP addresses is greater than or equal to the score threshold, the rule score of that IP address in at least one access rule is high, that is, the IP address has likely hit more access rules (specifically, the access conditions included in the access rules) in the at least one access rule. The electronic device then determines the IP address as an abnormal IP address, so that abnormal IP addresses can be determined conveniently and rapidly, and the effectiveness of abnormal IP determination is improved.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below.
Fig. 1 is a schematic flow chart of an abnormal IP determination method according to an embodiment of the present application;
fig. 2 is a flow chart of another abnormal IP determination method according to an embodiment of the present application;
fig. 3 is a flowchart of another abnormal IP determination method according to an embodiment of the present application;
FIG. 4 is a schematic diagram of a specific flow for determining an abnormal IP address according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of an abnormal IP determination apparatus according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of another abnormal IP determination apparatus according to an embodiment of the present application.
Detailed Description
The method, the device, the electronic equipment and the storage medium for determining abnormal IP provided by the embodiment of the application are described in detail below with reference to the accompanying drawings.
The terms "first" and "second" and the like in the description and the drawings of the present application are used for distinguishing between different objects and not for describing a particular sequence of objects, e.g., a first data size threshold and a second data size threshold and the like are used for distinguishing between different data size thresholds and not for describing a particular sequence of data size thresholds.
Furthermore, references to the terms "comprising" and "having" and any variations thereof in the description of the present application are intended to cover a non-exclusive inclusion. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those listed but may optionally include other steps or elements not listed or inherent to such process, method, article, or apparatus.
It should be noted that, in the embodiments of the present application, words such as "exemplary" or "such as" are used to mean serving as an example, instance, or illustration. Any embodiment or design described herein as "exemplary" or "e.g." in an embodiment of the present application is not to be taken as preferred or advantageous over other embodiments or designs. Rather, the use of words such as "exemplary" or "such as" is intended to present related concepts in a concrete fashion.
The term "and/or" as used herein means either or both of the items it joins.
In the description of the present application, unless otherwise indicated, the meaning of "a plurality" means two or more.
Based on the description in the background art, since the hardware network firewall or WAF firewall is expensive and has low flexibility in the related art, it may not be possible to conveniently and rapidly determine the abnormal IP address. Based on this, the embodiment of the application provides an abnormal IP determination method, apparatus, electronic device and storage medium, where when an access score corresponding to one of a plurality of IP addresses is greater than or equal to a score threshold, it is indicated that a rule score of the IP address in at least one access rule is greater, that is, the IP address may have hit more access rules (specifically, access conditions included in the access rules) in the at least one access rule. At the moment, the electronic equipment determines the IP address as an abnormal IP address, so that the abnormal IP address can be conveniently and rapidly determined, and the effectiveness of abnormal IP determination is improved.
For example, the electronic device performing the abnormal IP determination method provided by the embodiment of the present application may be a mobile phone, a tablet computer, a desktop, a laptop, a handheld computer, a notebook, an ultra-mobile personal computer (UMPC), a netbook, a cellular phone, a personal digital assistant (PDA), or an augmented reality (AR)/virtual reality (VR) device; the embodiment of the present application does not limit the specific form of the electronic device. The system can perform man-machine interaction with a user through one or more of a keyboard, a touch pad, a touch screen, a remote controller, voice interaction, handwriting equipment and the like.
Optionally, the electronic device may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server that provides cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, network acceleration services (content delivery network, CDN), basic cloud computing services such as big data and an artificial intelligence platform.
As shown in fig. 1, the abnormal IP determination method provided by the embodiment of the present application may include S101-S104.
S101, the electronic equipment acquires a plurality of pieces of log information.
Wherein one piece of log information includes an internet protocol (IP) address.
In an alternative implementation, a log forwarding function may be provided in the reverse proxy server to enable the electronic device to obtain the plurality of log information from the reverse proxy server.
Specifically, the nginx configuration file /etc/nginx.conf may be edited, and a log format may be set in the http, server, or location block:

    log_format myformat '$remote_addr - [$time_local] "$host" "$request" '
                        '$status $body_bytes_sent "$http_user_agent" "$http_x_forwarded_for"';
    access_log syslog:server=192.168.1.100:514,tag=nginx,severity=info myformat;

Where 192.168.1.100 is the address of the log preprocessing server.
S102, the electronic equipment determines rule scores of each IP address in the plurality of IP addresses in each access rule based on the plurality of IP addresses and the access conditions included in each access rule in the at least one access rule.
Wherein the plurality of IP addresses are IP addresses included in the plurality of log information.
In connection with the description of the above embodiments, it should be understood that one piece of log information includes one IP address, and that different pieces of log information among the plurality of log information may include the same or different IP addresses.
In one implementation of the embodiment of the present application, the at least one access rule includes one or more of a keyword access rule, a time access rule, a service type access rule, a request method access rule, a domain name access rule, a response code access rule, and a data size access rule.
Specifically, the access condition included in the keyword access rule is used for determining whether a preset keyword is included in one piece of log information, the access condition included in the time access rule is used for determining whether the access time included in one piece of log information is within an abnormal time interval, the access condition included in the service type access rule is used for determining the number of service types corresponding to one piece of log information, the access condition included in the request method access rule is used for determining whether a request method corresponding to one piece of log information is wrong, the access condition included in the domain name access rule is used for determining whether a domain name included in one piece of log information is an abnormal domain name, the access condition included in the response code access rule is used for determining whether a response code corresponding to one piece of log information is an abnormal response code, and the access condition included in the data size access rule is used for determining the data size corresponding to one piece of log information.
Referring to fig. 1, as shown in fig. 2, in an implementation manner of the embodiment of the present application, the at least one access rule includes a data size access rule, and the electronic device determines a rule score of each IP address in the plurality of IP addresses in each access rule based on the plurality of IP addresses and an access condition included in each access rule in the at least one access rule, which may specifically include S1021-S1022.
S1021, when the data size corresponding to the first log information is larger than a first data size threshold value and the data size corresponding to the first log information is smaller than or equal to a second data size threshold value, the electronic device determines that the rule score of the first IP address in the data size access rule is a first numerical value.
The first log information is one of the plurality of log information, the first IP address is an IP address included in the first log information, and the first data size threshold is smaller than the second data size threshold.
S1022, when the data size corresponding to the first log information is larger than the second data size threshold, the electronic device determines that the rule score of the first IP address in the data size access rule is a second numerical value.
Wherein the second value is greater than the first value.
It should be understood that when the data size corresponding to the first log information is greater than the first data size threshold and the data size corresponding to the first log information is less than or equal to the second data size threshold, it is indicated that the data size corresponding to the first log information is smaller, and it may also be understood that the first IP address is less likely to be abnormal, and the electronic device may assign a lower access score (i.e. the first value) to the first IP address. When the data size corresponding to the first log information is greater than the second data size threshold, it is indicated that the data size corresponding to the first log information is greater, and it may also be understood that the first IP address has a greater possibility of abnormality, and at this time, the electronic device may assign a higher access score (i.e., the second value) to the first IP address. The rule score of each IP address in the data size access rule can be accurately and effectively determined.
For example, the first data size threshold may be 10M (megabytes), the second data size threshold may be 50M, the first value may be 1 point, and the second value may be 2 points.
In another implementation manner of the embodiment of the present application, the at least one access rule further includes a keyword access rule, and the electronic device determines a rule score of each IP address in the plurality of IP addresses in each access rule based on the plurality of IP addresses and an access condition included in each access rule in the at least one access rule, which may specifically include step a.
Step A, when the first log information includes a preset keyword, the electronic device determines that the rule score of the first IP address in the keyword access rule is a third numerical value.
It should be understood that when the first log information includes the preset keyword, it indicates that the first IP address is more likely to be an abnormal IP address, and the electronic device may assign a third value to the first IP address.
Illustratively, the third value may be 1.
The third value may be the same as the first value (or the second value), or may be different from the first value (or the second value). The magnitude of the third numerical value is not particularly limited in the embodiment of the present application.
For example, the preset keyword may include passwd and the like.
Alternatively, when no preset keyword is included in the first log information, the electronic device may determine that the rule score of the first IP address in the keyword access rule is 0.
In another implementation manner of the embodiment of the present application, the at least one access rule further includes a time access rule, and the electronic device determines a rule score of each IP address in the plurality of IP addresses in each access rule based on the plurality of IP addresses and an access condition included in each access rule in the at least one access rule, which may specifically include step B.
Step B, when the access time included in the first log information is within the abnormal time interval, the electronic device determines that the rule score of the first IP address in the time access rule is a fourth numerical value.
It should be appreciated that when the access time included in the first log information is within the abnormal time interval, which indicates that the first IP address is more likely to be an abnormal IP address, the electronic device may assign a fourth value to the first IP address.
Illustratively, the abnormal time interval may be 23:00-06:00.
Optionally, when the access time included in the first log information is outside the abnormal time interval, which indicates that the first IP address is less likely to be an abnormal IP address, the electronic device may determine that the rule score of the first IP address in the time access rule is 0, or it may be understood that the electronic device need not assign an access score to the first IP address at this time.
In another implementation manner of the embodiment of the present application, the at least one access rule further includes a service type access rule, and the electronic device determines a rule score of each IP address in the plurality of IP addresses in each access rule based on the plurality of IP addresses and an access condition included in each access rule in the at least one access rule, which may specifically include step C.
Step C, the electronic device determines the number of service types corresponding to the first log information as the rule score of the first IP address in the service type access rule.
It should be understood that the number of service types corresponding to one log information (e.g., the first log information) may also be understood as the number of partitions corresponding to the first log information.
In another implementation manner of the embodiment of the present application, the at least one access rule further includes a request method access rule, and the electronic device determines a rule score of each IP address in the plurality of IP addresses in each access rule based on the plurality of IP addresses and an access condition included in each access rule in the at least one access rule, which may specifically include step D.
Step D, when the request method corresponding to the first log information is wrong, the electronic device determines that the rule score of the first IP address in the request method access rule is a fifth numerical value.
It should be understood that, when the request method corresponding to the first log information is wrong, it indicates that the first IP address is more likely to be an abnormal IP address, and the electronic device may determine that the rule score of the first IP address in the request method access rule is a fifth value.
For example, the request method in the embodiment of the present application may include GET, POST, DELETE, PUT, HEAD, OPTIONS and PROPFIND.
In another implementation manner of the embodiment of the present application, the at least one access rule further includes a domain name access rule, and the electronic device determines a rule score of each IP address in the plurality of IP addresses in each access rule based on the plurality of IP addresses and an access condition included in each access rule in the at least one access rule, which may specifically include step E.
Step E, when the domain name included in the first log information is an abnormal domain name, the electronic device determines that the rule score of the first IP address in the domain name access rule is a sixth numerical value.
It should be understood that when the domain name included in the first log information is an abnormal domain name, it is explained that the first IP address is more likely to be an abnormal IP address, and the electronic device may determine that the rule score of the first IP address in the domain name access rule is a sixth numerical value.
Specifically, the electronic device may determine whether a domain name included in a certain log information (for example, the first log information) is stored in the electronic device. When the domain name included in the first log information is not stored in the electronic device, the electronic device may determine that the domain name included in the first log information is an abnormal domain name.
In another implementation manner of the embodiment of the present application, the at least one access rule further includes a response code access rule, and the electronic device determines a rule score of each IP address in the plurality of IP addresses in each access rule based on the plurality of IP addresses and an access condition included in each access rule in the at least one access rule, which may specifically include step F.
And F, when the response code corresponding to the first log information is an abnormal response code, the electronic equipment determines that the rule score of the first IP address in the response code access rule is a seventh numerical value.
It should be understood that, when the response code corresponding to the first log information is an abnormal response code, which indicates that the first IP address is more likely to be an abnormal IP address, the electronic device may determine that the rule score of the first IP address in the response code access rule is a seventh numerical value.
For example, when the response code corresponding to a certain log information (for example, the first log information) is greater than 399, that is, a 4xx client-error or 5xx server-error status, the electronic device may determine that the response code corresponding to the first log information is an abnormal response code.
S103, the electronic equipment determines the access score corresponding to each IP address based on the rule score of each IP address in each access rule.
Referring to fig. 1 and fig. 3, in an implementation manner of the embodiment of the present application, the determining, by the electronic device, an access score corresponding to each IP address based on a rule score of each IP address in each access rule may specifically include S1031-S1032.
S1031, the electronic equipment distributes weight parameters for each access rule.
Optionally, the weight parameters assigned by the electronic device for each access rule may be the same or different.
For example, the weight parameters of each of the 7 access rules (i.e., keyword access rule, time access rule, service type access rule, request method access rule, domain name access rule, response code access rule, and data size access rule) may be 200, 100, 300, 500, 100, and 200, respectively.
S1032, the electronic equipment determines the access score corresponding to each IP address based on the rule score of each IP address in each access rule and the weight parameter corresponding to each access rule.
Specifically, for one IP address, the electronic device may multiply the rule score of that IP address in each access rule by the weight parameter corresponding to that access rule, and then take the sum of these products over all access rules in the at least one access rule as the access score corresponding to the IP address.
In an alternative implementation, before the electronic device determines the rule score for each IP address in each access rule, the electronic device may first convert each log information of the plurality of log information into a text format (e.g., JSON format) to facilitate subsequent statistics, processing, and storage processes.
Exemplary, the following is a log information provided in the embodiments of the present application:
121.96.244.15 - [01/May/2023:15:36:54 +0800] "app1.example.com" "GET /login.apsx/../../etc/passwd HTTP/1.1" 200 21534 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" "-"
In this log information, "121.96.244.15" is the IP address; "[01/May/2023:15:36:54 +0800]" is the access time and its time zone; "app1.example.com" is the domain name (server name); in the request line "GET /login.apsx/../../etc/passwd HTTP/1.1", "GET" is the request method, "/login.apsx/../../etc/passwd" is the requested resource path, and "HTTP/1.1" is the version of the HTTP protocol; "200" is the response code; "21534" is the data size in bytes (about 21 KB); "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" identifies the browser and operating system reported by the client; and the final "-" is the X-Forwarded-For value. Note that the requested path contains "../../etc/passwd", a directory traversal probe for the Unix password file, which is the kind of pattern the preset keywords of the keyword access rule are meant to catch.
The following is an example of the electronic device converting the above log information into JSON format:
{
  "client_IP_address": "121.96.244.15",
  "datetime": "01/May/2023:15:36:54+0800",
  "server_name": "app1.example.com",
  "app_name": "app1",
  "request": {
    "method": "GET",
    "url": "/login.apsx/../../etc/passwd",
    "http_version": "HTTP/1.1"
  },
  "status_code": "200",
  "body_bytes_sent": "21534",
  "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36",
  "http_x_forwarded_for": "-"
}
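As an added example (not code from the patent), the following Python converts an access-log line in the layout shown above into the JSON structure the page describes. The field layout is inferred from the single sample line and is therefore an assumption, as is taking the application name to be the first DNS label of the server name. A line that does not match the layout is rejected rather than partially parsed, because several fields (the request line, User-Agent and X-Forwarded-For) are written by the client and a malformed one must not abort a batch.

```python
import json
import re

# Layout of the access-log line shown on the page: client IP, "-", bracketed
# time, quoted server name, quoted request line, status, bytes sent, quoted
# User-Agent, quoted X-Forwarded-For. The layout is inferred from that one
# sample line (an assumption), so lines in another format are rejected.
LOG_LINE_RE = re.compile(
    r'^(?P<client_ip>\S+) - \[(?P<datetime>[^\]]+)\] '
    r'"(?P<server_name>[^"]*)" '
    r'"(?P<request>[^"]*)" '
    r'(?P<status_code>\d{3}) (?P<body_bytes_sent>\d+|-) '
    r'"(?P<user_agent>[^"]*)" "(?P<xff>[^"]*)"$'
)


def split_request(request):
    """Split 'METHOD URL VERSION' defensively. The request line is attacker
    supplied: '-' (no request) or a URL containing spaces must not raise,
    so missing pieces come back as '' for the rules to treat as wrong."""
    parts = request.split(" ")
    if len(parts) >= 3:
        return parts[0], " ".join(parts[1:-1]), parts[-1]
    if len(parts) == 2:
        return parts[0], parts[1], ""
    return parts[0], "", ""


def parse_log_line(line):
    """Convert one log line into the JSON layout shown on the page, or None
    when the line does not match, so one malformed line cannot abort a batch."""
    m = LOG_LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    method, url, version = split_request(d["request"])
    return {
        "client_IP_address": d["client_ip"],
        "datetime": d["datetime"],
        "server_name": d["server_name"],
        # app_name as the first DNS label of the server name (assumption).
        "app_name": d["server_name"].split(".")[0],
        "request": {"method": method, "url": url, "http_version": version},
        "status_code": d["status_code"],
        "body_bytes_sent": d["body_bytes_sent"],
        "user_agent": d["user_agent"],
        "http_x_forwarded_for": d["xff"],
    }


def parse_log_lines(lines):
    """Parse a batch, dropping unparseable lines; returns a list of records."""
    return [rec for rec in map(parse_log_line, lines) if rec is not None]


# The page's sample line, with the whitespace the extraction lost restored
# (constructed sample input).
SAMPLE_LINE = (
    '121.96.244.15 - [01/May/2023:15:36:54 +0800] "app1.example.com" '
    '"GET /login.apsx/../../etc/passwd HTTP/1.1" 200 21534 '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" "-"'
)

if __name__ == "__main__":
    print(json.dumps(parse_log_line(SAMPLE_LINE), indent=2))
```

The numeric fields are kept as strings, matching the page's JSON; the scoring stage converts them. Keying later analysis on `client_IP_address` rather than `http_x_forwarded_for` matters: the proxy observes the former, whereas the latter is a header any client can set unless the proxy overwrites it.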
S104, the electronic device determines the IP addresses, among the plurality of IP addresses, whose corresponding access score is greater than or equal to the score threshold as abnormal IP addresses.
It should be appreciated that when the access score corresponding to a certain IP address of the plurality of IP addresses is greater than or equal to the score threshold, it is indicated that the rule score of the IP address in the at least one access rule is greater, i.e., the IP address may have hit more of the at least one access rule (specifically, the access condition included in the access rule). At the moment, the electronic equipment determines the IP address as an abnormal IP address, so that the abnormal IP address can be conveniently and rapidly determined, and the effectiveness of abnormal IP determination is improved.
Alternatively, the electronic device may add the abnormal IP address to the IP address blacklist (or blacklist IP pool) and issue an alert message after determining the abnormal IP address.
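The following Python is an added example, not the patent's own code, that runs steps D to F above together with the remaining access rules of the scheme (keyword, time, service type and data size), the weighted sum of S1031 to S1032 and the threshold test of S104 over a few constructed records in the JSON layout shown earlier. The rule score values (1, or 2 for the larger data-size tier), the weight parameters, the data-size thresholds, the abnormal time interval, the keyword list, the known-domain list, the service-type limit and the score threshold are all assumptions that the patent leaves to the implementer. How several records of one IP address are combined (the highest score per rule, and distinct application names counted for the service type rule) is also an assumption.

```python
from collections import defaultdict
from datetime import datetime

# Request methods the page lists as valid (PROPFIND spelling corrected).
ALLOWED_METHODS = {"GET", "POST", "DELETE", "PUT", "HEAD", "OPTIONS", "PROPFIND"}

# Everything below is assumed configuration, not values taken from the patent.
KNOWN_DOMAINS = {"app1.example.com", "app2.example.com"}
SUSPICIOUS_KEYWORDS = ("../", "/etc/passwd", "union select", "<script")
ABNORMAL_HOURS = range(1, 6)                        # 01:00-05:59 in the log's time zone
DATA_SIZE_T1, DATA_SIZE_T2 = 1_000_000, 10_000_000  # bytes; T1 < T2 as the page requires
SERVICE_TYPE_LIMIT = 4                              # distinct app names per IP before the rule fires
WEIGHTS = {"keyword": 200, "time": 100, "service_type": 300, "request_method": 500,
           "domain": 100, "response_code": 200, "data_size": 150}
SCORE_THRESHOLD = 500


def rule_keyword(rec):
    url = rec["request"]["url"].lower()
    return 1 if any(k in url for k in SUSPICIOUS_KEYWORDS) else 0


def rule_time(rec):
    # The page's datetime appears with or without a space before the zone offset.
    ts = datetime.strptime(rec["datetime"].replace(" ", ""), "%d/%b/%Y:%H:%M:%S%z")
    return 1 if ts.hour in ABNORMAL_HOURS else 0


def rule_request_method(rec):
    return 1 if rec["request"]["method"] not in ALLOWED_METHODS else 0


def rule_domain(rec):
    return 1 if rec["server_name"] not in KNOWN_DOMAINS else 0


def rule_response_code(rec):
    return 1 if int(rec["status_code"]) > 399 else 0    # any 4xx or 5xx


def rule_data_size(rec):
    size = int(rec["body_bytes_sent"])
    if size > DATA_SIZE_T2:
        return 2                                        # "second value" > "first value"
    if size > DATA_SIZE_T1:
        return 1
    return 0


PER_RECORD_RULES = {"keyword": rule_keyword, "time": rule_time,
                    "request_method": rule_request_method, "domain": rule_domain,
                    "response_code": rule_response_code, "data_size": rule_data_size}


def score_ips(records):
    """Return {ip: {"rule_scores": {...}, "access_score": int}} for all records."""
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec["client_IP_address"]].append(rec)
    out = {}
    for ip, recs in by_ip.items():
        # Per-rule score for the IP = highest score any of its records reached (assumption).
        rule_scores = {name: max(fn(r) for r in recs) for name, fn in PER_RECORD_RULES.items()}
        # Service type rule: count distinct application names the IP touched (assumption).
        apps = {r["app_name"] for r in recs}
        rule_scores["service_type"] = 1 if len(apps) >= SERVICE_TYPE_LIMIT else 0
        # S1032: access score = sum over rules of rule score x weight parameter.
        access_score = sum(rule_scores[n] * WEIGHTS[n] for n in rule_scores)
        out[ip] = {"rule_scores": rule_scores, "access_score": access_score}
    return out


def abnormal_ips(records, threshold=SCORE_THRESHOLD):
    """S104: IP addresses whose access score is >= the score threshold."""
    return sorted(ip for ip, r in score_ips(records).items() if r["access_score"] >= threshold)


def record(ip, dt, host, method, url, status, size):
    """Build one record in the page's JSON layout (constructed sample data)."""
    return {"client_IP_address": ip, "datetime": dt, "server_name": host,
            "app_name": host.split(".")[0],
            "request": {"method": method, "url": url, "http_version": "HTTP/1.1"},
            "status_code": str(status), "body_bytes_sent": str(size),
            "user_agent": "Mozilla/5.0", "http_x_forwarded_for": "-"}


SAMPLE_RECORDS = [
    # The page's traversal probe, plus a later off-hours TRACE that was rejected.
    record("121.96.244.15", "01/May/2023:15:36:54+0800", "app1.example.com",
           "GET", "/login.apsx/../../etc/passwd", 200, 21534),
    record("121.96.244.15", "02/May/2023:03:12:09+0800", "app1.example.com",
           "TRACE", "/", 405, 512),
    # Ordinary traffic.
    record("198.51.100.7", "01/May/2023:10:05:00+0800", "app1.example.com",
           "GET", "/index.html", 200, 4096),
    # A large export plus a hit on an unknown host: suspicious, but below the threshold.
    record("203.0.113.42", "01/May/2023:22:40:00+0800", "app1.example.com",
           "GET", "/api/export", 200, 12_000_000),
    record("203.0.113.42", "01/May/2023:22:41:00+0800", "app2.example.com",
           "GET", "/status", 200, 100),
    record("203.0.113.42", "01/May/2023:22:42:00+0800", "internal.example.com",
           "GET", "/", 200, 100),
]

if __name__ == "__main__":
    for ip, r in score_ips(SAMPLE_RECORDS).items():
        print(ip, r["access_score"], r["rule_scores"])
    print("abnormal:", abnormal_ips(SAMPLE_RECORDS))
```

With these assumed weights, 121.96.244.15 reaches 1000 (keyword, time, request method and response code all hit) and is blacklisted, 203.0.113.42 reaches 400 from the data size tier and the unknown domain and stays under the threshold, and 198.51.100.7 scores 0. In practice the weights and threshold would be tuned against labelled traffic, because a high weight on a single rule (here the request method) lets one noisy rule dominate the decision.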
The technical scheme provided by the embodiment at least has the following beneficial effects: from S101 to S104, it is known that: the electronic device may obtain a plurality of log information, and determine a rule score of each of the plurality of IP addresses in each of the access rules based on the plurality of IP addresses (i.e., the IP addresses included in the plurality of log information) and the access condition included in each of the at least one access rule; the electronic device can then determine an access score corresponding to each IP address based on the rule score of each IP address in each access rule; and finally, determining the IP address with the corresponding access score larger than or equal to the score threshold value in the plurality of IP addresses as an abnormal IP address. In the embodiment of the present application, when the access score corresponding to one IP address of the plurality of IP addresses is greater than or equal to the score threshold, it is indicated that the rule score of the IP address in at least one access rule is greater, that is, the IP address may have hit more access rules (specifically, access conditions included in the access rules) in the at least one access rule. At the moment, the electronic equipment determines the IP address as an abnormal IP address, so that the abnormal IP address can be conveniently and rapidly determined, and the effectiveness of abnormal IP determination is improved.
The abnormal IP determination method provided by the embodiment of the present application is described below in an example.
As shown in fig. 4, a user may send an access request to a reverse proxy server, which may send the access request to a backend server.
The reverse proxy server can forward the log information to a log preprocessing module in the electronic equipment, and then the analysis processing module in the electronic equipment analyzes and processes the log information, in particular to determine whether the IP address included in the log information is an abnormal IP address.
When the IP address included in the log information is an abnormal IP address, the analysis processing module may feed back a blocking instruction to the reverse proxy server, that is, instruct it to prohibit that IP address from accessing the corresponding server. The analysis processing module may also send an alarm instruction to the alarm processing center, so that the alarm processing center sends out alarm information.
After receiving the alarm instruction, the alarm processing center can notify the operation and maintenance personnel by SMS, e-mail, WeChat message and the like.
The embodiment of the application can divide the functional modules of the electronic equipment and the like according to the method example, for example, each functional module can be divided corresponding to each function, and two or more functions can be integrated in one processing module. The integrated modules may be implemented in hardware or in software functional modules. It should be noted that, in the embodiment of the present application, the division of the modules is schematic, which is merely a logic function division, and other division manners may be implemented in actual implementation.
In the case of dividing the respective functional modules with the respective functions, fig. 5 shows a schematic diagram of one possible configuration of the abnormal IP determination apparatus involved in the above-described embodiment, as shown in fig. 5, the abnormal IP determination apparatus 10 may include: an acquisition module 101 and a determination module 102.
The obtaining module 101 is configured to obtain a plurality of log information, where one log information includes one IP address.
A determining module 102, configured to determine a rule score of each IP address in the plurality of IP addresses in each access rule based on the plurality of IP addresses and an access condition included in each access rule in the at least one access rule, where the plurality of IP addresses are IP addresses included in the plurality of log information.
The determining module 102 is further configured to determine an access score corresponding to each IP address based on the rule score of each IP address in each access rule.
The determining module 102 is further configured to determine an IP address, of the plurality of IP addresses, for which the corresponding access score is greater than or equal to the score threshold, as an abnormal IP address.
Optionally, the at least one access rule includes one or more of a keyword access rule, a time access rule, a service type access rule, a request method access rule, a domain name access rule, a response code access rule, and a data size access rule, where the access condition included in the keyword access rule is used to determine whether a predetermined keyword is included in one piece of log information, the access condition included in the time access rule is used to determine whether an access time included in one piece of log information is within an abnormal time interval, the access condition included in the service type access rule is used to determine the number of service types corresponding to one piece of log information, the access condition included in the request method access rule is used to determine whether a request method corresponding to one piece of log information is wrong, the access condition included in the domain name access rule is used to determine whether a domain name included in one piece of log information is an abnormal domain name, the access condition included in the response code access rule is used to determine whether a response code corresponding to one piece of log information is an abnormal response code, and the access condition included in the data size access rule is used to determine the data size corresponding to one piece of log information.
Optionally, the at least one access rule includes the data size access rule.
The determining module 102 is specifically configured to determine that a rule score of a first IP address in the data size access rule is a first value when a data size corresponding to a first log information is greater than a first data size threshold and the data size corresponding to the first log information is less than or equal to a second data size threshold, where the first log information is one of the plurality of log information, the first IP address is an IP address included in the first log information, and the first data size threshold is less than the second data size threshold.
The determining module 102 is further specifically configured to determine that the rule score of the first IP address in the data size access rule is a second value when the data size corresponding to the first log information is greater than the second data size threshold, where the second value is greater than the first value.
Optionally, the abnormal IP determination apparatus 10 further includes a processing module 103.
A processing module 103, configured to assign a weight parameter to each access rule.
The determining module 102 is specifically configured to determine an access score corresponding to each IP address based on a rule score of the IP address in each access rule and a weight parameter corresponding to each access rule.
In the case of employing an integrated unit, fig. 6 shows a possible structural diagram of the abnormal IP determination apparatus involved in the above-described embodiment. As shown in fig. 6, the abnormal IP determination apparatus 20 may include: a processing module 201 and a communication module 202. The processing module 201 may be configured to control and manage the operation of the abnormal IP determination apparatus 20. The communication module 202 may be used to support communication of the anomalous IP determination device 20 with other entities. Alternatively, as shown in fig. 6, the abnormal IP determining apparatus 20 may further include a storage module 203 for storing program codes and data of the abnormal IP determining apparatus 20.
Wherein the processing module 201 may be a processor or a controller. The communication module 202 may be a transceiver, a transceiver circuit, a communication interface, or the like. The storage module 203 may be a memory.
When the processing module 201 is a processor, the communication module 202 is a transceiver, and the storage module 203 is a memory, the processor, the transceiver, and the memory may be connected through a bus. The bus may be a peripheral component interconnect standard (peripheral component interconnect, PCI) bus or an extended industry standard architecture (extended industry standard architecture, EISA) bus, or the like. The buses may be divided into address buses, data buses, control buses, etc.
It should be understood that, in various embodiments of the present application, the sequence numbers of the foregoing processes do not mean the order of execution, and the order of execution of the processes should be determined by the functions and internal logic thereof, and should not constitute any limitation on the implementation process of the embodiments of the present application.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In the above embodiments, it may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented using a software program, it may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions described in accordance with embodiments of the present application are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another computer-readable storage medium, for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by a wired (e.g., coaxial cable, fiber optic, digital subscriber terminal line (Digital Subscriber Line, DSL)) or wireless (e.g., infrared, wireless, microwave, etc.) means. The computer readable storage medium may be any available medium that can be accessed by a computer or a data storage device including one or more servers, data centers, etc. that can be integrated with the medium. The usable medium may be a magnetic medium (e.g., a floppy Disk, a hard Disk, a magnetic tape), an optical medium (e.g., a DVD), or a semiconductor medium (e.g., a Solid State Disk (SSD)), or the like.
The foregoing is merely illustrative of the present application, and the present application is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. A method for determining abnormal IP, the method comprising:
acquiring a plurality of pieces of log information, wherein one piece of log information comprises an IP address;
determining a rule score of each IP address in the plurality of IP addresses in each access rule based on the plurality of IP addresses and the access condition included in each access rule in at least one access rule, wherein the plurality of IP addresses are IP addresses included in the plurality of log information;
determining an access score corresponding to each IP address based on the rule score of each IP address in each access rule;
and determining the IP address with the corresponding access score larger than or equal to the score threshold value in the plurality of IP addresses as an abnormal IP address.
2. The abnormal IP determination method according to claim 1, wherein the at least one access rule includes one or more of a keyword access rule, a time access rule, a service type access rule, a request method access rule, a domain name access rule, a response code access rule, and a data size access rule, the access condition included in the keyword access rule is used for determining whether a preset keyword is included in one log information, the access condition included in the time access rule is used for determining whether an access time included in one log information is within an abnormal time interval, the access condition included in the service type access rule is used for determining the number of service types corresponding to one log information, the access condition included in the request method access rule is used for determining whether a request method corresponding to one log information is wrong, the access condition included in the domain name access rule is used for determining whether a domain name included in one log information is an abnormal domain name, the access condition included in the response code access rule is used for determining whether a response code corresponding to one log information is an abnormal response code, and the access condition included in the data size access rule is used for determining the corresponding data size of one log information.
3. The abnormal IP determination method according to claim 2, wherein the at least one access rule includes the data size access rule, and wherein determining the rule score of each IP address in the plurality of IP addresses in each access rule based on the plurality of IP addresses and the access condition included in each access rule in the at least one access rule includes:
when the data size corresponding to the first log information is larger than a first data size threshold value and the data size corresponding to the first log information is smaller than or equal to a second data size threshold value, determining that a rule score of a first IP address in the data size access rule is a first numerical value, wherein the first log information is one of the log information, the first IP address is an IP address included in the first log information, and the first data size threshold value is smaller than the second data size threshold value;
and when the data size corresponding to the first log information is larger than the second data size threshold, determining that the rule score of the first IP address in the data size access rule is a second numerical value, wherein the second numerical value is larger than the first numerical value.
4. The abnormal IP determination method according to any one of claims 1 to 3, wherein the determining the access score corresponding to each IP address based on the rule score of each IP address in each access rule includes:
assigning a weight parameter to each access rule;
and determining the access score corresponding to each IP address based on the rule score of each IP address in each access rule and the weight parameter corresponding to each access rule.
5. An abnormal IP determination apparatus, comprising: an acquisition module and a determination module;
the acquisition module is used for acquiring a plurality of pieces of log information, wherein one piece of log information comprises an IP address;
the determining module is configured to determine a rule score of each IP address in the plurality of IP addresses in each access rule based on the plurality of IP addresses and an access condition included in each access rule in at least one access rule, where the plurality of IP addresses are IP addresses included in the plurality of log information;
the determining module is further configured to determine an access score corresponding to each IP address based on a rule score of each IP address in each access rule;
The determining module is further configured to determine an IP address, of the plurality of IP addresses, for which the corresponding access score is greater than or equal to the score threshold, as an abnormal IP address.
6. The abnormal IP determination apparatus according to claim 5, wherein the at least one access rule includes one or more of a keyword access rule, a time access rule, a service type access rule, a request method access rule, a domain name access rule, a response code access rule, and a data size access rule, the access condition included in the keyword access rule is used for determining whether a preset keyword is included in one log information, the access condition included in the time access rule is used for determining whether an access time included in one log information is within an abnormal time interval, the access condition included in the service type access rule is used for determining the number of service types corresponding to one log information, the access condition included in the request method access rule is used for determining whether a request method corresponding to one log information is wrong, the access condition included in the domain name access rule is used for determining whether a domain name included in one log information is an abnormal domain name, the access condition included in the response code access rule is used for determining whether a response code corresponding to one log information is an abnormal response code, and the access condition included in the data size access rule is used for determining the data size corresponding to one log information.
7. The abnormal IP determination apparatus of claim 6, wherein the at least one access rule includes the data size access rule;
the determining module is specifically configured to determine that a rule score of a first IP address in the data size access rule is a first value when a data size corresponding to first log information is greater than a first data size threshold and the data size corresponding to the first log information is less than or equal to a second data size threshold, where the first log information is one of the plurality of log information, the first IP address is an IP address included in the first log information, and the first data size threshold is less than the second data size threshold;
the determining module is further specifically configured to determine that a rule score of the first IP address in the data size access rule is a second value when a data size corresponding to the first log information is greater than the second data size threshold, where the second value is greater than the first value.
8. The abnormal IP determination apparatus according to any one of claims 5 to 7, wherein the abnormal IP determination apparatus further comprises a processing module;
The processing module is used for distributing weight parameters to each access rule;
the determining module is specifically configured to determine an access score corresponding to each IP address based on a rule score of each IP address in each access rule and a weight parameter corresponding to each access rule.
9. An electronic device, the electronic device comprising:
a processor;
a memory configured to store the processor-executable instructions;
wherein the processor is configured to execute the instructions to implement the abnormal IP determination method of any of claims 1-4.
10. A computer readable storage medium having instructions stored thereon, which, when executed by an electronic device, cause the electronic device to perform the abnormal IP determination method of any of claims 1-4.
CN202310996900.5A 2023-08-08 2023-08-08 Abnormal IP determination method and device, electronic equipment and storage medium Pending CN116846676A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310996900.5A CN116846676A (en) 2023-08-08 2023-08-08 Abnormal IP determination method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN116846676A true CN116846676A (en) 2023-10-03

Family

ID=88165330

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310996900.5A Pending CN116846676A (en) 2023-08-08 2023-08-08 Abnormal IP determination method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN116846676A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination