CN104618328A - Network security protection method and device - Google Patents

Network security protection method and device

Info

Publication number: CN104618328A
Authority: CN (China)
Prior art keywords: network address, access, log, incredible, access number
Legal status: Pending
Application number: CN201410834975.4A
Other languages: Chinese (zh)
Inventors: 黄翔, 林志超
Current Assignee: XIAMEN CNCN INFORMATION Co Ltd
Original Assignee: XIAMEN CNCN INFORMATION Co Ltd
Application filed by XIAMEN CNCN INFORMATION Co Ltd
Priority to CN201410834975.4A
Publication of CN104618328A

Abstract

The invention discloses a network security protection method and device. The method comprises: recording a web access log on a server, wherein the web access log includes the network address of each access to the server; obtaining the log content of the access log within a preset time period; calculating the access count for network addresses that are identical in at least some fields in the log content, and determining that network addresses whose access count is larger than a reference count are untrusted network addresses, wherein the reference count is the Nth value after sorting the access counts of the network addresses identical in at least some fields, and N is a preset value; and blocking the determined untrusted network addresses. With this method and device, network addresses whose access does not comply with the rules are blocked automatically, and the stability and security of websites are ensured.

Description

Network security protection method and device
Technical field
The present invention relates to the field of computer network security technology, and in particular to a network security protection method and device.
Background art
Computer networks are the most important information infrastructure of society. The development of network services has greatly promoted the development of society as a whole, and every industry uses networks for information communication to some extent. However, current network communication based on IP addresses did not fully consider security when it was designed, so network devices are often attacked from the network, and these attacks cause great harm. Because security was not fully considered when the IP protocol was designed, IP packets carry no trustworthy identification of their own, and it is easy to forge or tamper with IP packets to evade network security defence devices and thereby achieve the purpose of an attack.
Summary of the invention
The main technical problem solved by the present invention is to provide a network security protection method and device that automatically block network addresses whose access does not comply with the rules, ensuring the stability and security of a website.
To solve the above technical problem, one technical solution adopted by the present invention is to provide a network security protection method, comprising: a server recording a web page access log, wherein the access log includes the network address of each access to the server; obtaining the log content within a predetermined time period in the access log; calculating the access count corresponding to network addresses that are identical in at least some fields in the obtained log content, and determining that a network address whose access count is greater than a reference count is an untrusted network address, wherein the reference count is the Nth value after the access counts corresponding to the network addresses identical in at least some fields are sorted, and N is a preset value; and blocking the determined untrusted network address.
The step of calculating the access count corresponding to network addresses identical in at least some fields in the obtained log content, and determining that a network address whose access count is greater than the reference count is an untrusted network address, specifically comprises: classifying all network addresses in the obtained log content by field, placing network addresses with identical fields in one class, and counting the accesses corresponding to the network addresses of each class; arranging the per-class access counts in descending order; determining that the access count corresponding to the network addresses of the Nth class is the reference count; and determining that a network address whose access count is greater than the reference count is an untrusted network address.
The step of determining that the access count corresponding to the network addresses of the Nth class is the reference count specifically comprises: calculating N according to the following formula to determine the access count corresponding to the network addresses of the Nth class: R/m × 50 = N, where R is the total number of log records in the obtained log content and m is the total number of network address classes.
Before the step of blocking the determined untrusted network address, the method further comprises: judging whether the determined untrusted network address is included in a network address whitelist, wherein the whitelist records trusted network addresses; if so, filtering out the untrusted network address included in the whitelist; otherwise, leaving the untrusted network address unprocessed. The step of blocking the determined untrusted network address is then specifically: blocking the untrusted network addresses that were left unprocessed.
The step of obtaining the log content within the predetermined time period in the access log is specifically: checking the access log at intervals of a first time, and obtaining the log content within a second time that ends at the current time at which the access log is checked, so as to obtain the log content within the predetermined time period in the access log.
After the step of obtaining the log content within the predetermined time period in the access log, the method further comprises: judging whether the obtained access log contains accesses bearing a trusted search engine identifier, wherein the access log includes the search engine identifier; if so, filtering out the accesses bearing the trusted search engine identifier; otherwise, leaving the accesses unprocessed. The step of calculating the access count and determining the untrusted network address is then specifically: calculating the access count corresponding to network addresses identical in at least some fields in the log content left unprocessed, so as to determine that a network address whose access count is greater than the reference count is an untrusted network address.
To solve the above technical problem, another technical solution adopted by the present invention is to provide a network security protection device, comprising: a recording module, configured to record a web page access log, wherein the web page access log includes the network address of each access to the server; an acquisition module, configured to obtain the log content within a predetermined time period in the access log recorded by the recording module; a computing module, configured to calculate the access count corresponding to network addresses identical in at least some fields in the log content obtained by the acquisition module, and to determine that a network address whose access count is greater than a reference count is an untrusted network address, wherein the reference count is the Nth value after the access counts corresponding to the network addresses identical in at least some fields are sorted, and N is a preset value; and an execution module, configured to block the determined untrusted network address.
The computing module comprises: a statistics submodule, configured to classify all network addresses in the log content obtained by the acquisition module by field, place network addresses with identical fields in one class, and count the accesses corresponding to the network addresses of each class; a sorting submodule, configured to arrange the per-class access counts obtained by the statistics submodule in descending order; and a determination submodule, configured to determine, from the sorting submodule's ordering of the access counts, that the access count corresponding to the network addresses of the Nth class is the reference count, and to determine the network addresses whose access count is greater than the reference count.
The device further comprises: a first filtering module, configured to judge whether the untrusted network address is included in a network address whitelist and to filter out the untrusted network addresses included in the whitelist, wherein the whitelist records trusted network addresses. The execution module is further configured to block the untrusted network addresses that the first filtering module did not filter out.
The device further comprises: a second filtering module, configured to judge whether the access log obtained by the acquisition module contains accesses bearing a trusted search engine identifier, and to filter out the accesses bearing the trusted search engine identifier, wherein the access log includes the search engine identifier. The computing module is further configured to calculate the access count corresponding to network addresses identical in at least some fields among the accesses not filtered out by the second filtering module, so as to determine that a network address whose access count is greater than the reference count is an untrusted network address.
The beneficial effects of the present invention are as follows: a server records a web page access log; the access count corresponding to network addresses identical in at least some fields in the log content within a predetermined time period is calculated; a network address whose access count is greater than a reference count is determined to be an untrusted network address; and the determined untrusted network address is blocked. The reference count is the Nth value after the access counts corresponding to the network addresses identical in at least some fields are sorted, and N is a preset value. In this way, network addresses whose access does not comply with the rules can be blocked automatically, ensuring the stability and security of the website.
Brief description of the drawings
Fig. 1 is a flow chart of a first embodiment of the network security protection method of the present invention;
Fig. 2 is a flow chart of a second embodiment of the network security protection method of the present invention;
Fig. 3 is a flow chart of a third embodiment of the network security protection method of the present invention;
Fig. 4 is a flow chart of a fourth embodiment of the network security protection method of the present invention;
Fig. 5 is a structural diagram of a first embodiment of the network security protection device of the present invention;
Fig. 6 is a structural diagram of a second embodiment of the network security protection device of the present invention;
Fig. 7 is a structural diagram of a third embodiment of the network security protection device of the present invention;
Fig. 8 is a structural diagram of a fourth embodiment of the network security protection device of the present invention.
Detailed description of the embodiments
The present invention is described in detail below with reference to the drawings and embodiments.
Refer to Fig. 1, a flow chart of the first embodiment of the network security protection method of the present invention. The method comprises:
Step S10: the server records a web page access log. The access log includes the network address of each access to the server.
The server may record all web page access logs in a specified directory. The access log includes at least the network address (user IP) of each access to the server, the web page requested, the time of the request, and the browser identifier used to access the server.
Step S11: obtain the log content within a predetermined time period in the access log.
Specifically, the server checks the access log periodically, and when checking it either extracts the log content of a randomly chosen period or extracts the log content of a predetermined time period. For example, the server checks the access log once every 5 minutes and extracts from the recorded access log the log content of an earlier period (10:20 to 10:30); this time point and period length may be random, without a specific rule. The server may also extract the log content of a predetermined time period, for example the 5 minutes before the current time. This time may be preset by monitoring staff and may also be modified according to the server's traffic. For example, 8 o'clock to 11 o'clock in the evening is usually the peak period for network access, so the predetermined time period is then set to 2 minutes.
Step S12: calculate the access count corresponding to network addresses identical in at least some fields in the obtained log content, and determine that a network address whose access count is greater than a reference count is an untrusted network address.
The reference count is the Nth value after the access counts corresponding to the network addresses identical in at least some fields are sorted, and N is a preset value.
Specifically, each network address consists of fields, generally in the format xxx.xxx.xxx.xxx. Whether network addresses are identical can therefore be judged by field.
In this embodiment, network addresses are determined to be identical when all fields are identical, that is, they are the same network address.
In other embodiments, network addresses may be determined to be identical when only some of the fields are identical; for example, network addresses whose first two fields are identical are treated as identical network addresses. The number and position of the fields that must match can be set according to the recorded access log.
The accesses of identical network addresses within the predetermined time period are counted and sorted, and the Nth value in the sorted result is selected as the reference count, where N is a preset value. Once the reference count is determined, the calculated total number of accesses initiated by each identical network address is compared with the reference count, and a network address whose access total is greater than the reference count is determined to be an untrusted network address.
Some viruses typically initiate a large number of accesses to a server in a short time to occupy server resources, paralysing the server within a short time. Therefore, whether the network address initiating the accesses is malicious and unsafe is determined by judging whether the number of accesses initiated by identical network addresses within the predetermined time exceeds a certain threshold.
Step S13: block the determined untrusted network address.
With this embodiment of the present invention, the access counts of network addresses identical in at least some fields in the web page access log recorded within the predetermined time are counted, and the reference count is used to decide whether the corresponding accesses are abnormal, thereby determining whether the network address initiating the accesses is untrusted; the untrusted network address is then blocked.
Refer to Fig. 2, a flow chart of the second embodiment of the network security protection method of the present invention. The method comprises:
Step S20: the server records a web page access log. The access log includes the network address of each access to the server.
The access log includes at least the network address (user IP) of each access to the server, the web page requested, the time of the request, and the browser identifier used to access the server.
Step S21: obtain the log content within a predetermined time period in the access log.
Specifically, the access log is checked at intervals of a first time, and the log content within a second time that ends at the current time at which the access log is checked is obtained, so as to obtain the log content within the predetermined time period in the access log.
For example, the server checks the access log once every 5 minutes (the first time) and takes the 5 minutes before the current time (the second time) as the predetermined time period. This time may be preset by monitoring staff and may also be modified according to the server's traffic.
In other embodiments, the server extracts the log content of a randomly chosen period when checking the access log, or extracts the log content of a predetermined time period. For example, the server checks the access log once every 5 minutes and extracts from the recorded access log the log content of an earlier period (10:20 to 10:30); this time point and period length may be random, without a specific rule.
Step S22: classify all network addresses in the obtained log content by field, place network addresses with identical fields in one class, and count the accesses corresponding to the network addresses of each class.
Each network address consists of fields, generally in the format xxx.xxx.xxx.xxx. In this embodiment, network addresses are determined to be identical when all fields are identical.
In other embodiments, network addresses may be determined to be identical when only some of the fields are identical; for example, network addresses whose first two fields are identical are treated as identical network addresses.
For example, counting the accesses of identical network addresses gives the following result:
Access total amount The network address
5 192.168.0.1
150 218.17.162.153
55 202.100.10.9
200 202.168.110.120
Table 1
Step S23: arrange the per-class access counts obtained by the statistics in descending order.
Further, the access counts of identical network addresses within the predetermined time period are sorted; for example, sorting the access counts of the network addresses in Table 1 gives the following result:
Access total amount The network address
200 202.168.110.120
150 218.17.162.153
55 202.100.10.9
5 192.168.0.1
Table two
The ranking of the access counts of the network addresses can thus be seen clearly from Table 2.
Step S24: determine that the access count corresponding to the network addresses of the Nth class is the reference count.
Specifically, N is calculated according to the following formula to determine the access count corresponding to the network addresses of the Nth class:
R/m × 50 = N;
where R is the total number of log records in the obtained log content and m is the total number of network address classes.
For example, if the number of log records is 20000 and the number of network address classes is 5000, then N = 20000/5000 × 50 = 200, so the access count corresponding to the network addresses of the 200th class after sorting is the reference count.
The above method of determining the reference count is normally used when traffic is very large, with the reference count determined dynamically by the formula. When traffic is not very large, the value of N may instead be preset by monitoring staff with normal traffic in mind. For example, assuming each person accesses one element per second, a person accesses 60 elements per minute and 300 elements in 5 minutes (the predetermined time period). The value of N can therefore be determined from the number of accesses a person initiates within the predetermined time period under normal conditions, for example N=50. In this case, because traffic is not very large, the value of N should not be set too large, so that too much data is not taken and too many network addresses judged untrusted, which would lead to misjudgments.
In other embodiments, monitoring staff set the value of the reference count directly according to network traffic. For example, 8 o'clock to 11 o'clock in the evening is usually the peak period for network access, so the reference count is set to 500. From 5 o'clock to 7 o'clock in the morning network traffic is lower, so the reference count is set to 30.
Step S25: determine that a network address whose access count is greater than the reference count is an untrusted network address.
Step S26: block the determined untrusted network address.
Refer to Fig. 3. Before step S13, that is, before the step of blocking the determined untrusted network address, the method further comprises:
Step S33: judge whether the determined untrusted network address is included in a network address whitelist. If so, go to step S34; otherwise, go to step S35, that is, perform the step of blocking the determined untrusted network address.
The network address whitelist records trusted network addresses, for example the server's own network address or network addresses configured in advance as trusted with no limit on access volume.
Step S34: filter out the untrusted network addresses included in the whitelist. Then go to step S35.
When an untrusted network address is found to be in the whitelist, it is filtered out; untrusted network addresses not in the whitelist are left unprocessed. The network addresses remaining after filtering are therefore the genuinely untrusted ones, and step S35 is then performed to block them.
Further, the network addresses remaining after filtering are recorded, the addresses they requested are checked, and the most frequently requested addresses are recorded. After the untrusted network addresses have been blocked, monitoring staff can check the addresses that these untrusted network addresses requested and decide whether to restore a blocked network address. For example, during holiday peaks an online ticket-selling website has users who access the site frequently within a short time to rush to buy tickets. In that case, once the requested address is determined to be that of the ticket-selling website, the network address of a user accessing it that was blocked by the method above can be restored after checking, reducing misjudgments.
For the other steps in Fig. 3, refer to Fig. 1 and the corresponding description.
In other embodiments, the other steps in Fig. 3 may also follow Fig. 2 and the corresponding description, which is not repeated here.
Refer to Fig. 4. After step S11, that is, after the step of obtaining the log content within the predetermined time period in the access log, the method further comprises:
Step S42: judge whether the obtained access log contains accesses bearing a trusted search engine identifier. If so, go to step S43; otherwise, go to step S44, that is, perform the step of calculating the access count corresponding to network addresses identical in at least some fields in the obtained log content and determining that a network address whose access count is greater than the reference count is an untrusted network address.
The access log includes at least the network address (user IP) of each access to the server, the web page requested, the time of the request, the browser identifier used to access the server, and the search engine identifier of the access.
Step S43: filter out the accesses bearing the trusted search engine identifier.
When an access recorded in the access log is found to bear the search engine identifier, that access is filtered out; accesses not bearing the search engine identifier are left unprocessed.
Step S12, that is, the step of calculating the access count corresponding to network addresses identical in at least some fields in the obtained log content and determining that a network address whose access count is greater than the reference count is an untrusted network address, can then be implemented by the following step:
Step S44: calculate the access count corresponding to network addresses identical in at least some fields in the log content left unprocessed, so as to determine that a network address whose access count is greater than the reference count is an untrusted network address.
For the other steps in Fig. 4, refer to Fig. 1 and the corresponding description.
In other embodiments, the other steps in Fig. 4 may also follow Fig. 2 or Fig. 3 and the corresponding description, which is not repeated here.
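The method of Figs. 1 to 4 (window selection, search engine filtering, classification by field, ranking, the R/m × 50 formula and the whitelist check) as one added Python example. It is not code from the patent; the log line format, the ExampleBot marker, the clamping and rounding of N and all function names are assumptions, and the sample log is constructed to reproduce the Table 1 counts.

```python
"""Added example (not code from the patent): rank-based blocking over a log window."""
from collections import Counter
from datetime import datetime, timedelta

# Counts from Table 1 of the description; the log lines built from them are constructed.
TABLE_1 = {"192.168.0.1": 5, "218.17.162.153": 150,
           "202.100.10.9": 55, "202.168.110.120": 200}


def sample_log(now):
    """Constructed lines in an assumed format: ISO time|client IP|URL|user agent."""
    lines = []
    for ip, count in TABLE_1.items():
        for i in range(count):
            ts = now - timedelta(seconds=i % 290)          # inside the 5-minute window
            lines.append(f"{ts.isoformat()}|{ip}|/index.html|Mozilla/5.0")
    stale = now - timedelta(minutes=10)                    # outside the window
    lines += [f"{stale.isoformat()}|198.51.100.9|/index.html|Mozilla/5.0"] * 400
    # Crawler hits carrying a trusted search engine identifier (hypothetical marker).
    lines += [f"{now.isoformat()}|203.0.113.7|/index.html|ExampleBot/1.0"] * 300
    return lines


def parse_line(line):
    ts, ip, url, agent = line.rstrip("\n").split("|", 3)
    return {"time": datetime.fromisoformat(ts), "ip": ip, "url": url, "agent": agent}


def select_window(entries, now, minutes=5):
    """Steps S11/S21: keep records from the `minutes` ending at the check time."""
    start = now - timedelta(minutes=minutes)
    return [e for e in entries if start < e["time"] <= now]


def drop_search_engines(entries, trusted_markers):
    """Steps S42/S43: filter out accesses bearing a trusted search engine identifier.
    The identifier is read from the user-agent field here (assumption); that string
    is supplied by the client, so it is only as reliable as the client is honest."""
    return [e for e in entries if not any(m in e["agent"] for m in trusted_markers)]


def address_class(ip, fields=4):
    """Classify by the first `fields` dotted fields (4 = the whole address)."""
    return ".".join(ip.split(".")[:fields])


def dynamic_n(total_records, class_count):
    """N = R/m x 50 from step S24; rounding down is an assumption."""
    return int(total_records / class_count * 50)


def find_untrusted(entries, n=None, fields=4, whitelist=()):
    """Steps S22-S26 plus the whitelist check (S33/S34).

    Returns (classes to block with their counts, reference count)."""
    counts = Counter(address_class(e["ip"], fields) for e in entries)
    if not counts:
        return [], None
    ranked = counts.most_common()                          # descending by access count
    if n is None:
        n = dynamic_n(len(entries), len(ranked))
    # Assumption: the description does not say what to do when N exceeds the number
    # of classes, so N is clamped to the ranked list here.
    n = max(1, min(n, len(ranked)))
    reference = ranked[n - 1][1]                           # Nth value after sorting
    flagged = [(addr, c) for addr, c in ranked if c > reference]
    return [(a, c) for a, c in flagged if a not in whitelist], reference


if __name__ == "__main__":
    now = datetime(2014, 12, 29, 10, 30)                   # constructed check time
    entries = [parse_line(line) for line in sample_log(now)]
    window = drop_search_engines(select_window(entries, now), ("ExampleBot",))
    print(find_untrusted(window, n=2))
    print(find_untrusted(window, n=2, whitelist={"202.168.110.120"}))
    print(find_untrusted(window))                          # dynamic N, clamped to 4
```

Because the reference count is itself the Nth-ranked count, each window flags up to N-1 address classes however low the traffic is, so the whitelist and the review of blocked addresses described above carry the burden of limiting false positives.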
Refer to Fig. 5, a structural diagram of the first embodiment of the network security protection device of the present invention. The device 50 comprises: a recording module 51, an acquisition module 52, a computing module 53 and an execution module 54.
The recording module 51 is configured to record a web page access log. The web page access log includes the network address of each access to the server.
Further, the access log includes at least the network address (user IP) of each access to the server, the web page requested, the time of the request, and the browser identifier used to access the server.
The acquisition module 52 is configured to obtain the log content within a predetermined time period in the access log recorded by the recording module.
Specifically, the access log is checked at intervals of a first time, and the log content within a second time that ends at the current time at which the access log is checked is obtained, so as to obtain the log content within the predetermined time period in the access log. For example, the server checks the access log once every 5 minutes (the first time) and takes the 5 minutes before the current time (the second time) as the predetermined time period. This time may be preset by monitoring staff and may also be modified according to the server's traffic.
In other embodiments, the server extracts the log content of a randomly chosen period when checking the access log, or extracts the log content of a predetermined time period. For example, the server checks the access log once every 5 minutes and extracts from the recorded access log the log content of an earlier period (10:20 to 10:30); this time point and period length may be random, without a specific rule.
The computing module 53 is configured to calculate the access count corresponding to network addresses identical in at least some fields in the log content obtained by the acquisition module, and to determine that a network address whose access count is greater than a reference count is an untrusted network address.
The reference count is the Nth value after the access counts corresponding to the network addresses identical in at least some fields are sorted, and N is a preset value.
In this embodiment, network addresses are determined to be identical when all fields are identical, that is, they are the same network address.
In other embodiments, network addresses may be determined to be identical when only some of the fields are identical; for example, network addresses whose first two fields are identical are treated as identical network addresses.
The execution module 54 is configured to block the determined untrusted network address.
With this embodiment of the present invention, the access counts of network addresses identical in at least some fields in the web page access log recorded within the predetermined time are counted, and the reference count is used to decide whether the corresponding accesses are abnormal, thereby determining whether the network address initiating the accesses is untrusted; the untrusted network address is then blocked.
Refer to Fig. 6, this computing module 63 comprises: add up submodule 630, sorting sub-module 631 and determine submodule 632.
This statistics submodule 630 is classified according to field for the overall network address in this log content of obtaining this acquisition module 62, and identical for the field network address is classified as a class, and the access number that the network address adding up each classification is corresponding.
This sorting sub-module 631 arranges according to descending order for the access number that the network address of this statistics submodule 630 being added up each classification obtained is corresponding.
This determines that submodule 632 is for determining that according to the sequence of this sorting sub-module 631 pairs of access numbers access number corresponding to the network address of N number of classification is this benchmark quantity, and determines that access number is greater than the network address of this benchmark quantity.
Particularly, this determines submodule 632 according to following formulae discovery N to determine the access number that the network address of described N number of classification is corresponding:
R/m×50=N;
Here, R is the total number of log entries contained in the obtained log content, and m is the total number of network address classes.
For example, if the number of log entries is 20000 and the number of network address classes is 5000, then N = 20000/5000 × 50 = 200, so the access count of the 200th class after sorting is the reference number.
In other embodiments, monitoring staff set the value of the reference number directly according to the volume of network access. For example, 8 o'clock to 11 o'clock in the evening is usually the peak period for network access, so the reference number is set to 500 accesses. Between 5 o'clock and 7 o'clock in the morning the volume of network access is lower, so the reference number is set to 30 accesses.
For the other modules in Fig. 6, refer to Fig. 5 and the corresponding description.
Refer to Fig. 7. The device 70 further comprises a first filtering module 75, configured to judge whether an untrusted network address is included in a network address whitelist and to filter out the untrusted network addresses that are contained in the whitelist. The network address whitelist records trusted network addresses. The first filtering module 75 leaves network addresses that are not in the whitelist unprocessed, so the network addresses remaining after filtering are the genuinely untrusted ones.
The execution module 74 is further configured to block the untrusted network addresses that the first filtering module 75 did not filter out.
For the other modules in Fig. 7, refer to Fig. 5 and the corresponding description.
In other embodiments, the other modules in Fig. 7 may also follow Fig. 6 and the corresponding description, which is not repeated here.
Refer to Fig. 8. The device 80 further comprises a second filtering module 86, configured to judge whether the access log obtained by the acquisition module 82 contains accesses carrying a trusted search engine identifier, and to filter out the accesses carrying the trusted search engine identifier. The access log includes the search engine identifier. The second filtering module 86 leaves accesses that do not carry the search engine identifier unprocessed.
The computing module 84 is further configured to calculate the access count corresponding to network addresses that are identical in at least some fields among the accesses left unprocessed by the second filtering module 86, so as to determine that network addresses whose access count is greater than the reference number are untrusted network addresses.
For the other modules in Fig. 8, refer to Fig. 5 and the corresponding description.
In other embodiments, the other modules in Fig. 8 may also follow Fig. 6 or Fig. 7 and the corresponding description, which is not repeated here.
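The pipeline described for Figs. 5 to 8 can be sketched in Python as follows. This is an added example, not code from the patent: treating the User-Agent string as the search engine identifier, the constructed sample window, whitelist entries given as class keys, and truncating and clamping N to 1..m are all assumptions.

```python
from collections import Counter

# Constructed values for the example; neither list comes from the patent.
TRUSTED_ENGINE_MARKS = ("Googlebot", "Baiduspider")
WHITELIST = {"192.0.2.10"}

def address_class(ip, fields=4):
    """Class key: the first `fields` dotted fields (4 = the whole address)."""
    return ".".join(ip.split(".")[:fields])

def reference_index(total_logs, num_classes, factor=50):
    """N = R / m * 50. Truncating and clamping to 1..m is an assumption:
    the patent does not say what to do when N is fractional or exceeds m."""
    return max(1, min(int(total_logs / num_classes * factor), num_classes))

def find_untrusted(entries, fields=4, whitelist=WHITELIST):
    """entries: (address, user_agent) pairs from the time window.
    Returns (reference_number, sorted address classes to block)."""
    # Second filtering module: drop accesses with a trusted search engine identifier.
    kept = [ip for ip, agent in entries
            if not any(mark in agent for mark in TRUSTED_ENGINE_MARKS)]
    if not kept:
        return 0, []
    # Statistics submodule: one class per identical (partial) address.
    counts = Counter(address_class(ip, fields) for ip in kept)
    # Sorting submodule: access counts in descending order.
    ordered = sorted(counts.values(), reverse=True)
    # Determining submodule: the N-th count is the reference number.
    n = reference_index(len(kept), len(counts))
    reference = ordered[n - 1]
    flagged = {cls for cls, hits in counts.items() if hits > reference}
    # First filtering module: whitelisted classes are never blocked.
    return reference, sorted(flagged - set(whitelist))

def sample_window():
    """Constructed log window: R = 20000 counted entries, m = 5000 classes."""
    browser, crawler = "Mozilla/5.0", "Mozilla/5.0 (compatible; Googlebot/2.1)"
    entries = [("203.0.113.1", browser)] * 3000
    entries += [("203.0.113.2", browser)] * 2000
    entries += [("198.51.100.7", browser)] * 1000
    entries += [("192.0.2.10", browser)] * 500    # whitelisted address
    entries += [("192.0.2.66", crawler)] * 800    # filtered before counting
    for i in range(4996):                         # background visitors
        hits = 6 if i < 500 else 3 if i < 2008 else 2
        entries += [(f"10.{i // 250}.{i % 250}.1", browser)] * hits
    return entries

if __name__ == "__main__":
    reference, to_block = find_untrusted(sample_window())
    print("reference number:", reference)
    print("addresses to block:", to_block)
```

When a window holds few distinct addresses, R/m × 50 exceeds m, so under the clamp assumed here the least-active class becomes the reference and every busier class is flagged.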
In the network security protection method and device provided by the present invention, the server records a web access log, the access count corresponding to network addresses that are identical in at least some fields is calculated over the log content within a predetermined time period, network addresses whose access count is greater than the reference number are determined to be untrusted network addresses, and the untrusted network addresses so determined are blocked. The reference number is the N-th value after the access counts corresponding to the network addresses identical in at least some fields are sorted, and N is a preset value. In this way, network addresses whose access does not conform to the rules can be blocked automatically, ensuring the stability and security of the website.
The foregoing describes only embodiments of the present invention and does not thereby limit the scope of the claims of the present invention. Any equivalent structure or equivalent process transformation made using the content of the specification and drawings of the present invention, or any direct or indirect use in other related technical fields, is likewise included within the scope of patent protection of the present invention.

Claims (10)

1. A network security protection method, characterized in that the method comprises:
a server recording a web access log, wherein the access log comprises the network address of each access to the server;
obtaining the log content within a predetermined time period in the access log;
calculating the access count corresponding to network addresses that are identical in at least some fields in the obtained log content, and determining that a network address whose access count is greater than a reference number is an untrusted network address, wherein the reference number is the N-th value after the access counts corresponding to the network addresses identical in at least some fields are sorted, and N is a preset value; and
blocking the untrusted network address thus determined.
2. The network security protection method according to claim 1, characterized in that the step of calculating the access count corresponding to network addresses that are identical in at least some fields in the obtained log content, and determining that a network address whose access count is greater than the reference number is an untrusted network address, is specifically:
classifying all network addresses in the obtained log content according to their fields, placing network addresses with identical fields in one class, and counting the accesses corresponding to the network addresses of each class;
arranging the access counts obtained for the network addresses of each class in descending order;
determining that the access count corresponding to the network address of the N-th class is the reference number; and
determining that a network address whose access count is greater than the reference number is an untrusted network address.
3. The network security protection method according to claim 2, characterized in that the step of determining that the access count corresponding to the network address of the N-th class is the reference number is specifically:
calculating N according to the following formula in order to determine the access count corresponding to the network address of the N-th class:
R/m×50=N;
wherein R is the total number of log entries contained in the obtained log content, and m is the total number of network address classes.
4. network safety protection method according to claim 1 and 2, is characterized in that, before the step of the described incredible network address that described envelope is fallen to determine, described method also comprises:
Judge whether the described incredible network address determined is included in a network address white list; Wherein, described network address white list is used for recording the believable network address; If so, then bag filter is contained in the incredible network address in described white list, otherwise does not deal with the described incredible network address;
The step of the described incredible network address that described envelope is fallen to determine is specially: seal the described incredible network address falling not deal with.
5. network safety protection method according to claim 1 and 2, is characterized in that, the step of the log content in the described access log of described acquisition in predetermined amount of time is specially:
The interval very first time checks described access log, and obtains with the log content checked in the second time that the current time of described access log is terminal, to obtain the log content in described access log in predetermined amount of time.
6. network safety protection method according to claim 1 and 2, is characterized in that, after the step of the log content in the described access log of described acquisition in predetermined amount of time, described method also comprises:
Judge in the described access log obtained, whether to comprise the access with believable search engine mark; If so, then filter the access with described believable search engine mark, otherwise described access is not dealt with; Wherein, described access log comprises described search engine mark;
The access number that the network address that in the described log content that described calculating obtains, field is identical is at least partly corresponding, and determine that the network address that access number is greater than benchmark quantity is that the step of the incredible network address is specially: calculate the access number that the network address that in not processed described log content, at least part of field is identical is corresponding, to determine that the network address that access number is greater than benchmark quantity is the incredible network address.
7. A network security protection device, characterized in that the device comprises:
a recording module, configured to record a web access log, wherein the web access log comprises the network address of each access to the server;
an acquisition module, configured to obtain the log content within a predetermined time period in the access log recorded by the recording module;
a computing module, configured to calculate the access count corresponding to network addresses that are identical in at least some fields in the log content obtained by the acquisition module, and to determine that a network address whose access count is greater than a reference number is an untrusted network address, wherein the reference number is the N-th value after the access counts corresponding to the network addresses identical in at least some fields are sorted, and N is a preset value; and
an execution module, configured to block the untrusted network address thus determined.
8. The network security protection device according to claim 7, characterized in that the computing module comprises:
a statistics submodule, configured to classify all network addresses in the log content obtained by the acquisition module according to their fields, placing network addresses with identical fields in one class, and to count the accesses corresponding to the network addresses of each class;
a sorting submodule, configured to arrange the access counts obtained by the statistics submodule for the network addresses of each class in descending order;
a determining submodule, configured to determine, according to the ordering of access counts produced by the sorting submodule, that the access count corresponding to the network address of the N-th class is the reference number, and to determine the network addresses whose access count is greater than the reference number.
9. The network security protection device according to claim 7 or 8, characterized in that the device further comprises:
a first filtering module, configured to judge whether the untrusted network address is included in a network address whitelist, and to filter out the untrusted network address contained in the whitelist, wherein the network address whitelist records trusted network addresses;
the execution module is further configured to block the untrusted network address that the first filtering module did not filter out.
10. The network security protection device according to claim 7 or 8, characterized in that the device further comprises:
a second filtering module, configured to judge whether the access log obtained by the acquisition module contains an access carrying a trusted search engine identifier, and to filter out the access carrying the trusted search engine identifier, wherein the access log comprises the search engine identifier;
the computing module is further configured to calculate the access count corresponding to network addresses that are identical in at least some fields among the accesses not processed by the second filtering module, so as to determine that a network address whose access count is greater than the reference number is an untrusted network address.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410834975.4A CN104618328A (en) 2014-12-29 2014-12-29 Network security protection method and device

Publications (1)

Publication Number Publication Date
CN104618328A true CN104618328A (en) 2015-05-13

Family

ID=53152604

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410834975.4A Pending CN104618328A (en) 2014-12-29 2014-12-29 Network security protection method and device

Country Status (1)

Country Link
CN (1) CN104618328A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102891829A (en) * 2011-07-18 2013-01-23 航天信息股份有限公司 Method and system for detecting and defending distributed denial of service attack
CN103379099A (en) * 2012-04-19 2013-10-30 阿里巴巴集团控股有限公司 Hostile attack identification method and system
CN103581180A (en) * 2013-10-28 2014-02-12 深信服网络科技(深圳)有限公司 Method and device for adjusting target hitting characteristics according to attacking logs
CN103701793A (en) * 2013-12-20 2014-04-02 北京奇虎科技有限公司 Method and device for identifying server broiler chicken
CN104065644A (en) * 2014-05-28 2014-09-24 北京知道创宇信息技术有限公司 Method and apparatus for recognizing CC attacks based on log analysis

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106254092A (en) * 2016-07-14 2016-12-21 浪潮电子信息产业股份有限公司 A kind of method for early warning, Apparatus and system
CN108255868A (en) * 2016-12-29 2018-07-06 北京国双科技有限公司 Check the method and apparatus linked in website
CN112165466A (en) * 2020-09-16 2021-01-01 杭州安恒信息技术股份有限公司 Method and device for false alarm identification, electronic device and storage medium
CN112165466B (en) * 2020-09-16 2022-06-17 杭州安恒信息技术股份有限公司 Method and device for false alarm identification, electronic device and storage medium
CN113094250A (en) * 2021-05-12 2021-07-09 成都新希望金融信息有限公司 Log early warning method and device, electronic equipment and storage medium
CN113094250B (en) * 2021-05-12 2023-08-18 成都新希望金融信息有限公司 Log early warning method and device, electronic equipment and storage medium

Similar Documents

Publication Publication Date Title
CN104391979B (en) Network malice reptile recognition methods and device
US9894094B2 (en) Method, server, and system for automatically rating reputation of a web site
CN105577608B (en) Network attack behavior detection method and device
CN105357195B (en) Go beyond one's commission leak detection method and the device of web access
CN106295349B (en) Account stolen risk identification method, identification device and prevention and control system
CN104618328A (en) Network security protection method and device
CN101834846B (en) Minor health website authentication system and method
CN104301302A (en) Unauthorized attack detection method and device
CN110851839B (en) Risk-based asset scoring method and system
CN109274632B (en) Website identification method and device
CN111600865B (en) Abnormal communication detection method and device, electronic equipment and storage medium
CN106453403B (en) A kind of determining method and system of loophole rectification sequence based on attack chain
US9021085B1 (en) Method and system for web filtering
CN106657057A (en) Anti-crawler system and method
RU2017105709A (en) DETECTION OF BEHAVIOR OF AGENTS OF Malicious Software
CN103905372A (en) Method and device for removing false alarm of phishing website
CN107682341A (en) The means of defence and device of CC attacks
CN109428857A (en) A kind of detection method and device of malice detection behavior
CN110875907A (en) Access request control method and device
CN102185788A (en) Method and system for searching vice accounts on basis of temporary mailbox
CN103905421A (en) Suspicious event detection method and system based on URL heterogeneity
CN107172033B (en) WAF misjudgment identification method and device
CN106572056A (en) Risk monitoring method and device
CN104219219B (en) A kind of method of data processing, server and system
CN101901307B (en) Method and device for detecting whether database is attacked by cross-site script

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20150513