CN104883363A - Method and device for analyzing abnormal access behaviors - Google Patents

Publication number
CN104883363A
Authority
CN
China
Prior art keywords
access
user
behavior
abnormal
forwarding unit
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201510236271.1A
Other languages
Chinese (zh)
Inventor
陈佳
朱佳佳
苏伟
张宏科
郑涛
岳亮
童博
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Jiaotong University
Original Assignee
Beijing Jiaotong University
Application filed by Beijing Jiaotong University
Priority to CN201510236271.1A
Publication of CN104883363A

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method and device for analyzing abnormal access behaviors and belongs to the field of network security. The method comprises: acquiring the characteristic information of a data packet when a user accesses the network, wherein the characteristic information is key information extracted from the data packet by an access forwarding device, a first parameter transmitted by the access forwarding device to indicate whether the user is making unauthorized access, or a second parameter transmitted by the access forwarding device to indicate whether the user is logging in at an abnormal location; determining, according to the characteristic information, whether the access behavior of the user is an abnormal access behavior; and if so, adjusting a reputation value of the user in the adjusting manner corresponding to the type of the abnormal access behavior. The method and device solve the problem that service management in the prior art only provides pertinent services for the user, and achieve the effects of determining the newest access level for the user in real time and guaranteeing the security of user access.

Description

Abnormal access behavior analysis method and device
Technical field
The present invention relates to the field of network security, and in particular to an abnormal access behavior analysis method and device.
Background technology
An integrated identification network divides the network into an access network and a backbone network and introduces the access identifier (Access Identifier, AID) and the routing identifier (Routing Identifier, RID), which fundamentally solves the problem of the dual attribute of the Internet Protocol (IP) address. An integrated identification network can merge well with the existing Internet and existing network architectures; its fusion with traditional communication networks in particular has become a new research direction.
In an integrated identification network, to manage network access, the different attributes of a user identifier (UID) are described and summarized in a user attribute tag (U_TAG), the different attributes of a service identifier (SID) are described and summarized in a service attribute tag (S_TAG), and policy rules are set based on U_TAG and S_TAG. Each time a user accesses a resource, the U_TAG and S_TAG corresponding to the UID and SID in the service request are looked up, and the policy result is then obtained by querying the corresponding policy rule, thereby realizing service management.
In the course of realizing the present invention, the inventors found that the prior art has at least the following problem: when service management is realized as above, services are divided according to attributes and the user is only provided with pertinent services, so this kind of service management is rather limited.
Summary of the invention
To solve the problem in the prior art that service management is limited to providing the user with pertinent services and is therefore rather limited, embodiments of the present invention provide an abnormal access behavior analysis method and device. The technical scheme is as follows:
In a first aspect, an abnormal access behavior analysis method is provided, the method comprising:
Obtaining the characteristic information of a data packet when a user accesses the network, where the characteristic information is key information extracted from the data packet by an access forwarding unit, a first parameter sent by the access forwarding unit to indicate whether the user is making unauthorized access, or a second parameter sent by the access forwarding unit to indicate whether the user is logging in from an abnormal location;
Determining, according to the characteristic information, whether the access behavior of the user is an abnormal access behavior, where abnormal access behavior comprises attack behavior, unauthorized access behavior or abnormal-location login behavior;
If the access behavior of the user is an abnormal access behavior, adjusting the credit value of the user in the adjustment mode corresponding to the type of the abnormal access behavior, where the credit value of the user is used to limit the access level of the user;
Wherein the key information comprises the user ID of the user, the source access network identifier, the target access network identifier, the protocol type, the source port and the target port.
Optionally, obtaining the characteristic information of the data packet when the user accesses the network comprises:
When the characteristic information is the key information, receiving the stream summary info and the flow template sent by the access forwarding unit, where each piece of stream summary info is obtained by the access forwarding unit, after it receives the data packets, by dividing the packets into streams and adding the key information corresponding to any one group of streams to the flow template, and the packets in each group of streams have identical key information;
For each piece of stream summary info, extracting one group of key information from the stream summary info according to the flow template;
Storing the key information as one stream summary record.
Optionally, determining according to the characteristic information whether the access behavior of the user is an abnormal access behavior comprises:
When the characteristic information is the key information, performing entropy quantification on a predetermined number of stored stream summary records and inputting the entropy vector obtained after quantification into a classifier to obtain the behavior type corresponding to the access behavior, where the behavior types comprise normal access behavior and various attack behaviors, and the attack behaviors comprise TCP behavior, denial-of-service (DoS) attack behavior and distributed denial-of-service (DDoS) attack behavior.
Optionally, adjusting the credit value of the user in the adjustment mode corresponding to the type of the abnormal access behavior comprises:
According to the type of the abnormal access behavior, accumulating the number of the user's abnormal access behaviors of the same type, and adjusting the credit value of the user according to the adjustment parameter corresponding to the accumulated number.
Optionally, after adjusting the credit value of the user in the adjustment mode corresponding to the type of the abnormal access behavior, the method further comprises:
Detecting whether the adjusted credit value corresponds to a new access level;
If the adjusted credit value corresponds to a new access level, adjusting the access level of the user to the access level corresponding to the adjusted credit value.
Optionally, the method further comprises:
Sending the adjusted access level to the access forwarding unit, to notify the access forwarding unit to update the access level of the user with the adjusted access level;
Or,
When an acquisition request by which the access forwarding unit requests the access level of the user is received, sending the adjusted access level to the access forwarding unit.
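The entropy quantification step of the first aspect, shown as an added Python example that is not part of the patent text: each window of stream summary records is reduced to a per-field entropy vector, which is then classified. The window size of 64, the thresholds, the rule-based `classify` function standing in for the unspecified classifier (it covers only the normal, DoS and DDoS types), and all sample records are assumptions constructed for illustration.

```python
import math
from collections import Counter, namedtuple

# One stored stream (flow) summary record: the key information listed on the page.
FlowRecord = namedtuple("FlowRecord", "uid src_aid dst_aid proto src_port dst_port")

# Fields that are entropy-quantified, in the order they appear in the vector.
FIELDS = ("src_aid", "dst_aid", "proto", "src_port", "dst_port")
WINDOW = 64  # the "predetermined number" of records; 64 is an assumed value


def normalized_entropy(values):
    """Shannon entropy of the observed values, scaled to the range 0..1."""
    n = len(values)
    counts = Counter(values)
    if n < 2 or len(counts) == 1:
        return 0.0  # a single repeated value carries no uncertainty
    h = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return h / math.log2(n)  # log2(n) is the maximum entropy of n samples


def entropy_vector(window):
    """Quantify one window of records as a tuple of per-field entropies."""
    return tuple(
        round(normalized_entropy([getattr(rec, f) for rec in window]), 3)
        for f in FIELDS
    )


def classify(vec):
    """Threshold rules standing in for the classifier (thresholds are assumed)."""
    src_aid, dst_aid, _proto, src_port, dst_port = vec
    one_target = dst_aid < 0.2 and dst_port < 0.2  # traffic converges on one service
    if one_target and src_aid > 0.8:
        return "ddos"    # many distinct sources
    if one_target and src_aid < 0.2 and src_port > 0.8:
        return "dos"     # one source opening many flows
    return "normal"


def analyze(records, size=WINDOW):
    """Classify each full window of `size` consecutive records."""
    return [
        classify(entropy_vector(records[i:i + size]))
        for i in range(0, len(records) - size + 1, size)
    ]


# Constructed sample records (not captured traffic).
def sample_normal(n=WINDOW):
    ports = (80, 443, 53)
    return [FlowRecord(f"u{i % 16}", f"aid-{i % 16}", f"srv-{i % 8}",
                       "udp" if ports[i % 3] == 53 else "tcp",
                       20000 + i, ports[i % 3]) for i in range(n)]


def sample_dos(n=WINDOW):
    return [FlowRecord("u1", "aid-1", "srv-0", "tcp", 30000 + i, 80)
            for i in range(n)]


def sample_ddos(n=WINDOW):
    return [FlowRecord(f"u{i}", f"aid-{i}", "srv-0", "tcp", 40000 + i, 80)
            for i in range(n)]


if __name__ == "__main__":
    stream = sample_normal() + sample_dos() + sample_ddos()
    labels = analyze(stream)
    for k, label in enumerate(labels):
        window = stream[k * WINDOW:(k + 1) * WINDOW]
        print(entropy_vector(window), label)
```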
In a second aspect, an abnormal access behavior analysis device is provided, the device comprising:
A characteristic information acquisition module, configured to obtain the characteristic information of a data packet when a user accesses the network, where the characteristic information is key information extracted from the data packet by an access forwarding unit, a first parameter sent by the access forwarding unit to indicate whether the user is making unauthorized access, or a second parameter sent by the access forwarding unit to indicate whether the user is logging in from an abnormal location;
An abnormal behavior determination module, configured to determine, according to the characteristic information obtained by the characteristic information acquisition module, whether the access behavior of the user is an abnormal access behavior, where abnormal access behavior comprises attack behavior, unauthorized access behavior or abnormal-location login behavior;
A credit value adjusting module, configured to, when the abnormal behavior determination module determines that the access behavior of the user is an abnormal access behavior, adjust the credit value of the user in the adjustment mode corresponding to the type of the abnormal access behavior, where the credit value of the user is used to limit the access level of the user;
Wherein the key information comprises the user ID of the user, the source access network identifier, the target access network identifier, the protocol type, the source port and the target port.
Optionally, the characteristic information acquisition module comprises:
A receiving unit, configured to, when the characteristic information is the key information, receive the stream summary info and the flow template sent by the access forwarding unit, where each piece of stream summary info is obtained by the access forwarding unit, after it receives the data packets, by dividing the packets into streams and adding the key information corresponding to any one group of streams to the flow template, and the packets in each group of streams have identical key information;
A key information extraction unit, configured to, for each piece of stream summary info, extract one group of key information from the stream summary info according to the flow template;
A storage unit, configured to store the key information extracted by the key information extraction unit as one stream summary record.
Optionally, the abnormal behavior determination module is further configured to:
When the characteristic information is the key information, perform entropy quantification on a predetermined number of stream summary records stored by the storage unit and input the entropy vector obtained after quantification into a classifier to obtain the behavior type corresponding to the access behavior, where the behavior types comprise normal access behavior and various attack behaviors, and the attack behaviors comprise TCP behavior, denial-of-service (DoS) attack behavior and distributed denial-of-service (DDoS) attack behavior.
Optionally, the credit value adjusting module is further configured to:
According to the type of the abnormal access behavior, accumulate the number of the user's abnormal access behaviors of the same type, and adjust the credit value of the user according to the adjustment parameter corresponding to the accumulated number.
Optionally, the device further comprises:
A detection module, configured to detect whether the credit value adjusted by the credit value adjusting module corresponds to a new access level;
An access level adjusting module, configured to, after the detection module detects that the adjusted credit value corresponds to a new access level, adjust the access level of the user to the access level corresponding to the adjusted credit value.
Optionally, the device further comprises:
A first sending module, configured to send the adjusted access level to the access forwarding unit, to notify the access forwarding unit to update the access level of the user with the adjusted access level;
Or,
A second sending module, configured to, when an acquisition request by which the access forwarding unit requests the access level of the user is received, send the adjusted access level to the access forwarding unit.
The beneficial effects of the technical scheme provided by the embodiments of the present invention are:
By obtaining the characteristic information of the data packet when a user accesses the network, it is determined whether the access behavior of the user is an abnormal access behavior; if it is, the credit value of the user is adjusted in the adjustment mode corresponding to the abnormal access behavior. Because the credit value of the user can be adjusted in real time according to the user's abnormal access behavior, the access level of the user can be determined and the user can then be provided with services matching that access level. This solves the problem in the prior art that service management is limited to providing the user with pertinent services, and achieves the effect of determining the latest access level for the user in real time and ensuring the security of user access.
Description of the drawings
To illustrate the technical schemes in the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a schematic diagram of the UNE involved in the abnormal access behavior analysis method provided in some embodiments of the present invention;
Fig. 2 is a flow chart of the abnormal access behavior analysis method provided in one embodiment of the present invention;
Fig. 3 is a flow chart of the abnormal access behavior analysis method provided in another embodiment of the present invention;
Fig. 4 is a flow chart of the abnormal access behavior analysis method provided in yet another embodiment of the present invention;
Fig. 5 is a structural diagram of the abnormal access behavior analysis device provided in one embodiment of the present invention;
Fig. 6 is a structural diagram of the abnormal access behavior analysis device provided in another embodiment of the present invention.
Embodiment
To make the objects, technical schemes and advantages of the present invention clearer, embodiments of the present invention are described in further detail below with reference to the drawings.
Refer to Fig. 1, a schematic diagram of the UNE involved in the abnormal access behavior analysis method provided in some embodiments of the present invention; this UNE is the network obtained after access network 110 and integrated identification network 120 are merged.
Here, access network 110 is a General Packet Radio Service (GPRS) network.
Access network 110 comprises at least one mobile terminal 111 held by a user; the mobile terminal 111 may be a smartphone, a tablet computer with mobile communication capability, a multimedia player, a wearable device, or the like.
Access network 110 also comprises a Serving GPRS Support Node (SGSN) 112.
Integrated identification network 120 comprises access forwarding unit 121, tactful equipment 122 (a policy device) and forwarding unit 124. The tactful equipment 122 may be part of mapping/certificate server 123, a device that contains mapping/certificate server 123, or a device independent of mapping/certificate server 123. Mapping/certificate server 123 may be a cluster of a mapping server and a certificate server, or a single device. Obviously, mapping/certificate server 123 may also be one device or a cluster of at least two devices.
Optionally, tactful equipment 122 may be a single device or a cluster of multiple devices; for example, tactful equipment 122 may also comprise user behavior analysis server 122a.
The forwarding unit 124 here is generally a router.
The access forwarding unit 121 here is located in both access network 110 and integrated identification network 120; that is, access forwarding unit 121 is the edge node where access network 110 and integrated identification network 120 merge. In other words, access forwarding unit 121 has the function of a Gateway GPRS Support Node (GGSN) in access network 110 and also the function of a router in integrated identification network 120, thereby achieving the fusion of access network 110 and integrated identification network 120.
Generally, after receiving a data packet sent by mobile terminal 111, access forwarding unit 121 replaces the source access identifier AID in the packet with a routing identifier RID that can be recognized in integrated identification network 120 (i.e. the identifier of forwarding unit 124); that is, the source AID in the packet is replaced with a source RID. Similarly, the target AID in the packet is replaced with a target RID, where the routing identifier RID is the identifier of a router in integrated identification network 120. In this way, after access forwarding unit 121 has replaced the access identifiers, the packet can be forwarded inside integrated identification network 120 along the forwarding path corresponding to the source RID and target RID.
Optionally, after receiving a data packet, access forwarding unit 121 obtains the source AID and target AID in the packet. For the source AID, access forwarding unit 121 determines a RID from its address pool, establishes a mapping relation between the source AID and that RID, stores the mapping relation in its local mapping table, and at the same time uploads the mapping relation to mapping/certificate server 123 for storage. Finally, it replaces the source AID in the packet with this RID.
For the target AID of the packet, access forwarding unit 121 first searches the opposite-end mapping table stored in access forwarding unit 121; this table contains the mapping relations between the RIDs of the other access forwarding units and the AIDs of the access devices connected to those access forwarding units.
In general, once an access forwarding unit A has established a communication connection with a mobile terminal P, the mapping relation between the AID of mobile terminal P and the RID of the access forwarding unit connected to mobile terminal P is saved in the opposite-end mapping table of access forwarding unit A.
When access forwarding unit 121 does not find the mapping relation corresponding to the target AID in the opposite-end mapping table, it sends a mapping request to mapping/certificate server 123 to request the mapping relation corresponding to the target AID, and replaces the target AID in the packet with the RID in the mapping relation obtained.
When access forwarding unit 121 has already communicated with the access forwarding unit to which the target AID is connected, it can find the mapping relation corresponding to the target AID in the opposite-end mapping table and replaces the target AID in the packet with the RID in the mapping relation found. Optionally, access forwarding unit 121 may also store the obtained mapping relation in the far-end mapping table local to access forwarding unit 121.
Access forwarding unit 121 forwards the packet after the access identifiers have been replaced.
To control the packets involved in attacks effectively, and to limit the access rights of a user according to the user's access behavior so as to ensure network security, each embodiment of the present invention uses the attributes of the packets received by access forwarding unit 121 to determine whether to adjust the credit value of the user and, in turn, the access rights of the user. The control of abnormal access behavior in the integrated identification network is illustrated below through several embodiments.
Each embodiment of the present invention is applied in the UNE formed by merging access network 110 and integrated identification network 120 as shown in Fig. 1. Unless otherwise specified, the UNE mentioned below refers to the network obtained by merging access network 110 and integrated identification network 120 in Fig. 1.
Refer to Fig. 2, a flow chart of the abnormal access behavior analysis method provided in one embodiment of the present invention. The method is illustrated mainly as applied in tactful equipment 122 in the UNE shown in Fig. 1, and comprises:
Step 201, obtain the characteristic information of the data packet when a user accesses the network. The characteristic information is key information extracted from the packet by the access forwarding unit, a first parameter sent by the access forwarding unit to indicate whether the user is making unauthorized access, or a second parameter sent by the access forwarding unit to indicate whether the user is logging in from an abnormal location.
Generally, after receiving a data packet sent by the SGSN, the access forwarding unit extracts the key information from the header of the received packet and sends the extracted key information to the tactful equipment, so that the tactful equipment can learn whether the packet was produced by an attack.
Optionally, to reduce the amount of communication between the access forwarding unit and the tactful equipment and thus reduce bandwidth usage, the key information corresponding to multiple packets can be merged. Specifically, the access forwarding unit divides the packets obtained in a unit interval into streams according to their attributes: packets with the same attributes (i.e. key information) form one stream, and for each stream the key information corresponding to that stream is packaged into one piece of stream summary info according to the flow template. It follows that the number of packets corresponding to each stream is not fixed.
In general, besides the corresponding key information, each piece of stream summary info may also contain any combination of the start time of the stream, the end time of the stream, the total number of bytes of the stream, the total number of packets of the stream, and the number of the stream capture module (generally the domain ID of the access forwarding unit GGSN).
The key information here generally comprises the source access identifier AID, the destination access identifier AID, the source port number, the destination port number and the protocol type, i.e. what is commonly called the five-tuple of a packet. Optionally, the key information may also comprise the user ID of the user.
Generally, one tactful equipment is arranged in an integrated identification network, and this tactful equipment receives the stream summary info sent by every access forwarding unit in the network. Optionally, when the integrated identification network contains many access forwarding units, two or more tactful equipments can be arranged in it to reduce the demands on each tactful equipment's processor. Each tactful equipment receives the stream summary info sent by the access forwarding units corresponding to it, and the tactful equipments can share this stream summary info, or their determination results, with one another.
In another possible implementation, after receiving a packet from a user, the access forwarding unit determines whether the user may use this packet for access: it first looks up the user's access level among the stored access levels of each user and, from the target access identifier in the packet, determines the service grade of the requested server. If the user's access level is within the service grade required by the server, it determines that the user is not making unauthorized access; if the user's access level is not within the service grade required by the server, it determines that the user is making unauthorized access. To inform the tactful equipment, the access forwarding unit sends it the first parameter, which indicates whether the user is making unauthorized access.
In yet another possible implementation, after receiving a packet from a user, to determine whether the user is logging in from an abnormal location, the access forwarding unit obtains the identifier of the SGSN that sent the packet and sends the identifier of that SGSN, or the identifier of the access forwarding unit, to the tactful equipment as the second parameter. From the identifier of the SGSN or of the access forwarding unit, the tactful equipment can determine whether the user is logging in from a usual location.
Step 202, determine according to the characteristic information whether the access behavior of the user is an abnormal access behavior, where abnormal access behavior comprises attack behavior, unauthorized access behavior or abnormal-location login behavior.
In general, after receiving the first parameter, the tactful equipment can learn from its value whether the user's behavior is unauthorized access behavior.
After receiving the second parameter, the tactful equipment compares it with the historical second parameter corresponding to the user. When the second parameter corresponding to the user's identifier is the same as the historical second parameter, the tactful equipment considers that the user's access behavior is not abnormal-location login behavior; when they differ, the tactful equipment considers that the user's access behavior is abnormal-location login behavior.
It should be added that the historical second parameter here is generally the recorded usual login location of the user. Normally, during its initial period the tactful equipment records each login location of the user and determines the user's usual login location after collecting statistics for a certain time; that is, while the usual login location is still being determined, changes in the user's login location are not regarded as abnormal logins.
Step 203, if the access behavior of the user is an abnormal access behavior, adjust the credit value of the user in the adjustment mode corresponding to the type of the abnormal access behavior, where the credit value of the user is used to limit the access level of the user.
In the first case, the adjustment mode is the same for every abnormal access behavior; as soon as the user's access behavior is determined to be abnormal, this adjustment mode is used to adjust the user's credit value.
In the second case, each type of abnormal access behavior has its own adjustment mode, and the user's credit value is adjusted in the adjustment mode corresponding to the type of the abnormal access behavior.
Optionally, when the user's access behavior is abnormal, every adjustment mode lowers the user's credit value.
The credit value of the user corresponds to an access level; for example, each interval of credit values corresponds to one access level. When the user's credit value drops from a higher interval into the adjacent lower interval, the user's access level is reduced from the access level of the higher interval to the access level of the lower interval.
In summary, the abnormal access behavior analysis method provided by this embodiment obtains, in the UNE, the characteristic information of the data packet when a user accesses the network and determines whether the access behavior of the user is an abnormal access behavior; if it is, the credit value of the user is adjusted in the adjustment mode corresponding to the abnormal access behavior. Because the credit value of the user can be adjusted in real time according to the user's abnormal access behavior, the access level of the user can be determined and the user can then be provided with services matching that access level. This solves the problem in the prior art that service management is limited to providing the user with pertinent services, and achieves the effect of determining the latest access level for the user in real time and ensuring the security of user access.
Because this method analyzes, within the integrated identification network, anomalies in the access behavior of users of the GPRS network, the existing GPRS network architecture does not need large-scale changes. The security of GPRS user access can therefore be ensured effectively and user access rights reasonably optimized, while the implementation cost is greatly reduced.
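Steps 201 to 203 as seen from the tactful equipment, shown as an added Python example that is not code from the patent: it learns a usual login location, applies a per-type adjustment that grows with the accumulated count of that type, maps the credit value to an access level by interval, and notifies the access forwarding unit only when the level changes. The class and function names are hypothetical, and every number (initial credit, penalties, linear scaling, interval bounds, length of the learning period) is an assumption, since the page gives none.

```python
from collections import Counter, defaultdict

# Every number here is an assumption; the page gives no concrete values.
INITIAL_CREDIT = 100
LEARNING_LOGINS = 5  # logins recorded before the usual location is fixed
BASE_PENALTY = {     # one adjustment mode per abnormal behavior type
    "attack": 10,
    "unauthorized_access": 5,
    "abnormal_location_login": 3,
}
# (lowest credit value of the interval, access level), highest interval first.
LEVELS = ((80, 3), (50, 2), (20, 1), (0, 0))


def level_for(credit):
    """Return the access level of the credit interval that contains `credit`."""
    return next(level for floor, level in LEVELS if credit >= floor)


class PolicyEquipment:
    """Toy model of the per-user state kept by the page's tactful equipment."""

    def __init__(self, notify):
        self.credit = defaultdict(lambda: INITIAL_CREDIT)
        self.level = defaultdict(lambda: level_for(INITIAL_CREDIT))
        self.counts = defaultdict(Counter)  # uid -> abnormal behaviors per type
        self.logins = defaultdict(Counter)  # uid -> login locations seen so far
        self.notify = notify                # sends a new level to the forwarder

    def is_abnormal_location(self, uid, second_param):
        """Compare the second parameter (e.g. an SGSN id) with the user's history."""
        seen = self.logins[uid]
        if sum(seen.values()) < LEARNING_LOGINS:
            seen[second_param] += 1         # still learning: never abnormal
            return False
        usual = max(seen, key=seen.get)     # most frequent recorded location
        return second_param != usual

    def penalize(self, uid, kind):
        """Accumulate the count for this type and lower the credit value."""
        self.counts[uid][kind] += 1
        # Assumed rule: the adjustment grows linearly with the accumulated count.
        delta = BASE_PENALTY[kind] * self.counts[uid][kind]
        self.credit[uid] = max(0, self.credit[uid] - delta)
        new_level = level_for(self.credit[uid])
        if new_level != self.level[uid]:    # credit crossed into a new interval
            self.level[uid] = new_level
            self.notify(uid, new_level)
        return self.credit[uid]

    def on_report(self, uid, first_param=None, second_param=None, behavior=None):
        """Handle one report from the access forwarding unit; return what was abnormal."""
        kinds = []
        if behavior not in (None, "normal"):
            kinds.append("attack")               # classifier reported an attack type
        if first_param:
            kinds.append("unauthorized_access")  # first parameter set by the forwarder
        if second_param is not None and self.is_abnormal_location(uid, second_param):
            kinds.append("abnormal_location_login")
        for kind in kinds:
            self.penalize(uid, kind)
        return kinds


if __name__ == "__main__":
    pushed = []
    pe = PolicyEquipment(lambda uid, lvl: pushed.append((uid, lvl)))
    for _ in range(LEARNING_LOGINS):             # constructed login history
        pe.on_report("u1", second_param="sgsn-A")
    print(pe.on_report("u1", second_param="sgsn-B"), pe.credit["u1"])
    for _ in range(3):
        pe.on_report("u1", first_param=True)
    print(pe.credit["u1"], pe.level["u1"], pushed)
```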
Shown in Figure 3, it is the method flow diagram of the abnormal access behavior analysis method provided in another embodiment of the present invention, this abnormal access behavior analysis method is mainly illustrated to be applied in the mapping/certificate server 122 in UNE shown in Fig. 1, and this abnormal access behavior analysis method comprises:
Step 301, obtain the characteristic information of user's packet when accessing, characteristic information be key message, access forwarding unit that access forwarding unit extracts from this packet send be used to indicate user whether the first parameter of unauthorized access or access forwarding unit send be used to indicate user's the second parameter whether out-of-the way position logs in.
Origin for the first parameter and the second parameter is described in detail in step 201, just repeats no more here.
When the characteristic information is the key information, the policy device obtains the characteristic information of the user's data packets as follows:
First, when the characteristic information is the key information, the policy device receives the stream summary info and the flow template sent by the access forwarding unit. After receiving data packets, the access forwarding unit divides them into flows, and each piece of stream summary info is obtained by adding the key information corresponding to one flow to the flow template; the packets in each flow have identical key information.
Generally, after the access forwarding unit receives a data packet sent by the SGSN, it extracts the key information from the header of the received packet and sends the extracted key information to the policy device, so that the policy device can learn whether the packet was produced by an attack.
Optionally, to reduce the amount of communication between the access forwarding unit and the policy device, and thus the bandwidth used, the key information corresponding to multiple packets can be merged. Specifically, the access forwarding unit divides the packets obtained in each unit of time into flows by attribute: packets with the same attributes (i.e. the same key information) form one flow, and for each flow the corresponding key information is packaged into one piece of stream summary info according to the flow template. The number of packets in each flow is therefore not fixed.
In addition to the corresponding key information, each piece of stream summary info may also include the time at which the first packet of the flow was received, the time at which the last packet was received, the number of bytes occupied by each packet, and so on.
Usually one policy device is deployed in an integrated identification network, and it receives the stream summary info sent by every access forwarding unit in that network. Optionally, when the network contains many access forwarding units, two or more policy devices can be deployed to reduce the demands on each policy device's processor. Each policy device then receives the stream summary info sent by its corresponding access forwarding units, and the policy devices can share this stream summary info, or their determination results, with one another.
Second, for each piece of stream summary info, extract one group of key information from it according to the flow template.
Third, store the extracted key information as a stream summary record.
Optionally, each group of key information is stored as one stream summary record.
Alternatively, the relevant parameters are extracted from the stream summary info according to the flow template. These parameters comprise the key information corresponding to the stream summary info, the time at which the first packet of the corresponding flow was received, the time at which the last packet was received, the number of bytes occupied by each packet, and so on. Each group of relevant parameters is stored as one stream summary record.
Step 302: determine from the characteristic information whether the user's access behavior is abnormal access behavior. Abnormal access behavior comprises attack behavior, unauthorized access behavior, or abnormal-location login behavior.
When the characteristic information is the key information, the policy device performs entropy quantification on a predetermined number of stored stream summary records and inputs the resulting entropy vector to a classifier to obtain the behavior type corresponding to the access behavior. The behavior types comprise normal access behavior and various attack behaviors; the attack behaviors comprise TCP behavior, denial-of-service (DoS) attack behavior and distributed denial-of-service (DDoS) attack behavior.
How the policy device determines from the first parameter and the second parameter whether the user's access behavior is abnormal access behavior is described in detail in step 202 and is not repeated here.
Step 303: if the user's access behavior is abnormal access behavior, adjust the user's reputation value in the adjustment mode corresponding to that abnormal access behavior. The user's reputation value is used to limit the user's access level.
Optionally, the more frequently the user exhibits abnormal access behavior of the same type, the larger the adjustment applied to the reputation value for that behavior. For example, the more frequent the abnormal-location logins, the faster the reputation value decreases.
Optionally, the policy device accumulates, by type, the number of the user's abnormal access behaviors of the same type as the current one, and adjusts the user's reputation value using the adjustment parameter corresponding to the accumulated count.
Step 304: detect whether the adjusted reputation value corresponds to a new access level.
Different access levels correspond to different reputation value intervals, as shown in Table 1:
| Reputation interval | Access level |
| --- | --- |
| 0-100 | Level 5 |
| 100-200 | Level 4 |
| 200-400 | Level 3 |
| 400-500 | Level 4 |
| 500-1000 | Level 1 |
The widths of the reputation intervals corresponding to different access levels may be the same or different. For example, access level 5 corresponds to the reputation interval 0-100, while access level 3 corresponds to the reputation interval 200-400.
Table 1 is only a schematic example. In practice the reputation intervals may not be as regular as in Table 1, and the two endpoints of an interval need not be multiples of one hundred or even integers.
For example, if the user's original reputation value is 506, the corresponding access level is level 1; if the user's reputation value after adjustment is 422, it corresponds to a new access level, namely level 4.
Clearly, when the threat posed by an attack is large, or the user logs in from other locations especially frequently, or the user frequently performs unauthorized access, the user's access level is likely to be lowered directly by one, two or more levels. That is, the more serious the abnormal access behavior, the more sensitively the access level is adjusted. As a result, once the policy device has informed the access forwarding unit of the user's latest access level, the access forwarding unit can use that level to restrict some or all of the user's services in a more timely manner.
Step 305: if the adjusted reputation value corresponds to a new access level, adjust the user's access level to the level corresponding to the adjusted reputation value.
Step 306: send the adjusted access level to the access forwarding unit, to notify it to update the user's access level with the adjusted level; or, upon receiving from the access forwarding unit an acquisition request for the user's access level, send the adjusted access level to the access forwarding unit.
In one case, when the user's access level changes, the policy device actively informs the access forwarding unit of the user's new access level, so that the access forwarding unit provides access services to the user according to the user's latest access level.
In another case, the access forwarding unit requests the access level of each user from the policy device at predetermined intervals, or each time it starts up, and the policy device then sends the user's latest access level to the access forwarding unit.
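The reputation bookkeeping of steps 303 to 306, as an added example that is not code from the patent. The interval table is copied as printed in Table 1; the penalty values, the multiply-by-count escalation, the reading of each interval as low <= value < high, and all names are assumptions.

```python
from collections import defaultdict

# Table 1 as printed on the page: (low, high, access level).
LEVELS = [(0, 100, 5), (100, 200, 4), (200, 400, 3), (400, 500, 4), (500, 1000, 1)]

# Assumed base penalty per abnormal behavior type (values are not from the page).
BASE_PENALTY = {"attack": 60, "unauthorized_access": 30, "abnormal_location_login": 20}


def level_for(reputation):
    """Map a reputation value to its access level (assumed low <= value < high)."""
    for low, high, level in LEVELS:
        if low <= reputation < high:
            return level
    if reputation == LEVELS[-1][1]:      # top endpoint belongs to the last interval
        return LEVELS[-1][2]
    raise ValueError(f"reputation {reputation} is outside Table 1")


class PolicyDevice:
    """Hypothetical policy device holding per-user reputation and access level."""

    def __init__(self, notify):
        self.notify = notify             # push path of step 306
        self.reputation = {}
        self.level = {}
        self.counts = defaultdict(int)   # (user, behavior type) -> occurrences

    def register(self, user, reputation):
        self.reputation[user] = reputation
        self.level[user] = level_for(reputation)

    def report(self, user, behavior):
        """Apply steps 303-306 to one classified behavior; return the access level."""
        if behavior not in BASE_PENALTY:           # normal access: nothing to adjust
            return self.level[user]
        self.counts[user, behavior] += 1
        # Step 303: the penalty grows with the accumulated count of the same type.
        penalty = BASE_PENALTY[behavior] * self.counts[user, behavior]
        self.reputation[user] = max(0, self.reputation[user] - penalty)
        # Steps 304-305: change the level only when the interval changes.
        new_level = level_for(self.reputation[user])
        if new_level != self.level[user]:
            self.level[user] = new_level
            self.notify(user, new_level)           # step 306, push to forwarding unit
        return new_level

    def query(self, user):
        """Step 306, pull path: the forwarding unit asks for the current level."""
        return self.level[user]


def demo():
    pushed = []
    device = PolicyDevice(lambda user, level: pushed.append((user, level)))
    device.register("u1", 506)                      # level 1, as in the page's example
    for _ in range(3):                              # reputation: 486, 446, 386
        device.report("u1", "abnormal_location_login")
    return device.reputation["u1"], device.query("u1"), pushed


if __name__ == "__main__":
    print(demo())
```

Only a change of interval triggers a push, so repeated anomalies inside one interval lower the reputation without generating traffic to the access forwarding unit.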
In summary, the abnormal access behavior analysis method provided by this embodiment of the present invention obtains the characteristic information of the data packets sent when a user accesses the network and determines whether the user's access behavior is abnormal access behavior; if it is, the user's reputation value is adjusted in the adjustment mode corresponding to that abnormal access behavior. Because the reputation value can be adjusted in real time according to the user's abnormal access behavior, the user's access level can be determined from it, and the user can then be provided with the service matching that access level. This solves the prior-art problem that service management is limited to providing the user with pertinent service, and achieves the effect of determining the user's latest access level in real time and ensuring the security of the user's access.
Because this method performs, in the integrated identification network, anomaly analysis of the access behavior of users in the GPRS network, the existing GPRS network architecture does not need large-scale changes. The method therefore effectively ensures the security of GPRS user access and reasonably optimizes user access privileges while greatly reducing implementation cost.
In one possible implementation scenario, the policy device 122 may be a single device or a cluster of two or more devices. The following description takes as an example a policy device 122 comprising a user behavior analysis server 122a and a mapping/certificate server 123; see the description of Fig. 4 for details.
Fig. 4 is a flowchart of the abnormal access behavior analysis method provided by another embodiment of the present invention. The method comprises:
Step 401: the access forwarding unit receives the data packets of the user's access and divides them into flows; the packets in each flow have identical key information.
Generally, the access forwarding unit receives the packets sent by the SGSN in the access network. These packets are normally sent by a mobile terminal connected to the SGSN when it accesses the network.
The key information is generally located in the packet header, so the access forwarding unit can extract the key information from the header of the packet.
Specifically, the access forwarding unit groups the packets obtained in each unit of time by attribute: packets with the same attributes (i.e. the same key information) form one flow, and for each flow the corresponding key information is packaged into one piece of stream summary info according to the flow template. The number of packets in each flow is therefore not fixed.
In addition to the corresponding key information, each piece of stream summary info may also include the time at which the first packet of the flow was received, the time at which the last packet was received, the number of bytes occupied by each packet, and so on.
Step 402: for each flow, the access forwarding unit packages the corresponding key information into stream summary info according to the flow template.
Step 403: the access forwarding unit sends the stream summary info and the flow template to the user behavior analysis server.
Step 404: the user behavior analysis server receives the stream summary info and the flow template sent by the access forwarding unit.
Step 405: the user behavior analysis server extracts one group of key information from each piece of stream summary info according to the flow template, stores each group of key information as one stream summary record, performs entropy quantification on a predetermined number of stored stream summary records, and inputs the resulting entropy vector to a classifier to obtain the behavior type corresponding to the access behavior.
The behavior types comprise normal access behavior and various attack behaviors; the attack behaviors comprise TCP behavior, DoS attack behavior and DDoS attack behavior.
To improve the accuracy of the determination, the user behavior analysis server can extract the key information of the same user's packets from at least two pieces of stream summary info, perform entropy quantification on that key information, and input the resulting entropy vector to the classifier to obtain the behavior type corresponding to the access behavior.
Step 406: the user behavior analysis server sends the obtained behavior type to the mapping/certificate server.
Step 407: the access forwarding unit also determines, from the stored access level of the user, whether the user performs unauthorized access, and obtains the first parameter indicating whether the user performs unauthorized access.
For example, a first parameter of 1 indicates that the user performs unauthorized access, and a first parameter of 0 indicates that the user does not.
Step 408: the access forwarding unit sends to the mapping/certificate server the first parameter and the second parameter indicating whether the user logs in from an abnormal location.
The second parameter here may be the identifier of the SGSN, or the identifier of the access forwarding unit GGSN.
Step 409: the mapping/certificate server receives the type of abnormal access behavior obtained by the user behavior analysis server, and the first parameter and second parameter sent by the access forwarding unit.
Step 410: the mapping/certificate server determines from the first parameter whether the user's access behavior is unauthorized access behavior, and from the second parameter whether the user's access behavior is abnormal-location login behavior.
Step 411: the mapping/certificate server adjusts the user's reputation value in the adjustment mode corresponding to the abnormal access behavior.
Step 411 is similar to step 203; see the description of step 203, which is not repeated here.
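The flow path of steps 401 to 405 (group packets by key information, then quantify a window of stream summary records as an entropy vector), as an added example that is not code from the patent. The page does not give the entropy formula or the classifier, so the normalised Shannon entropy, the window size, the thresholds, the rule-based stand-in classifier (which separates only normal, DoS and DDoS) and all names are assumptions; the sample traffic is constructed.

```python
import math
from collections import Counter, namedtuple

# Key information fields listed on the page (the field names are assumptions).
FIELDS = ("user_id", "src_an", "dst_an", "proto", "src_port", "dst_port")
FlowRecord = namedtuple("FlowRecord", FIELDS + ("packets",))
WINDOW = 16  # the "predetermined number" of records; the value is an assumption


def aggregate(packets):
    """Forwarding-unit side: packets with identical key information form one flow."""
    flows = Counter(tuple(p[f] for f in FIELDS) for p in packets)
    return [FlowRecord(*key, packets=n) for key, n in flows.items()]


def normalized_entropy(values):
    """Shannon entropy of the value distribution, scaled to [0, 1] by log2(N)."""
    counts = Counter(values)
    if len(counts) <= 1:          # one distinct value (or no values): no uncertainty
        return 0.0
    total = sum(counts.values())
    h = -sum(c / total * math.log2(c / total) for c in counts.values())
    return h / math.log2(total)


def entropy_vector(records):
    """One normalised entropy per key field, in FIELDS order."""
    return tuple(normalized_entropy([getattr(r, f) for r in records]) for f in FIELDS)


def classify(vec, hi=0.8, lo=0.2):
    """Hypothetical rule-based stand-in for the classifier (thresholds assumed)."""
    e = dict(zip(FIELDS, vec))
    one_target = e["dst_an"] <= lo and e["dst_port"] <= lo
    if one_target and e["user_id"] >= hi:
        return "ddos"     # many users converge on a single target
    if one_target and e["user_id"] <= lo and e["src_port"] >= hi:
        return "dos"      # one user opens many flows to a single target
    return "normal"


def analyze(packets, window=WINDOW):
    """Analysis-server side: classify once enough stream summary records exist."""
    records = aggregate(packets)
    if len(records) < window:
        return None       # too few records for a stable entropy estimate
    return classify(entropy_vector(records[:window]))


def _pkt(user, src_an, dst_an, proto, sport, dport):
    return dict(zip(FIELDS, (user, src_an, dst_an, proto, sport, dport)))


# Constructed sample traffic: 16 flows per scenario, three packets per flow.
DOS_PACKETS = [_pkt("u1", "an1", "an9", 6, 40000 + i, 80)
               for i in range(16) for _ in range(3)]
DDOS_PACKETS = [_pkt(f"u{i}", f"an{i % 4}", "an9", 6, 50000, 80)
                for i in range(16) for _ in range(3)]
NORMAL_PACKETS = [_pkt(f"u{i % 4}", f"an{i % 3}", f"an{i % 5}", 6, 1024 + i, (80, 443, 53)[i % 3])
                  for i in range(16) for _ in range(3)]

if __name__ == "__main__":
    for name, pkts in (("dos", DOS_PACKETS), ("ddos", DDOS_PACKETS), ("normal", NORMAL_PACKETS)):
        vec = entropy_vector(aggregate(pkts))
        print(name, [round(x, 2) for x in vec], "->", analyze(pkts))
```

Aggregation cuts the 48 packets of each scenario to 16 records before anything is sent to the analysis server, which is the bandwidth saving the flow template is meant to provide.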
In summary, the abnormal access behavior analysis method provided by this embodiment of the present invention obtains the characteristic information of the data packets sent when a user accesses the network and determines whether the user's access behavior is abnormal access behavior; if it is, the user's reputation value is adjusted in the adjustment mode corresponding to that abnormal access behavior. Because the reputation value can be adjusted in real time according to the user's abnormal access behavior, the user's access level can be determined from it, and the user can then be provided with the service matching that access level. This solves the prior-art problem that service management is limited to providing the user with pertinent service, and achieves the effect of determining the user's latest access level in real time and ensuring the security of the user's access.
It should be added that, in practice, whether the policy device is a single standalone device or a cluster of multiple devices can be decided by the complexity of the integrated identification network and the load on its devices. For example, when the integrated identification network contains very many access forwarding units, and very many terminals connect through those access forwarding units, multiple policy devices can be deployed in the network. As another example, when the processor load of the mapping/certificate server is high, the policy device can be split into a user behavior analysis server and a mapping/certificate server.
Fig. 5 is a schematic structural diagram of the abnormal access behavior analysis device provided by one embodiment of the present invention. The device can be applied in the certificate server of the integrated identification network in the UNE shown in Fig. 1, and comprises a characteristic information acquisition module 510, an abnormal behavior determination module 520 and a reputation value adjustment module 530.
The characteristic information acquisition module 510 is configured to obtain the characteristic information of the data packets sent when a user accesses the network, the characteristic information being key information that the access forwarding unit extracts from the data packet, a first parameter sent by the access forwarding unit indicating whether the user performs unauthorized access, or a second parameter sent by the access forwarding unit indicating whether the user logs in from an abnormal location;
The abnormal behavior determination module 520 is configured to determine, from the characteristic information obtained by the characteristic information acquisition module, whether the user's access behavior is abnormal access behavior, the abnormal access behavior comprising attack behavior, unauthorized access behavior or abnormal-location login behavior;
The reputation value adjustment module 530 is configured to adjust the user's reputation value in the adjustment mode corresponding to the abnormal access behavior when the abnormal behavior determination module determines that the user's access behavior is abnormal access behavior, the user's reputation value being used to limit the user's access level;
wherein the key information comprises the user ID of the user, the source access network identifier, the target access network identifier, the protocol type, the source port and the target port.
In one possible implementation, referring to Fig. 6, the characteristic information acquisition module 510 comprises a receiving unit 511, a key information extraction unit 512 and a storage unit 513.
The receiving unit 511 is configured to receive, when the characteristic information is the key information, the stream summary info and the flow template sent by the access forwarding unit. After receiving data packets, the access forwarding unit divides them into flows, and each piece of stream summary info is obtained by adding the key information corresponding to one flow to the flow template; the packets in each flow have identical key information;
The key information extraction unit 512 is configured to extract, for each piece of stream summary info, one group of key information from that stream summary info according to the flow template;
The storage unit 513 is configured to store the key information extracted by the key information extraction unit 512 as a stream summary record.
In one possible implementation, the abnormal behavior determination module 520 is further configured to:
when the characteristic information is the key information, perform entropy quantification on a predetermined number of the stream summary records stored by the storage unit 513 and input the resulting entropy vector to a classifier to obtain the behavior type corresponding to the access behavior, the behavior types comprising normal access behavior and various attack behaviors, and the attack behaviors comprising TCP behavior, denial-of-service (DoS) attack behavior and distributed denial-of-service (DDoS) attack behavior.
In one possible implementation, the reputation value adjustment module 530 is further configured to:
accumulate, according to the type of the abnormal access behavior, the number of the user's abnormal access behaviors of the same type as that abnormal access behavior, and adjust the user's reputation value using the adjustment parameter corresponding to the accumulated count.
In one possible implementation, still referring to Fig. 6, the abnormal access behavior analysis device further comprises:
a detection module 540, configured to detect whether the reputation value adjusted by the reputation value adjustment module corresponds to a new access level;
an access level adjustment module 550, configured to adjust the user's access level to the level corresponding to the adjusted reputation value after the detection module detects that the adjusted reputation value corresponds to a new access level.
In one possible implementation, still referring to Fig. 6, the abnormal access behavior analysis device further comprises a first sending module 560 or a second sending module 570.
The first sending module 560 is configured to send the adjusted access level to the access forwarding unit, to notify the access forwarding unit to update the user's access level with the adjusted access level;
or,
the second sending module 570 is configured to send the adjusted access level to the access forwarding unit upon receiving from the access forwarding unit an acquisition request for the user's access level.
In summary, the abnormal access behavior analysis device provided by this embodiment of the present invention operates in the UNE: it obtains the characteristic information of the data packets sent when a user accesses the network and determines whether the user's access behavior is abnormal access behavior; if it is, the user's reputation value is adjusted in the adjustment mode corresponding to that abnormal access behavior. Because the reputation value can be adjusted in real time according to the user's abnormal access behavior, the user's access level can be determined from it, and the user can then be provided with the service matching that access level. This solves the prior-art problem that service management is limited to providing the user with pertinent service, and achieves the effect of determining the user's latest access level in real time and ensuring the security of the user's access.
Because this device performs, in the integrated identification network, anomaly analysis of the access behavior of users in the GPRS network, the existing GPRS network architecture does not need large-scale changes. The device therefore effectively ensures the security of GPRS user access and reasonably optimizes user access privileges while greatly reducing implementation cost.
It should be added that the division into modules and units in Fig. 5 and Fig. 6 is not limiting. In practice, all or some of these modules or units can be combined or merged in any way as needed, and all or some of them can also be split.
It should be noted that, when the abnormal access behavior analysis device provided in the above embodiment analyzes abnormal behavior during user access, the division into the functional modules above is used only as an illustration. In practice, the functions can be assigned to different functional modules as needed; that is, the internal structure of the certificate server in the integrated identification network can be divided into different functional modules to perform all or some of the functions described above. In addition, the abnormal access behavior analysis device provided by the above embodiment and the abnormal access behavior analysis method embodiments belong to the same concept; for its specific implementation, see the method embodiments, which are not repeated here.
The serial numbers of the above embodiments of the present invention are for description only and do not represent the merits of the embodiments.
A person of ordinary skill in the art will understand that all or some of the steps of the above embodiments may be implemented by hardware, or by a program instructing the relevant hardware. The program may be stored in a computer-readable storage medium, which may be a read-only memory, a magnetic disk, an optical disc, or the like.
The above are only preferred embodiments of the present invention and are not intended to limit it. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within its scope of protection.

Claims (12)

1. An abnormal access behavior analysis method, characterized in that the method comprises:
obtaining the characteristic information of the data packets sent when a user accesses the network, the characteristic information being key information that the access forwarding unit extracts from the data packet, a first parameter sent by the access forwarding unit indicating whether the user performs unauthorized access, or a second parameter sent by the access forwarding unit indicating whether the user logs in from an abnormal location;
determining from the characteristic information whether the user's access behavior is abnormal access behavior, the abnormal access behavior comprising attack behavior, unauthorized access behavior or abnormal-location login behavior;
if the user's access behavior is abnormal access behavior, adjusting the user's reputation value in the adjustment mode corresponding to the type of the abnormal access behavior, the user's reputation value being used to limit the user's access level;
wherein the key information comprises the user ID of the user, the source access network identifier, the target access network identifier, the protocol type, the source port and the target port.
2. The method according to claim 1, characterized in that obtaining the characteristic information of the data packets sent when the user accesses the network comprises:
when the characteristic information is the key information, receiving the stream summary info and the flow template sent by the access forwarding unit, wherein the access forwarding unit, after receiving the data packets, divides them into flows, each piece of stream summary info is obtained by adding the key information corresponding to one flow to the flow template, and the packets in each flow have identical key information;
for each piece of stream summary info, extracting one group of key information from the stream summary info according to the flow template;
storing the key information as a stream summary record.
3. The method according to claim 2, characterized in that determining from the characteristic information whether the user's access behavior is abnormal access behavior comprises:
when the characteristic information is the key information, performing entropy quantification on a predetermined number of the stored stream summary records and inputting the resulting entropy vector to a classifier to obtain the behavior type corresponding to the access behavior, the behavior types comprising normal access behavior and various attack behaviors, and the attack behaviors comprising TCP behavior, denial-of-service (DoS) attack behavior and distributed denial-of-service (DDoS) attack behavior.
4. The method according to claim 1, characterized in that adjusting the user's reputation value in the adjustment mode corresponding to the type of the abnormal access behavior comprises:
accumulating, according to the type of the abnormal access behavior, the number of the user's abnormal access behaviors of the same type as that abnormal access behavior, and adjusting the user's reputation value using the adjustment parameter corresponding to the accumulated count.
5. The method according to any one of claims 1 to 4, characterized in that, after adjusting the user's reputation value in the adjustment mode corresponding to the type of the abnormal access behavior, the method further comprises:
detecting whether the adjusted reputation value corresponds to a new access level;
if the adjusted reputation value corresponds to a new access level, adjusting the user's access level to the level corresponding to the adjusted reputation value.
6. The method according to claim 5, characterized in that the method further comprises:
sending the adjusted access level to the access forwarding unit, to notify the access forwarding unit to update the user's access level with the adjusted access level;
or,
upon receiving from the access forwarding unit an acquisition request for the user's access level, sending the adjusted access level to the access forwarding unit.
7. An abnormal access behavior analysis device, characterized in that the device comprises:
a characteristic information acquisition module, configured to obtain the characteristic information of the data packets sent when a user accesses the network, the characteristic information being key information that the access forwarding unit extracts from the data packet, a first parameter sent by the access forwarding unit indicating whether the user performs unauthorized access, or a second parameter sent by the access forwarding unit indicating whether the user logs in from an abnormal location;
an abnormal behavior determination module, configured to determine, from the characteristic information obtained by the characteristic information acquisition module, whether the user's access behavior is abnormal access behavior, the abnormal access behavior comprising attack behavior, unauthorized access behavior or abnormal-location login behavior;
a reputation value adjustment module, configured to adjust the user's reputation value in the adjustment mode corresponding to the type of the abnormal access behavior when the abnormal behavior determination module determines that the user's access behavior is abnormal access behavior, the user's reputation value being used to limit the user's access level;
wherein the key information comprises the user ID of the user, the source access network identifier, the target access network identifier, the protocol type, the source port and the target port.
8. The device according to claim 7, characterized in that the characteristic information acquisition module comprises:
a receiving unit, configured to receive, when the characteristic information is the key information, the stream summary info and the flow template sent by the access forwarding unit, wherein the access forwarding unit, after receiving the data packets, divides them into flows, each piece of stream summary info is obtained by adding the key information corresponding to one flow to the flow template, and the packets in each flow have identical key information;
a key information extraction unit, configured to extract, for each piece of stream summary info, one group of key information from the stream summary info according to the flow template;
a storage unit, configured to store the key information extracted by the key information extraction unit as a stream summary record.
9. The device according to claim 8, characterized in that the abnormal behavior determination module is further configured to:
when the characteristic information is the key information, perform entropy quantification on a predetermined number of the stream summary records stored by the storage unit and input the resulting entropy vector to a classifier to obtain the behavior type corresponding to the access behavior, the behavior types comprising normal access behavior and various attack behaviors, and the attack behaviors comprising TCP behavior, denial-of-service (DoS) attack behavior and distributed denial-of-service (DDoS) attack behavior.
10. The device according to claim 7, characterized in that the reputation value adjustment module is further configured to:
accumulate, according to the type of the abnormal access behavior, the number of the user's abnormal access behaviors of the same type as that abnormal access behavior, and adjust the user's reputation value using the adjustment parameter corresponding to the accumulated count.
11. according to described device arbitrary in claim 7 to 10, and it is characterized in that, described device also comprises:
Detection module, for detecting the whether corresponding new access level of credit value after the adjustment of described credit value adjusting module;
Access level adjusting module, after the corresponding new access level of the credit value after described detection module detects adjustment, the access level of described user is adjusted to adjust after access level corresponding to credit value.
12. devices according to claim 11, is characterized in that, described device also comprises:
First sending module, for the described access level obtained after adjustment is sent to described access forwarding unit, to notify that described access forwarding unit utilizes the described access level after adjusting to upgrade the access level of described user;
Or,
Second sending module, for when receiving the acquisition request of described access forwarding unit for the access level of user described in acquisition request, is sent to described access forwarding unit by the described access level obtained after adjustment.
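Claims 9 to 11 chain four steps: entropy quantization of a window of flow summary records, classification of the entropy vector, accumulation of same-type anomalies per user, and mapping of the adjusted credit value to an access level. The Python below is an added example, not code from the patent. Its nearest-reference-vector classifier, penalty values, credit floors, the choice to lower credit on anomalies, and the sample windows are all assumptions made for illustration.

```python
import math
from collections import Counter, defaultdict

# Key-message fields listed in claim 7; one entropy value is computed per field.
FIELDS = ("user_id", "src_net", "dst_net", "proto", "src_port", "dst_port")

def entropy_vector(records):
    """Normalised Shannon entropy (0..1) of each key field over one window."""
    n = len(records)
    vec = []
    for field in FIELDS:
        counts = Counter(r[field] for r in records)
        h = -sum(c / n * math.log2(c / n) for c in counts.values())
        vec.append(h / math.log2(n) if n > 1 else 0.0)
    return vec

def classify(vec, centroids):
    """Stand-in classifier (assumption): label of the nearest reference vector."""
    return min(centroids, key=lambda label: math.dist(vec, centroids[label]))

class CreditLedger:
    """Claims 10-11: count same-type anomalies; assumed penalty grows with the count."""
    def __init__(self, penalty, levels, start=100):
        self.penalty, self.levels, self.start = penalty, levels, start
        self.counts = defaultdict(Counter)  # user -> behaviour type -> count
        self.credit = {}
    def report(self, user, behaviour):
        credit = self.credit.get(user, self.start)
        if behaviour != "normal":
            self.counts[user][behaviour] += 1
            credit = max(0, credit - self.penalty[behaviour] * self.counts[user][behaviour])
        self.credit[user] = credit
        level = next(lvl for floor, lvl in self.levels if credit >= floor)
        return credit, level

def window(kind, n=16):
    """Constructed sample windows of flow summary records (not real traffic)."""
    def rec(i):
        if kind == "dos":    # one user, many flows, one target
            return ("u1", "an1", "an9", "tcp", 40000 + i, 80)
        if kind == "ddos":   # many users, one target
            return (f"u{i}", f"an{i % 4}", "an9", "udp", 50000 + i, 80)
        return (f"u{i % 4}", f"an{i % 2}", f"an{5 + i % 4}",
                ("tcp", "udp")[i % 2], 40000 + i, (80, 443, 53, 22)[i % 4])
    return [dict(zip(FIELDS, rec(i))) for i in range(n)]

CENTROIDS = {k: entropy_vector(window(k)) for k in ("normal", "dos", "ddos")}
PENALTY = {"dos": 10, "ddos": 15}        # assumed adjustment parameters
LEVELS = ((80, 3), (50, 2), (0, 1))      # assumed (credit floor, access level)
```

Normalising each entropy by log2 of the window size keeps vectors from windows of different lengths roughly comparable, which is why a 32-record window can be classified against reference vectors built from 16 records.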
CN201510236271.1A 2015-05-11 2015-05-11 Method and device for analyzing abnormal access behaviors Pending CN104883363A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510236271.1A CN104883363A (en) 2015-05-11 2015-05-11 Method and device for analyzing abnormal access behaviors

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510236271.1A CN104883363A (en) 2015-05-11 2015-05-11 Method and device for analyzing abnormal access behaviors

Publications (1)

Publication Number Publication Date
CN104883363A true CN104883363A (en) 2015-09-02

Family

ID=53950697

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510236271.1A Pending CN104883363A (en) 2015-05-11 2015-05-11 Method and device for analyzing abnormal access behaviors

Country Status (1)

Country Link
CN (1) CN104883363A (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105808639A (en) * 2016-02-24 2016-07-27 平安科技(深圳)有限公司 Network access behavior recognizing method and device
CN106060043A (en) * 2016-05-31 2016-10-26 北京邮电大学 Abnormal flow detection method and device
CN106357434A (en) * 2016-08-30 2017-01-25 国家电网公司 Detection method, based on entropy analysis, of traffic abnormity of smart grid communication network
CN107306252A (en) * 2016-04-21 2017-10-31 中国移动通信集团河北有限公司 A kind of data analysing method and system
CN108769107A (en) * 2018-04-12 2018-11-06 北京奇艺世纪科技有限公司 A kind of video dispatching method, device and electronic equipment
CN110366009A (en) * 2018-03-26 2019-10-22 优酷网络技术(北京)有限公司 The recognition methods of multimedia resource request and device
WO2020012287A1 (en) * 2018-07-09 2020-01-16 International Business Machines Corporation Cognitive fraud prevention
CN111310139A (en) * 2020-01-21 2020-06-19 腾讯科技(深圳)有限公司 Behavior data identification method and device and storage medium
CN113411353A (en) * 2021-08-03 2021-09-17 广州汇图计算机信息技术有限公司 Network security protection method and system
CN113535501A (en) * 2020-04-15 2021-10-22 中移动信息技术有限公司 Information auditing method, device, equipment and computer storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090287819A1 (en) * 2008-05-16 2009-11-19 Microsoft Corporation System from reputation shaping a peer-to-peer network
CN101729321A (en) * 2009-12-22 2010-06-09 北京理工大学 Dynamic cross-domain access control method based on trust valuation mechanism
CN104168165A (en) * 2014-07-02 2014-11-26 北京交通大学 Access control method and device based on GPRS network and integrated identification network

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
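LINYING SU et al.: "Reputation Service and Reputation Based Access Control", 《E-PRODUCT E-SERVICE AND E-ENTERTAINMENT (ICEEE)》 *
SHUYING CHANG et al.: "A flow-based anomaly detection method using entropy and multiple traffic features", 《BROADBAND NETWORK AND MULTIMEDIA TECHNOLOGY (IC-BNMT)》 *
孟庆媛: "Research on Reputation-Based Network Access Management", 《China Master's Theses Full-text Database, Information Science and Technology》 *
杭静文: "Research and Implementation of Traffic Anomaly Monitoring Technology for Integrated Identification Networks", 《China Master's Theses Full-text Database, Information Science and Technology》 *
雷维礼: "《Access Network Technology》", 30 September 2006 *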

Cited By (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105808639A (en) * 2016-02-24 2016-07-27 平安科技(深圳)有限公司 Network access behavior recognizing method and device
CN105808639B (en) * 2016-02-24 2021-02-09 平安科技(深圳)有限公司 Network access behavior identification method and device
CN107306252A (en) * 2016-04-21 2017-10-31 中国移动通信集团河北有限公司 A kind of data analysing method and system
CN106060043A (en) * 2016-05-31 2016-10-26 北京邮电大学 Abnormal flow detection method and device
CN106060043B (en) * 2016-05-31 2019-06-07 北京邮电大学 A kind of detection method and device of abnormal flow
CN106357434A (en) * 2016-08-30 2017-01-25 国家电网公司 Detection method, based on entropy analysis, of traffic abnormity of smart grid communication network
CN110366009A (en) * 2018-03-26 2019-10-22 优酷网络技术(北京)有限公司 The recognition methods of multimedia resource request and device
CN110366009B (en) * 2018-03-26 2022-06-17 阿里巴巴(中国)有限公司 Multimedia resource request identification method and device
CN108769107A (en) * 2018-04-12 2018-11-06 北京奇艺世纪科技有限公司 A kind of video dispatching method, device and electronic equipment
CN108769107B (en) * 2018-04-12 2021-11-26 北京奇艺世纪科技有限公司 Video scheduling method and device and electronic equipment
CN112368992A (en) * 2018-07-09 2021-02-12 国际商业机器公司 Cognitive fraud prevention
GB2590290A (en) * 2018-07-09 2021-06-23 Ibm Cognitive fraud prevention
US11095632B2 (en) 2018-07-09 2021-08-17 International Business Machines Corporation Cognitive fraud prevention
GB2590290B (en) * 2018-07-09 2022-03-02 Ibm Cognitive fraud prevention
WO2020012287A1 (en) * 2018-07-09 2020-01-16 International Business Machines Corporation Cognitive fraud prevention
CN112368992B (en) * 2018-07-09 2023-04-04 国际商业机器公司 Computer-implemented method, system and readable storage medium for preventing cognitive fraud
CN111310139A (en) * 2020-01-21 2020-06-19 腾讯科技(深圳)有限公司 Behavior data identification method and device and storage medium
CN113535501A (en) * 2020-04-15 2021-10-22 中移动信息技术有限公司 Information auditing method, device, equipment and computer storage medium
CN113411353A (en) * 2021-08-03 2021-09-17 广州汇图计算机信息技术有限公司 Network security protection method and system
CN113411353B (en) * 2021-08-03 2021-11-09 广州汇图计算机信息技术有限公司 Network security protection method and system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
EXSB Decision made by sipo to initiate substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20150902
