Embodiment
Exemplary embodiments of the disclosure are described more fully below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be realized in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure can be understood more thoroughly and so that its scope can be fully conveyed to those skilled in the art.
An embodiment of the present invention provides a cloud-based website log security analysis method. As shown in Figure 1, the method includes:
101. The cloud platform obtains, in real time, the newest website log recorded on the current website server side.
When an external visitor accesses a website server, the website server side records a website log containing access information about the visitor (such as the visitor's IP (Internet Protocol) address, the access time and the type of browser the visitor used) and the website server's response information (such as the returned information). As visitors keep accessing the website server, the website logs recorded on the website server side are continuously updated. The cloud platform can obtain the newest website log recorded on each website server side in real time and perform security analysis on the website logs it obtains.
The current website server in this step is the website server that corresponds to the current newest website log. If only one website server is currently generating a new website log, the current website server is that website server; if at least two website servers are currently generating new website logs, the current website servers are those at least two website servers.
102. The newest website log is matched against strong rules.
A strong rule is a rule that rigidly stipulates that a certain kind of website log is an attack log. Each time the current website server side produces a new website log, the cloud platform obtains that website log and checks it against the strong rules to determine whether the newest website log is an attack log, thereby monitoring the security of the current website server in real time.
Specifically, a strong rule can include attack signatures, preconditions and so on. For example, a website log records that a visitor sent a data theft request to the website server. Because an external visitor does not have permission to obtain the private data on the website server side, the feature of requesting to steal data can be classed as an attack signature; when the strong rule detects this attack signature, the website log is determined to have matched the strong rule.
As mentioned in step 101, at least two website servers may produce new website logs at the current time, so the number of newest website logs equals the number of website servers producing new website logs at the current time. Therefore, if there are at least two current website servers, the cloud platform needs to run strong-rule detection on the at least two newest website logs simultaneously, so that the newest website log produced by each website server is security-checked in real time.
103. If the newest website log matches a strong rule, the newest website log is determined to be an obvious attack log.
Because a strong rule rigidly stipulates that a certain kind of website log is an attack log, when the cloud platform matches the newest website log against the strong rules and the match succeeds, it can determine that the newest website log is an obvious attack log. Correspondingly, if the match does not succeed, the cloud platform can determine that the newest website log is not an obvious attack log.
For example, the content of one website log includes a visitor sending the website server a request for website administration privileges, and the strong rules include website administration privileges; the website log therefore matches a strong rule and is an obvious attack log. The content of another website log includes a visitor sending the website server a request to enlarge a picture, and the strong rules contain nothing related; that website log does not match a strong rule and is not an obvious attack log.
104. The attack source is determined from the obvious attack log.
Because a website log stores the visitor's IP address, the access time, the operating system type, the browser type, the specific object (page) accessed and similar information, once the cloud platform has identified an obvious attack log it can determine the attack source from the various pieces of information in that log. Specifically, it can determine that the IP address in the obvious attack log is the attack source, or that the IP addresses corresponding to the operating system type, browser type and so on are the attack source.
For example, an obvious attack log stores the visitor's IP address (such as 198.161.2.21), browser type (such as IE browser version 10), website login account (such as mmmmnnn) and password (999888). The cloud platform can directly determine that 198.161.2.21 is the attack source, or it can determine as attack sources the IP addresses of the website logs whose browser type is IE browser version 10, whose website login account is mmmmnnn and whose password is 999888.
It should be noted that, as mentioned in step 102, there may be at least two newest website logs, so there may also be at least two obvious attack logs. And because the attack source is determined from the obvious attack logs, there may be at least two attack sources as well.
105. The target website logs produced when the attack source accessed all website servers are looked up, and the target website logs are matched against the anomaly model.
In practice, hackers often send a website server a number of access requests, each of which is a normal access when viewed on its own, but which taken together constitute an attack on the website server. For example, from 8:00 to 8:02 on May 1, 2015, the website logs record 50000 successive requests to enter the second page of the website; each website log is a normal access request, but the 50000 requests as a whole are a traffic attack. Therefore, matching single website logs one by one against strong rules cannot guarantee that all the attacks the attack source has made on all website servers are detected. The relationships and differences among the multiple website logs that correspond to the attack source have to be analysed longitudinally along the time axis before the more hidden attack logs can be detected.
After the cloud platform determines the attack source, it can search the historical website logs (excluding the newest website log produced by the current website server) for the target website logs produced when the attack source accessed all website servers, and match the target website logs against the anomaly model. Here, all website servers include the current website server and the other website servers, and a target website log is a website log that corresponds to the attack source.
It should be noted that the anomaly model detects as follows: the cloud platform analyses the difference between the behaviour information reflected by each target website log and the normalized behaviour information reflected by all target website logs of the same website. If the difference is greater than a preset threshold, the corresponding target website log is determined to match the anomaly model; if the difference is less than or equal to the preset threshold, the corresponding target website log is determined not to match the anomaly model.
For example, the cloud platform finds 5 target website logs in the historical website logs of one website server. The size of the website server response packet recorded in target website log 1 is 20kb, in target website log 2 it is 20.9kb, in target website log 3 it is 1Mb, in target website log 4 it is 19.8kb, and in target website log 5 it is 21.9kb. The normalized behaviour information reflected by the 5 target website logs is therefore that the website server response packet is generally about 21kb. Comparing the response packet size in each website log with 21kb shows that, apart from 1Mb, which is far larger than 21kb, the others are all about 21kb. If the preset threshold is 100kb, 1Mb (1024kb) differs from 21kb by 1003kb, so target website log 3, which corresponds to 1Mb, is a website log that matches the anomaly model, and the other 4 target website logs do not match the anomaly model.
It should be noted that the anomaly models in this step are not necessarily the same; each anomaly model is the one that corresponds to its own website server. For example, with 5 website servers, where website server 1 corresponds to anomaly model 1, website server 2 to anomaly model 2, website server 3 to anomaly model 3, website server 4 to anomaly model 4 and website server 5 to anomaly model 5, anomaly models 1 to 5 may all differ, may be partly the same (for example, anomaly models 1, 2 and 5 are the same and anomaly models 3 and 4 are the same), or may all be the same.
In addition, when target website logs are matched against an anomaly model, the target website logs are those of the corresponding website server, not the website logs of all website servers.
In addition, if there are at least two attack sources, the cloud platform needs to search the historical website logs of all website servers for the target website logs of each attack source at the same time. For example, if the cloud platform determines two attack sources (such as attack source 1 and attack source 2), it needs to search the historical website logs of all website servers for the target website logs corresponding to attack source 1 and for those corresponding to attack source 2.
106. If a target website log matches the anomaly model, the target website log of the corresponding attack source is determined to be a hidden attack log.
After the target website logs have been matched against the anomaly model, if the match succeeds, the cloud platform can determine that the target website log of the corresponding attack source is a hidden attack log; if the match does not succeed, the cloud platform can determine that the target website log of the corresponding attack source is not a hidden attack log.
For example, in the example of step 105, target website log 3 matches the anomaly model, so target website log 3 is a hidden attack log; target website logs 1, 2, 4 and 5 do not match the anomaly model, so they are not hidden attack logs.
With the cloud-based website log security analysis method provided by this embodiment of the invention, the cloud platform matches the newest website logs obtained in real time against strong rules, determines the newest website logs that match to be obvious attack logs and finds the attack source, then searches the historical website logs produced by all website servers for the target website logs corresponding to the attack source and matches them against the anomaly model, determining the target website logs that match to be hidden attack logs. Compared with the prior art, which cannot detect hidden attacks, the invention first uses strong-rule detection to find the obvious attack logs and the corresponding attack source, and then applies anomaly-model detection to the target website logs of that attack source among the website logs produced by all website servers. The obvious attacks and the hidden attacks that the attack source has made on each website server are thus all detected, so that the administrator of each website can take defensive action against the attack source in time and keep the website server secure.
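Steps 102 to 106 as a small pipeline, added here as an illustration; it is not code from the patent. The request patterns, server names, second IP address and the use of the median as the "normalized behaviour information" are assumptions; the response sizes, the 100kb threshold and the address 198.161.2.21 are the ones used in the examples above.

```python
import re
from statistics import median
from typing import NamedTuple


class WebLog(NamedTuple):
    server: str         # website server that recorded the log
    ip: str             # visitor IP address
    request: str        # requested path and query string
    response_kb: float  # size of the server's response packet


# Constructed strong rules: a match alone marks the log as an attack log.
STRONG_RULES = {
    "admin_privilege_request": re.compile(r"^/admin/grant\b"),
    "private_data_request": re.compile(r"^/export/private\b"),
}


def match_strong_rule(log):
    """Steps 102-103: name of the strong rule the log matches, or None."""
    for name, pattern in STRONG_RULES.items():
        if pattern.search(log.request):
            return name
    return None


def find_target_logs(history, attack_source):
    """Step 105 lookup: the attack source's history logs, grouped by server."""
    by_server = {}
    for log in history:
        if log.ip == attack_source:
            by_server.setdefault(log.server, []).append(log)
    return by_server


def match_anomaly_model(target_logs, threshold_kb):
    """Steps 105-106: logs whose response size differs from the server's
    baseline by more than the threshold. The median is an assumed baseline;
    the text only says the sizes are 'generally about 21kb'."""
    baseline = median(log.response_kb for log in target_logs)
    return [log for log in target_logs
            if abs(log.response_kb - baseline) > threshold_kb]


def analyse(newest, history, thresholds):
    """Run steps 102-106 for one newest log; None if no strong rule matches."""
    rule = match_strong_rule(newest)
    if rule is None:
        return None
    source = newest.ip  # step 104: IP address of the obvious attack log
    hidden = {server: match_anomaly_model(logs, thresholds[server])
              for server, logs in find_target_logs(history, source).items()}
    return {"rule": rule, "attack_source": source, "hidden": hidden}


# Constructed history; site-1 carries the five response sizes of step 105.
SOURCE = "198.161.2.21"
HISTORY = [
    WebLog("site-1", SOURCE, "/page?id=1", 20.0),
    WebLog("site-1", SOURCE, "/page?id=2", 20.9),
    WebLog("site-1", SOURCE, "/page?id=3", 1024.0),   # 1Mb
    WebLog("site-1", SOURCE, "/page?id=4", 19.8),
    WebLog("site-1", SOURCE, "/page?id=5", 21.9),
    WebLog("site-1", "203.0.113.5", "/page?id=9", 900.0),  # other visitor
    WebLog("site-2", SOURCE, "/news", 35.0),
    WebLog("site-2", SOURCE, "/news?p=2", 36.5),
]
THRESHOLDS = {"site-1": 100.0, "site-2": 50.0}  # one anomaly model per server
NEWEST = WebLog("site-1", SOURCE, "/admin/grant?user=mmmmnnn", 1.2)

if __name__ == "__main__":
    result = analyse(NEWEST, HISTORY, THRESHOLDS)
    print(result["rule"], result["attack_source"])
    for server, logs in result["hidden"].items():
        print(server, [log.request for log in logs])
```

The large response served to 203.0.113.5 is not flagged, because only logs of the attack source found in step 104 reach the anomaly model.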
Further, in the above embodiment, determining the attack source from the obvious attack log can be implemented as follows: the cloud platform looks up a preset identifier in the obvious attack log and determines the IP address corresponding to that preset identifier to be the attack source.
Specifically, the preset identifier can be an IP address, a UA (User Agent) or a Cookie. The UA generally contains the browser type, the browser rendering engine, the operating system type and so on; the Cookie generally contains the user's account and password, the record of visits to the website (such as which content of which page was accessed at what time) and so on.
Normally a visitor uses a fixed IP address to access a website server, so the preset identifier can be the IP address and the cloud platform can determine the IP address to be the attack source. However, to keep their attacks from being discovered, hackers often use different IP addresses to attack a website server. Determining the IP address in the obvious attack log to be the attack source directly therefore often finds only the attacks made by the multiple attack sources that correspond to the multiple IP addresses, and it is hard to discover the hidden attack formed by the website logs of these IP addresses taken together. For example, a hacker uses a first IP address to send the website server (the same website server throughout) 800 requests to open the website home page between 16:00 and 16:02, a second IP address to send 800 such requests between 16:02 and 16:04, a third IP address to send 800 such requests between 16:04 and 16:06, and a fourth IP address to send 800 such requests between 16:06 and 16:08. Analysed from a single IP address these requests are normal requests, but analysed across all the IP addresses together they are a traffic attack. To determine the attack source further, the following scheme can be used:
The cloud platform looks up the Cookie and/or UA in the obvious attack log and determines the IP addresses corresponding to that Cookie and/or UA to be the attack source.
In practice, the Cookie contains the account, the password, the record of visits to the website and so on, and under normal circumstances this content does not change, so the preset identifier can be the Cookie. After finding the Cookie in the obvious attack log, the cloud platform can, in the historical website logs of all website servers, determine the IP addresses corresponding to Cookies whose content is identical to the Cookie content of the obvious attack log to be the attack source.
Similarly to the Cookie, when a visitor uses the same computer to access websites, the browser type, operating system and search engine used usually do not change, so the preset identifier can also be the UA. After finding the UA in the obvious attack log, the cloud platform can, in the historical website logs of all website servers, determine the IP addresses corresponding to UAs whose content is identical to the UA content of the obvious attack log to be the attack source.
In addition, in practice either the Cookie or the UA may change, so using only the Cookie or only the UA as the identifier for determining the attack source can miss logs; but the Cookie and the UA usually do not change at the same time. Therefore, to avoid omissions when looking up the website logs of the attack source, the Cookie and the UA can both be used as preset identifiers, and the IP addresses corresponding to these preset identifiers are determined to be the attack source. That is, every website log whose Cookie is identical to that of the obvious attack log, or whose UA is identical to that of the obvious attack log, is a target website log.
For example, after the newest website log (taking one newest website log as an example) is determined to be an obvious attack log, the corresponding Cookie and UA can be found in the obvious attack log. The historical website logs of all website servers (taking 3 website servers as an example) are then searched for website logs with the same Cookie or the same UA, and anomaly-model detection is run on those website logs. In the historical website logs of website server 1, 50 website logs are found that share only the Cookie with the obvious attack log, 20 that share only the UA, and 15 that share both the Cookie and the UA; in the historical website logs of website server 2, 30 website logs are found that share only the Cookie, 15 that share only the UA, and 5 that share both; in the historical website logs of website server 3, 100 website logs are found that share only the Cookie, 45 that share only the UA, and 35 that share both. The cloud platform then runs security detection on the 85 website logs of website server 1 with anomaly model 1, on the 50 website logs of website server 2 with anomaly model 2, and on the 180 website logs of website server 3 with anomaly model 3, to determine whether they contain hidden attack logs.
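The Cookie-or-UA lookup described above, as an added Python illustration that is not part of the patent. The Cookie and UA strings, server names and IP addresses are constructed; the per-server counts for website servers 1 and 2 are the ones in the example above.

```python
from typing import NamedTuple


class WebLog(NamedTuple):
    server: str
    ip: str
    cookie: str
    ua: str


def link_by_identifier(obvious, history):
    """Select every history log that shares the Cookie OR the UA of the
    obvious attack log. Returns (per-server summary, set of source IPs)."""
    linked = {}
    sources = set()
    for log in history:
        same_cookie = log.cookie == obvious.cookie
        same_ua = log.ua == obvious.ua
        if not (same_cookie or same_ua):
            continue  # unrelated visitor
        if same_cookie and same_ua:
            kind = "both"
        elif same_cookie:
            kind = "cookie_only"
        else:
            kind = "ua_only"
        entry = linked.setdefault(
            log.server,
            {"cookie_only": 0, "ua_only": 0, "both": 0, "targets": []})
        entry[kind] += 1
        entry["targets"].append(log)   # these go to the server's anomaly model
        sources.add(log.ip)            # every linked IP is an attack source
    return linked, sources


# Constructed identifiers and addresses (documentation ranges).
ATTACK_COOKIE = "session=constructed-attacker"
ATTACK_UA = "ConstructedBrowser/10.0 (ConstructedOS)"
ATTACK_IPS = ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"]


def make_logs(server, count, cookie, ua, ips):
    """Build `count` constructed logs, rotating through the given IPs."""
    return [WebLog(server, ips[i % len(ips)], cookie, ua) for i in range(count)]


HISTORY = (
    make_logs("site-1", 50, ATTACK_COOKIE, "OtherBrowser/1.0", ATTACK_IPS)
    + make_logs("site-1", 20, "session=changed", ATTACK_UA, ATTACK_IPS)
    + make_logs("site-1", 15, ATTACK_COOKIE, ATTACK_UA, ATTACK_IPS)
    + make_logs("site-1", 40, "session=visitor", "OtherBrowser/1.0", ["203.0.113.9"])
    + make_logs("site-2", 30, ATTACK_COOKIE, "OtherBrowser/1.0", ATTACK_IPS)
    + make_logs("site-2", 15, "session=changed", ATTACK_UA, ATTACK_IPS)
    + make_logs("site-2", 5, ATTACK_COOKIE, ATTACK_UA, ATTACK_IPS)
)
OBVIOUS = WebLog("site-1", "192.0.2.1", ATTACK_COOKIE, ATTACK_UA)

if __name__ == "__main__":
    linked, sources = link_by_identifier(OBVIOUS, HISTORY)
    for server, entry in sorted(linked.items()):
        print(server, entry["cookie_only"], entry["ua_only"], entry["both"],
              "->", len(entry["targets"]), "target logs")
    ip_only = sum(1 for log in HISTORY if log.ip == OBVIOUS.ip)
    print("attack sources:", sorted(sources), "| IP-only lookup finds", ip_only)
```

Looking up by the IP address of the obvious attack log alone finds only the share of logs sent from that one address, which is the omission the Cookie and UA identifiers are meant to close.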
Further, in practice, the attacks each website suffers differ, and even when the attacks are the same the anomaly models of the websites differ, so the results of the cloud platform's detection on the website logs of each website server often differ. However, each website can optimize its own anomaly model according to the attack information of other websites, so that hidden attacks that could not be detected before are detected, and the website administrator can then take defensive measures in time against later attacks from the attack source to keep the website server secure.
Specifically, after running detection on the target website logs of each website server, the cloud platform can send each website server the attack information of the other websites, so that each website optimizes its own anomaly model according to the attack information of the other websites and reports the optimized anomaly model to the cloud platform.
An anomaly model can be optimized by changing the parameters of an existing model or by adding a new model. For example, the cloud platform's detection results for this website's logs contain a traffic attack that sends 10000 access requests per second, and the preset traffic attack threshold in the parameters of this website's anomaly model is 9000 access requests per second. The attack information of other websites received by this website server contains a traffic attack that sends 8000 access requests per second, which this website's anomaly model would not judge to be a traffic attack. To optimize this website's anomaly model, its preset traffic attack threshold can be changed to 8000 access requests per second, so that the cloud platform can detect, in this website's logs, traffic attacks of 8000 or more access requests per second.
As another example, the cloud platform's detection results for the website logs of other websites contain attack information about vulnerability attacks, while this website's anomaly model contains no information about vulnerability attacks. A model (including parameters) for vulnerability attacks can therefore be added to this website's anomaly model, and the new anomaly model reported to the cloud platform, so that the cloud platform can run vulnerability attack detection on this website's logs.
Further, the cloud platform can classify the websites according to preset classification conditions (for example into business websites, personal websites and government websites), so that the website logs of websites in the same category can be handled in a targeted way, improving the efficiency of security detection. Specifically, after the websites are classified, the targeted handling can involve the following two cases:
Case one: if the cloud platform has classified the websites, then after the cloud platform determines that the newest website log is an obvious attack log, it can determine the attack source from the obvious attack log and then look up the target website logs produced when the attack source accessed the current website server and the same-category website servers. A same-category website server is the server of a website in the same category as the current website.
Because in practice the same attack source often carries out its various attacks only against websites of the same category, after the attack source is determined, anomaly-model detection can be run only on the target website logs of the current website and the same-category websites, to improve detection efficiency. For example, if the current website is a shopping website, the cloud platform can run anomaly-model detection only on shopping websites.
In addition, if there are at least two attack sources, anomaly-model detection can be run on the target website logs of the current website and of each same-category website.
Case two: if the cloud platform has classified the websites, then when the cloud platform matches target website logs against an anomaly model, the target website logs can be matched against the anomaly model of the corresponding website, with websites of the same category using the same anomaly model.
Websites of the same type often suffer the same types of attack, so for anomaly-model detection, websites of the same category can use the same anomaly model, which improves the detection efficiency of the cloud platform.
In addition, to further improve the efficiency of the cloud platform's website log security analysis, case one and case two can be combined: anomaly-model detection is run only on the website logs of the current website and the same-category websites, and the anomaly model used can be the same one.
Further, in practice the malicious attack code that hackers write often includes code that executes the attack periodically (or according to some other time pattern). By analysing historical website logs it is therefore possible to predict that a website server will suffer a certain attack at a specific future time. If this prediction is sent to the website server, the website administrator can prepare defences in advance, so that the security of the website server is ensured.
Specifically, the cloud platform can collect statistics on and analyse the attack information of the attacks the attack source has made on all website servers, predict from the analysis results the attack information of the attacks the attack source will make on each website server in the future, and send each website server the attack information that concerns it.
Attack information includes the IP address of the attack source, the attack type, the attack time, the location of the IP address, the attack signature and so on. After the cloud platform detects attack logs (obvious attack logs and/or hidden attack logs), it can analyse the attack time, attack type and attack signature in the attack information of the attack logs, look for patterns in the attack times of the same attack type or the same attack signature, predict from those patterns the attack information of the attacks the attack source will make on the website server in the future, and send it to the website server. This predicted attack information includes the attack time, the attack type and the attack source. When the website administrator learns that at some future moment or in some future period the website server will suffer a certain attack from the attack source, the administrator can prepare defences in advance so that the website server is protected from the attack.
In a specific implementation, the cloud platform can analyse the attack pattern of the attack source's attacks separately for each website, but analysing each website's attacks on its own may leave gaps: a pattern that exists only across multiple websites combined cannot be found that way. Therefore, the cloud platform can also combine the attack information of the attack source for all websites and analyse the pattern on the combined data.
For example, there are 5 website servers, 3 of which (website server 1, website server 3 and website server 4) have suffered data theft attacks from the attack source. Combining the attack logs of the 5 website servers shows that website server 1 suffered data theft attacks from the attack source at 17:00 on March 3, 2015, 17:00 on March 17, 2015 and 17:00 on April 7, 2015; website server 3 at 17:00 on March 10, 2015, 17:00 on April 14, 2015 and 17:00 on April 21, 2015; and website server 4 at 17:00 on March 24, 2015, 17:00 on March 31, 2015 and 17:00 on April 28, 2015. Combining the three shows that the attack source attacked a website server on March 3, March 10, March 17, March 24, March 31, April 7, April 14, April 21 and April 28 in turn. For each website server taken alone there is no regularity in the data theft attacks from the attack source, but taken together the three show that the attack source attacks the 3 website servers every 7 days, with no fixed target. The cloud platform can therefore predict that website servers 1, 3 and 4 may suffer a data theft attack from the attack source at 17:00 on May 5, 2015, and it informs these 3 website servers, so that the corresponding website administrators can take defensive action in advance and avoid being attacked by the attack source.
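The combined pattern analysis of this example, added as a Python illustration that is not part of the patent. The attack times are the ones listed above; treating a pattern as "all gaps within one hour of the median gap" and requiring at least three attacks are assumptions, since the text does not say how the pattern is found.

```python
from datetime import datetime, timedelta
from statistics import median


def regular_interval(times, tolerance=timedelta(hours=1)):
    """Return the common gap between consecutive attacks, or None when fewer
    than three attacks are known or the gaps differ by more than `tolerance`
    from their median (assumed definition of a time pattern)."""
    ordered = sorted(times)
    if len(ordered) < 3:
        return None
    gaps = [(later - earlier).total_seconds()
            for earlier, later in zip(ordered, ordered[1:])]
    typical = median(gaps)
    limit = tolerance.total_seconds()
    if typical == 0 or any(abs(gap - typical) > limit for gap in gaps):
        return None
    return timedelta(seconds=typical)


def predict_next_attack(attacks_by_server):
    """Analyse each server alone and all servers combined.

    Returns (per-server interval or None, combined interval or None,
    predicted time of the next attack or None)."""
    per_server = {server: regular_interval(times)
                  for server, times in attacks_by_server.items()}
    merged = sorted(t for times in attacks_by_server.values() for t in times)
    interval = regular_interval(merged)
    predicted = merged[-1] + interval if interval else None
    return per_server, interval, predicted


def at(month, day):
    """17:00 on the given day of 2015, as in the example above."""
    return datetime(2015, month, day, 17, 0)


# Data theft attacks by the same attack source, per website server.
ATTACKS = {
    "website server 1": [at(3, 3), at(3, 17), at(4, 7)],
    "website server 3": [at(3, 10), at(4, 14), at(4, 21)],
    "website server 4": [at(3, 24), at(3, 31), at(4, 28)],
}

if __name__ == "__main__":
    per_server, interval, predicted = predict_next_attack(ATTACKS)
    for server, found in per_server.items():
        print(server, "alone:", found)      # None for each server
    print("combined interval:", interval)   # 7 days
    print("predicted next attack:", predicted)
```

The combined analysis cannot say which of the three servers will be hit next, so the prediction is sent to all of them, as the example above does.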
Further, the cloud platform can, regularly or irregularly, compile statistics on the attack information of all attack sources detected across the websites and send the statistics to each website server, so that each website administrator can review and analyse the attacks the websites have recently suffered and take defensive action against the attack sources of attacks that this website has not suffered but other websites have, so that the security of each website server is ensured.
Specifically, the attack information in this step includes the IP address, the location of the IP address (country, province or city, county and so on), the attack type, the number of attacks and so on. When compiling statistics on the attack information, the cloud platform can present the IP address of each attack source, the country and province the IP address belongs to, the attack time, the IP addresses of the website servers attacked, the number of attacks on each website server and so on as tables, charts or in other forms, and send them to each website server.
It should be noted that the initial parameters of the anomaly models mentioned in the embodiments above can all be set by the website administrator according to a preset exclusive configuration analysis strategy. After the website administrator sets the parameters of the anomaly model on the website server side, the website server can report the anomaly model and its parameters to the cloud platform, so that the cloud platform uses the anomaly model for security detection of website logs. The preset exclusive configuration analysis strategy can be offered to the website administrator as items to select, parameters to fill in and so on. For example, the website administrator can select the option to look for traffic attacks and then fill in the corresponding traffic attack threshold.
It should be noted that, besides being applicable to a cloud platform, the invention can also be applied to a gateway, that is, the operations can be performed with a gateway as the executing entity; no limitation is imposed here.
Further, in accordance with the above method embodiment, another embodiment of the invention provides a cloud-based website log security analysis device. As shown in Fig. 2, the device includes an acquiring unit 21, a matching unit 22, a determination unit 23 and a searching unit 24, wherein:
The acquiring unit 21 is used by the cloud platform to obtain, in real time, the newest website log recorded on the current website server side;
The matching unit 22 is used to match the newest website log obtained by the acquiring unit 21 against strong rules;
The determination unit 23 is used to determine that the newest website log is an obvious attack log when the matching result of the matching unit 22 is that the newest website log matches a strong rule;
The determination unit 23 is also used to determine the attack source from the obvious attack log;
The searching unit 24 is used to look up the target website logs produced when the attack source determined by the determination unit 23 accessed all website servers;
The matching unit 22 is used to match the target website logs found by the searching unit 24 against the anomaly model;
The determination unit 23 is also used to determine that the target website log of the corresponding attack source is a hidden attack log when the matching result of the matching unit 22 is that the target website log matches the anomaly model.
Further, as shown in Fig. 3, the determination unit 23 includes:
A searching module 231, used to look up a preset identifier in the obvious attack log;
A determining module 232, used to determine the Internet Protocol (IP) address corresponding to the preset identifier found by the searching module 231 to be the attack source.
Specifically, the searching module 231 is used to look up the Cookie and/or user agent (UA) in the obvious attack log.
Further, as shown in figure 3, the device further includes:
First transmitting element 25, for sending the attack information of other websites to each Website server, so that each
Website according to other websites attack Advance data quality itself Exception Model.
Further, as shown in figure 3, the device further includes:
Taxon 26, for being classified according to default class condition to each website.
Further, the searching unit 24 is configured to search for the target web logs generated when the attack source accessed the current website server and similar website servers, a similar website server being the server corresponding to a website of the same class as the current website.
The matching unit 22 is further configured to match the target web logs against the anomaly model of the corresponding website, where websites of the same class use the same anomaly model.
Further, as shown in Figure 3, the device also includes:
First statistics unit 27, configured to collect statistics on and analyze the attack information of the attacks the attack source has carried out on all website servers;
Prediction unit 28, configured to predict, according to the analysis result of the first statistics unit 27, the attack information of the attacks the attack source will carry out on each website server in the future, and to send to each website server the attack information corresponding to that server.
Further, as shown in Figure 3, the device also includes:
Second statistics unit 29, configured to collect statistics on the attack information of all attack sources detected in each website;
Second sending unit 210, configured to send to each website server the attack information, collected by the second statistics unit 29, of all attack sources detected in each website.
Further, the anomaly model matched by the matching unit 22 is set according to a preset exclusive configuration analysis strategy.
The cloud-based web log security analysis device provided by this embodiment of the present invention can, through the cloud platform, match the latest web logs obtained in real time against strong rules, determine a latest web log that matches to be an obvious attack log and find the attack source from it, then search the historical web logs generated by all website servers for the target web logs of that attack source and match them against the anomaly model, determining the target web logs that match to be concealed attack logs. Compared with the prior art, which cannot detect concealed attacks, the present invention first finds obvious attack logs and the corresponding attack source through strong-rule detection, and then applies anomaly-model detection to the target web logs of that attack source among the web logs generated by all website servers. Both the obvious attacks and the concealed attacks that the attack source has carried out against each website server are thereby detected, so that the administrator of each website can take defensive action against the attack source in time and keep the website server secure.
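The detection flow summarized above, as an added Python example that is not part of the original patent text. The strong rules, the site classes and the two anomaly models are assumptions chosen for illustration, and the log entries are constructed.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "site ip ua cookie request status")

# Constructed sample logs (documentation address ranges, made-up sites).
HISTORY = [
    Entry("shop.example", "203.0.113.7", "scanner/1.0", "sid=aa11", "GET /index.php?id=1", 200),
    Entry("shop.example", "203.0.113.7", "scanner/1.0", "sid=aa11", "POST /admin/login", 401),
    Entry("blog.example", "203.0.113.7", "scanner/1.0", "sid=aa11", "GET /wp-config.php.bak", 404),
    Entry("blog.example", "203.0.113.7", "scanner/1.0", "sid=aa11", "GET /backup.zip", 404),
    Entry("blog.example", "198.51.100.9", "Mozilla/5.0", "sid=bb22", "GET /backup.zip", 404),
    Entry("blog.example", "198.51.100.9", "Mozilla/5.0", "sid=bb22", "GET /post/12", 200),
]
LATEST = [
    Entry("shop.example", "203.0.113.7", "scanner/1.0", "sid=aa11", "GET /index.php?id=1 UNION SELECT 1,2", 200),
    Entry("blog.example", "198.51.100.9", "Mozilla/5.0", "sid=bb22", "GET /post/13", 200),
]

# Assumed strong rules: any match marks the entry as an obvious attack log.
STRONG_RULES = [re.compile(p, re.I) for p in (r"union\s+select", r"<script", r"\.\./")]

# Assumed site classes; sites of the same class share one anomaly model.
SITE_CLASS = {"shop.example": "commerce", "blog.example": "cms"}
ANOMALY_MODEL = {
    "commerce": lambda e: e.status in (401, 403) and "/admin" in e.request,
    "cms": lambda e: e.status == 404 and re.search(r"\.(bak|zip|sql)$", e.request),
}

def obvious_attack_logs(latest):
    """Latest logs that match at least one strong rule."""
    return [e for e in latest if any(r.search(e.request) for r in STRONG_RULES)]

def attack_sources(obvious):
    """Map each source IP to the preset identifiers (Cookie, UA) logged with it."""
    return {e.ip: (e.cookie, e.ua) for e in obvious}

def concealed_attack_logs(sources, history):
    """Logs of known attack sources that also match the site's anomaly model."""
    return [e for e in history
            if e.ip in sources and ANOMALY_MODEL[SITE_CLASS[e.site]](e)]

if __name__ == "__main__":
    src = attack_sources(obvious_attack_logs(LATEST))
    for e in concealed_attack_logs(src, HISTORY):
        print(e.ip, e.site, e.request, e.status)
```

The request for `/backup.zip` from `198.51.100.9` fits the assumed cms anomaly model but is not reported, because only the logs of an identified attack source are checked against the model.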
Further, based on the above device embodiment, another embodiment of the present invention also provides a cloud-based web log security analysis system. As shown in Figure 4, the system includes a cloud platform 31 and a website server 32, where the cloud platform 31 includes the device shown in Figures 2 and 3;
The website server 32 is configured to report the locally recorded latest web logs to the cloud platform 31 in real time.
The cloud-based web log security analysis system provided by this embodiment of the present invention can, through the cloud platform, match the latest web logs obtained in real time against strong rules, determine a latest web log that matches to be an obvious attack log and find the attack source from it, then search the historical web logs generated by all website servers for the target web logs of that attack source and match them against the anomaly model, determining the target web logs that match to be concealed attack logs. Compared with the prior art, which cannot detect concealed attacks, the present invention first finds obvious attack logs and the corresponding attack source through strong-rule detection, and then applies anomaly-model detection to the target web logs of that attack source among the web logs generated by all website servers. Both the obvious attacks and the concealed attacks that the attack source has carried out against each website server are thereby detected, so that the administrator of each website can take defensive action against the attack source in time and keep the website server secure.
In the above embodiments, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, refer to the related descriptions of the other embodiments.
It can be understood that related features in the above method and device may refer to each other. In addition, "first", "second" and so on in the above embodiments are used to distinguish the embodiments and do not indicate that one embodiment is better than another.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the system, device and units described above may refer to the corresponding processes in the foregoing method embodiment and are not repeated here.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other apparatus. Various general-purpose systems may also be used with the teachings herein. From the description above, the structure required to construct such a system is apparent. In addition, the present invention is not directed to any particular programming language. It should be understood that the content of the invention described herein may be implemented in various programming languages, and that the description above of a specific language is given to disclose the best mode of the invention.
In the specification provided here, numerous specific details are set forth. It should be understood, however, that embodiments of the invention may be practised without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail, so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid the understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention the features of the invention are sometimes grouped together into a single embodiment, figure, or description thereof. However, this method of disclosure should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in fewer than all features of a single embodiment disclosed above. Therefore, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will understand that the modules in the device of an embodiment can be adaptively changed and arranged in one or more devices different from that embodiment. The modules or units or components in an embodiment may be combined into one module or unit or component, and may furthermore be divided into multiple sub-modules or sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
In addition, those skilled in the art will understand that although some embodiments described herein include certain features included in other embodiments and not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components in the state detection method, device, server and system for an accompanying electronic anti-theft device according to embodiments of the present invention. The invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference sign placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order. These words may be interpreted as names.