CN104954188B - Cloud-based web log security analysis method, device and system - Google Patents

Publication number
CN104954188B
Authority
CN
China
Prior art keywords
attack
website
log file
web log
daily record
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201510375392.4A
Other languages
Chinese (zh)
Other versions
CN104954188A (en)
Inventor
王鹏
董方
何鑫鑫
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Qax Technology Group Inc
Original Assignee
Beijing Qianxin Technology Co Ltd
Application filed by Beijing Qianxin Technology Co Ltd
Priority to CN201510375392.4A
Publication of CN104954188A
Application granted
Publication of CN104954188B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a cloud-based web log security analysis method, device and system. It relates to the field of Internet technology and can detect concealed attack logs present in web logs. The method comprises: a cloud platform obtains, in real time, the newest web log recorded on the current website server side; the newest web log is matched against strong rules; if the newest web log matches a strong rule, the newest web log is determined to be an obvious attack log; an attack source is determined from the obvious attack log; the target web logs produced when the attack source accessed all website servers are looked up, and the target web logs are matched against an anomaly model; if a target web log matches the anomaly model, that target web log of the attack source is determined to be a concealed attack log. The invention is suited to scenarios in which a cloud platform performs security analysis on the web logs of multiple websites.

Description

Cloud-based web log security analysis method, device and system
Technical field
The present invention relates to the field of Internet technology, and in particular to a cloud-based web log security analysis method, device and system.
Background art
A web log (also called a server log) is a file that records raw information such as the access requests a website server receives and the errors that occur during operation. Through the web log, a webmaster can view a visitor's IP (Internet Protocol) address, access time, operating system type, browser type, the specific object (page) accessed, and whether the access succeeded. A visitor's attacks on the website server can therefore be analysed from the web log.
Prior-art web log analysis tools can analyse the web logs under a specified path and produce an analysis report. However, although such tools can identify obvious attack logs that carry attack signatures and can determine the attack source, they cannot identify the concealed attacks that the attack source carries out against the website server. In that case the webmaster has no knowledge of these undetected concealed attacks and cannot take defensive action against the attack source's subsequent attacks, so the security of the website server cannot be guaranteed.
Summary of the invention
In view of this, the present invention provides a cloud-based web log security analysis method, device and system that can detect concealed attack logs present in web logs.
In a first aspect, the present invention provides a cloud-based web log security analysis method, the method comprising:
The cloud platform obtains, in real time, the newest web log recorded on the current website server side;
The newest web log is matched against strong rules;
If the newest web log matches a strong rule, the newest web log is determined to be an obvious attack log;
An attack source is determined from the obvious attack log;
The target web logs produced when the attack source accessed all website servers are looked up, and the target web logs are matched against an anomaly model;
If a target web log matches the anomaly model, that target web log of the attack source is determined to be a concealed attack log.
In a second aspect, the present invention provides a cloud-based web log security analysis device, the device comprising:
An acquiring unit, used by the cloud platform to obtain, in real time, the newest web log recorded on the current website server side;
A matching unit, for matching the newest web log obtained by the acquiring unit against strong rules;
A determination unit, for determining that the newest web log is an obvious attack log when the matching result of the matching unit is that the newest web log matches a strong rule;
The determination unit is further used to determine an attack source from the obvious attack log;
A searching unit, for looking up the target web logs produced when the attack source determined by the determination unit accessed all website servers;
The matching unit is further used to match the target web logs found by the searching unit against the anomaly model;
The determination unit is further used to determine that the target web log of the attack source is a concealed attack log when the matching result of the matching unit is that the target web log matches the anomaly model.
In a third aspect, the present invention provides a cloud-based web log security analysis system, the system comprising a cloud platform and website servers, wherein the cloud platform includes the device described in the second aspect;
The website server is used to report its locally recorded newest web log to the cloud platform in real time.
With the above technical solution, the cloud-based web log security analysis method, device and system provided by the invention allow the cloud platform to match the newest web log obtained in real time against strong rules, determine a matching newest web log to be an obvious attack log and find the attack source, then look up the target web logs of that attack source in the historical web logs produced by all website servers, match them against the anomaly model, and determine the matching target web logs to be concealed attack logs. Compared with the prior art, which cannot detect concealed attacks, the invention first finds the obvious attack log and the corresponding attack source through strong-rule detection, and then applies anomaly-model detection to the target web logs of that attack source among the web logs produced by all website servers. Both the obvious attacks and the concealed attacks that the attack source has made against each website server are thereby detected, so that the webmaster of each website can take defensive action against the attack source in time and ensure the security of the website server.
The above is only an overview of the technical solution of the present invention. So that the technical means of the invention can be understood more clearly and practised according to the content of the specification, and so that the above and other objects, features and advantages of the invention are more apparent, specific embodiments of the invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the detailed description of the preferred embodiments below. The drawings serve only to illustrate the preferred embodiments and are not to be regarded as limiting the invention. Throughout the drawings, identical components are denoted by the same reference numerals. In the drawings:
Fig. 1 shows a flow chart of a cloud-based web log security analysis method provided by an embodiment of the present invention;
Fig. 2 shows a block diagram of a cloud-based web log security analysis device provided by an embodiment of the present invention;
Fig. 3 shows a block diagram of another cloud-based web log security analysis device provided by an embodiment of the present invention;
Fig. 4 shows a block diagram of a cloud-based web log security analysis system provided by an embodiment of the present invention.
Detailed description of the embodiments
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure will be understood more thoroughly and so that its scope can be fully conveyed to those skilled in the art.
An embodiment of the present invention provides a cloud-based web log security analysis method. As shown in Fig. 1, the method includes:
101. The cloud platform obtains, in real time, the newest web log recorded on the current website server side.
When an external party accesses a website server, the website server side records a web log containing information about the visitor (such as the visitor's IP (Internet Protocol) address, the access time and the browser type the visitor uses) and the website server's response information (such as the returned content). As visitors keep accessing the website server, the web logs recorded on the website server side are continually updated. The cloud platform can obtain the newest web log recorded on each website server side in real time and perform security analysis on the web logs it obtains.
The current website server in this step is the website server to which the current newest web log belongs. If only one website server has currently produced a new web log, that server is the current website server; if at least two website servers have currently produced new web logs, the current website servers are those at least two website servers.
102. The newest web log is matched against strong rules.
A strong rule is a rule that categorically determines that a given web log is an attack log. Each time the current website server side produces a new web log, the cloud platform obtains that web log and checks it against the strong rules to determine whether the newest web log is an attack log, thereby monitoring the security of the current website server in real time.
Specifically, a strong rule may include attack signatures, preconditions and so on. For example, a web log records that a visitor sent a data theft request to the website server. Since an external visitor has no permission to obtain private data on the website server side, the feature of requesting to steal data can be classed as an attack signature; when the strong rule detects this attack signature, the web log is determined to match the strong rule.
As mentioned in step 101, at least two website servers may produce new web logs at the current time, so the number of newest web logs equals the number of website servers producing new web logs at the current time. Therefore, if there are at least two current website servers, the cloud platform needs to check the at least two newest web logs against the strong rules simultaneously, so that the newest web log produced by each website server is security-checked in real time.
103. If the newest web log matches a strong rule, the newest web log is determined to be an obvious attack log.
Because a strong rule categorically determines that a given web log is an attack log, when the cloud platform matches the newest web log against the strong rules and the match succeeds, the newest web log can be determined to be an obvious attack log. Correspondingly, if the match does not succeed, the cloud platform can determine that the newest web log is not an obvious attack log.
For example, the content of one web log includes a visitor sending the website server a request for website management privileges, and the strong rules include website management privileges, so the web log matches the strong rules and is an obvious attack log. The content of another web log includes a visitor sending the website server a request to enlarge a picture, and the strong rules contain nothing related to this, so the web log does not match the strong rules and is not an obvious attack log.
104. The attack source is determined from the obvious attack log.
Because a web log stores the visitor's IP address, access time, operating system type, browser type, the specific object (page) accessed and other information, the cloud platform, after determining an obvious attack log, can determine the attack source from the various information in it. Specifically, the IP address in the obvious attack log may be determined to be the attack source, or the IP address corresponding to the operating system type, browser type and so on may be determined to be the attack source.
For example, an obvious attack log stores the visitor's IP address (such as 198.161.2.21), browser type (such as IE browser version 10), website login account (such as mmmmnnn) and password (999888). The cloud platform can directly determine 198.161.2.21 to be the attack source, or it can determine as attack sources the IP addresses of the web logs whose browser type is IE browser version 10, whose website login account is mmmmnnn and whose password is 999888.
It should be noted that, as mentioned in step 102, there may be at least two newest web logs, so there may also be at least two obvious attack logs. And since the attack source is determined from the obvious attack logs, there may be at least two attack sources.
105. The target web logs produced when the attack source accessed all website servers are looked up, and the target web logs are matched against the anomaly model.
In practice, attackers often send a website server a series of access requests, each of which is a normal access when taken individually, but which together constitute an attack on the website server. For example, from 8:00 to 8:02 on 1 May 2015 the web log records 50000 successive requests to enter the second page of the website. Each of these web logs is a normal access request, but the 50000 requests as a whole are a traffic attack. One-to-one strong-rule matching on single web logs therefore cannot guarantee that all attacks an attack source has made against all website servers are detected; the relationships and differences among the multiple web logs of that attack source have to be analysed along the time axis before the more concealed attack logs can be detected.
After the cloud platform has determined the attack source, it can look up, in the historical web logs (excluding the newest web log produced by the current website server), the target web logs produced when the attack source accessed all website servers, and match the target web logs against the anomaly model. Here, all website servers include the current website server and the other website servers, and a target web log is a web log corresponding to the attack source.
It should be noted that the anomaly model detects as follows: the cloud platform analyses the difference between the behaviour information reflected by each target web log and the normalized behaviour information reflected by all target web logs of the same website. If the difference is greater than a preset threshold, the corresponding target web log is determined to match the anomaly model; if the difference is less than or equal to the preset threshold, the corresponding target web log is determined not to match the anomaly model.
For example, the cloud platform finds 5 target web logs in the historical web logs of one website server. The website server response packet size recorded in target web log 1 is 20kb, in target web log 2 it is 20.9kb, in target web log 3 it is 1Mb, in target web log 4 it is 19.8kb, and in target web log 5 it is 21.9kb. The normalized behaviour information reflected by the 5 target web logs is therefore that the website server response packet size is generally around 21kb. Comparing the response packet size in each web log with 21kb shows that, apart from 1Mb, which is far larger than 21kb, the others are all around 21kb. If the preset threshold is 100kb, then 1Mb (1024kb) differs from 21kb by 1003kb, so target web log 3, which corresponds to 1Mb, matches the anomaly model, while the other 4 target web logs do not.
It should be noted that the anomaly models in this step are not necessarily identical; each anomaly model is the one corresponding to its own website server. For example, with 5 website servers, where website server 1 corresponds to anomaly model 1, website server 2 to anomaly model 2, website server 3 to anomaly model 3, website server 4 to anomaly model 4 and website server 5 to anomaly model 5, anomaly models 1 to 5 may all differ, may be partly identical (for example anomaly models 1, 2 and 5 are identical, and anomaly models 3 and 4 are identical), or may all be identical.
In addition, when target web logs are matched against an anomaly model, the target web logs are those of the corresponding website server, not the web logs of all website servers.
In addition, if there are at least two attack sources, the cloud platform needs to look up the target web logs of each attack source in the historical web logs of all website servers at the same time. For example, if the cloud platform determines two attack sources (attack source 1 and attack source 2), it needs to look up, in the historical web logs of all website servers, the target web logs of attack source 1 and the target web logs of attack source 2.
106. If a target web log matches the anomaly model, the target web log of the attack source is determined to be a concealed attack log.
After the target web logs have been matched against the anomaly model, if the match succeeds, the cloud platform can determine that the target web log of the attack source is a concealed attack log; if the match does not succeed, the cloud platform can determine that the target web log of the attack source is not a concealed attack log.
For example, in the example of step 105, target web log 3 matches the anomaly model, so target web log 3 is a concealed attack log, while target web logs 1, 2, 4 and 5 do not match the anomaly model, so target web logs 1, 2, 4 and 5 are not concealed attack logs.
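The following added example (not part of the patent text) runs steps 102 to 106 over constructed log lines that reproduce the response-size case of step 105. The combined log format, the two strong-rule patterns, the server names, the IP addresses and the use of the median as the "normalized behaviour" are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from statistics import median

# Combined-log-format parser; the patent does not fix a log format (assumption).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

# Hypothetical strong rules: one matching request is enough to call the log
# an obvious attack log (step 103).
STRONG_RULES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-union": re.compile(r"union(?:\s|%20|\+)+select", re.I),
}
THRESHOLD = 100 * 1024  # the 100kb preset threshold of step 105, in bytes


def parse(server, line):
    """Turn one raw log line into a record, or None if it is malformed."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["server"] = server
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def strong_rule_hit(rec):
    """Step 102: name of the first strong rule the request matches, else None."""
    for name, rx in STRONG_RULES.items():
        if rx.search(rec["request"]):
            return name
    return None


def hidden_attack_logs(history, source_ip, threshold=THRESHOLD):
    """Steps 105-106: per-server anomaly check on the attack source's logs."""
    by_server = defaultdict(list)
    for rec in history:
        if rec["ip"] == source_ip:
            by_server[rec["server"]].append(rec)
    hits = []
    for recs in by_server.values():
        # Median as the normalized behaviour: the mean of the five sizes below
        # is about 221kb, which would put the four ordinary logs over the
        # threshold as well and flag all of them.
        baseline = median(r["size"] for r in recs)
        hits += [r for r in recs if abs(r["size"] - baseline) > threshold]
    return hits


def analyse(newest, history):
    """Steps 102-106 for one newest log: (attack source or None, hidden logs)."""
    rec = parse(*newest)
    if rec is None or strong_rule_hit(rec) is None:
        return None, []
    return rec["ip"], hidden_attack_logs(history, rec["ip"])


def make_line(ip, ts, path, size):
    """Build one constructed combined-log-format line."""
    return (f'{ip} - - [01/May/2015:{ts} +0800] "GET {path} HTTP/1.1" '
            f'200 {size} "-" "ExampleBrowser/10 (constructed)"')


# Constructed data: documentation-range IPs, sizes taken from the step 105 example.
ATTACKER = "203.0.113.9"
HISTORY = [parse(s, l) for s, l in [
    ("site-a", make_line(ATTACKER, "08:00:01", "/report?id=1", 20480)),    # 20kb
    ("site-a", make_line(ATTACKER, "08:01:10", "/report?id=2", 21402)),    # 20.9kb
    ("site-a", make_line(ATTACKER, "08:02:30", "/report?id=3", 1048576)),  # 1Mb
    ("site-a", make_line(ATTACKER, "08:03:05", "/report?id=4", 20275)),    # 19.8kb
    ("site-a", make_line(ATTACKER, "08:04:40", "/report?id=5", 22426)),    # 21.9kb
    ("site-a", make_line("198.51.100.20", "08:02:00", "/video.mp4", 5242880)),
    ("site-b", make_line(ATTACKER, "08:05:00", "/index.html", 4096)),
    ("site-b", make_line(ATTACKER, "08:05:30", "/about.html", 5120)),
]]
# Newest log on site-b trips the path-traversal strong rule.
NEWEST = ("site-b", make_line(ATTACKER, "08:06:00", "/download?file=../../app.cfg", 512))

if __name__ == "__main__":
    source, hidden = analyse(NEWEST, HISTORY)
    print("attack source:", source)
    for r in hidden:
        print("concealed attack log:", r["server"], r["ts"], r["request"], r["size"])
```

The large download by 198.51.100.20 is not reported because only logs of the attack source are target web logs, and the site-b logs are judged against their own baseline rather than site-a's.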
With the cloud-based web log security analysis method provided by the embodiment of the present invention, the cloud platform can match the newest web log obtained in real time against strong rules, determine a matching newest web log to be an obvious attack log and find the attack source, then look up the target web logs of that attack source in the historical web logs produced by all website servers, match them against the anomaly model, and determine the matching target web logs to be concealed attack logs. Compared with the prior art, which cannot detect concealed attacks, the invention first finds the obvious attack log and the corresponding attack source through strong-rule detection, and then applies anomaly-model detection to the target web logs of that attack source among the web logs produced by all website servers. Both the obvious attacks and the concealed attacks that the attack source has made against each website server are thereby detected, so that the webmaster of each website can take defensive action against the attack source in time and ensure the security of the website server.
Further, determining the attack source from the obvious attack log in the above embodiment can be implemented as follows: the cloud platform looks up a preset identifier in the obvious attack log and determines the IP address corresponding to that preset identifier to be the attack source.
Specifically, the preset identifier can be an IP address, a UA (User Agent) or a Cookie. A UA generally contains the browser type, browser rendering engine, operating system type and so on; a Cookie generally contains the user's account and password, the record of visits to the website (such as which content of which page was accessed at what time) and so on.
Under normal circumstances a visitor uses a fixed IP address to access a website server, so the preset identifier can be the IP address and the cloud platform can determine that IP address to be the attack source. However, to avoid having their attacks discovered, attackers often use different IP addresses to attack a website server. If the IP address in the obvious attack log is directly determined to be the attack source, it is often only possible to find the attacks made by multiple attack sources corresponding to multiple IP addresses, and hard to discover the concealed attack formed by combining the web logs of those IP addresses. For example, an attacker uses a first IP address to send 800 requests to open the website home page to the website server (the same website server throughout) between 16:00 and 16:02, a second IP address to send 800 such requests between 16:02 and 16:04, a third IP address to send 800 such requests between 16:04 and 16:06, and a fourth IP address to send 800 such requests between 16:06 and 16:08. Analysed per IP address, these are normal requests, but analysed across all the IP addresses together they are a traffic attack. Therefore, to determine the attack source more fully, the following scheme can be used:
The cloud platform looks up the Cookie and/or UA in the obvious attack log and determines the IP addresses corresponding to that Cookie and/or UA to be attack sources.
In practice, a Cookie contains the account, the password, the record of visits to the website and so on, and this content does not normally change, so the preset identifier can be the Cookie. After finding the Cookie in the obvious attack log, the cloud platform can, in the historical web logs of all website servers, determine as attack sources the IP addresses of the logs whose Cookie content is identical to the Cookie content of the obvious attack log.
The UA is similar: when a visitor uses the same computer to access a website, the browser type, operating system and search engine used normally do not change, so the preset identifier can also be the UA. After finding the UA in the obvious attack log, the cloud platform can, in the historical web logs of all website servers, determine as attack sources the IP addresses of the logs whose UA content is identical to the UA content of the obvious attack log.
In addition, in practice either the Cookie or the UA may change, so using only the Cookie or only the UA as the identifier for determining the attack source can miss logs; but the Cookie and the UA normally do not change at the same time. Therefore, to avoid omissions when looking up the web logs of an attack source, the Cookie and the UA can both be used as preset identifiers, and the IP addresses corresponding to those preset identifiers determined to be attack sources. That is, every web log whose Cookie is identical to that of the obvious attack log, or whose UA is identical to that of the obvious attack log, is a target web log.
For example, after the newest web log (taking one newest web log as an example) has been determined to be an obvious attack log, the corresponding Cookie and UA can be found in the obvious attack log, the web logs identical to that Cookie or that UA can then be looked up in the historical web logs of all website servers (taking 3 website servers as an example), and anomaly-model detection can be applied to those web logs. In the historical web logs of website server 1 there are 50 web logs with only the Cookie identical to that of the obvious attack log, 20 web logs with only the UA identical, and 15 web logs with both the Cookie and the UA identical. In the historical web logs of website server 2 there are 30 web logs with only the Cookie identical, 15 web logs with only the UA identical, and 5 web logs with both identical. In the historical web logs of website server 3 there are 100 web logs with only the Cookie identical, 45 web logs with only the UA identical, and 35 web logs with both identical. The cloud platform then security-checks the 85 web logs of website server 1 with anomaly model 1, the 50 web logs of website server 2 with anomaly model 2 and the 180 web logs of website server 3 with anomaly model 3, to determine whether concealed attack logs exist among them.
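The following added example (not part of the patent text) applies the Cookie-or-UA lookup to constructed records shaped like the four-IP case above: four addresses each send 800 requests in consecutive two-minute windows under one Cookie and UA. The record fields, the identifier values, the 8-minute window and the threshold of 1000 requests per window are assumptions made for illustration.

```python
from collections import Counter, defaultdict

EMPTY = {"", "-"}        # placeholder values that identify nobody
TRAFFIC_THRESHOLD = 1000  # hypothetical: requests allowed per window


def match_kind(rec, obvious):
    """How a record links to the obvious attack log: both / cookie / ua / None."""
    same_cookie = obvious["cookie"] not in EMPTY and rec["cookie"] == obvious["cookie"]
    same_ua = obvious["ua"] not in EMPTY and rec["ua"] == obvious["ua"]
    if same_cookie and same_ua:
        return "both"
    if same_cookie:
        return "cookie"
    if same_ua:
        return "ua"
    return None


def find_targets(history, obvious):
    """Target web logs: every record sharing the Cookie OR the UA."""
    targets, per_server = [], defaultdict(Counter)
    for rec in history:
        kind = match_kind(rec, obvious)
        if kind:
            targets.append(rec)
            per_server[rec["server"]][kind] += 1
    return targets, per_server


def peak_requests(logs, window):
    """Largest number of requests inside any sliding window of `window` seconds."""
    times = sorted(r["ts"] for r in logs)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] >= window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def analyse_linked(history, obvious, server, window=480):
    """Compare per-IP volume with the volume of the linked identity on one server."""
    targets, per_server = find_targets(history, obvious)
    on_server = [r for r in targets if r["server"] == server]
    by_ip = defaultdict(list)
    for r in on_server:
        by_ip[r["ip"]].append(r)
    peak_ip = max((peak_requests(v, window) for v in by_ip.values()), default=0)
    peak_all = peak_requests(on_server, window)
    return {
        "sources": {r["ip"] for r in targets},
        "per_server": {s: dict(c) for s, c in per_server.items()},
        "peak_per_ip": peak_ip,
        "peak_linked": peak_all,
        "per_ip_flagged": peak_ip > TRAFFIC_THRESHOLD,
        "linked_flagged": peak_all > TRAFFIC_THRESHOLD,
    }


def make_history():
    """Constructed history; ts is seconds since 16:00, IPs are documentation ranges."""
    logs = []

    def add(server, ip, cookie, ua, count, start, span):
        for n in range(count):
            logs.append({"server": server, "ip": ip, "cookie": cookie, "ua": ua,
                         "ts": start + (n * span) // count})

    for i in range(4):  # four IPs, 800 requests each, consecutive 2-minute windows
        add("site-a", f"203.0.113.{i + 1}", "sid=c0ffee", "ExampleBrowser/10",
            800, i * 120, 120)
    add("site-b", "203.0.113.5", "sid=c0ffee", "OtherAgent/1", 50, 600, 60)       # Cookie only
    add("site-b", "203.0.113.6", "sid=rotated", "ExampleBrowser/10", 20, 700, 60)  # UA only
    add("site-a", "198.51.100.20", "sid=benign", "Firefox/38", 30, 0, 480)        # unrelated
    return logs


# The obvious attack log that seeds the lookup (constructed).
OBVIOUS = {"server": "site-a", "ip": "203.0.113.1", "cookie": "sid=c0ffee",
           "ua": "ExampleBrowser/10", "ts": 0}

if __name__ == "__main__":
    for key, value in analyse_linked(make_history(), OBVIOUS, "site-a").items():
        print(key, "=", value)
```

A UA string alone is shared by every visitor running the same browser build, so the UA-only matches are a candidate set for the anomaly model rather than proof that the IP address belongs to the attacker.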
Further, in practice, not only do the attacks suffered by each website differ, but even when the attacks are the same the anomaly models of the websites differ, so the results of the cloud platform's checks on the web logs of each website server often differ. However, each website can optimise its own anomaly model according to the attack information of other websites, so that concealed attacks that previously could not be detected are detected, and the webmaster can then take defensive measures in time against later attacks from the attack source, to ensure the security of the website server.
Specifically, after checking the target web logs of each website server, the cloud platform can send each website server the attack information of other websites, so that each website optimises its own anomaly model according to the attack information of other websites and reports the optimised anomaly model to the cloud platform.
An anomaly model can be optimised by changing the parameters of the existing model or by adding a new model. For example, the cloud platform's detection results for this website's web logs contain a traffic attack sending 10000 access requests per second, and the preset traffic attack threshold in the parameters of this website's anomaly model is 9000 access requests per second. The attack information of other websites received by this website server contains a traffic attack sending 8000 access requests per second, which this website's anomaly model would not judge to be a traffic attack. To optimise this website's anomaly model, its preset traffic attack threshold can therefore be changed to 8000 access requests per second, so that the cloud platform can detect traffic attacks of 8000 or more access requests per second in this website's web logs.
As another example, the cloud platform's detection results for the web logs of other websites contain attack information about vulnerability attacks, while this website's anomaly model contains no information about vulnerability attacks. A model (including parameters) for vulnerability attacks can therefore be added to this website's anomaly model and the new anomaly model reported to the cloud platform, so that the cloud platform can check this website's web logs for vulnerability attacks.
Further, the cloud platform can classify the websites according to a preset classification condition (for example into commercial websites, personal websites and government websites), so that the logs of websites in the same category are handled in a targeted way, which improves the efficiency of security detection. Specifically, once the websites are classified, the targeted handling covers the following two cases:
Case one: if the cloud platform has classified the websites, then after it determines that the latest website log is an obvious attack log, it can determine the attack source from the obvious attack log and then look up the target website logs produced when the attack source accessed the current web server and similar web servers. A similar web server is the server of a website in the same category as the current website.
In practice the same attack source often carries out various attacks only against websites of the same category, so once the attack source is determined, anomaly-model detection can be run only on the target website logs of the current website and similar websites, which improves detection efficiency. For example, if the current website is a shopping website, the cloud platform can run anomaly-model detection only on shopping websites.
In addition, if there are at least two attack sources, anomaly-model detection can be run on the target website logs of the current website and of each similar website.
Case two: if the cloud platform has classified the websites, then when it matches target website logs against the anomaly model, it can match each target website log against the anomaly model of the corresponding website, with similar websites using the same anomaly model.
Websites of the same type are usually subjected to the same types of attack, so similar websites can use the same anomaly model during anomaly-model detection, which improves the detection efficiency of the cloud platform.
In addition, to further improve the efficiency of the cloud platform's website log security analysis, cases one and two can be combined: anomaly-model detection is run only on the website logs of the current website and similar websites, and the same anomaly model can be used for them.
Further, in practice the malicious attack code written by hackers often includes code that performs the attack periodically (or according to some other time pattern). By analysing historical website logs it is therefore possible to predict that a web server will suffer a certain attack at a specific time in the future. If this prediction is sent to the web server, the site administrator can prepare defences in advance, so that the security of the web server is ensured.
Specifically, the cloud platform can compile statistics on and analyse the attack information of the attacks that the attack source has carried out against all web servers, then predict from the analysis result the attack information of the attacks the attack source will carry out against each web server in the future, and send each web server the attack information that concerns it.
The attack information includes the IP address of the attack source, the attack type, the attack time, the location to which the IP address belongs, the attack signature and so on. After the cloud platform detects attack logs (obvious attack logs and/or hidden attack logs), it can analyse the attack time, attack type and attack signature in the attack information of those logs and look for a pattern in the attack times of the same attack type or the same attack signature. From that pattern it predicts the attack information of the attacks the attack source will carry out against the web server in the future and sends it to the web server. This predicted attack information includes the attack time, the attack type and the attack source. When the site administrator learns that at a certain future moment or during a certain period the web server will be subjected to a certain attack from the attack source, the administrator can prepare defences in advance and keep the web server from being attacked.
In a specific implementation, the cloud platform can analyse the attack pattern of the attack source separately for each website. Analysing each website on its own may leave gaps, however: a pattern that exists only across several websites taken together cannot be found this way. The cloud platform can therefore also combine the attack source's attack information for all websites and analyse the pattern jointly.
For example, there are 5 web servers, of which 3 (web server 1, web server 3 and web server 4) have all been subjected to data-theft attacks by the attack source. Combining the attack logs of the 5 web servers shows that web server 1 was subjected to the attack source's data-theft attack at 17:00 on March 3, 2015, 17:00 on March 17, 2015 and 17:00 on April 7, 2015; web server 3 at 17:00 on March 10, 2015, 17:00 on April 14, 2015 and 17:00 on April 21, 2015; and web server 4 at 17:00 on March 24, 2015, 17:00 on March 31, 2015 and 17:00 on April 28, 2015. Putting the three together shows that the attack source attacked a web server on March 3, March 10, March 17, March 24, March 31, April 7, April 14, April 21 and April 28 in turn. For each individual web server there is no regularity in the data-theft attacks, but taken together the three show that the attack source attacks one of the 3 web servers, with no fixed target, every 7 days. The cloud platform can therefore predict that web servers 1, 3 and 4 may be subjected to the attack source's data-theft attack at 17:00 on May 5, 2015, and inform these 3 web servers, so that the corresponding site administrators can take defensive action in advance and avoid being attacked by the attack source.
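The joint analysis in the example above can be sketched as follows. This is an added illustration, not code from the patent: the function names, the server labels and the "data_theft" label are assumptions, and the attack times are the ones given in the text.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def dt(month, day):
    """17:00 on the given day of 2015, the attack time used in the text."""
    return datetime(2015, month, day, 17, 0)


# (web server, attack type, attack time) taken from the worked example.
ATTACKS = [
    ("server-1", "data_theft", dt(3, 3)),
    ("server-1", "data_theft", dt(3, 17)),
    ("server-1", "data_theft", dt(4, 7)),
    ("server-3", "data_theft", dt(3, 10)),
    ("server-3", "data_theft", dt(4, 14)),
    ("server-3", "data_theft", dt(4, 21)),
    ("server-4", "data_theft", dt(3, 24)),
    ("server-4", "data_theft", dt(3, 31)),
    ("server-4", "data_theft", dt(4, 28)),
]


def regular_interval(times, tolerance=timedelta(0)):
    """Return the common gap between consecutive attacks, or None.

    At least three events are required, and all gaps must agree within
    `tolerance` (an assumed knob for timestamps that carry jitter).
    """
    times = sorted(times)
    if len(times) < 3:
        return None
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    if min(gaps) <= timedelta(0) or max(gaps) - min(gaps) > tolerance:
        return None
    return sum(gaps, timedelta(0)) / len(gaps)


def predict_next(times, tolerance=timedelta(0)):
    """Predicted time of the next attack, or None if no pattern is found."""
    interval = regular_interval(times, tolerance)
    return None if interval is None else max(times) + interval


def forecast(attacks):
    """Analyse each server alone, then all servers jointly per attack type."""
    by_site = defaultdict(list)
    by_type = defaultdict(list)
    for site, attack_type, when in attacks:
        by_site[(site, attack_type)].append(when)
        by_type[attack_type].append(when)

    per_site = {key: predict_next(times) for key, times in by_site.items()}

    combined = {}
    for attack_type, times in by_type.items():
        nxt = predict_next(times)
        if nxt is not None:
            # The target is not fixed, so every affected server is warned.
            sites = sorted({s for s, t, _ in attacks if t == attack_type})
            combined[attack_type] = (nxt, sites)
    return per_site, combined


if __name__ == "__main__":
    per_site, combined = forecast(ATTACKS)
    for key, nxt in per_site.items():
        print(key, "->", nxt)
    for attack_type, (nxt, sites) in combined.items():
        print(attack_type, "expected at", nxt, "on one of", sites)
```

Analysed one server at a time, the gaps are 14 and 21 days, 35 and 7 days, and 7 and 28 days, so no prediction is possible; only the merged timeline exposes the 7-day period.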
Further, the cloud platform can, periodically or irregularly, compile statistics on the attack information of all attack sources detected across the websites and send the results to each web server. Each site administrator can then review and analyse the attacks recently suffered by each website and take defensive action against attack sources whose attacks this website has not suffered but other websites have, so that the security of each web server is ensured.
Specifically, the attack information in this step includes the IP address, the location of the IP address (country, province/city, county and so on), the attack type, the number of attacks and so on. When compiling statistics on the attack information, the cloud platform can present the IP address of each attack source, the country and province to which the IP address belongs, the attack time, the IP addresses of the attacked web servers, the number of attacks on each web server and so on as tables, charts or in other forms, and send them to each web server.
It should be noted that the initial parameters of the anomaly model mentioned in the embodiments above can all be set by the site administrator according to a preset dedicated configuration analysis policy. After the site administrator sets the anomaly-model parameters on the web server side, the web server can report the anomaly model and its parameters to the cloud platform, so that the cloud platform uses the anomaly model for security detection of website logs. The preset dedicated configuration analysis policy can be offered to the site administrator as options to select and parameters to fill in. For example, the site administrator can select the option to look for traffic attacks and then fill in the corresponding traffic-attack threshold.
It should be noted that, besides the cloud platform, the present invention is also applicable to a gateway, i.e. the operations can be performed with the gateway as the executing entity; no limitation is imposed here.
Further, according to the method embodiments above, another embodiment of the present invention provides a cloud-based website log security analysis apparatus. As shown in Fig. 2, the apparatus includes an acquiring unit 21, a matching unit 22, a determining unit 23 and a searching unit 24, wherein:
the acquiring unit 21 is configured for the cloud platform to obtain, in real time, the latest website log recorded on the current web server side;
the matching unit 22 is configured to match the latest website log obtained by the acquiring unit 21 against the strong rule;
the determining unit 23 is configured to determine that the latest website log is an obvious attack log when the matching result of the matching unit 22 is that the latest website log matches the strong rule;
the determining unit 23 is further configured to determine the attack source from the obvious attack log;
the searching unit 24 is configured to look up the target website logs produced when the attack source determined by the determining unit 23 accessed all web servers;
the matching unit 22 is configured to match the target website logs found by the searching unit 24 against the anomaly model;
the determining unit 23 is further configured to determine that the target website log corresponding to the attack source is a hidden attack log when the matching result of the matching unit 22 is that the target website log matches the anomaly model.
Further, as shown in Fig. 3, the determining unit 23 includes:
a searching module 231, configured to look up a preset identifier in the obvious attack log;
a determining module 232, configured to determine the Internet Protocol (IP) address corresponding to the preset identifier found by the searching module 231 as the attack source.
Specifically, the searching module 231 is configured to look up the Cookie and/or user agent (UA) in the obvious attack log.
Further, as shown in Fig. 3, the apparatus further includes:
a first sending unit 25, configured to send the attack information of other websites to each web server, so that each website optimizes its own anomaly model according to the attack information of other websites.
Further, as shown in Fig. 3, the apparatus further includes:
a classifying unit 26, configured to classify the websites according to a preset classification condition.
Further, the searching unit 24 is configured to look up the target website logs produced when the attack source accessed the current web server and similar web servers, a similar web server being the server of a website in the same category as the current website.
The matching unit 22 is further configured to match the target website log against the anomaly model of the corresponding website, wherein similar websites use the same anomaly model.
Further, as shown in Fig. 3, the apparatus further includes:
a first statistics unit 27, configured to compile statistics on and analyse the attack information of the attacks carried out by the attack source against all web servers;
a predicting unit 28, configured to predict, from the analysis result of the first statistics unit 27, the attack information of the attacks the attack source will carry out against each web server in the future, and to send each web server the attack information that concerns it.
Further, as shown in Fig. 3, the apparatus further includes:
a second statistics unit 29, configured to compile statistics on the attack information of all attack sources detected across the websites;
a second sending unit 210, configured to send each web server the attack information, compiled by the second statistics unit 29, of all attack sources detected across the websites.
Further, the anomaly model matched by the matching unit 22 is set according to a preset dedicated configuration analysis policy.
With the cloud-based website log security analysis apparatus provided by the embodiment of the present invention, the cloud platform matches the latest website log obtained in real time against the strong rule, determines a successfully matched latest website log to be an obvious attack log and finds the attack source. It then looks up the target website logs corresponding to the attack source in the historical website logs produced by all web servers, matches them against the anomaly model, and determines the successfully matched target website logs to be hidden attack logs. Compared with the prior art, which cannot detect hidden attacks, the present invention first uses strong-rule detection to find obvious attack logs and the corresponding attack source, and then runs anomaly-model detection on the target website logs that correspond to the attack source among the website logs produced by all web servers. Both the obvious attacks and the hidden attacks that the attack source has made on each web server are thereby detected, so that the administrator of each website can take defensive action against the attack source in time and ensure the security of the web server.
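The two-stage detection summarized above can be sketched as follows. This is an added illustration, not the patent's implementation: the log fields, the two strong-rule patterns, the per-second request threshold used as the anomaly model and all sample log entries are constructed assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class LogEntry:
    site: str    # web server that recorded the request
    ip: str      # client IP address
    ts: int      # request time, epoch seconds
    path: str    # request path and query string
    ua: str      # User-Agent header
    cookie: str  # Cookie header


# Assumed strong rules: patterns that mark a request as an attack on sight.
STRONG_RULES = [
    re.compile(r"(?i)\bunion\s+select\b"),
    re.compile(r"(?:\.\./){2,}"),
]


def is_obvious_attack(entry):
    return any(rule.search(entry.path) for rule in STRONG_RULES)


def attack_source(obvious, logs):
    """IPs that carry the preset identifier found in the obvious attack log.

    The Cookie is preferred; the UA is the fallback. A common browser UA
    would link unrelated clients, so a UA-only match deserves review.
    """
    if obvious.cookie:
        linked = {e.ip for e in logs if e.cookie == obvious.cookie}
    elif obvious.ua:
        linked = {e.ip for e in logs if e.ua == obvious.ua}
    else:
        linked = set()
    return linked | {obvious.ip}


def target_logs(source_ips, logs, sites=None):
    """Historical entries from the attack source, optionally limited to the
    current site and the sites in its category (case one in the text)."""
    return [e for e in logs
            if e.ip in source_ips and (sites is None or e.site in sites)]


def hidden_attack_logs(targets, models):
    """Entries that match the recording site's anomaly model.

    The model here is one parameter per site: requests per second from one
    IP at or above `flow_threshold` (constructed small values)."""
    per_second = Counter((e.site, e.ip, e.ts) for e in targets)
    return [e for e in targets
            if not is_obvious_attack(e)
            and per_second[(e.site, e.ip, e.ts)] >= models[e.site]["flow_threshold"]]


def analyze(latest, history, models, sites=None):
    """Stage 1: strong rule on the latest log. Stage 2: anomaly model on the
    attack source's logs across all (or similar) sites."""
    if not is_obvious_attack(latest):
        return None
    source = attack_source(latest, history)
    targets = target_logs(source, history, sites)
    return {"source": source, "targets": targets,
            "hidden": hidden_attack_logs(targets, models)}


# Constructed sample data (documentation IP ranges).
HISTORY = [
    LogEntry("site-b", "198.51.100.9", 1000, "/login", "ua-x", "sid=abc"),
    LogEntry("site-b", "198.51.100.9", 1000, "/login", "ua-x", "sid=abc"),
    LogEntry("site-b", "198.51.100.9", 1000, "/login", "ua-x", "sid=abc"),
    LogEntry("site-b", "192.0.2.50", 1000, "/index", "ua-y", "sid=zzz"),
    LogEntry("site-c", "203.0.113.7", 2000, "/about", "ua-x", "sid=abc"),
]
LATEST = LogEntry("site-a", "203.0.113.7", 3000,
                  "/item?id=1 union select 1", "ua-x", "sid=abc")
MODELS = {site: {"flow_threshold": 3} for site in ("site-a", "site-b", "site-c")}

if __name__ == "__main__":
    result = analyze(LATEST, HISTORY, MODELS)
    print("attack source:", sorted(result["source"]))
    print("hidden attack logs:", len(result["hidden"]))
```

The burst against site-b comes from a different IP address than the obvious attack on site-a and matches no strong rule; it is found only because the shared Cookie ties both addresses to one attack source.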
Further, according to the apparatus embodiments above, another embodiment of the present invention provides a cloud-based website log security analysis system. As shown in Fig. 4, the system includes a cloud platform 31 and a web server 32, wherein the cloud platform 31 includes the apparatus shown in Fig. 2 or Fig. 3;
the web server 32 is configured to report the locally recorded latest website log to the cloud platform 31 in real time.
With the cloud-based website log security analysis system provided by the embodiment of the present invention, the cloud platform matches the latest website log obtained in real time against the strong rule, determines a successfully matched latest website log to be an obvious attack log and finds the attack source. It then looks up the target website logs corresponding to the attack source in the historical website logs produced by all web servers, matches them against the anomaly model, and determines the successfully matched target website logs to be hidden attack logs. Compared with the prior art, which cannot detect hidden attacks, the present invention first uses strong-rule detection to find obvious attack logs and the corresponding attack source, and then runs anomaly-model detection on the target website logs that correspond to the attack source among the website logs produced by all web servers. Both the obvious attacks and the hidden attacks that the attack source has made on each web server are thereby detected, so that the administrator of each website can take defensive action against the attack source in time and ensure the security of the web server.
In the embodiments above, the description of each embodiment has its own emphasis; for a part not described in detail in one embodiment, refer to the related description of the other embodiments.
It is understood that the related features of the method and apparatus above can be referred to one another. In addition, "first", "second" and so on in the embodiments above are used to distinguish the embodiments and do not indicate the relative merit of the embodiments.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the system, apparatus and units described above can be found in the corresponding processes of the method embodiments above and are not repeated here.
The algorithms and displays provided here are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems can also be used with the teachings herein. From the description above, the structure required to construct such a system is obvious. Moreover, the present invention is not directed at any particular programming language. It should be understood that the content of the invention described here can be implemented in various programming languages, and that the description given above of a specific language is intended to disclose the best mode of the invention.
Numerous specific details are set forth in the specification provided here. It will be understood, however, that embodiments of the invention can be practised without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid the understanding of one or more of the various inventive aspects, the features of the invention are sometimes grouped together in a single embodiment, figure or description thereof in the description of exemplary embodiments above. However, the disclosed method should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in fewer than all features of a single embodiment disclosed above. The claims following the detailed description are therefore expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the device of an embodiment can be adaptively changed and arranged in one or more devices different from that embodiment. The modules or units or components of an embodiment can be combined into one module or unit or component, and can furthermore be divided into multiple sub-modules or sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed can be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) can be replaced by an alternative feature serving the same, equivalent or similar purpose.
In addition, those skilled in the art will appreciate that, although some embodiments described here include some features included in other embodiments and not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any one of the claimed embodiments can be used in any combination.
The component embodiments of the present invention can be implemented in hardware, in software modules running on one or more processors, or in a combination of the two. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) can be used in practice to implement some or all of the functions of some or all of the components of the state detection method, device, server and system for an accompanying electronic anti-theft device according to embodiments of the present invention. The present invention can also be implemented as device or apparatus programs (for example, computer programs and computer program products) for performing part or all of the method described here. Such a program implementing the present invention can be stored on a computer-readable medium or can take the form of one or more signals. Such a signal can be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the embodiments above illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference sign placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices can be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order. These words can be interpreted as names.

Claims (21)

  1. A cloud-based website log security analysis method, characterized in that the method comprises:
    obtaining, by a cloud platform in real time, the latest website log recorded on the current web server side;
    matching the latest website log against a strong rule, the strong rule being a rule that rigidly stipulates that a certain website log is an attack log;
    if the latest website log matches the strong rule, determining that the latest website log is an obvious attack log;
    determining an attack source from the obvious attack log;
    looking up the target website logs produced when the attack source accessed all web servers, and matching the target website logs against an anomaly model;
    if a target website log matches the anomaly model, determining that the target website log corresponding to the attack source is a hidden attack log.
  2. The method according to claim 1, characterized in that determining the attack source from the obvious attack log comprises:
    looking up a preset identifier in the obvious attack log;
    determining the Internet Protocol (IP) address corresponding to the preset identifier as the attack source.
  3. The method according to claim 2, characterized in that looking up the preset identifier in the obvious attack log comprises:
    looking up the Cookie and/or user agent (UA) in the obvious attack log.
  4. The method according to claim 1, characterized in that the method further comprises:
    sending the attack information of other websites to each web server, so that each website optimizes its own anomaly model according to the attack information of other websites.
  5. The method according to claim 1, characterized in that the method further comprises:
    classifying the websites according to a preset classification condition.
  6. The method according to claim 5, characterized in that looking up the target website logs produced when the attack source accessed all web servers comprises:
    looking up the target website logs produced when the attack source accessed the current web server and similar web servers, a similar web server being the server of a website in the same category as the current website.
  7. The method according to claim 5, characterized in that matching the target website logs against the anomaly model comprises:
    matching the target website log against the anomaly model of the corresponding website, wherein similar websites use the same anomaly model.
  8. The method according to claim 1, characterized in that, if an obvious attack log and/or the hidden attack log is detected, the method further comprises:
    compiling statistics on and analysing the attack information of the attacks carried out by the attack source against all web servers;
    predicting, from the analysis result, the attack information of the attacks the attack source will carry out against each web server in the future, and sending each web server the attack information that concerns it.
  9. The method according to claim 1, characterized in that the method further comprises:
    compiling statistics on the attack information of all attack sources detected across the websites;
    sending each web server the attack information of all attack sources detected across the websites.
  10. The method according to any one of claims 1 to 9, characterized in that the anomaly model is set according to a preset dedicated configuration analysis policy.
  11. A cloud-based website log security analysis apparatus, characterized in that the apparatus comprises:
    an acquiring unit, configured for a cloud platform to obtain, in real time, the latest website log recorded on the current web server side;
    a matching unit, configured to match the latest website log obtained by the acquiring unit against a strong rule, the strong rule being a rule that rigidly stipulates that a certain website log is an attack log;
    a determining unit, configured to determine that the latest website log is an obvious attack log when the matching result of the matching unit is that the latest website log matches the strong rule;
    the determining unit being further configured to determine an attack source from the obvious attack log;
    a searching unit, configured to look up the target website logs produced when the attack source determined by the determining unit accessed all web servers;
    the matching unit being configured to match the target website logs found by the searching unit against an anomaly model;
    the determining unit being further configured to determine that the target website log corresponding to the attack source is a hidden attack log when the matching result of the matching unit is that the target website log matches the anomaly model.
  12. The apparatus according to claim 11, characterized in that the determining unit comprises:
    a searching module, configured to look up a preset identifier in the obvious attack log;
    a determining module, configured to determine the Internet Protocol (IP) address corresponding to the preset identifier found by the searching module as the attack source.
  13. The apparatus according to claim 12, characterized in that the searching module is configured to look up the Cookie and/or user agent (UA) in the obvious attack log.
  14. The apparatus according to claim 11, characterized in that the apparatus further comprises:
    a first sending unit, configured to send the attack information of other websites to each web server, so that each website optimizes its own anomaly model according to the attack information of other websites.
  15. The apparatus according to claim 11, characterized in that the apparatus further comprises:
    a classifying unit, configured to classify the websites according to a preset classification condition.
  16. The apparatus according to claim 15, characterized in that the searching unit is configured to look up the target website logs produced when the attack source accessed the current web server and similar web servers, a similar web server being the server of a website in the same category as the current website.
  17. The apparatus according to claim 15, characterized in that the matching unit is further configured to match the target website log against the anomaly model of the corresponding website, wherein similar websites use the same anomaly model.
  18. The apparatus according to claim 11, characterized in that the apparatus further comprises:
    a first statistics unit, configured to compile statistics on and analyse the attack information of the attacks carried out by the attack source against all web servers;
    a predicting unit, configured to predict, from the analysis result of the first statistics unit, the attack information of the attacks the attack source will carry out against each web server in the future, and to send each web server the attack information that concerns it.
  19. The apparatus according to claim 11, characterized in that the apparatus further comprises:
    a second statistics unit, configured to compile statistics on the attack information of all attack sources detected across the websites;
    a second sending unit, configured to send each web server the attack information, compiled by the second statistics unit, of all attack sources detected across the websites.
  20. The apparatus according to any one of claims 11 to 19, characterized in that the anomaly model matched by the matching unit is set according to a preset dedicated configuration analysis policy.
  21. A cloud-based website log security analysis system, characterized in that the system comprises a cloud platform and a web server, wherein the cloud platform comprises the apparatus according to any one of claims 11 to 20;
    the web server is configured to report the locally recorded latest website log to the cloud platform in real time.
CN201510375392.4A 2015-06-30 2015-06-30 Web log file safety analytical method based on cloud, device and system Active CN104954188B (en)


Publications (2)

Publication Number Publication Date
CN104954188A CN104954188A (en) 2015-09-30
CN104954188B true CN104954188B (en) 2018-05-01

Family

ID=54168562

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510375392.4A Active CN104954188B (en) 2015-06-30 2015-06-30 Web log file safety analytical method based on cloud, device and system

Country Status (1)

Country Link
CN (1) CN104954188B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106571971B (en) * 2015-10-08 2020-12-29 阿里巴巴集团控股有限公司 Method, device and system for detecting vacant website
CN105554007B (en) * 2015-12-25 2019-01-04 北京奇虎科技有限公司 A kind of web method for detecting abnormality and device
CN105827627A (en) * 2016-04-29 2016-08-03 北京网康科技有限公司 Method and apparatus for acquiring information
CN106027554A (en) * 2016-06-30 2016-10-12 北京网康科技有限公司 Hacker tool mining method, device and system
CN107707513B (en) * 2017-01-10 2019-05-17 北京数安鑫云信息技术有限公司 A kind of method and device of defending against network attacks
CN108512806A (en) * 2017-02-24 2018-09-07 中国移动通信集团公司 A kind of operation behavior analysis method and server based on virtual environment
CN107707516B (en) * 2017-04-01 2018-11-13 贵州白山云科技有限公司 A kind of IP address analysis method and system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8601586B1 (en) * 2008-03-24 2013-12-03 Google Inc. Method and system for detecting web application vulnerabilities
CN103746987A (en) * 2013-12-31 2014-04-23 东软集团股份有限公司 Method and system for detecting DoS attack in semantic Web application
CN104113519A (en) * 2013-04-16 2014-10-22 阿里巴巴集团控股有限公司 Network attack detection method and device thereof
CN104601556A (en) * 2014-12-30 2015-05-06 中国科学院信息工程研究所 Attack detection method and system for WEB

Also Published As

Publication number Publication date
CN104954188A (en) 2015-09-30

Similar Documents

Publication Publication Date Title
CN104954188B (en) Web log file safety analytical method based on cloud, device and system
US11792229B2 (en) AI-driven defensive cybersecurity strategy analysis and recommendation system
CN104901975B (en) Web log file safety analytical method, device and gateway
US20200296137A1 (en) Cybersecurity profiling and rating using active and passive external reconnaissance
US20220210200A1 (en) Ai-driven defensive cybersecurity strategy analysis and recommendation system
US11218499B2 (en) Network anomaly detection and profiling
US9154516B1 (en) Detecting risky network communications based on evaluation using normal and abnormal behavior profiles
US9838407B1 (en) Detection of malicious web activity in enterprise computer networks
CN107465651B (en) Network attack detection method and device
CN108696473B (en) Attack path restoration method and device
US9462009B1 (en) Detecting risky domains
Ni et al. Real‐time detection of application‐layer DDoS attack using time series analysis
CN110620759A (en) Network security event hazard index evaluation method and system based on multidimensional correlation
CN104935601B (en) Web log file safety analytical method based on cloud, apparatus and system
CN103701793B (en) The recognition methods of server broiler chicken and device
CN105491053A (en) Web malicious code detection method and system
US20210360032A1 (en) Cybersecurity risk analysis and anomaly detection using active and passive external reconnaissance
CN103714119B (en) A kind for the treatment of method and apparatus of browser data
US20220014561A1 (en) System and methods for automated internet-scale web application vulnerability scanning and enhanced security profiling
CN105959371A (en) Webpage sharing system
US9621576B1 (en) Detecting malicious websites
CN103905372A (en) Method and device for removing false alarm of phishing website
CN105490925A (en) Verification method and apparatus of information validity
Marchal et al. On designing and evaluating phishing webpage detection techniques for the real world
CN105430001A (en) Detecting method, terminal device, server and system of APT (Advanced Persistent Threat) attack

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C41 Transfer of patent application or patent right or utility model
TA01 Transfer of patent application right

Effective date of registration: 20170113

Address after: 100015 Chaoyang District Road, Jiuxianqiao, No. 10, building No. 3, floor 15, floor 17, 1701-26,

Applicant after: BEIJING QIANXIN TECHNOLOGY Co.,Ltd.

Address before: 100088 Beijing city Xicheng District Xinjiekouwai Street 28, block D room 112 (Desheng Park)

Applicant before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

GR01 Patent grant
CP03 Change of name, title or address

Address after: 100088 Building 3 332, 102, 28 Xinjiekouwai Street, Xicheng District, Beijing

Patentee after: QAX Technology Group Inc.

Address before: 100015 15, 17 floor 1701-26, 3 building, 10 Jiuxianqiao Road, Chaoyang District, Beijing.

Patentee before: BEIJING QIANXIN TECHNOLOGY Co.,Ltd.
