CN105119735B - A kind of method and apparatus for determining discharge pattern - Google Patents
A kind of method and apparatus for determining discharge pattern Download PDFInfo
- Publication number
- CN105119735B CN105119735B CN201510417436.5A CN201510417436A CN105119735B CN 105119735 B CN105119735 B CN 105119735B CN 201510417436 A CN201510417436 A CN 201510417436A CN 105119735 B CN105119735 B CN 105119735B
- Authority
- CN
- China
- Prior art keywords
- flow
- business
- recognition rule
- score value
- daily record
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/06—Management of faults, events, alarms or notifications
- H04L41/069—Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/32—Specific management aspects for broadband networks
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The present invention provides a kind of method and apparatus for identifying discharge pattern, wherein, this method includes the following steps:Based on business relevant dimension, daily record is analyzed to determine flow recognition rule;Based on the flow recognition rule, the score value of flow is determined;Based on the score value and threshold value, the type of the flow is determined.Compared with prior art, the present invention can be based on business relevant dimension, flow recognition rule is determined by being analyzed daily record, and determine newly to arrive the score value of flow in real time based on flow recognition rule, so as to determine the type of the flow based on the score value and threshold value.The solution of the present invention can effectively identify discharge pattern, be conducive to server end and correctly handle different types of flow, to reduce the influence caused by flow attack etc., improve user experience.
Description
Technical field
The present invention relates to computer network field more particularly to a kind of method and apparatus for determining discharge pattern.
Background technology
With popularizing for network application, people are interacted provided by the server to obtain by network with server end
Service becomes increasingly prevalent.For server, typically a certain number of users provide clothes simultaneously by network
Business.It accesses except server except through manual operation approach, Connection Service device and can also be grasped automatically there are certain
The software of work.For server, need to handle the artificial flow from ordinary user and the machine from such as software
Flow.However when software existing defects or the intention with malicious attack, the flow for accessing server may be caused to increase suddenly,
Flow attack is caused to server-side system, in some instances it may even be possible to influence server and provide a user service.Therefore, how flow is identified
Type carries out different disposal, such as machine flow and artificial flow are carried out at shunting so as to be directed to different flow type
Reason, is a good problem to study.
Invention content
The object of the present invention is to provide a kind of method and apparatus for identifying discharge pattern.
According to an aspect of the present invention, a kind of method for identifying discharge pattern is provided, wherein, this method include with
Lower step:
Based on business relevant dimension, daily record is analyzed to determine flow recognition rule;
Based on the flow recognition rule, the score value of flow is determined;
Based on the score value and threshold value, the type of the flow is determined.
According to another aspect of the present invention, a kind of device for being used to identify discharge pattern is provided, wherein, described device packet
It includes:
It is used to that based on business relevant dimension, daily record to be analyzed to determine the device of flow recognition rule;
It is used to, based on the flow recognition rule, determine the device of the score value of flow;
It is used to, based on the score value and threshold value, determine the device of the type of the flow.
Compared with prior art, the present invention can be based on business relevant dimension, and stream is determined by being analyzed daily record
Recognition rule is measured, and determine newly to arrive the score value of flow in real time based on flow recognition rule, so as to based on the score value and threshold value
To determine the type of the flow.The solution of the present invention can effectively identify discharge pattern, be conducive to server end and correctly handle not
The flow of same type to reduce the influence caused by flow attack etc., improves user experience.
Description of the drawings
By reading the detailed description made to non-limiting example made with reference to the following drawings, of the invention is other
Feature, objects and advantages will become more apparent upon:
Fig. 1 shows the flow chart for being used to identify the method for discharge pattern of the embodiment according to one aspect of the invention;
Fig. 2 shows embodiments according to a further aspect of the present invention for identifying the schematic diagram of the device of discharge pattern.
The same or similar reference numeral represents the same or similar component in attached drawing.
Specific embodiment
It should be mentioned that some exemplary embodiments are described as before exemplary embodiment is discussed in greater detail
The processing described as flow chart or method.Although operations are described as the processing of sequence by flow chart, therein to be permitted
Multioperation can be implemented concurrently, concomitantly or simultaneously.In addition, the sequence of operations can be rearranged.When it
The processing can be terminated when operation is completed, it is also possible to have the additional step being not included in attached drawing.The processing
It can correspond to method, function, regulation, subroutine, subprogram etc..
Alleged within a context " computer equipment ", also referred to as " computer ", referring to can be by running preset program or referring to
Enable performing the intelligent electronic device of the predetermined process process such as numerical computations and/or logical calculated, can include processor with
Memory, instructed by the survival that prestores in memory of processor execution perform predetermined process process or by ASIC,
The hardware such as FPGA, DSP perform predetermined process process or are realized by said two devices combination.Computer equipment includes but unlimited
In server, PC, laptop, tablet computer, smart mobile phone etc..
The computer equipment includes user equipment and the network equipment.Wherein, the user equipment includes but not limited to electricity
Brain, smart mobile phone, PDA etc.;The network equipment includes but not limited to single network server, multiple network servers form
Server group or the cloud being made of a large amount of computers or network server based on cloud computing (Cloud Computing), wherein,
Cloud computing is one kind of Distributed Calculation, a super virtual computer being made of the computer collection of a group loose couplings.Its
In, the computer equipment can isolated operation realize the present invention, also can access network and by with other calculating in network
The present invention is realized in the interactive operation of machine equipment.Wherein, the network residing for the computer equipment include but not limited to internet,
Wide area network, Metropolitan Area Network (MAN), LAN, VPN network etc..
It should be noted that the user equipment, the network equipment and network etc. are only for example, other are existing or from now on may be used
The computer equipment or network that can occur such as are applicable to the present invention, should also be included within the scope of the present invention, and to draw
It is incorporated herein with mode.
Method (some of them are illustrated by flow) discussed hereafter can be by hardware, software, firmware, centre
Part, microcode, hardware description language or its arbitrary combination are implemented.Implement when with software, firmware, middleware or microcode
When, to implement the program code of necessary task or code segment can be stored in machine or computer-readable medium and (for example deposit
Storage media) in.(one or more) processor can implement necessary task.
Specific structure and function details disclosed herein are only representative, and are for describing showing for the present invention
The purpose of example property embodiment.But the present invention can be implemented, and be not interpreted as by many alternative forms
It is limited only by the embodiments set forth herein.
Although it should be understood that may have been used term " first ", " second " etc. herein to describe each unit,
But these units should not be limited by these terms.The use of these items is only for by a unit and another unit
It distinguishes.For example, in the case of the range without departing substantially from exemplary embodiment, it is single that first unit can be referred to as second
Member, and similarly second unit can be referred to as first unit.Term "and/or" used herein above include one of them or
The arbitrary and all combination of more listed associated items.
It should be understood that when a unit is referred to as " connecting " or during " coupled " to another unit, can directly connect
It connects or is coupled to another unit or there may be temporary location.In contrast, when a unit is referred to as " directly connecting
Connect " or " direct-coupling " to another unit when, then there is no temporary locations.It should explain in a comparable manner and be used to retouch
State the relationship between unit other words (such as " between being in ... " compared to " between being directly in ... ", " and with ... it is adjacent
Closely " compared to " with ... be directly adjacent to " etc.).
Term used herein above is not intended to limit exemplary embodiment just for the sake of description specific embodiment.Unless
Context clearly refers else, otherwise singulative used herein above "one", " one " also attempt to include plural number.Should also
When understanding, term " comprising " and/or "comprising" used herein above provide stated feature, integer, step, operation,
The presence of unit and/or component, and do not preclude the presence or addition of other one or more features, integer, step, operation, unit,
Component and/or a combination thereof.
It should further be mentioned that in some replaces realization modes, the function/action being previously mentioned can be according to different from attached
The sequence indicated in figure occurs.For example, depending on involved function/action, the two width figures shown in succession actually may be used
Substantially simultaneously to perform or can perform in a reverse order sometimes.
The present invention is described in further detail below in conjunction with the accompanying drawings.
Fig. 1 shows the flow chart for being used to identify the method for discharge pattern of the embodiment according to one aspect of the invention.
Wherein, the method for the present embodiment is mainly realized by the network equipment;The network equipment includes but not limited to single
A network server, multiple network servers composition server group or based on cloud computing (Cloud Computing) by big
The cloud that computer or network server are formed is measured, wherein, cloud computing is one kind of Distributed Calculation, by the meter of a group loose couplings
One super virtual computer of calculation machine collection composition.
It should be noted that the network equipment is only for example, other network equipments that are existing or being likely to occur from now on
The present invention is such as applicable to, should also be included within the scope of the present invention, and is incorporated herein by reference.
First, in step s 11, business relevant dimension can be based on, daily record is analyzed to determine flow recognition rule.
Herein, flow means to access any network flow of server by network.
Business relevant dimension means with user access server with the relevant dimension of the business carried out.Wherein, business means
The various types of services or the various types of tasks that can be completed that server is capable of providing.Such as shopping at network service
Device, the business that can be provided are, for example, the business such as login, inquiry, purchase.It, can be in another example for promotion server of bidding
It is, for example, the business such as login, inquiry, price adjustment to promote the business that quotient provides.It will be understood by those skilled in the art that herein, for business
Associated description be merely illustrative and non-limiting description, there are other various businesses without departing from the present invention spirit or model
Farmland, and be incorporated herein by reference.
In one embodiment, business relevant dimension include it is following at least any one:
User identifier;
Type of service;
Business performs step;
Business performs frequency;
Service executing result;
Business performs the time;
Region where user.
Wherein, user identifier refers to the mark with the relevant user of the business, such as user name, User ID etc..For example, for
Registering service, user identifier can be the user name for the user for performing registering service.
Type of service refers to the concrete type of the business, such as registering service, price adjustment business etc..
Business performs each step performed by step fingering row business, may also include the sequence of each step.Example
Business such as certain user execution price adjustment business performs step and is:Click " price adjustment " button->The input price adjustment amount of money->It clicks " determining "
Button.
Business performs frequency and refers to the frequency for performing certain business namely the number for performing certain business within a certain period of time.
Service executing result refer to perform certain business as a result, such as running succeeded, perform unsuccessfully.Service executing result is also
It can include the implementing result that each business performs step.
Business performs the time or period for the time referring to certain business of execution.The business execution time, which may also include, performs certain business
Duration.
Region where user refers to the user present position/region for performing certain business.Region where user may also include the use
Family switches to the information in other positions/region.
It will be understood by those skilled in the art that herein, the associated description of business relevant dimension is merely illustrative rather than limited
Qualitative description there are other various businesses relevant dimensions without departing from the spirit or scope of the present invention, and wraps by reference
Contained in this.
Herein, daily record can be any kind of daily record.For example, daily record may include the access access day of server end
Will, the business that may also include server end perform correlation log etc..In general, can include accessing the flow of server in daily record
Various relevant informations.
In step s 11, specifically, can be based on any one of or appoint multinomial business relevant dimension, daily record is analyzed with
Determine flow recognition rule.
For example, daily record can be analyzed to determine flow recognition rule based on this business relevant dimension of user identifier.
For example, flow associated with each user in daily record can be counted respectively according to user identifier.For in a timing
Between in section its flow be more than a certain threshold value user, such as user A, it may be determined that flow recognition rule is R1:Stream from user A
Amount, score value 1;And within the period its flow be less than the other users of a certain threshold value, it may be determined that flow identifies
Rule is R2:Flow from other users, score value 0.
For another example, user identifier and type of service this two business relevant dimensions can be based on, daily record is analyzed with true
Constant flow recognition rule.It for example, can be according to user identifier and type of service to the various businesses class with each user in daily record
The associated flow of type is counted respectively.In the case of the flow is more than a certain threshold value in certain period of time, such as with
The flow of the type of service X of family A, it may be determined that flow recognition rule is R1:The flow of type of service X from user A, score value
It is 1;In the case of the flow is less than a certain threshold value in certain period of time, such as the flow of the type of service Y of user B,
Can determine flow recognition rule is R2:The flow of type of service Y from user B, score value 0.
For another example, user identifier and business can be based on and perform step this two business relevant dimensions, daily record is analyzed
To determine flow recognition rule.For example, it can come first according to user identifier respectively to stream associated with each user in daily record
Amount is counted.Then in certain period of time its traffic statistics value be more than a certain threshold value user, such as user A, point
Analysis daily record in the user A business perform step whether meet predetermined rule, such as analyze the user A whether perform repeatedly it is certain
Business perform step, such as perform repeatedly click " price adjustment " button->The input price adjustment amount of money->Click " determining " button.As existed
The above situation, then can determine flow recognition rule is R1:Flow from user A, score value 1.
For another example, daily record can be analyzed to determine that flow identifies based on this business relevant dimension of business execution frequency
Rule.For example, can be counted to each business recorded in daily record, and analyze the execution frequency for obtaining each business.It is right
In business of the execution frequency more than certain a certain threshold value, such as business X, it may be determined that flow recognition rule is R1:For business X phases
The flow of pass, score value 1.
For another example, daily record can be analyzed to determine that flow identifies based on this business relevant dimension of service executing result
Rule.For example, can be counted to each business recorded in daily record, and analyze the implementing result for obtaining each business.It is right
It is more than unsuccessfully a certain proportion of business in performing within a certain period of time, such as business Y, it may be determined that flow recognition rule is R1:It is right
In the relevant flows of business Y, score value 1.
For another example, business can be based on and perform frequency and this two business relevant dimensions of business execution time, daily record is carried out
Analysis is with determining flow recognition rule.For example, can be counted first to each business recorded in daily record, and analyze and obtain
The execution frequency of each business.Then for performing the business that frequency is more than a certain threshold value, such as business X, daily record can be carried out
It analyzes and the distribution situation of time is performed with the business for obtaining the business.If it exceeds during the execution of the business X of certain proportion threshold value
Between be in a certain threshold time period, such as 7:00AM-7:15AM, then can determine flow recognition rule is R1:For business X
Relevant flow, if current time is 7:00AM-7:Between 15AM, score value 1, otherwise its score value is 0.
For another example, this two business relevant dimensions of region where being based on user identifier and user, analyze daily record
To determine flow recognition rule.For example, it can come first according to user identifier respectively to stream associated with each user in daily record
Amount is counted.For in certain period of time its flow be more than a certain threshold value user, such as user A, it may be determined that flow is known
Rule is not R1:Flow from user A, score value 1;And within the period its flow be less than a certain threshold value
User, such as user B, it may be determined that flow recognition rule is R2:Flow from user B, score value 0.Then day can be analyzed
Will to count in certain period of time, each user whether from multiple regions come access and multiple region between
Whether distance is more than a certain threshold value.For user of the distance more than a certain threshold value, such as user A, it may be determined that flow identification rule
It is then R3:Flow from user A, score value 1;And for the distance and it is less than the user of the threshold value, such as user B,
Can determine flow recognition rule is R4:Flow from user B, score value 0.
It will be understood by those skilled in the art that herein, for being based on business relevant dimension, daily record is analyzed to determine stream
The associated description of amount recognition rule is merely illustrative and non-limiting description, there are various other ways without departing from the present invention's
Spirit or scope, and be incorporated herein by reference.
In a preferred embodiment, business relevant dimension and the unrelated dimension of business are also based on, daily record is carried out
Analysis is with determining flow recognition rule.
Herein, the unrelated dimension of business means with accessing server with the unrelated dimension of the business carried out.In one embodiment
In, the unrelated dimension of business includes any one of following:
Visitor's IP address;
Visitor user agent;
Target URL;
Browser type used in visitor;
Visitor's source-information.
Herein, visitor's IP address mean access server flow from IP address.
Visitor user agent mean access server flow from user agent (User Agent).
Target URL means the visitor URL to be accessed.
Browser type used in visitor means visitor using which type of browser, such as Firefox,
Chrome etc., to access server.
Visitor's source-information means the traffic source of visitor, for example, flow from source station address.
Specifically, one or more business relevant dimensions and the unrelated dimension of one or more business can be based on, to day
Will is analyzed to determine flow recognition rule.
In one embodiment, business relevant dimension dimension unrelated with business can be combined, daily record is analyzed
To determine one or more flow recognition rule.For example, first can according to type of service in daily record with various businesses type
Associated discharge record is counted to determine that its flow is more than the service class of a certain threshold value in certain period of time respectively
Type.Then, for above-mentioned type of service, such as type of service X, can come according to the unrelated dimension of this business of visitor's IP address pair
The discharge record of type of service X is counted.If from some visitor's IP address, such as 58.33.19.88, service class
The flow of type X is more than a certain threshold value, then can determine discharge pattern recognition rule R1:For the service class from 58.33.19.88
The flow of type X, score value 1.
In another embodiment, business relevant dimension dimension unrelated with business can be based respectively on, daily record is analyzed
To determine one or more flow recognition rule.That is, method that can be as described above, based on business relevant dimension to daily record
It is analyzed to determine one or more flow recognition rule.And daily record is analyzed based on business unrelated dimension to determine one
Item or a plurality of flow recognition rule.
For example, method that can be as described above, based on business relevant dimension, determines regular R1:For business X correlations
Flow, if current time is 7:00AM-7:Between 15AM, score value 1, otherwise its score value is 0.And visitor can be based on and used
The unrelated dimension of this business is acted on behalf of at family, and the discharge record in daily record is counted according to each visitor user agent.
If from some visitor user agent, such as 58.33.19.88, flow be more than a certain threshold value, then can determine class of traffic
Type recognition rule R2:For the flow of the type of service X from 58.33.19.88, score value 1.It may also be combined with visitor IP
Address, target URL, the unrelated dimension of the business such as browser type and visitor's source-information used in visitor, to daily record
It is analyzed.For example, for coming from some visitor's IP address, such as 58.11.22.33, flow be more than a certain threshold value, and
And ratio of the flow from 58.11.22.33 from certain browser is higher than a certain threshold value, and its target URL is largely
Same URL, and visitor's source-information is certain website W, then can determine discharge pattern recognition rule R3:For coming from
58.11.22.33 flow, score value 1.
It will be understood by those skilled in the art that herein, for being based on business relevant dimension and the unrelated dimension of business, to daily record
It is analyzed and is merely illustrative and non-limiting description with the associated description for determining flow recognition rule, there are various other ways
Without departing from the spirit or scope of the present invention, and it is incorporated herein by reference.
It is moreover observed that each threshold value described above can be preset or can also be according to actual needs respectively
To adjust into Mobile state respectively.
In a preferred embodiment, the first business relevant dimension can be primarily based on, to the day in the range of first time
Will is analyzed to determine first flow recognition rule;Then based on the second business relevant dimension, in the second time range
Daily record is analyzed to determine second flow recognition rule;Then to the first flow recognition rule and the second flow
Recognition rule is weighted processing to determine flow recognition rule.
Herein, the first business relevant dimension can be identical or different with the second business relevant dimension.For example, the first industry
Business relevant dimension can be type of service, and the second business relevant dimension can be business execution frequency.
It may range from the time model such as 1 day in the past, past 1 week with relatively long time span at the first time
It encloses.Second time range can be such as nearest 5 minutes, it is 10 minutes nearest comparatively real-time time range.
It will be understood by those skilled in the art that herein, for the first business relevant dimension, the second business relevant dimension, first
Time range, the associated description of the second time range are merely illustrative and non-limiting description, and there are other various realization methods
Without departing from the spirit or scope of the present invention, and it is incorporated herein by reference.
Specifically, method that can be as described above is based on the first business relevant dimension, in the range of first time
Daily record is analyzed, and determines first flow recognition rule, for example,:
R1:For the relevant flows of business X from user A, score value 1, otherwise its score value is 0.
R2:For the relevant flows of business X from 58.11.22.33, score value 1, otherwise its score value is 0.
And can be as described above method be based on the second business relevant dimension, in the second time range daily record carry out
Analysis is to determine second flow recognition rule, for example,:
R3:For the relevant flows of business X from user A, score value 1, otherwise its score value is 0.
R4:For the relevant flows of business Y, score value 1, otherwise its score value is 0.
Herein, second flow recognition rule R3 is identical with first flow recognition rule R1.
Then, processing is weighted to the first flow recognition rule and the second flow recognition rule to determine
Flow recognition rule.In an example, the weights of first flow recognition rule and second flow recognition rule can be set, such as
Respectively 0.5 and 1.After being then weighted processing to above-mentioned first flow recognition rule and second flow recognition rule, determine
Flow recognition rule is:
R1:For the relevant flows of business X from user A, score value is 1.5 (namely 1x0.5+1x1), otherwise its point
Be worth is 0.
R2:For the relevant flows of business X from 58.11.22.33, score value is 0.5 (namely 1x0.5), otherwise its
Score value is 0.
R3:For the relevant flows of business Y, score value is 1 (namely 1x1), and otherwise its score value is 0.
It will be understood by those skilled in the art that herein, for the first flow recognition rule and the second flow
Recognition rule is weighted processing to determine that the associated description of flow recognition rule is merely illustrative and non-limiting description, exists
Other various realization methods are incorporated herein by reference without departing from spirit or scope of the invention.
Then, in step s 12, flow recognition rule can be based on, to determine the score value of flow.It specifically, can be according to stream
Recognition rule is measured to check flow, for can correspondingly set its point with the matched flow of flow recognition rule
Value.For example, flow recognition rule is R1:For the flow of the type of service X from 58.33.19.88, score value 1.Then may be used
Flow is checked whether from 58.33.19.88, whether the type of service of the flow is X, if so, then the flow is advised with flow identification
Then R1 is matched, then the score value of the flow is set as 1.
In a preferred embodiment, the one or more flow recognition rule can be based on, determine one of flow or
Multiple first score values, wherein each first score value is corresponding with each flow recognition rule respectively;It then can be to the flow
One or more first score values are weighted processing to determine the score value of the flow.
For example it is assumed that identified flow recognition rule includes in step s 11:
R1:For the flow of type of service X, if current time is 7:00AM-7:Between 15AM, score value 1, otherwise its
Score value is 0.
R2:For the flow of the type of service X from 58.33.19.88, score value 1.
R3:For the flow from 58.11.22.33, score value 1.
R4:For other flows, score value 0.
Then flow is checked based on above-mentioned each flow recognition rule, for can be with certain flow recognition rule
Matched flow can correspondingly set itself and corresponding first score value of the flow recognition rule.
For example, detect the flow that flow is type of service X, and current time is 7:05AM, then itself and flow identify
Regular R1 matchings, and it is 1 that can set with corresponding first score values of R1.In addition, also detect that the flow comes from
58.33.19.88, then it is 1 that can set with corresponding first score values of R2.Then can to above-mentioned first score value of the flow into
Row weighting processing is with the score value of the determining flow.In an example, the weights of each flow recognition rule can be set, then can be pressed
Summation is weighted to each first score value according to weights.For example, the weights of above-mentioned flow recognition rule R1 can be set as 2, R2's
Weights are 0.5.The score value that then can determine the flow is 1x2+1x0.5=2.5.
Herein, the weights of flow recognition rule can dynamically be set or can be preset in S11 steps, may be used also
To carry out dynamic regulation according to actual needs.
Then, in step s 13, the score value and threshold value can be based on, determines the type of the flow.Herein, threshold value can be by
It presets, dynamic regulation can also be carried out according to actual needs.
Herein, the type of flow can include following any:
Machine flow;
Artificial flow;
Abnormal flow;
Common discharge.
Wherein, machine flow namely from flow caused by the unartificial operation such as software.Abnormal flow refers to such as malice
Attack traffic etc. may lead to the flow of exception or performance issue.
For example, it is assumed that threshold value is 2.Then when the score value is more than or equal to 2, it may be determined that the type of the flow is machine flow;
When the score value is less than 2, it may be determined that the flow is artificial flow.
For another example, it is assumed that threshold value includes the second threshold that the first threshold that value is 2 and value are 5.Then when the score value be more than etc.
When second threshold 5, it may be determined that the type of the flow is abnormal flow;When the score value is more than or equal to first threshold 2, but less than the
During two threshold values 5, it may be determined that the type of the flow is machine flow;When the score value is less than first threshold 2, it may be determined that the flow
Type is common discharge.
It will be understood by those skilled in the art that herein, for being based on score value and threshold value, determine that the correlation of the type of the flow is retouched
It states and is merely illustrative and non-limiting description, there are other various realization methods without departing from the spirit or scope of the present invention, and
It is incorporated herein by reference.
In one embodiment, the type of flow is also based on, shunting processing is carried out to flow.For example, can will not
The flow of same type is respectively sent to different servers to be handled, such as the flow of machine type is sent to server
The flow of machine type is sent to server S 2 to handle by S1, thus by the isolation of different types of flow, to reduce
Influence to each other.In another example the flow of Exception Type can be shielded, so as to which it be avoided to influence for other types stream
The service of amount.
It will be understood by those skilled in the art that herein, for the type based on flow, the correlation of shunting processing is carried out to flow
Description be merely illustrative and non-limiting description, there are other various realization methods without departing from the present invention spirit or scope,
And it is incorporated herein by reference.
In another embodiment, daily record can also be obtained, and processing is formatted to the daily record.For example, it can pass through
Special interface obtains daily record, and be formatted processing by network, so as to can subsequently be carried out to formatted daily record
Analysis is in order to determining flow recognition rule.
Fig. 2 shows embodiments according to a further aspect of the present invention for identifying the schematic diagram of the device of discharge pattern.
As shown in Fig. 2, this is used to identify that the device of discharge pattern includes being used for based on business relevant dimension, daily record is analyzed with true
The device 21 of constant flow recognition rule, the hereinafter referred to as first regular determining device 21;For being based on the flow recognition rule, really
The device 22 of the score value of constant flow, hereinafter referred to as the first determining device 22;And for being based on the score value and threshold value, determine institute
State the device 23 of the type of flow, hereinafter referred to as type determination device 23.
The device of the present embodiment is mainly realized in the network device;The network equipment includes but not limited to single network clothes
Be engaged in device, multiple network servers composition server group or based on cloud computing (Cloud Computing) by a large amount of computers
Or the cloud that network server is formed, wherein, cloud computing is one kind of Distributed Calculation, by the computer collection group of a group loose couplings
Into a super virtual computer.
It should be noted that the network equipment is only for example, other network equipments that are existing or being likely to occur from now on
The present invention is such as applicable to, should also be included within the scope of the present invention, and is incorporated herein by reference.
First, the first regular determining device 21 can be based on business relevant dimension, and daily record is analyzed to determine that flow is known
Not rule.
Herein, flow means to access any network flow of server by network.
Business relevant dimension means with user access server with the relevant dimension of the business carried out.Wherein, business means
The various types of services or the various types of tasks that can be completed that server is capable of providing.Such as shopping at network service
Device, the business that can be provided are, for example, the business such as login, inquiry, purchase.It, can be in another example for promotion server of bidding
It is, for example, the business such as login, inquiry, price adjustment to promote the business that quotient provides.It will be understood by those skilled in the art that herein, for business
Associated description be merely illustrative and non-limiting description, there are other various businesses without departing from the present invention spirit or model
Farmland, and be incorporated herein by reference.
In one embodiment, business relevant dimension include it is following at least any one:
User identifier;
Type of service;
Business performs step;
Business performs frequency;
Service executing result;
Business performs the time;
Region where user.
Wherein, user identifier refers to the mark with the relevant user of the business, such as user name, User ID etc..For example, for
Registering service, user identifier can be the user name for the user for performing registering service.
Type of service refers to the concrete type of the business, such as registering service, price adjustment business etc..
Business performs each step performed by step fingering row business, may also include the sequence of each step.Example
Business such as certain user execution price adjustment business performs step and is:Click " price adjustment " button->The input price adjustment amount of money->It clicks " determining "
Button.
Business performs frequency and refers to the frequency for performing certain business namely the number for performing certain business within a certain period of time.
Service executing result refer to perform certain business as a result, such as running succeeded, perform unsuccessfully.Service executing result is also
It can include the implementing result that each business performs step.
Business performs the time or period for the time referring to certain business of execution.The business execution time, which may also include, performs certain business
Duration.
Region where user refers to the user present position/region for performing certain business.Region where user may also include the use
Family switches to the information in other positions/region.
It will be understood by those skilled in the art that herein, the associated description of business relevant dimension is merely illustrative rather than limited
Qualitative description there are other various businesses relevant dimensions without departing from the spirit or scope of the present invention, and wraps by reference
Contained in this.
Herein, daily record can be any kind of daily record.For example, daily record may include the access access day of server end
Will, the business that may also include server end perform correlation log etc..In general, can include accessing the flow of server in daily record
Various relevant informations.
Specifically, the first regular determining device 21 can be based on any one or appoint multinomial business relevant dimension, and daily record is carried out
Analysis is with determining flow recognition rule.
For example, the first regular determining device 21 can be analyzed daily record based on this business relevant dimension of user identifier
To determine flow recognition rule.For example, the first regular determining device 21 can come according to user identifier respectively in daily record with it is each
The associated flow of user is counted.For in certain period of time its flow be more than a certain threshold value user, such as user
A, the first regular determining device 21 can determine that flow recognition rule is R1:Flow from user A, score value 1;And for
Its flow is less than the other users of a certain threshold value in the period, and the first regular determining device 21 can determine flow recognition rule
For R2:Flow from other users, score value 0.
For another example, the first regular determining device 21 can be based on user identifier and type of service this two business relevant dimensions,
Daily record is analyzed to determine flow recognition rule.For example, the first regular determining device 21 can be according to user identifier and industry
Service type counts flow associated with the various businesses type of each user in daily record respectively.For in certain time
The flow is more than the situation of a certain threshold value in section, such as the flow of the type of service X of user A, the first regular determining device 21 can
It is R1 to determine flow recognition rule:The flow of type of service X from user A, score value 1;For in certain period of time
The flow is less than the situation of a certain threshold value, such as the flow of the type of service Y of user B, and the first regular determining device 21 can be true
Constant flow recognition rule is R2:The flow of type of service Y from user B, score value 0.
For another example, the first regular determining device 21 can be based on user identifier and business performs step this two business correlations dimensions
Degree analyzes daily record to determine flow recognition rule.For example, the first first regular determining device 21 can be according to user identifier
To be counted respectively to flow associated with each user in daily record.Then for its traffic statistics in certain period of time
It is worth the user more than a certain threshold value, such as user A, the business that the first regular determining device 21 analyzes the user A in daily record perform
Whether step meets predetermined rule, such as analyzes whether the user A performs certain business execution steps repeatedly, such as performs repeatedly
Click " price adjustment " button->The input price adjustment amount of money->Click " determining " button.Such as there are the above situations, then the first rule is determining fills
It puts 21 and can determine that flow recognition rule is R1:Flow from user A, score value 1.
For another example, the first regular determining device 21 can carry out daily record based on this business relevant dimension of business execution frequency
Analysis is with determining flow recognition rule.For example, the first regular determining device 21 can carry out each business recorded in daily record
Statistics, and analyze the execution frequency for obtaining each business.For performing the business that frequency is more than certain a certain threshold value, such as business
X, the first regular determining device 21 can determine that flow recognition rule is R1:For the relevant flows of business X, score value 1.
For another example, the first regular determining device 21 can carry out daily record based on this business relevant dimension of service executing result
Analysis is with determining flow recognition rule.For example, the first regular determining device 21 can carry out each business recorded in daily record
Statistics, and analyze the implementing result for obtaining each business.It is more than unsuccessfully a certain proportion of business for performing within a certain period of time,
Such as business Y, the first regular determining device 21 can determine that flow recognition rule is R1:For the relevant flows of business Y, score value
It is 1.
For another example, the first regular determining device 21 can be based on business and perform frequency and this two business phases of business execution time
Dimension is closed, daily record is analyzed to determine flow recognition rule.For example, the first regular determining device 21 can be first in daily record
The each business recorded is counted, and analyzes the execution frequency for obtaining each business.Then it is more than certain for performing frequency
The business of one threshold value, such as business X, the first regular determining device 21 can analyze daily record to be held with the business for obtaining the business
The distribution situation of row time.If it exceeds the execution time of the business X of certain proportion threshold value is in a certain threshold time period,
Such as 7:00AM-7:15AM, then the first regular determining device 21 can determine that flow recognition rule is R1:It is relevant for business X
Flow, if current time is 7:00AM-7:Between 15AM, score value 1, otherwise its score value is 0.
For another example, this two business correlation dimensions of region where the first regular determining device 21 can be based on user identifier and user
Degree analyzes daily record to determine flow recognition rule.For example, the first first regular determining device 21 can be according to user identifier
To be counted respectively to flow associated with each user in daily record.For in certain period of time its flow be more than it is a certain
The user of threshold value, such as user A, the first regular determining device 21 can determine that flow recognition rule is R1:Stream from user A
Amount, score value 1;And within the period its flow be less than the user of a certain threshold value, such as user B, the first rule
Determining device 21 can determine that flow recognition rule is R2:Flow from user B, score value 0.Then the first rule determines dress
Daily record can be analyzed to count in certain period of time by putting 21, and whether each user accesses and this is more from multiple regions
Whether the distance between a region is more than a certain threshold value.It is more than the user of a certain threshold value for the distance, such as user A, first
Regular determining device 21 can determine that flow recognition rule is R3:Flow from user A, score value 1;And for the distance simultaneously
The user of the threshold value is less than, such as user B, the first regular determining device 21 can determine that flow recognition rule is R4:To use by oneself
The flow of family B, score value 0.
It will be understood by those skilled in the art that herein, the associated description of the first regular determining device 21 is merely illustrative
And non-limiting description, there are various other ways without departing from the spirit or scope of the present invention, and include by reference
In this.
In a preferred embodiment, the first regular determining device 21 includes being used for based on business relevant dimension and business
Unrelated dimension analyzes daily record in the device to determine flow recognition rule, hereinafter referred to as Second Rule determining device 211
(not shown).
Second Rule determining device 211 can be based on business relevant dimension and the unrelated dimension of business, and daily record is divided
Analysis is with determining flow recognition rule.
Herein, the unrelated dimension of business means with accessing server with the unrelated dimension of the business carried out.In one embodiment
In, the unrelated dimension of business includes any one of following:
Visitor's IP address;
Visitor user agent;
Target URL;
Browser type used in visitor;
Visitor's source-information.
Herein, visitor's IP address mean access server flow from IP address.
Visitor user agent mean access server flow from user agent (User Agent).
Target URL means the visitor URL to be accessed.
Browser type used in visitor means visitor using which type of browser, such as Firefox,
Chrome etc., to access server.
Visitor's source-information means the traffic source of visitor, for example, flow from source station address.
Specifically, Second Rule determining device 211 can be based on one or more business relevant dimensions and one or more
The item unrelated dimension of business analyzes daily record to determine flow recognition rule.
In one embodiment, Second Rule determining device 211 can carry out business relevant dimension dimension unrelated with business
With reference to, daily record is analyzed with determine one or more flow recognition rule.For example, Second Rule determining device 211 is first
Discharge record associated with various businesses type in daily record can respectively be counted to determine according to type of service
Its flow is more than the type of service of a certain threshold value in certain period of time.Then, for above-mentioned type of service, such as type of service X,
Second Rule determining device 211 can be according to the unrelated dimension of this business of visitor's IP address come the discharge record to type of service X
It is counted.If from some visitor's IP address, such as 58.33.19.88, the flow of type of service X be more than a certain threshold
Value, then Second Rule determining device 211 can determine discharge pattern recognition rule R1:For the service class from 58.33.19.88
The flow of type X, score value 1.
In another embodiment, it is unrelated with business can be based respectively on business relevant dimension for Second Rule determining device 211
Dimension analyzes daily record to determine one or more flow recognition rule.That is, Second Rule determining device 211 can press
According to method as discussed above, daily record is analyzed based on business relevant dimension to determine one or more flow recognition rule.
And daily record is analyzed based on business unrelated dimension to determine one or more flow recognition rule.
For example, Second Rule determining device 211 can be as described above method, based on business relevant dimension, determine
Regular R1:For the relevant flows of business X, if current time is 7:00AM-7:Between 15AM, score value 1, otherwise its score value
It is 0.Also, Second Rule determining device 211 can be based on the unrelated dimension of this business of visitor user agent, in daily record
Discharge record is counted according to each visitor user agent.If from some visitor user agent, such as
58.33.19.88, flow is more than a certain threshold value, then Second Rule determining device 211 can determine discharge pattern recognition rule R2:
For the flow of the type of service X from 58.33.19.88, score value 1.Second Rule determining device 211 may also be combined with visit
The person's of asking IP address, target URL, the unrelated dimension of the business such as browser type and visitor's source-information used in visitor,
Daily record is analyzed.For example, for coming from some visitor's IP address, such as 58.11.22.33, flow be more than a certain threshold
Value, and ratio of the flow from 58.11.22.33 from certain browser is higher than a certain threshold value, and its target URL is big
Part is same URL, and visitor's source-information is certain website W, then Second Rule determining device 211 can determine discharge pattern
Recognition rule R3:For the flow from 58.11.22.33, score value 1.
It will be understood by those skilled in the art that herein, the associated description of Second Rule determining device 211 is merely illustrative
And non-limiting description, there are various other ways without departing from the spirit or scope of the present invention, and include by reference
In this.
It is moreover observed that each threshold value described above can be preset or can also be according to actual needs respectively
To adjust into Mobile state respectively.
In a preferred embodiment, the first regular determining device 21 includes being used for based on the first business relevant dimension, right
The device to determine first flow recognition rule is analyzed in daily record in the range of first time, and hereinafter referred to as third rule determines
212 (not shown) of device;For being based on the second business relevant dimension, the daily record in the second time range is analyzed to determine
The device of second flow recognition rule, the hereinafter referred to as the 4th 213 (not shown) of regular determining device;And for described first
Flow recognition rule and the second flow recognition rule are weighted processing to determine the device of flow recognition rule, below
Referred to as the 5th 214 (not shown) of regular determining device.
Third rule determining device 212 can be primarily based on the first business relevant dimension, to the day in the range of first time
Will is analyzed to determine first flow recognition rule;Then the 4th regular determining device 213 is based on the second business relevant dimension,
Daily record in second time range is analyzed to determine second flow recognition rule;Then the 5th regular determining device 214
Processing is weighted to the first flow recognition rule and the second flow recognition rule to determine flow recognition rule.
Herein, the first business relevant dimension can be identical or different with the second business relevant dimension.For example, the first industry
Business relevant dimension can be type of service, and the second business relevant dimension can be business execution frequency.
It may range from the time model such as 1 day in the past, past 1 week with relatively long time span at the first time
It encloses.Second time range can be such as nearest 5 minutes, it is 10 minutes nearest comparatively real-time time range.
It will be understood by those skilled in the art that herein, for the first business relevant dimension, the second business relevant dimension, first
Time range, the associated description of the second time range are merely illustrative and non-limiting description, and there are other various realization methods
Without departing from the spirit or scope of the present invention, and it is incorporated herein by reference.
Specifically, the method that third rule determining device 212 can be as described above is based on the first business relevant dimension,
Daily record in the range of first time is analyzed, determines first flow recognition rule, for example,:
R1:For the relevant flows of business X from user A, score value 1, otherwise its score value is 0.
R2:For the relevant flows of business X from 58.11.22.33, score value 1, otherwise its score value is 0.
Also, the 4th regular determining device 213 can be as described above method be based on the second business relevant dimension, to the
Daily record in two time ranges is analyzed to determine second flow recognition rule, for example,:
R3:For the relevant flows of business X from user A, score value 1, otherwise its score value is 0.
R4:For the relevant flows of business Y, score value 1, otherwise its score value is 0.
Herein, second flow recognition rule R3 is identical with first flow recognition rule R1.
Then, the 5th regular determining device 214 is to the first flow recognition rule and second flow identification rule
Processing is then weighted to determine flow recognition rule.In an example, the 5th regular determining device 214 can be set first-class
Measure the weights of recognition rule and second flow recognition rule, such as respectively 0.5 and 1.Then the 5th regular determining device 214 is to upper
It states first flow recognition rule and after second flow recognition rule is weighted processing, determines that flow recognition rule is:
R1:For the relevant flows of business X from user A, score value is 1.5 (namely 1x0.5+1x1), otherwise its point
Be worth is 0.
R2:For the relevant flows of business X from 58.11.22.33, score value is 0.5 (namely 1x0.5), otherwise its
Score value is 0.
R3:For the relevant flows of business Y, score value is 1 (namely 1x1), and otherwise its score value is 0.
It will be understood by those skilled in the art that herein, the associated description of the 5th regular determining device 214 is merely illustrative
And non-limiting description, there are other various realization methods without departing from the spirit or scope of the present invention, and by reference
It is incorporated herein.
Then, the first determining device 22 can be based on flow recognition rule, to determine the score value of flow.Specifically, first really
Flow can be checked according to flow recognition rule by determining device 22, for can with the matched flow of flow recognition rule,
Its score value can be correspondingly set.For example, flow recognition rule is R1:For the stream of the type of service X from 58.33.19.88
Amount, score value 1.Then whether the first determining device 22 can check flow from 58.33.19.88, and the type of service of the flow is
No is X, if so, then the flow is matched with flow recognition rule R1, then the score value of the flow is set as by the first determining device 22
1。
In a preferred embodiment, the first determining device 22 includes being used for based on the one or more flow identification rule
Then, the device of the first score value of one or more of flow, 221 (not shown) of hereinafter referred to as the second determining device are determined;And it uses
Processing is weighted to determine the device of the request of the score value of the flow in the first score value of one or more to the flow,
Hereinafter referred to as 222 (not shown) of third determining device.
Second determining device 221 can be based on the one or more flow recognition rule, determine the one or more of flow
First score value, wherein each first score value is corresponding with each flow recognition rule respectively;Then third determining device 222 can be right
The first score value of one or more of the flow is weighted processing to determine the score value of the flow.
For example it is assumed that flow recognition rule determined by the first regular determining device 21 includes:
R1:For the flow of type of service X, if current time is 7:00AM-7:Between 15AM, score value 1, otherwise its
Score value is 0.
R2:For the flow of the type of service X from 58.33.19.88, score value 1.
R3:For the flow from 58.11.22.33, score value 1.
R4:For other flows, score value 0.
Then the second determining device 221 checks flow based on above-mentioned each flow recognition rule, for can be with
Certain the matched flow of flow recognition rule can correspondingly set itself and corresponding first score value of the flow recognition rule.
For example, the second determining device 221 detects the flow that flow is type of service X, and current time is 7:05AM,
Then it is matched with flow recognition rule R1, and it is 1 that can set with corresponding first score values of R1.In addition, the second determining device 221
The flow is also detected from 58.33.19.88, then it is 1 that can set with corresponding first score values of R2.Then third determines to fill
Above-mentioned first score value of the flow can be weighted processing to determine the score value of the flow by putting 222.In an example,
Third determining device 222 can set the weights of each flow recognition rule, then third determining device 222 can be according to weights to each
One score value is weighted summation.For example, third determining device 222 can set the weights of above-mentioned flow recognition rule R1 as 2, R2's
Weights are 0.5.Then third determining device 222 can determine that the score value of the flow is 1x2+1x0.5=2.5.
Herein, the weights of flow recognition rule can dynamically be set by the first regular determining device 21 or can be true by third
Determine device 222 to preset, third determining device 222 can also carry out dynamic regulation according to actual needs.
Then, type determination device 23 can be based on the score value and threshold value, determine the type of the flow.Herein, threshold value can be with
It is preset by type determination device 23, type determination device 23 can also carry out the dynamic regulation threshold value according to actual needs.
Herein, the type of flow can include following any:
Machine flow;
Artificial flow;
Abnormal flow;
Common discharge.
Wherein, machine flow namely from flow caused by the unartificial operation such as software.Abnormal flow refers to such as malice
Attack traffic etc. may lead to the flow of exception or performance issue.
For example, it is assumed that threshold value is 2.Then when the score value is more than or equal to 2, type determination device 23 can determine the class of the flow
Type is machine flow;When the score value is less than 2, type determination device 23 can determine that the flow is artificial flow.
For another example, it is assumed that threshold value includes the second threshold that the first threshold that value is 2 and value are 5.Then when the score value be more than etc.
When second threshold 5, type determination device 23 can determine that the type of the flow is abnormal flow;When the score value is more than or equal to first
Threshold value 2, but less than second threshold 5 when, type determination device 23 can determine the flow type be machine flow;When the score value is small
When first threshold 2, type determination device 23 can determine that the type of the flow is common discharge.
It will be understood by those skilled in the art that herein, the associated description of type determination device 23 is merely illustrative rather than
Limited description there are other various realization methods without departing from the spirit or scope of the present invention, and includes by reference
In this.
In one embodiment, this is used to identify that the device of discharge pattern to be further included for the type based on the flow,
The device of shunting processing, hereinafter referred to as 24 (not shown) of part flow arrangement are carried out to the flow.
Part flow arrangement 24 can the type based on flow, shunting processing is carried out to flow.For example, part flow arrangement 24 can incite somebody to action
Different types of flow is respectively sent to different servers to be handled, such as the flow of machine type is sent to service
The flow of machine type is sent to server S 2 to handle by device S1, thus by the isolation of different types of flow, to subtract
Few influence to each other.In another example part flow arrangement 24 can shield the flow of Exception Type, so as to avoid its influence pair
In the service of other types flow.
It will be understood by those skilled in the art that herein, the associated description of part flow arrangement 24 is merely illustrative and non-limiting
Property description, there are other various realization methods without departing from the spirit or scope of the present invention, and are incorporated herein by reference.
In another embodiment, this is used to identify that the device of discharge pattern to further include the device for obtaining daily record, with
Lower 25 (not shown) of abbreviation acquisition device;And the device for being formatted processing to the daily record, hereinafter referred to as form
26 (not shown) are put in makeup.
Acquisition device 25 can obtain daily record, and formatting mechanism 26 can be formatted the daily record processing.For example,
Acquisition device 25 can obtain daily record, and formatting mechanism 26 can carry out lattice to the daily record by special interface or by network
Formulaization processing, so as to which the follow-up first regular determining device 21 can be analyzed to formatted daily record in determining that flow knows
Not rule.
It should be noted that the present invention can be carried out in the assembly of software and/or software and hardware, for example, this hair
Application-specific integrated circuit (ASIC) can be used in bright each device or any other is realized similar to hardware device.In one embodiment
In, software program of the invention can perform to realize steps described above or function by processor.Similarly, it is of the invention
Software program can be stored in computer readable recording medium storing program for performing (including relevant data structure), for example, RAM memory,
Magnetic or optical driver or floppy disc and similar devices.In addition, hardware can be used to realize in some steps or function of the present invention, example
Such as, as coordinating with processor so as to perform the circuit of each step or function.
It is obvious to a person skilled in the art that the present invention is not limited to the details of above-mentioned exemplary embodiment, Er Qie
In the case of without departing substantially from spirit or essential attributes of the invention, the present invention can be realized in other specific forms.Therefore, no matter
From the point of view of which point, the present embodiments are to be considered as illustrative and not restrictive, and the scope of the present invention is by appended power
Profit requirement rather than above description limit, it is intended that all by what is fallen within the meaning and scope of the equivalent requirements of the claims
Variation includes within the present invention.Any reference numeral in claim should not be considered as to the involved claim of limitation.This
Outside, it is clear that one word of " comprising " is not excluded for other units or step, and odd number is not excluded for plural number.That is stated in system claims is multiple
Unit or device can also be realized by a unit or device by software or hardware.The first, the second grade words are used for table
Show title, and do not represent any particular order.
Claims (16)
1. a kind of method for identifying discharge pattern, wherein, the method includes:
Based on business relevant dimension, daily record is analyzed to determine flow recognition rule, wherein, including:
Based on the first business relevant dimension, the daily record in the range of first time is analyzed to determine first flow identification rule
Then;
Based on the second business relevant dimension, the daily record in the second time range is analyzed to determine second flow identification rule
Then;
Processing is weighted to the first flow recognition rule and the second flow recognition rule to determine that flow identifies
Rule;
Based on the flow recognition rule, the score value of flow is determined;
Based on the score value and threshold value, the type of the flow is determined.
2. it is described based on business relevant dimension according to the method described in claim 1, wherein, daily record is analyzed to determine
The step of flow recognition rule, includes:
Based on business relevant dimension and the unrelated dimension of business, daily record is analyzed to determine flow recognition rule.
3. method according to any one of claim 1 to 2, wherein, it is described based on the flow recognition rule, determine stream
The step of score value of amount, includes:
Based on the one or more flow recognition rule, the first score value of one or more of flow is determined, wherein each first
Score value is corresponding with each flow recognition rule respectively;
Processing is weighted to the first score value of one or more of the flow to determine the score value of the flow.
4. method according to any one of claim 1 to 2, wherein, the method further includes:
Based on the type of the flow, shunting processing is carried out to the flow.
5. method according to any one of claim 1 to 2, wherein, the method further includes:
Obtain daily record;
Processing is formatted to the daily record.
6. method according to any one of claim 1 to 2, wherein, the business relevant dimension is at least appointed including following
One:
User identifier;
Type of service;
Business performs step;
Business performs frequency;
Service executing result;
Business performs the time;
Region where user.
7. method according to any one of claim 1 to 2, wherein, the unrelated dimension of business is at least appointed including following
One:
Visitor's IP address;
Visitor user agent;
Target URL;
Browser type used in visitor;
Visitor's source-information.
8. method according to any one of claim 1 to 2, wherein, the type of the flow is including following any:
Machine flow;
Artificial flow;
Abnormal flow;
Common discharge.
9. it is a kind of for identifying the device of discharge pattern, wherein, described device includes:
It is used to based on business relevant dimension, analyze daily record to determine the device of flow recognition rule, wherein, including:
It is used for based on the first business relevant dimension, the daily record in the range of first time is analyzed to determine that first flow is known
Not regular device;
It is used for based on the second business relevant dimension, the daily record in the second time range is analyzed to determine that second flow is known
Not regular device;
It is used to be weighted the first flow recognition rule and the second flow recognition rule processing to determine flow
The device of recognition rule;
It is used to, based on the flow recognition rule, determine the device of the score value of flow;
It is used to, based on the score value and threshold value, determine the device of the type of the flow.
10. device according to claim 9, wherein, it is described to be used for based on business relevant dimension, daily record is analyzed with
Determine that the device of flow recognition rule includes:
It is used for based on business relevant dimension and the unrelated dimension of business, daily record is analyzed to determine flow recognition rule
Device.
11. the device according to any one of claim 9 to 10, wherein, it is described to be used for based on the flow recognition rule,
Determine that the device of the score value of flow includes:
It is used to, based on the one or more flow recognition rule, determine the device of the first score value of one or more of flow,
In each first score value it is corresponding with each flow recognition rule respectively;
It is used to be weighted the first score value of one or more of the flow processing to determine the dress of the score value of the flow
It puts.
12. the device according to any one of claim 9 to 10, wherein, described device further includes:
For the type based on the flow, the device of shunting processing is carried out to the flow.
13. the device according to any one of claim 9 to 10, wherein, described device further includes:
For obtaining the device of daily record;
For being formatted the device of processing to the daily record.
14. the device according to any one of claim 9 to 10, wherein, the business relevant dimension include it is following at least
Any one:
User identifier;
Type of service;
Business performs step;
Business performs frequency;
Service executing result;
Business performs the time;
Region where user.
15. the device according to any one of claim 9 to 10, wherein, the unrelated dimension of business include it is following at least
Any one:
Visitor's IP address;
Visitor user agent;
Target URL;
Browser type used in visitor;
Visitor's source-information.
16. the device according to any one of claim 9 to 10, wherein, the type of the flow is including following any:
Machine flow;
Artificial flow;
Abnormal flow;
Common discharge.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510417436.5A CN105119735B (en) | 2015-07-15 | 2015-07-15 | A kind of method and apparatus for determining discharge pattern |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510417436.5A CN105119735B (en) | 2015-07-15 | 2015-07-15 | A kind of method and apparatus for determining discharge pattern |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN105119735A CN105119735A (en) | 2015-12-02 |
| CN105119735B true CN105119735B (en) | 2018-07-06 |
Family
ID=54667633
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201510417436.5A Active CN105119735B (en) | 2015-07-15 | 2015-07-15 | A kind of method and apparatus for determining discharge pattern |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN105119735B (en) |
Families Citing this family (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| SG11201807734YA (en) * | 2016-03-31 | 2018-10-30 | Bitdefender Ipr Man Ltd | System and methods for automatic device detection |
| CN107707509B (en) * | 2016-08-08 | 2020-09-29 | 阿里巴巴集团控股有限公司 | Method, device and system for identifying and assisting in identifying false traffic |
| CN106572486B (en) * | 2016-10-17 | 2020-11-27 | 湖北大学 | Handheld terminal flow identification method and system based on machine learning |
| CN106791251B (en) * | 2016-12-27 | 2019-11-19 | 中国建设银行股份有限公司 | Service parameter recording method and system |
| CN106844150A (en) * | 2016-12-30 | 2017-06-13 | 晶赞广告(上海)有限公司 | Flow rate testing methods, device and mobile terminal for mobile terminal |
| CN107948015B (en) * | 2017-11-29 | 2019-03-19 | 中国联合网络通信集团有限公司 | A kind of Analysis on Quality of Service method, apparatus and network system |
| CN109167698A (en) * | 2018-07-10 | 2019-01-08 | 百度在线网络技术(北京)有限公司 | Man-machine flow discrimination method, device, computer equipment and storage medium |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101369897A (en) * | 2008-07-31 | 2009-02-18 | 成都市华为赛门铁克科技有限公司 | Method and equipment for detecting network attack |
| CN101741847A (en) * | 2009-12-22 | 2010-06-16 | 北京锐安科技有限公司 | Detecting method of DDOS (distributed denial of service) attacks |
| CN101895521A (en) * | 2009-05-22 | 2010-11-24 | 中国科学院研究生院 | Network worm detection and characteristic automatic extraction method and system |
| CN103001825A (en) * | 2012-11-15 | 2013-03-27 | 中国科学院计算机网络信息中心 | Method and system for detecting DNS (domain name system) traffic abnormality |
| CN104486324A (en) * | 2014-12-10 | 2015-04-01 | 北京百度网讯科技有限公司 | Method and system for identifying network attack |
-
2015
- 2015-07-15 CN CN201510417436.5A patent/CN105119735B/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101369897A (en) * | 2008-07-31 | 2009-02-18 | 成都市华为赛门铁克科技有限公司 | Method and equipment for detecting network attack |
| CN101895521A (en) * | 2009-05-22 | 2010-11-24 | 中国科学院研究生院 | Network worm detection and characteristic automatic extraction method and system |
| CN101741847A (en) * | 2009-12-22 | 2010-06-16 | 北京锐安科技有限公司 | Detecting method of DDOS (distributed denial of service) attacks |
| CN103001825A (en) * | 2012-11-15 | 2013-03-27 | 中国科学院计算机网络信息中心 | Method and system for detecting DNS (domain name system) traffic abnormality |
| CN104486324A (en) * | 2014-12-10 | 2015-04-01 | 北京百度网讯科技有限公司 | Method and system for identifying network attack |
Also Published As
| Publication number | Publication date |
|---|---|
| CN105119735A (en) | 2015-12-02 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN105119735B (en) | A kind of method and apparatus for determining discharge pattern | |
| CN109241415B (en) | Project recommendation method and device, computer equipment and storage medium | |
| US7533179B2 (en) | Method and system for characterization of online behavior | |
| RU2628127C2 (en) | Method and device for identification of user behavior | |
| CN103368917B (en) | A kind of risk control method and system of network virtual user | |
| US8751184B2 (en) | Transaction based workload modeling for effective performance test strategies | |
| US20080189281A1 (en) | Presenting web site analytics associated with search results | |
| CN108304410A (en) | A kind of detection method, device and the data analysing method of the abnormal access page | |
| JP2003523578A (en) | System and method for determining the validity of an interaction on a network | |
| CN110390584A (en) | A kind of recognition methods of abnormal user, identification device and readable storage medium storing program for executing | |
| CN107423613A (en) | The method, apparatus and server of device-fingerprint are determined according to similarity | |
| CN108112038B (en) | Method and device for controlling access flow | |
| US10621641B2 (en) | Method and device for pushing information | |
| WO2016127632A1 (en) | Method, system, and computer device for electronic payment behavior-based data processing | |
| WO2020257991A1 (en) | User identification method and related product | |
| WO2014026429A1 (en) | Method and device for data determining in thermodynamic chart | |
| CN111242318A (en) | Business model training method and device based on heterogeneous feature library | |
| CN109214647B (en) | Method for analyzing overflow effect among online access channels based on network access log data | |
| TW201828200A (en) | Data processing method and apparatus increasing the overall display efficiency of the object display environment and decreasing the waste of display resources of each object display environment | |
| CN108512822B (en) | Risk identification method and device for data processing event | |
| CN111414410A (en) | Data processing method, device, equipment and storage medium | |
| CN116015842A (en) | Network attack detection method based on user access behaviors | |
| US20130205010A1 (en) | Workload patterns for realistic load recreation in performance testing | |
| US20130173382A1 (en) | Conversion attribution for earned media | |
| JP6383284B2 (en) | Server apparatus, system, information processing method, and program |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |