CN106027577A - Exception access behavior detection method and device - Google Patents
- Publication number
- CN106027577A (CN201610631276.9A)
- Authority
- CN
- China
- Prior art keywords
- access
- sequence
- behavior
- data
- user
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
Abstract
The invention provides an exception access behavior detection method and device, and belongs to the field of network security. The exception access behavior detection method comprises the following steps: acquiring an access request of a user, wherein the access request comprises label information corresponding to an access behavior of the access request of the user; adding the label information to a historic access sequence of the user to obtain the current access sequence; matching the current access behavior of the user with a preset exception access sequence table, and, when the matching meets a first preset rule, judging that the current access behavior of the user is the exception access behavior. The exception access behavior detection method and device provided by the invention can detect the exception access behavior of the user in real time; the accuracy and reliability of the detection result are effectively improved in comparison with traditional protection measures.
Description
Technical field
The invention belongs to the field of network security, and in particular relates to an abnormal access behavior detection method and device.
Background
Website protection has always been one of the key problems studied in the information security community. With the development of the networked society and the introduction of the "Internet Plus" concept, more and more information and products are being integrated into the Internet, and people's security requirements for networks keep rising. How to improve and maintain the security of the Internet has become a topic of common concern for researchers in all fields.
Existing intrusion prevention measures all rely on rule-based matching and detection. Their flow is as follows: security software performs feature matching on keywords in network logs or traffic, and once a keyword of an attack sample is matched, the user is considered to have carried out an intrusion against the website. This detection mode causes a high false alarm rate. Moreover, as attackers' techniques keep improving, many behaviors can bypass a website's WAF to carry out an intrusion, which has a considerable impact on website security and makes many website security products unreliable.
Summary of the invention
In view of this, the invention provides an abnormal access behavior detection method and device that can effectively alleviate the above problems.
To achieve this, the technical solutions provided by the embodiments of the invention are as follows.
In a first aspect, an embodiment of the invention provides an abnormal access behavior detection method. The method includes: obtaining an access request of a user, the access request including label information corresponding to the access behavior of the user's access request; adding the label information to the user's history access sequence to obtain a current access sequence; and matching the current access sequence against a preset abnormal access sequence table, and, when the match satisfies a first preset rule, determining that the user's current access behavior is abnormal access behavior.
In a second aspect, an embodiment of the invention also provides an abnormal access behavior detection device. The device includes a first acquiring unit, a second acquiring unit and a matching unit. The first acquiring unit obtains an access request of a user, the access request including label information corresponding to the access behavior of the user's access request. The second acquiring unit adds the label information to the user's history access sequence to obtain a current access sequence. The matching unit matches the current access sequence against a preset abnormal access sequence table and, when the match satisfies a first preset rule, determines that the user's current access behavior is abnormal access behavior.
The abnormal access behavior detection method and device provided by the embodiments of the invention obtain the user's access request through a proxy server, and the access request includes label information corresponding to the access behavior of that request. The label information in the current access request is then added to the user's history access sequence, updating the history access sequence to obtain the current access sequence. The current access sequence is matched against the preset abnormal access sequence table, and when the first preset rule is satisfied, the user's access behavior is detected in real time as abnormal access behavior. Compared with traditional rule-based matching and detection, these embodiments monitor the interaction between the user and the web server through a reverse proxy server and use the user's access behavior as the data source to match against the preset abnormal access sequence table, so that abnormal access behavior is detected in real time and the accuracy and reliability of the detection result are effectively improved.
To make the above objects, features and advantages of the invention easier to understand, preferred embodiments are described in detail below with reference to the accompanying drawings.
Brief description of the drawings
To illustrate the technical solutions of the embodiments of the invention more clearly, the drawings needed in the embodiments are briefly introduced below. It should be understood that the following drawings show only some embodiments of the invention and should therefore not be regarded as limiting its scope; those of ordinary skill in the art can obtain other related drawings from these drawings without creative effort.
Fig. 1 is a schematic diagram of the interaction between the user terminal, proxy server and web server provided by a preferred embodiment of the invention;
Fig. 2 is a structural block diagram of the proxy server provided by a preferred embodiment of the invention;
Fig. 3 is a flow chart of an abnormal access behavior detection method provided by a preferred embodiment of the invention;
Fig. 4 is a flow chart of another abnormal access behavior detection method provided by a preferred embodiment of the invention;
Fig. 5 is a flow chart of step S470 in the other abnormal access behavior detection method provided by a preferred embodiment of the invention;
Fig. 6 is a structural block diagram of an abnormal access behavior detection device provided by a preferred embodiment of the invention;
Fig. 7 is a structural block diagram of another abnormal access behavior detection device provided by a preferred embodiment of the invention;
Fig. 8 is a structural block diagram of another abnormal access behavior detection device provided by a preferred embodiment of the invention.
Detailed description
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. The components of the embodiments generally described and illustrated in the drawings may be arranged and designed in a variety of configurations. The following detailed description of the embodiments provided in the drawings is therefore not intended to limit the scope of the claimed invention, but merely represents selected embodiments. All other embodiments obtained by those skilled in the art from these embodiments without creative effort fall within the scope of protection of the invention.
Note that similar reference numerals and letters denote similar items in the following drawings, so once an item has been defined in one drawing it needs no further definition or explanation in later drawings. In the description of the invention, the terms "first", "second" and the like are used only to distinguish descriptions and are not to be understood as indicating or implying relative importance.
Unless otherwise specified, the following embodiments of the invention can all be applied in the environment shown in Fig. 1. As shown in Fig. 1, user terminal 100, proxy server 200 and web server 300 exchange data over network 400. Proxy server 200 may be a network server, a database server, or the like. User terminal 100 may include terminal devices such as a PC (personal computer), tablet computer, mobile phone or notebook computer. Proxy server 200 is placed between user terminal 100 and web server 300 in order to effectively inspect the interaction between the user and web server 300 and monitor the user's access traffic in real time.
User terminal 100 sends the user's access request. Proxy server 200 obtains the user's access request, which includes label information corresponding to the access behavior of the request; adds the label information to the user's history access sequence to obtain the current access sequence; and matches the current access sequence against the preset abnormal access sequence table. When the match satisfies the first preset rule, it determines that the user's current access behavior is abnormal access behavior; when the match does not satisfy the first preset rule, it sends the access request to web server 300. To monitor and forward access requests sent by multiple user terminals 100, there may also be multiple proxy servers 200.
Fig. 2 is a block diagram of proxy server 200. Proxy server 200 includes an abnormal access behavior detection device 210, a memory 220, a storage controller 230, a processor 240 and a peripheral interface 250.
Memory 220, storage controller 230, processor 240 and peripheral interface 250 are electrically connected to one another, directly or indirectly, to transfer or exchange data. For example, these elements may be electrically connected through one or more communication buses or signal lines. The abnormal access behavior detection device 210 includes at least one software function module that can be stored in memory 220 in the form of software or firmware, or built into the operating system (OS) of proxy server 200. Processor 240 executes the executable modules stored in memory 220, such as the software function modules or computer programs included in the abnormal access behavior detection device 210.
Memory 220 may be, but is not limited to, random access memory (RAM), read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), and so on. Memory 220 stores the program, and processor 240 executes the program after receiving an execution instruction. The method performed by the server, as defined by the flow disclosed in any embodiment of the invention, may be applied in processor 240 or implemented by processor 240.
Processor 240 may be an integrated circuit chip with signal processing capability. It may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), and the like; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. It can implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of the invention. The general-purpose processor may be a microprocessor, or processor 240 may be any conventional processor.
Peripheral interface 250 couples various input/output devices to processor 240 and memory 220. In some embodiments, peripheral interface 250, processor 240 and storage controller 230 may be implemented in a single chip. In other examples, they may each be implemented by a separate chip.
Fig. 3 shows a flow chart of an abnormal access behavior detection method provided by an embodiment of the invention. As shown in Fig. 3, the method includes:
Step S310: obtain the user's access request, which includes label information corresponding to the access behavior of the user's access request.
Before proxy server 200 obtains the access request that the user sends through user terminal 100, the content on web server 300 needs to be divided in advance into multiple modules according to users' access behavior, with each module corresponding to one piece of label information. For example, a web server 300 is divided into a user registration module, a user login module, a news browsing module and a comment posting module; the label information for the user registration module is 1, for the user login module 2, for the news browsing module 3, and for the comment posting module 4. When the user's access behavior occurs in the user registration module, the user's access request includes label information 1; when it occurs in the user login module, the access request includes label information 2.
Step S320: add the label information to the user's history access sequence to obtain the current access sequence.
Before proxy server 200 obtains the user's current access request, the user may already have accessed web server 300 several times within less than the preset time interval, that is, sent web server 300 several access requests. The label information included in each of those access requests, in chronological order, forms the user's history access sequence. When proxy server 200 obtains the user's current access request, it takes the label information included in that request and adds it to the history access sequence, updating the history access sequence to obtain the current access sequence. For example, if the label information in the current access request is 3 and the corresponding history access sequence is {1, 2}, the updated current access sequence is {1, 2, 3}. If the label information in the next access request, adjacent to the current one and obtained within the preset time interval, is 4, the corresponding history access sequence is {1, 2, 3} and the updated current access sequence is {1, 2, 3, 4}. If the user has no access record within less than the preset time interval before proxy server 200 obtains the current access request, the corresponding history access sequence contains no label information and the updated current access sequence is {3}.
Step S330: match the current access sequence against the preset abnormal access sequence table and judge whether the match satisfies the first preset rule.
The abnormal access sequence table can be set in advance in proxy server 200 and includes multiple abnormal access sequences, each corresponding to one kind of abnormal access behavior. For example, with the module division from step S310, the abnormal access sequence table may include abnormal access sequences such as {1, 2, 4, 4, 4, ..., 4} and {2, 2, 2, 2, ..., 2}. After proxy server 200 obtains the current access sequence, it matches it against the abnormal access sequences. When the match between the current access sequence and the abnormal access sequence table satisfies the first preset rule, step S340 is performed; when it does not, step S350 is performed. Specifically, the first preset rule may be: the abnormal access sequence table contains a sequence consistent with the current access sequence. Besides being stored in proxy server 200, the abnormal access sequence table may also be stored in another storage device.
Step S340: determine that the user's current access behavior is abnormal access behavior.
In an embodiment of the invention, when the user's current access behavior is judged to be abnormal access behavior, proxy server 200 can intercept the user's current access request, mark the user's identity information, and send the marked identity information to web server 300 so that the website can serve and handle it. The identity information may be domain name information.
Step S350: send the access request to web server 300.
After steps S320 and S330, when the match between the current access sequence and the preset abnormal access sequence table does not satisfy the first preset rule, the user's current access behavior can be judged to be normal access behavior, and the user's access request is sent to web server 300.
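The flow of steps S310 to S350 as an added Python example; it is not code from the patent. The 300-second interval, the run-length table encoding with minimum repeat counts (used for table entries written with "..."), the sample request stream, and the names `Detector`, `handle`, `matches`, `runs` and `replay` are assumptions.

```python
from itertools import groupby

GAP = 300  # assumed preset time interval, in seconds

# Constructed abnormal access sequence table. Labels follow step S310:
# 1 register, 2 log in, 3 browse news, 4 post comment. Each entry is a list of
# (label, min_repeats) runs, an assumed encoding for entries such as
# {1, 2, 4, 4, ..., 4} whose tail repeats an unspecified number of times.
ABNORMAL_TABLE = [
    [(1, 1), (2, 1), (4, 5)],  # register, log in, then a run of comments
    [(2, 6)],                  # nothing but repeated logins
]


def runs(seq):
    """Run-length encode a label sequence: [1, 2, 4, 4] -> [(1, 1), (2, 1), (4, 2)]."""
    return [(label, len(list(group))) for label, group in groupby(seq)]


def matches(seq, entry):
    """First preset rule (assumed form): same labels in the same order, and
    every run at least as long as the table entry requires."""
    encoded = runs(seq)
    return len(encoded) == len(entry) and all(
        label == want and count >= minimum
        for (label, count), (want, minimum) in zip(encoded, entry)
    )


class Detector:
    """Per-user state kept by the proxy between requests."""

    def __init__(self, table=ABNORMAL_TABLE, gap=GAP):
        self.table = table
        self.gap = gap
        self.history = {}     # user -> (timestamp of last request, label list)
        self.flagged = set()  # users whose identity was marked in S340

    def handle(self, user, ts, label):
        """Process one request; return "block" or "forward"."""
        last_ts, seq = self.history.get(user, (None, []))
        if last_ts is not None and ts - last_ts >= self.gap:
            seq = []                      # no request inside the interval
        seq = seq + [label]               # S320: history + current label
        self.history[user] = (ts, seq)
        if any(matches(seq, entry) for entry in self.table):  # S330
            self.flagged.add(user)        # S340: intercept and mark the user
            return "block"
        return "forward"                  # S350: pass on to the web server


# Constructed request stream: (user, seconds, label).
SAMPLE = [
    ("alice", 0, 1), ("alice", 5, 2), ("alice", 9, 3), ("alice", 20, 4),
    ("mallory", 0, 1), ("mallory", 3, 2), ("mallory", 6, 4), ("mallory", 9, 4),
    ("mallory", 12, 4), ("mallory", 15, 4), ("mallory", 18, 4),
    ("mallory", 21, 4), ("mallory", 421, 3),
]


def replay(events):
    """Feed events through a fresh detector; return (decisions, flagged users)."""
    detector = Detector()
    decisions = [(user, detector.handle(user, ts, label)) for user, ts, label in events]
    return decisions, detector.flagged


if __name__ == "__main__":
    for user, decision in replay(SAMPLE)[0]:
        print(user, decision)
```

Because the history is reset only by a quiet period, a flagged user keeps being blocked for as long as the run continues; a deployment would also bound the stored history per user.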
The abnormal access behavior detection method above enables real-time detection of a user's abnormal access behavior. To further improve detection accuracy, the abnormal access sequence table also needs to be updated to adapt to newly emerging attack behavior. The scheme for updating the abnormal access sequence table is described in detail in the following embodiment.
Fig. 4 shows another abnormal access behavior detection method provided by an embodiment of the invention. As shown in Fig. 4, the method includes:
Step S410: obtain the user's access request, which includes label information corresponding to the access behavior of the user's access request.
Step S420: add the label information to the user's history access sequence to obtain the current access sequence.
Step S430: match the current access sequence against the preset abnormal access sequence table and judge whether the match satisfies the first preset rule.
When the match between the current access sequence and the abnormal access sequence table satisfies the first preset rule, step S440 is performed. When the match between the current access sequence and the preset abnormal access sequence table does not satisfy the first preset rule, step S450 is performed.
Step S440: determine that the user's current access behavior is abnormal access behavior.
Step S450: send the access request to web server 300.
For the implementation of steps S410 to S450, refer to steps S310 to S350; the details are not repeated here.
Step S460: obtain access data from the access request and store it.
After proxy server 200 obtains the user's current access request, it on the one hand performs steps S420 to S450 to detect, from the current access request, whether the user's access behavior is abnormal access behavior; on the other hand it obtains the corresponding access data from the current access request, and the access data includes the label information.
Specifically, the access request can first be put through data cleaning to obtain access data in a preset format, and the resulting access data is then stored in a database. Data cleaning is the process of re-examining and verifying data; its purpose is to delete duplicate information and correct existing errors so that the data stays consistent, which benefits long-term storage and querying. For example, the access data may include domain name information, the time the current access request was sent, the label information, and so on. Data cleaning may take place on proxy server 200. Alternatively, proxy server 200 may forward the current access request to a data cleaning server, which cleans the request and sends the resulting access data back to proxy server 200 for storage. To make the access data easier to manage, proxy server 200 preferably stores it in a database. The database may be located in proxy server 200 or in another storage device.
Step S470: analyze the stored access data according to a second preset rule to generate multiple abnormal access sequences.
Proxy server 200 stores the access data corresponding to the access requests of all users it has obtained, preferably in a database. When the volume of access data stored in the database exceeds a preset value, the stored access data can be analyzed according to the second preset rule to generate multiple abnormal access sequences, which are used to dynamically update the abnormal access sequence table. The preset value can be set empirically.
As shown in Fig. 5, step S470 specifically includes steps S471 to S473.
Step S471: divide the access data stored in the database into multiple behavior sequences according to the label information corresponding to a user's multiple access requests within the preset time interval.
The multiple access requests that a user sends to web server 300 within less than the preset time interval can be treated as continuous access behavior. The access data stored in the database can therefore be divided into multiple behavior sequences according to the access data corresponding to the access requests a user sends within the preset time interval. Each behavior sequence consists of the label information in the access data corresponding to the access requests that the same user sends to web server 300 in succession within less than the preset time interval. Here, "within less than the preset time interval" means that the time between two adjacent access requests the user sends to web server 300 is less than the preset time interval. The preset time interval is set empirically.
For example, if a user's access behavior toward web server 300 within less than the preset time interval is, in order, user registration → user login → browse news → post comment, the corresponding behavior sequence in the database is {1, 2, 3, 4}. As another example, if a user's access behavior toward web server 300 within less than the preset time interval is, in order, user registration → user login → browse news → post comment → ... → post comment, where the ellipsis indicates that N comments were posted and N is a positive integer, the corresponding behavior sequence in the database is {1, 2, 3, 4, ..., 4}.
Step S472: classify and train the behavior sequences according to a preset clustering algorithm to obtain multiple behavior sequence classes.
After step S471 has been performed, the access data of each user stored in the database has been divided into multiple behavior sequences. Taking these behavior sequences as the objects of analysis, cluster analysis according to the preset clustering algorithm divides them into multiple behavior sequence classes, each of which corresponds to an output probability. In this embodiment the preset clustering algorithm may be a hidden Markov model (HMM), or another clustering model that takes observation sequences as its objects of analysis.
Taking the HMM as an example, the analysis process may include an initial division step and an iterative update step.
Initial division step:
Using the TPSDTW distance and a preset number of classes K, the behavior sequences are divided into K initial behavior sequence classes. For example, if the behavior sequences are $D_1, D_2, D_3, \ldots, D_n$, a behavior sequence set $D = \{D_1, D_2, D_3, \ldots, D_n\}$ can be built from them. According to the preset number of classes K, the behavior sequences can be divided into K initial behavior sequence classes, building the class set $C = \{C_1, C_2, \ldots, C_K\}$ (for example, $C_1 = \{D_1, D_2, D_3, D_5, D_8\}$).
Iterative update step:
Step 1: train on the K initial behavior sequence classes to obtain K HMM model parameters $\lambda_1, \lambda_2, \ldots, \lambda_K$, giving the HMM model corresponding to each initial behavior sequence class, $\{HMM_1, HMM_2, \ldots, HMM_K\}$.
Step 2: compute the value of the objective function from the HMM model corresponding to each initial behavior sequence class. In this embodiment the objective function may be the joint likelihood function, shown below: Here, $L(D_i \mid \lambda_k) = P(D_i \mid \lambda_k)$, and $P$ denotes the output probability function.
Step 3: judge whether the value of the objective function satisfies the convergence condition. Specifically, this can be done by comparing whether the function values obtained in two adjacent iterations are less than a preset threshold; the preset threshold may be a small value set in advance from experience.
When the current function value satisfies the convergence condition, the current initial behavior sequence classes are output as the optimal classification result and the iteration ends, giving the multiple behavior sequence classes.
When the current function value does not satisfy the convergence condition, every sequence $D_i$ in the behavior sequence set is assigned to the initial behavior sequence class corresponding to the model $HMM_j$ with the largest output probability, which updates the initial behavior sequence classes; the updated classes can be written $C' = \{C_1', C_2', \ldots, C_K'\}$. Steps 1 to 3 are repeated on the updated initial behavior sequence classes until the current function value satisfies the convergence condition.
Note that the objective function value computed from the HMM models corresponding to the initial behavior sequence classes produced by the initial division step, that is, the function value obtained in the first iteration, can be directly judged not to satisfy the convergence condition; in other words, the number of iterations is greater than or equal to 2.
Step S473: compare the output probability of each behavior sequence class with a preset probability threshold, and take the behavior sequences in the classes whose output probability is below the probability threshold as abnormal access sequences.
The behavior sequence classes obtained in step S472 are divided into classes corresponding to normal access behavior and classes corresponding to abnormal access behavior. Since the access behavior of most users is normal access behavior, the behavior sequence classes can be divided according to the output probability obtained for each class. Specifically, every behavior sequence class whose output probability is below the preset probability threshold is taken as a class corresponding to abnormal access behavior. The behavior sequences in those classes are all taken as abnormal access sequences and used to update the preset abnormal access sequence table. Every behavior sequence class whose output probability is greater than or equal to the preset probability threshold is taken as a class corresponding to normal access behavior. The probability threshold can be set empirically.
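The update procedure of steps S471 to S473 as an added Python example, not code from the patent. It substitutes first-order Markov chains for the HMMs, takes the initial division as an input instead of computing it from the TPSDTW distance, sums log-likelihoods as the joint objective, and treats a class's share of all sequences as its output probability; these choices, the 300-second interval, the sample data and all function names are assumptions.

```python
import math
from collections import defaultdict

GAP = 300               # assumed preset time interval, in seconds
LABELS = (1, 2, 3, 4)   # register, log in, browse news, post comment (S310)


def split_sessions(records, gap=GAP):
    """S471: turn (user, ts, label) rows into per-user behavior sequences,
    starting a new sequence when adjacent requests are >= gap apart."""
    per_user = defaultdict(list)
    for user, ts, label in sorted(records, key=lambda r: (r[0], r[1])):
        per_user[user].append((ts, label))
    sessions = []
    for rows in per_user.values():
        current, last = [], None
        for ts, label in rows:
            if last is not None and ts - last >= gap:
                sessions.append(tuple(current))
                current = []
            current.append(label)
            last = ts
        sessions.append(tuple(current))
    return sessions


def train(seqs):
    """Fit start and transition probabilities with add-one smoothing
    (a Markov-chain stand-in for the HMM parameters lambda_k)."""
    start = {a: 1.0 for a in LABELS}
    trans = {a: {b: 1.0 for b in LABELS} for a in LABELS}
    for s in seqs:
        start[s[0]] += 1
        for a, b in zip(s, s[1:]):
            trans[a][b] += 1
    total = sum(start.values())
    start = {a: c / total for a, c in start.items()}
    trans = {a: {b: c / sum(row.values()) for b, c in row.items()}
             for a, row in trans.items()}
    return start, trans


def loglik(seq, model):
    """log P(D_i | lambda_k) for one behavior sequence."""
    start, trans = model
    return math.log(start[seq[0]]) + sum(
        math.log(trans[a][b]) for a, b in zip(seq, seq[1:]))


def cluster(seqs, assign, k, eps=1e-6, max_iter=50):
    """S472: train k models, evaluate the joint objective, stop once it changes
    by less than eps, otherwise move every sequence to its most likely model."""
    assign, previous = list(assign), None
    for _ in range(max_iter):
        models = [train([s for s, c in zip(seqs, assign) if c == j])
                  for j in range(k)]
        joint = sum(loglik(s, models[c]) for s, c in zip(seqs, assign))
        if previous is not None and abs(joint - previous) < eps:
            break                      # never true on the first iteration
        previous = joint
        assign = [max(range(k), key=lambda j: loglik(s, models[j]))
                  for s in seqs]
    return assign


def abnormal_sequences(seqs, assign, k, prob_threshold):
    """S473: sequences of every class whose share falls below the threshold."""
    flagged = set()
    for j in range(k):
        members = [s for s, c in zip(seqs, assign) if c == j]
        if members and len(members) / len(seqs) < prob_threshold:
            flagged.update(members)
    return flagged


def sample_records():
    """Constructed access data as stored in S460: (user, unix_ts, label)."""
    visits = {
        "u1": [(1, 2, 3, 4)], "u2": [(1, 2, 3, 4)],
        "u3": [(1, 2, 3, 4), (2, 3, 4)], "u4": [(2, 3, 4)],
        "u5": [(1, 2, 3, 3, 4)],
        "bot1": [(2, 2, 2, 2, 2, 2)], "bot2": [(2, 2, 2, 2, 2)],
    }
    rows = []
    for user, sessions in visits.items():
        t = 1000
        for seq in sessions:
            for label in seq:
                rows.append((user, t, label))
                t += 10
            t += 10 * GAP              # pause longer than the preset interval
    return rows
```

Starting from an initial division that misfiles one login-flood sequence among the normal ones, for example `cluster(seqs, [1, 0, 0, 0, 0, 0, 0, 0], k=2)` on the sessions from `sample_records()`, the second pass moves it to the other class; the sequences returned by `abnormal_sequences` are what step S480 would add to the table.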
Step S480: add the generated abnormal access sequences to the abnormal access sequence table.
The abnormal access sequences generated by big data analysis of the large volume of stored access data are used to dynamically update the preset abnormal access sequence table, so that the updated table can adapt to newly emerging abnormal access behavior. This helps improve the accuracy of the abnormal access behavior detection method provided by the embodiments of the invention.
Note that steps S460 to S480 may occur before step S420, between steps S420 and S450, or after step S440 or step S450.
In an embodiment of the present invention, the abnormal access sequence table can serve as a scene library, with each abnormal access sequence treated as one scene. A scene can be understood as a behavior rule that describes an access pattern. Take a forum website as an example. For an ordinary user who wants to post a message, the normal access track is registration page → posting page → publish post → browse other posts. An attacker, by contrast, often registers a user only to find an upload interface or another interface that can trigger cross-site scripting, so the attacker's access track is likely to be registration page → repeatedly modify forum avatar → repeatedly post. Neither the attacker's behavior nor the ordinary user's behavior in itself triggers the detection rules of a traditional Web application firewall (Web Application Firewall, WAF). However, although an attacker may be able to simulate the access requests of a normal user, the attacker cannot simulate the access behavior of a normal user. As long as the above attacker access behavior is recorded in the scene library of the proxy server 200, it can be detected by the abnormal access behavior detection method provided by the embodiment of the present invention, so that attack requests are effectively intercepted.
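The table update (behavior sequences whose class has a low output probability) and the scene-library match for the forum example, as an added Python sketch that is not part of the patent. The label names, the run-collapsing normalisation, the containment test standing in for the "first preset rule", and the exact-pattern grouping standing in for the preset clustering algorithm are all assumptions; the sample records are constructed.

```python
from collections import Counter, defaultdict

REPEAT_MIN = 3        # assumption: a run of >= 3 identical labels counts as "repeated"
SESSION_GAP = 1800    # assumption: preset time interval (seconds) that splits sequences
PROB_THRESHOLD = 0.2  # assumption: preset probability threshold, set empirically


def normalise(labels):
    """Collapse runs of one label; runs of REPEAT_MIN or more become 'label*'."""
    out, i = [], 0
    while i < len(labels):
        j = i
        while j < len(labels) and labels[j] == labels[i]:
            j += 1
        run = j - i
        out.extend([labels[i] + "*"] if run >= REPEAT_MIN else [labels[i]] * run)
        i = j
    return tuple(out)


def contains(seq, pattern):
    """True if pattern occurs as a contiguous run inside seq."""
    n, m = len(seq), len(pattern)
    return m > 0 and any(seq[k:k + m] == pattern for k in range(n - m + 1))


class Detector:
    """Proxy-side matcher: per-user history plus an abnormal access sequence table."""

    def __init__(self, abnormal_table=()):
        self.table = set(abnormal_table)
        self.history = defaultdict(list)

    def observe(self, user, label):
        """Append the label to the user's history; return 'block' or 'forward'."""
        self.history[user].append(label)
        current = normalise(self.history[user])
        # Assumed "first preset rule": any table entry occurs in the current sequence.
        if any(contains(current, scene) for scene in self.table):
            return "block"
        return "forward"  # the request would be passed on to the web server


def split_sequences(records):
    """records: (user, timestamp, label). Split per user on gaps > SESSION_GAP."""
    per_user = defaultdict(list)
    for user, ts, label in sorted(records, key=lambda r: (r[0], r[1])):
        per_user[user].append((ts, label))
    sequences = []
    for events in per_user.values():
        current, last = [], None
        for ts, label in events:
            if last is not None and ts - last > SESSION_GAP:
                sequences.append(current)
                current = []
            current.append(label)
            last = ts
        sequences.append(current)
    return sequences


def mine_abnormal(records, threshold=PROB_THRESHOLD):
    """Return the sequence classes whose output probability is below the threshold.

    Stand-in for the preset clustering algorithm: a class is the set of sequences
    sharing one normalised pattern; its output probability is its share of all
    sequences.
    """
    classes = Counter(normalise(s) for s in split_sequences(records))
    total = sum(classes.values())
    return {p for p, count in classes.items() if count / total < threshold}


def build_sample_records():
    """Constructed access data: nine ordinary users and one attacker-style track."""
    normal = ["register", "post_page", "publish_post", "browse_post"]
    attack = ["register"] + ["modify_avatar"] * 4 + ["publish_post"] * 5
    records = []
    for n in range(9):
        records += [(f"user{n}", 100 * n + 10 * k, lab) for k, lab in enumerate(normal)]
    records += [("mallory", 5000 + 10 * k, lab) for k, lab in enumerate(attack)]
    return records


def replay(detector, user, labels):
    """Feed labels one request at a time and collect the proxy's decisions."""
    return [detector.observe(user, label) for label in labels]


if __name__ == "__main__":
    table = mine_abnormal(build_sample_records())
    print("mined abnormal sequences:", table)
    track = ["register"] + ["modify_avatar"] * 3 + ["publish_post"] * 3
    print(replay(Detector(table), "eve", track))
```

Because rarity is the only signal in this sketch, a rare but legitimate path is flagged as well, so mined sequences are worth reviewing before they are used to block requests.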
In summary, the embodiment of the present invention is based on reverse-proxy data acquisition: a proxy server 200 is provided between the user terminal 100 and the web server 300 to obtain the user's access requests in real time. Compared with traditional protective measures, the abnormal access behavior detection method provided by the embodiment of the present invention uses the user's access behavior as the data source and matches it against the preset abnormal access sequence table to detect the user's abnormal access behavior in real time, which effectively improves the accuracy and reliability of the detection result. In addition, by storing and analyzing the obtained access requests of users, multiple abnormal access sequences are generated and used to update the preset abnormal access sequence table, which helps further improve the accuracy and reliability of detection.
As shown in Figure 6, the embodiment of the present invention also provides an abnormal access behavior detection device 210, which runs on the proxy server 200. The abnormal access behavior detection device 210 includes: a first acquiring unit 211, a second acquiring unit 212 and a matching unit 213.
The first acquiring unit 211 is used to obtain an access request of a user, the access request including label information corresponding to the access behavior of the user's access request.
The second acquiring unit 212 is used to add the label information to the user's historical access sequence to obtain the current access sequence.
The matching unit 213 is used to match the current access sequence against the preset abnormal access sequence table and, when the match satisfies the first preset rule, to determine that the user's current access behavior is abnormal access behavior. In addition, the matching unit 213 is also used to send the access request to the web server 300 when the match does not satisfy the first preset rule.
As shown in Figure 7, the embodiment of the present invention also provides another abnormal access behavior detection device 210, which runs on the proxy server 200. In addition to the first acquiring unit 211, the second acquiring unit 212 and the matching unit 213, this abnormal access behavior detection device 210 also includes: a storage unit 214, an abnormal access sequence generating unit 215 and an updating unit 216.
The storage unit 214 is used to obtain access data from the access request and store it, the access data including the label information.
The abnormal access sequence generating unit 215 is used to analyze the stored access data according to the second preset rule and generate multiple abnormal access sequences.
The updating unit 216 is used to add the generated multiple abnormal access sequences to the abnormal access sequence table, so as to update the abnormal access sequence table.
Specifically, as shown in Figure 8, the storage unit 214 includes a data cleaning subunit 2141 and an access data storage subunit 2142.
The data cleaning subunit 2141 is used to perform data cleaning on the access request to obtain access data.
The access data storage subunit 2142 is used to store the access data in a database.
In this case, the abnormal access sequence generating unit 215 is specifically used to, when the data volume of the access data stored in the database is greater than a preset value, analyze the multiple access data stored in the database according to the second preset rule and generate multiple abnormal access sequences.
Specifically, the abnormal access sequence generating unit 215 includes a behavior sequence division subunit 2151, a behavior sequence class division subunit 2152 and an abnormal access retrieval subunit 2153.
The behavior sequence division subunit 2151 is used to divide the multiple access data stored in the database into multiple behavior sequences according to the label information corresponding to the user's multiple access requests within a preset time interval.
The behavior sequence class division subunit 2152 is used to perform classification training on the multiple behavior sequences according to a preset clustering algorithm to obtain multiple behavior sequence classes, where each behavior sequence class corresponds to an output probability.
The abnormal access retrieval subunit 2153 is used to compare the output probability of each behavior sequence class with the preset probability threshold, and to take the behavior sequences in the behavior sequence classes whose output probability is less than the probability threshold as abnormal access sequences.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the device and units described above can be found in the corresponding processes in the foregoing method embodiments and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed device and method may also be implemented in other ways. The device embodiments described above are merely illustrative. For example, the flowcharts and block diagrams in the accompanying drawings show the possible architecture, functions and operations of devices, methods and computer program products according to multiple embodiments of the present invention. In this regard, each block in a flowchart or block diagram may represent a module, a program segment or a part of code, and the module, program segment or part of code contains one or more executable instructions for implementing the specified logic function. It should also be noted that, in some alternative implementations, the functions marked in the blocks may occur in an order different from that marked in the drawings. For example, two consecutive blocks may in fact be executed substantially in parallel, and they may sometimes be executed in the reverse order, depending on the functions involved. It should also be noted that each block in the block diagrams and/or flowcharts, and each combination of blocks in the block diagrams and/or flowcharts, can be implemented by a dedicated hardware-based system that performs the specified functions or actions, or by a combination of dedicated hardware and computer instructions.
In addition, the functional modules in the embodiments of the present invention may be integrated together to form one independent part, each module may exist separately, or two or more modules may be integrated to form one independent part.
If the functions are implemented in the form of software function modules and sold or used as independent products, they can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or a part of the technical solution, can be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), a magnetic disk, an optical disc, or other media that can store program code. It should be noted that, in this document, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to the process, method, article or device. Without further limitation, an element defined by the statement "including ..." does not exclude the existence of other identical elements in the process, method, article or device that includes the element.
The above is only a specific embodiment of the present invention, but the protection scope of the present invention is not limited thereto. Any change or replacement that a person skilled in the art can readily think of within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
Claims (10)
1. An abnormal access behavior detection method, characterized in that the method includes:
obtaining an access request of a user, the access request including label information corresponding to the access behavior of the user's access request;
adding the label information to the user's historical access sequence to obtain a current access sequence;
matching the current access sequence against a preset abnormal access sequence table and, when the match satisfies a first preset rule, determining that the user's current access behavior is abnormal access behavior.
2. The method according to claim 1, characterized in that, after the step of obtaining the access request of the user, the method also includes:
obtaining access data from the access request and storing it, the access data including the label information;
analyzing the stored access data according to a second preset rule to generate multiple abnormal access sequences;
adding the generated multiple abnormal access sequences to the abnormal access sequence table, so as to update the abnormal access sequence table.
3. The method according to claim 2, characterized in that the step of obtaining access data from the access request and storing it includes:
performing data cleaning on the access request to obtain access data;
storing the access data in a database;
and the step of analyzing the stored access data according to the second preset rule to generate multiple abnormal access sequences includes:
when the data volume of the access data stored in the database is greater than a preset value, analyzing the multiple access data stored in the database according to the second preset rule to generate multiple abnormal access sequences.
4. The method according to claim 3, characterized in that the step of analyzing the multiple access data stored in the database according to the second preset rule to generate multiple abnormal access sequences includes:
dividing the multiple access data stored in the database into multiple behavior sequences according to the label information corresponding to the user's multiple access requests within a preset time interval;
performing classification training on the multiple behavior sequences according to a preset clustering algorithm to obtain multiple behavior sequence classes, where each behavior sequence class corresponds to an output probability;
comparing the output probability of each behavior sequence class with a preset probability threshold, and taking the behavior sequences in the behavior sequence classes whose output probability is less than the probability threshold as abnormal access sequences.
5. The method according to claim 1, characterized in that the step of matching the current access sequence against the preset abnormal access sequence table also includes: when the match does not satisfy the first preset rule, sending the access request to the web server.
6. An abnormal access behavior detection device, characterized in that the device includes:
a first acquiring unit, used to obtain an access request of a user, the access request including label information corresponding to the access behavior of the user's access request;
a second acquiring unit, used to add the label information to the user's historical access sequence to obtain a current access sequence;
a matching unit, used to match the current access sequence against a preset abnormal access sequence table and, when the match satisfies a first preset rule, to determine that the user's current access behavior is abnormal access behavior.
7. The device according to claim 6, characterized in that it also includes:
a storage unit, used to obtain access data from the access request and store it, the access data including the label information;
an abnormal access sequence generating unit, used to analyze the stored access data according to a second preset rule and generate multiple abnormal access sequences;
an updating unit, used to add the generated multiple abnormal access sequences to the abnormal access sequence table, so as to update the abnormal access sequence table.
8. The device according to claim 7, characterized in that the storage unit includes:
a data cleaning subunit, used to perform data cleaning on the access request to obtain access data;
an access data storage subunit, used to store the access data in a database;
the abnormal access sequence generating unit is specifically used to, when the data volume of the access data stored in the database is greater than a preset value, analyze the multiple access data stored in the database according to the second preset rule and generate multiple abnormal access sequences.
9. The device according to claim 8, characterized in that the abnormal access sequence generating unit includes:
a behavior sequence division subunit, used to divide the multiple access data stored in the database into multiple behavior sequences according to the label information corresponding to the user's multiple access requests;
a behavior sequence class division subunit, used to perform classification training on the multiple behavior sequences according to a preset clustering algorithm to obtain multiple behavior sequence classes, where each behavior sequence class corresponds to an output probability;
an abnormal access retrieval subunit, used to compare the output probability of each behavior sequence class with a preset probability threshold, and to take the behavior sequences in the behavior sequence classes whose output probability is less than the probability threshold as abnormal access sequences.
10. The device according to claim 6, characterized in that the matching unit is also used to send the access request to the web server when the match does not satisfy the first preset rule.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610631276.9A CN106027577B (en) | 2016-08-04 | 2016-08-04 | Abnormal access behavior detection method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106027577A (en) | 2016-10-12 |
CN106027577B (en) | 2019-04-30 |
Family
ID=57134356
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610631276.9A Active CN106027577B (en) | Abnormal access behavior detection method and device | 2016-08-04 | 2016-08-04 |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106027577B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN106027577B (en) | 2019-04-30 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||