CN107172064A - Data access control method, device and server - Google Patents

Data access control method, device and server

Info

Publication number
CN107172064A
Authority
CN
China
Prior art keywords
destination address
history
accessed
terminal
time intervals
Prior art date
Legal status
Granted
Application number
CN201710428519.3A
Other languages
Chinese (zh)
Other versions
CN107172064B (en)
Inventor
马立伟
蔡晨
王森
王月强
李志豪
Current Assignee
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN201710428519.3A
Publication of CN107172064A
Application granted
Publication of CN107172064B
Legal status: Active
Anticipated expiration

Classifications

    • H04L67/60 Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources (under H04L67/00 Network arrangements or protocols for supporting network services or applications; H04L67/50 Network services)
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic


Abstract

This application discloses a data access control method, device and server. At least one data access request sent by a terminal within a set time period is obtained; the destination address accessed by each data access request is determined, yielding at least one destination address; the number of times each destination address was successfully accessed within a historical set time period is then determined as its history access count; and, according to the history access count of each destination address, it is determined whether the terminal is an illegal scanning probe terminal, so as to decide whether to control the terminal's data access requests. The method is designed around the behavioural characteristics of scanning probes carried out by illegal terminals, so it can effectively detect malicious scanning probe behaviour without, as in the prior art, producing false positives for normal terminals that generate large volumes of data access.

Description

Data access control method, device and server
Technical field
This application relates to the field of Internet technology, and more specifically to a data access control method, device and server.
Background technology
With the rapid development of the Internet, users can use it for entertainment, work, communication and more, which greatly facilitates their daily lives.
Alongside this development, some unauthorised persons intrude into other systems over the Internet, posing a great hidden danger to network security; such persons are commonly called hackers. A common means of attack and infiltration is the scanning probe: a single terminal initiates accesses to a large number of servers in order to scan and probe them. To determine whether malicious scanning probing is taking place, the means currently used in the industry is to count the number of accesses initiated by the same terminal to the same address per unit time and check whether it exceeds a set threshold; if it does, the terminal is determined to be a malicious scanning probe terminal. However, owing to business needs, a normal terminal may initiate many accesses to the same address within a short time, with the access count exceeding the set threshold, so the prior art produces false positives.
The content of the invention
In view of this, the present application provides a data access control method, device and server, to solve the problem that the prior-art approach (deciding whether a terminal is a malicious scanning terminal according to whether the number of accesses it initiates to the same address per unit time exceeds a threshold) easily misjudges normal terminals with a high access volume as malicious scanning terminals.
To achieve these goals, the proposed scheme is as follows:
A data access control method, including:
obtaining at least one data access request sent by a terminal within a set time period;
determining the destination address accessed by each data access request, to obtain at least one destination address;
determining the number of times each destination address was successfully accessed within a historical set time period, as its history access count;
determining, according to the history access count of each destination address, whether the terminal is an illegal scanning probe terminal, so as to decide whether to control the terminal's data access requests.
A data access control device, including:
a data access request acquiring unit, for obtaining at least one data access request sent by a terminal within a set time period;
a destination address determining unit, for determining the destination address accessed by each data access request, to obtain at least one destination address;
a history access count determining unit, for determining the number of times each destination address was successfully accessed within a historical set time period, as its history access count;
a terminal type determining unit, for determining, according to the history access count of each destination address, whether the terminal is an illegal scanning probe terminal, so as to decide whether to control the terminal's data access requests.
A server, including a memory and a processor, where the memory stores a program and the processor calls the program, the program being used to:
obtain at least one data access request sent by a terminal within a set time period;
determine the destination address accessed by each data access request, to obtain at least one destination address;
determine the number of times each destination address was successfully accessed within a historical set time period, as its history access count;
determine, according to the history access count of each destination address, whether the terminal is an illegal scanning probe terminal, so as to decide whether to control the terminal's data access requests.
In the data access control method provided by the embodiments of the present application, at least one data access request sent by a terminal within a set time period is obtained; the destination address accessed by each request is determined, yielding at least one destination address; the number of times each destination address was successfully accessed within a historical set time period is determined as its history access count; and according to these history access counts it is determined whether the terminal is an illegal scanning probe terminal, so as to decide whether to control its data access requests. Because the scan destination addresses of an illegal scanning probe terminal are randomly generated, they may include a large number of non-existent or rarely visited destination addresses, which are successfully accessed by only a limited number of normal terminals. The present application therefore determines, for each data access request sent by the terminal within the set time period, the history access count of the destination address it accessed, and then analyses these counts to determine whether the terminal is an illegal scanning probe terminal. This method fits the scanning probe behaviour of illegal scanning probe terminals more closely, so it can effectively detect malicious scanning probe behaviour without, as in the prior art, raising false positives for normal terminals with large volumes of data access.
Brief description of the drawings
In order to explain the embodiments of the present application or the technical solutions of the prior art more clearly, the drawings required for the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only embodiments of the present application; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of a server hardware structure disclosed in an embodiment of the present application;
Fig. 2 is a processor system architecture diagram of an application example;
Fig. 3 is a flow chart of a data access control method disclosed in an embodiment of the present application;
Fig. 4 is a flow chart of a method of determining the history access count of a destination address disclosed in an embodiment of the present application;
Fig. 5 is a flow chart of a method of generating an access address list disclosed in an embodiment of the present application;
Fig. 6 is a flow chart of a method of determining whether a terminal is an illegal scanning probe terminal disclosed in an embodiment of the present application;
Fig. 7 is a schematic diagram of a data access control device structure disclosed in an embodiment of the present application.
Embodiment
The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the present application, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of these embodiments, without creative effort, fall within the scope of protection of the present application.
An embodiment of the present application provides a data access control program that can be applied to a server. The server can be a single server or a cluster of multiple servers, and its hardware can be a processing device such as a computer or a notebook. Before the data access control method of the application is introduced, the hardware structure of the server is introduced first. As shown in Fig. 1, the server can include:
processor 1, communication interface 2, memory 3, communication bus 4 and display screen 5;
where processor 1, communication interface 2, memory 3 and display screen 5 communicate with each other via communication bus 4.
Optionally, communication interface 2 can be the interface of a communication module, such as the interface of a GSM module.
Optionally, processor 1 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present application.
The application can load a program into memory 3 in advance through communication interface 2, and processor 1 can call the program, which is used to:
obtain at least one data access request sent by a terminal within a set time period;
determine the destination address accessed by each data access request, to obtain at least one destination address;
determine the number of times each destination address was successfully accessed within a historical set time period, as its history access count;
determine, according to the history access count of each destination address, whether the terminal is an illegal scanning probe terminal, so as to decide whether to control the terminal's data access requests.
The processor can be composed of multiple system modules. Fig. 2 illustrates an optional system architecture of the processor, which can include:
log system module 11, access address list determining module 12, legitimacy determining module 13 and warning system module 14.
The log system module 11 can be an IDS (Intrusion Detection System) or a similar module that records the data packets transmitted on the network. It can be installed on the core switch so as to obtain the packets transmitted across the whole network, parse and format them, and obtain the destination address of each data access.
The access address list determining module 12 receives the network log data obtained by the log system module 11 within the historical set time period; the network log data include the destination address corresponding to each data access request. From this network log data it generates an access address list, which records the destination addresses whose successful-access count within the historical set time period belongs to a set count interval, for example the destination addresses successfully accessed more than 0 times within the historical set time period. The set count interval can be configured by the user, and there can be one interval or several. Optionally, when there are several count intervals, the access address list can include several access address sublists, each sublist corresponding to a different count interval.
The legitimacy determining module 13 queries the access address list and obtains the data access requests of the most recent period sent by the log system module 11. According to the destination addresses accessed by these data access requests, it determines from the access address list the number of times each destination address was successfully accessed within the historical set time period, as its history access count, and then determines according to the history access counts of the destination addresses whether the terminal is an illegal scanning probe terminal.
The warning system module 14 decides, according to the result of the legitimacy determining module 13, whether to control the terminal's data access requests or to raise an alarm. For example, when a terminal is determined to be an illegal scanning probe terminal, an alarm is sent to the operations staff.
Next, in combination with the server hardware structure, the data access control method of the application is introduced. As shown in Fig. 3, the method includes:
Step S100: obtain at least one data access request sent by the terminal within a set time period;
Specifically, in order to determine whether a terminal is an illegal scanning probe terminal, at least one data access request sent by the terminal within the set time period must be obtained. A data access request consists of data packets. The set time period can be configured by the user, for example as a preset detection cycle: at the end of each detection cycle, for every terminal that sent data access requests during that cycle, the at least one data access request it sent during the cycle is collected. The length of the detection cycle is the length of the set time period, for example 10 minutes or another duration.
Step S110: determine the destination address accessed by each data access request, obtaining at least one destination address;
Specifically, the packets corresponding to a data access request can be parsed to obtain: the time, the source address, the destination address, and whether the access succeeded. The source address can include a source IP and a source port, and the destination address can include a destination IP and a destination port.
In this step, by parsing the packets corresponding to each data access request, the destination address corresponding to each data access request can be determined, obtaining at least one destination address.
Step S120: determine the number of times each destination address was successfully accessed within a historical set time period, as its history access count;
Specifically, step S100 obtains the data access requests sent by the terminal within the set time period. Taking the set time period to be the period t1 to t2, the historical set time period of this step is a period before time t1 whose total length equals that of the set time period. In an optional mode, suppose step S100 obtains, at the end of detection cycle T_x, the data access requests sent by the terminal during T_x. Then in this step, the number of times each destination address was successfully accessed during detection cycle T_(x-1) can be determined, or during detection cycle T_(x-n), where n may be any integer greater than zero.
The history access count of each destination address determined in this step is obtained by counting the accesses of all terminals across the whole network to that destination address, and so reflects how the accesses of normal terminals are distributed over destination addresses.
Step S130: according to the history access count of each destination address, determine whether the terminal is an illegal scanning probe terminal, so as to decide whether to control the terminal's data access requests.
Specifically, the previous step determined the history access count of each destination address accessed by the terminal within the set time period; based on these history access counts it can be analysed whether the terminal is an illegal scanning probe terminal.
For example, if the history access counts of the destination addresses are all extremely low, it can be determined that the destination addresses accessed by the terminal deviate from those accessed by most normal terminals; that is, the terminal is probably accessing a number of destination addresses chosen at random, most of which are not addresses open to the public, and so the terminal is very likely an illegal scanning probe terminal.
In the data access control method provided by the embodiments of the present application, at least one data access request sent by a terminal within a set time period is obtained; the destination address accessed by each request is determined, yielding at least one destination address; the number of times each destination address was successfully accessed within a historical set time period is determined as its history access count; and according to these history access counts it is determined whether the terminal is an illegal scanning probe terminal, so as to decide whether to control its data access requests. Because the scan destination addresses of an illegal scanning probe terminal are randomly generated, they may include a large number of non-existent or rarely visited destination addresses, which are successfully accessed by only a limited number of normal terminals. The present application therefore determines, for each data access request sent by the terminal within the set time period, the history access count of the destination address it accessed, and then analyses these counts to determine whether the terminal is an illegal scanning probe terminal. This method fits the scanning probe behaviour of illegal scanning probe terminals more closely, so it can effectively detect malicious scanning probe behaviour without, as in the prior art, raising false positives for normal terminals with large volumes of data access.
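The following is an added worked example of steps S100 to S130 of Fig. 3; it is not code from the patent or from the applicant. It assumes a constructed, line-oriented log format carrying the four fields the description says the packet parser yields (time, source address, destination address, success flag), treats the source IP as the terminal, takes detection cycle T_(x-1) as the historical set time period, and makes the "extremely low history access count" rule of S130 concrete as a share-of-rare-destinations check (`looks_like_probe`), which is an assumption of this example rather than a rule the text states.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one line per data access request with the four fields the
# description says the packet parser yields (time, source address, destination address,
# success flag). The line format itself is an assumption made for this example.
SAMPLE_LOG = """\
2017-06-01T09:52:10 10.0.0.7:40001 2.2.2.2:443 ok
2017-06-01T09:53:30 10.0.0.8:40002 2.2.2.2:443 ok
2017-06-01T09:55:00 10.0.0.9:40003 3.3.3.3:80 ok
2017-06-01T09:58:40 10.0.0.7:40004 3.3.3.3:80 ok
2017-06-01T10:01:00 10.0.0.7:40010 2.2.2.2:443 ok
2017-06-01T10:02:00 10.0.0.7:40011 3.3.3.3:80 ok
2017-06-01T10:03:00 10.0.0.20:50001 2.2.2.2:443 ok
2017-06-01T10:03:01 10.0.0.20:50002 2.2.2.3:22 fail
2017-06-01T10:03:02 10.0.0.20:50003 2.2.2.4:22 fail
2017-06-01T10:03:03 10.0.0.20:50004 2.2.2.5:22 fail
2017-06-01T10:03:04 10.0.0.20:50005 2.2.2.6:22 fail
"""

CYCLE = timedelta(minutes=10)             # detection cycle length (the text's 10-minute example)
CYCLE_END = datetime(2017, 6, 1, 10, 10)  # end of detection cycle T_x for the sample above


def parse_log(text):
    """Parse the constructed log into (time, (src_ip, src_port), (dst_ip, dst_port), success)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, result = line.split()
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        records.append((datetime.fromisoformat(ts),
                        (src_ip, int(src_port)),
                        (dst_ip, int(dst_port)),
                        result == "ok"))
    return records


def destinations_by_terminal(records, start, end):
    """S100/S110: the set of destination addresses each terminal (keyed by source IP)
    requested in the cycle [start, end). Success is irrelevant here: every request counts."""
    out = defaultdict(set)
    for ts, (src_ip, _), dst, _ in records:
        if start <= ts < end:
            out[src_ip].add(dst)
    return out


def history_access_counts(records, start, end):
    """S120: successful accesses per destination address, over all terminals, in the
    previous cycle [start, end). This is the network-wide popularity of each address."""
    return Counter(dst for ts, _, dst, ok in records if ok and start <= ts < end)


def looks_like_probe(counts, low=1, share=0.8):
    """S130 made concrete (an assumption of this example): flag the terminal when at
    least `share` of its destinations had no more than `low` successful accesses in
    the previous cycle, i.e. it mostly touched addresses normal terminals do not use."""
    if not counts:
        return False
    rare = sum(1 for n in counts.values() if n <= low)
    return rare / len(counts) >= share


def evaluate_cycle(records, cycle_end=CYCLE_END):
    """Run the Fig. 3 method at the end of cycle T_x, using T_(x-1) as the history period.
    Returns {terminal_ip: is_probe}."""
    history = history_access_counts(records, cycle_end - 2 * CYCLE, cycle_end - CYCLE)
    verdict = {}
    for terminal, dsts in destinations_by_terminal(records, cycle_end - CYCLE, cycle_end).items():
        counts = {dst: history.get(dst, 0) for dst in dsts}
        verdict[terminal] = looks_like_probe(counts)
    return verdict


if __name__ == "__main__":
    for terminal, flagged in sorted(evaluate_cycle(parse_log(SAMPLE_LOG)).items()):
        print(terminal, "illegal scanning probe terminal" if flagged else "normal")
```

In the sample, terminal 10.0.0.7 only revisits the two addresses that the whole network used successfully in the previous cycle and is left alone, while 10.0.0.20 touches four addresses nobody reached before and is flagged even though it sent only one request per address, which is exactly the case the per-address threshold of the prior art cannot catch.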
The scheme of the application can generate an access address list from historical data access requests. The list stores the destination addresses whose successful-access count within the historical set time period belongs to a set count interval, where the lower bound of the set count interval is zero, exclusive. On this basis, the above process of determining the number of times each destination address was successfully accessed within the historical set time period, as its history access count, can be as shown in Fig. 4 and include:
Step S200: obtain the pre-stored access address list;
The access address list stores the destination addresses whose successful-access count within the historical set time period belongs to the set count interval, whose lower bound is zero, exclusive.
Step S210: for each destination address stored in the access address list, determine the count interval to which its successful-access count within the historical set time period belongs, as its history access count interval;
Step S220: for each destination address not stored in the access address list, determine that its history access count interval is zero.
On this basis, the above process of determining, according to the history access count of each destination address, whether the terminal is an illegal scanning probe terminal can include:
determining, according to the history access count interval of each destination address, whether the terminal is an illegal scanning probe terminal.
For example, if the history access count interval of every destination address is a low count interval, the terminal can be determined to be an illegal scanning probe terminal.
Further, the process of generating the above access address list is introduced with reference to the flow of Fig. 5, which includes:
Step S300: obtain several historical data access requests within the historical set time period;
Specifically, this step obtains the historical data access requests initiated by each terminal within the historical set time period.
Step S310: determine the destination address accessed by each historical data access request and its access result, the access result indicating whether the access succeeded;
Specifically, if the destination address accessed by a historical data access request does not exist or is not open, the access result of that request cannot be success. Whether the access result is success therefore reflects the open state of the corresponding destination address.
Step S320: according to the historical data access requests whose access result is success, determine the accessed count of each destination address;
For example, the successful historical data access requests within a 10-minute historical period are requests 1 to 9. The destination address of each historical data access request is shown in Table 1 below:
Table 1
As seen from the table, the accessed counts of the accessed destination addresses are: destination address 1 is accessed 5 times, destination address 3 is accessed 3 times, and destination address 4 is accessed once.
Step S330: determine the set count interval to which the accessed count of each destination address belongs;
The set count intervals can be configured by the user, and there can be one or several; the lower bound of the lowest set count interval is zero, exclusive.
For example, when there is only one set count interval, it is (0, +∞]; alternatively there can be several, such as two: (0, 4] and (4, +∞].
It will be understood that when there are several set count intervals, they do not intersect.
Step S340: store each destination address in the access address list according to its correspondence with the set count interval it belongs to.
Optionally, an access address sublist can be set for each set count interval, storing the destination addresses whose accessed count belongs to that interval. The sublists corresponding to the set count intervals together form the access address list. The set count intervals do not intersect, and the lower bound of the lowest one is zero, exclusive.
For example, the access address list includes access address sublist 1 and access address sublist 2. Sublist 1 corresponds to the set count interval (0, 4] and sublist 2 to (4, +∞]. Then, for the destination addresses in Table 1 above, the accessed count of destination address 1 is 5, so it is stored in sublist 2, while the accessed counts of destination addresses 3 and 4 belong to (0, 4], so they are stored in sublist 1. Sublists 1 and 2 form the access address list.
On this basis, step S210 above (for each destination address stored in the access address list, determining the count interval to which its successful-access count within the historical set time period belongs, as its history access count interval) can specifically include:
determining the access address sublist in which the destination address is located, and taking the set count interval corresponding to that sublist as the history access count interval of the destination address.
Because different set count intervals correspond to different access address sublists, when the history access count interval of a destination address is later needed, the sublist containing the address can be queried directly and the set count interval of that sublist taken as the history access count interval of the address. Of course, if the destination address is in none of the sublists, its history access count interval can be determined to be zero.
Further optionally, the above process of determining, according to the history access count interval of each destination address, whether the terminal is an illegal scanning probe terminal can be implemented as shown in Fig. 6, including:
Step S400: for each destination address, determine the offset weight value corresponding to its history access count interval, as the offset weight value of that destination address;
Specifically, a destination address can be a destination IP, or a combination of destination IP and destination port. For different types of destination address, different offset weight values can be set according to the history access count interval.
The offset weight value is related to the history access count: the smaller the lower bound of the history access count interval, the larger the corresponding offset weight value. The offset weight value expresses the degree of deviation from normal access addresses; the larger the value, the more likely the accessing terminal is an illegal scanning probe terminal. Conversely, the smaller the history access count of the destination address a terminal accesses, the further its access deviates from normal access addresses, so the larger the offset weight value set for it.
As introduced above, a corresponding access address sublist can be set for each history access count interval. On this basis, the application can set different offset weight values for different access address sublists: the smaller the lower bound of the history access count interval, the larger the offset weight value of the corresponding sublist, and that offset weight value is the offset weight value of every destination address stored in the sublist.
Step S410: sum the offset weight values of the destination addresses to obtain an offset weight sum;
Step S420: if the offset weight sum exceeds a set offset weight threshold, determine that the terminal is an illegal scanning probe terminal.
Specifically, if the offset weight sum of the destination addresses of the data access requests sent by the terminal within the set time period exceeds the set offset weight threshold, the terminal is an illegal scanning probe terminal; otherwise it can be determined that the terminal is not an illegal scanning probe terminal.
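The following is an added worked example of the access address list of Fig. 5 (steps S300 to S340), the interval lookup of Fig. 4 (steps S210 and S220) and the offset weight scoring of Fig. 6 (steps S400 to S420) taken together; it is not code from the patent or from the applicant. The history counts reproduce the Table 1 example (address 1 five times, address 3 three times, address 4 once) with the two intervals (0, 4] and (4, +∞]; the concrete offset weight values (0, 1 and 3, ordered as the text requires), the threshold of 5 and the two terminals' destination sets are constructed assumptions. Weights are summed over the distinct destination addresses a terminal requested, which is this example's reading of "each destination address".

```python
import math
from collections import Counter

INF = math.inf

# Constructed parameters (assumptions for this example, not values from the patent):
# the two set count intervals of the text's example, (0, 4] and (4, +inf], one offset
# weight per interval, a third weight for addresses absent from every sublist, and a
# threshold. The ordering follows the text: third > second > first, with first = 0.
INTERVALS = [(0, 4), (4, INF)]            # (lower bound exclusive, upper bound inclusive)
WEIGHTS = {(4, INF): 0.0, (0, 4): 1.0}    # first and second offset weight values
ZERO_WEIGHT = 3.0                          # third offset weight value: history access count 0
THRESHOLD = 5.0                            # set offset weight threshold

# Constructed history: the successful requests of Table 1 as a list of destination
# addresses (address 1 five times, address 3 three times, address 4 once).
HISTORY_SUCCESSES = ["address-1"] * 5 + ["address-3"] * 3 + ["address-4"]

# Constructed current-cycle destination sets for two terminals.
NORMAL_TERMINAL = {"address-1", "address-3", "address-4"}
PROBE_TERMINAL = {"address-1", "address-7", "address-8", "address-9"}


def build_address_list(successful_history):
    """Fig. 5, S300-S340: count successful accesses per destination over the history
    period and place each destination in the sublist of the interval its count falls in.
    Addresses with count 0 never appear, since the lowest interval excludes 0."""
    counts = Counter(successful_history)
    sublists = {interval: set() for interval in INTERVALS}
    for dst, n in counts.items():
        for lo, hi in INTERVALS:
            if lo < n <= hi:            # intervals do not overlap, so at most one matches
                sublists[(lo, hi)].add(dst)
                break
    return sublists


def history_interval(dst, sublists):
    """Fig. 4, S210/S220: the interval of the sublist holding dst, or None when dst is in
    no sublist (history access count interval zero)."""
    for interval, members in sublists.items():
        if dst in members:
            return interval
    return None


def offset_weight_sum(destinations, sublists):
    """Fig. 6, S400/S410: offset weight of each distinct destination address, summed."""
    total = 0.0
    for dst in destinations:
        interval = history_interval(dst, sublists)
        total += ZERO_WEIGHT if interval is None else WEIGHTS[interval]
    return total


def is_probe_terminal(destinations, sublists, threshold=THRESHOLD):
    """Fig. 6, S420: the terminal is an illegal scanning probe terminal when the offset
    weight sum exceeds the set offset weight threshold."""
    return offset_weight_sum(destinations, sublists) > threshold


if __name__ == "__main__":
    sublists = build_address_list(HISTORY_SUCCESSES)
    for name, dsts in (("normal", NORMAL_TERMINAL), ("probe", PROBE_TERMINAL)):
        print(name, offset_weight_sum(dsts, sublists), is_probe_terminal(dsts, sublists))
```

Because the sublists are rebuilt from the previous period's successful accesses, the table naturally follows the drift described later for cycles T1 and T2: an address whose popularity drops simply lands in a lower sublist on the next rebuild and starts contributing a larger weight.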
By the agency of mistake in above-described embodiment, destination address can be determined by carrying out parsing to data access request, the purpose Address can include purpose IP, or purpose IP and destination interface combination.According to the different type of destination address, access Location list is also different, is next introduced in detail.
If the destination address only includes purpose IP.Successfully visited in the historical time section that is then stored with reference address list Ask that number of times belongs to the purpose IP of setting time intervals.
Certainly, reference address list can include several reference address sublist, the different setting time intervals of correspondence. Show for example, reference address list includes two reference address sublist, respectively:
Reference address sublist 1:
Destination IP
2.2.2.2
3.3.3.3
4.4.4.4
5.5.5.5
Table 2
Reference address sublist 2:
Destination IP
6.6.6.6
7.7.7.7
Table 3
Here the destination addresses stored in reference address sublist 1 have a historical successful access count in the historical set time period within (10, +∞), and the destination addresses stored in reference address sublist 2 have a historical successful access count in the historical set time period within (0, 10].
Reference address sublist 1 corresponds to a first offset weight value and reference address sublist 2 to a second offset weight value. For a destination address whose historical successful access count in the historical set time period is 0, no additional reference address sublist is needed; the offset weight value of such a destination address is directly determined to be a third offset weight value, where the third offset weight value is greater than the second offset weight value, and the second offset weight value is greater than the first offset weight value.
Optionally, the offset weight value of the reference address sublist corresponding to the count interval with the highest lower bound can be set to 0; in the example above, the first offset weight value of reference address sublist 1 is set to 0.
Reference address sublists 1 and 2 are determined from the data access requests in a given phase of the historical set time period, and their contents change over time. For example, in cycle T1 destination address 2.2.2.2 is in reference address sublist 1; if in cycle T2 its access count drops into the interval (0, 10], it is stored in reference address sublist 2 instead.
Further, if the destination address contains both a destination IP and a destination port, the reference address list contains two subclasses: the first-subclass reference address list stores destination IPs whose successful access count in the historical set time period falls within a set count interval, and the second-subclass reference address list stores combinations of destination IP and destination port whose successful access count in the historical set time period falls within a set count interval.
For example:
First subclass reference address list:
Table 4
The destination IPs stored in the first-subclass reference address list have a historical successful access count greater than 0 in the historical set time period.
Second subclass reference address list:
Destination IP    Destination port set
2.2.2.2 8888
3.3.3.3 12345,4354,6756
4.4.4.4 80,8081
5.5.5.5 9999,7777
Table 5
The combinations of destination IP and destination port stored in the second-subclass reference address list have a historical successful access count greater than 0 in the historical set time period. For example, the historical access count of destination IP 3.3.3.3 with destination port 12345 is greater than 0, the historical access count of destination IP 3.3.3.3 with destination port 4354 is greater than 0, and so on.
Optionally, different offset weight values can be set for the first-subclass reference address list and the second-subclass reference address list; for example, the offset weight value of the first-subclass reference address list can be greater than that of the second-subclass reference address list.
It should further be noted that each subclass reference address list can itself be divided into several reference address sublists according to the set count intervals. Taking the two intervals (0, 10] and (10, +∞) as an example, and referring to the first-subclass reference address list shown in table 4 above:
Assuming that the first 3 destination IPs recorded there have a historical access count greater than 10 and the last 2 destination IPs have a historical access count less than 10, the first-subclass reference address list can be divided into first-subclass reference address sublist 1 and first-subclass reference address sublist 2 as follows:
First subclass reference address sublist 1:
Destination IP
2.2.2.2
3.3.3.3
4.4.4.4
Table 6
First-subclass reference address sublist 1 stores the destination IPs whose historical access count falls within (10, +∞).
First subclass reference address sublist 2:
Destination IP
5.5.5.5
6.6.6.6
Table 7
First-subclass reference address sublist 2 stores the destination IPs whose historical access count falls within (0, 10].
A destination IP not stored in any first-subclass reference address sublist can be determined to have a historical access count of 0, so the offset weight value of such a destination IP is set greater than the offset weight value of first-subclass reference address sublist 2, which in turn is greater than the offset weight value of first-subclass reference address sublist 1.
Further, again taking the two intervals (0, 10] and (10, +∞) as an example, and referring to the second-subclass reference address list shown in table 5 above:
For ease of statement, the combination of destination IP A and destination port B is written as (A, B).
Assume that the historical access count of (2.2.2.2, 8888) is greater than 10, that of (3.3.3.3, 12345) is greater than 10, that of (3.3.3.3, 4354) is less than 10, that of (3.3.3.3, 6756) is less than 10, that of (4.4.4.4, 80) is greater than 10, that of (4.4.4.4, 8081) is less than 10, that of (5.5.5.5, 9999) is less than 10, and that of (5.5.5.5, 7777) is less than 10.
The second-subclass reference address list can then be divided into second-subclass reference address sublist 1 and second-subclass reference address sublist 2 as follows:
Second subclass reference address sublist 1:
Destination IP    Destination port set
2.2.2.2 8888
3.3.3.3 12345
4.4.4.4 80
Table 8
Second-subclass reference address sublist 1 stores the combinations of destination IP and destination port whose historical access count falls within (10, +∞).
Second subclass reference address sublist 2:
Destination IP    Destination port set
3.3.3.3 4354,6756
4.4.4.4 8081
5.5.5.5 9999,7777
Table 9
Second-subclass reference address sublist 2 stores the combinations of destination IP and destination port whose historical access count falls within (0, 10].
A combination of destination IP and destination port not stored in any second-subclass reference address sublist can be determined to have a historical access count of 0, so the offset weight value of such a combination can be set greater than the offset weight value of second-subclass reference address sublist 2, which in turn is greater than the offset weight value of second-subclass reference address sublist 1.
A concrete example follows.
The destination addresses actually accessed by a terminal in the set time period are shown in table 10 below:
Destination IP    Destination port set
2.2.2.2 8888
5.5.5.5 8081,9999
7.7.7.7 9999
Table 10
Assume that the reference address list consists of first-subclass reference address sublists 1 and 2 from tables 6 and 7 above, and second-subclass reference address sublists 1 and 2 from tables 8 and 9 above.
The offset weight value of a destination IP stored in neither first-subclass reference address sublist 1 nor 2 is 2, the offset weight value of first-subclass reference address sublist 2 is 1, and the offset weight value of first-subclass reference address sublist 1 is 0.
The offset weight value of a destination IP and destination port combination stored in neither second-subclass reference address sublist 1 nor 2 is 0.7, the offset weight value of second-subclass reference address sublist 2 is 0.4, and the offset weight value of second-subclass reference address sublist 1 is 0.
The offset weight threshold is set to 5.
The destination addresses actually accessed by the terminal are analysed one by one:
First destination address (2.2.2.2, 8888): the destination IP it contains is in first-subclass reference address sublist 1, so the first offset weight value is determined to be 0;
First destination address (2.2.2.2, 8888): the destination IP and destination port combination it contains is in second-subclass reference address sublist 1, so the second offset weight value is determined to be 0;
Second destination address (5.5.5.5, 8081): the destination IP it contains is in first-subclass reference address sublist 2, so the third offset weight value is determined to be 1;
Second destination address (5.5.5.5, 8081): the destination IP and destination port combination it contains is stored in neither second-subclass reference address sublist 1 nor 2, so the fourth offset weight value is determined to be 0.7;
Third destination address (5.5.5.5, 9999): the destination IP it contains is in first-subclass reference address sublist 2, so the fifth offset weight value is determined to be 1;
Third destination address (5.5.5.5, 9999): the destination IP and destination port combination it contains is stored in second-subclass reference address sublist 2, so the sixth offset weight value is determined to be 0.4;
Fourth destination address (7.7.7.7, 9999): the destination IP it contains is stored in neither first-subclass reference address sublist 1 nor 2, so the seventh offset weight value is determined to be 2;
Fourth destination address (7.7.7.7, 9999): the destination IP and destination port combination it contains is stored in neither second-subclass reference address sublist 1 nor 2, so the eighth offset weight value is determined to be 0.7.
Summing the first to eighth offset weight values gives the offset weight sum: 0 + 0 + 1 + 0.7 + 1 + 0.4 + 2 + 0.7 = 5.8.
Because the offset weight sum 5.8 exceeds the offset weight threshold 5, the terminal is determined to be an illegal scanning probe terminal, and an alarm prompt can be issued.
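The scoring of the worked example above (tables 6 to 10, the weights 2/1/0 and 0.7/0.4/0, the threshold 5), as an added Python example that is not code from the patent: the sublists and weights are embedded as constructed data, and the function names are assumed. It also scores a second, constructed terminal whose accesses all hit well-known destinations, to show the sum staying under the threshold.

```python
"""Offset-weight scoring for the worked example above.

Added example, not code from the patent. The two lookup tables (tables 6
and 7 for destination IPs, tables 8 and 9 for IP+port combinations), the
offset weight values and the threshold 5 are embedded as constructed data;
function names are assumed.
"""
from typing import Dict, FrozenSet, Hashable, List, Tuple

# First-subclass reference address sublists (tables 6 and 7): destination IP only.
# Sublist 1 holds IPs with a historical access count in (10, +inf), sublist 2 in (0, 10].
IP_SUBLISTS: Dict[str, FrozenSet[str]] = {
    "sublist_1": frozenset({"2.2.2.2", "3.3.3.3", "4.4.4.4"}),
    "sublist_2": frozenset({"5.5.5.5", "6.6.6.6"}),
}

# Second-subclass reference address sublists (tables 8 and 9): (IP, port) combinations.
IP_PORT_SUBLISTS: Dict[str, FrozenSet[Tuple[str, int]]] = {
    "sublist_1": frozenset({("2.2.2.2", 8888), ("3.3.3.3", 12345), ("4.4.4.4", 80)}),
    "sublist_2": frozenset({("3.3.3.3", 4354), ("3.3.3.3", 6756), ("4.4.4.4", 8081),
                            ("5.5.5.5", 9999), ("5.5.5.5", 7777)}),
}

# Offset weight values from the example. "missing" is the weight of an address
# stored in no sublist, i.e. one with zero historical successful accesses; the
# smaller the interval's lower bound, the larger the weight.
IP_WEIGHTS: Dict[str, float] = {"sublist_1": 0.0, "sublist_2": 1.0, "missing": 2.0}
IP_PORT_WEIGHTS: Dict[str, float] = {"sublist_1": 0.0, "sublist_2": 0.4, "missing": 0.7}
OFFSET_WEIGHT_THRESHOLD = 5.0


def lookup_weight(key: Hashable, sublists: Dict[str, FrozenSet],
                  weights: Dict[str, float]) -> float:
    """Return the offset weight of the sublist containing key, or the 'missing' weight."""
    for name, members in sublists.items():
        if key in members:
            return weights[name]
    return weights["missing"]


def score_terminal(requests: List[Tuple[str, int]]) -> Tuple[float, List[float]]:
    """Step S410: per-address offset weights and their sum (rounded to 6 places)."""
    parts: List[float] = []
    for ip, port in requests:
        parts.append(lookup_weight(ip, IP_SUBLISTS, IP_WEIGHTS))                    # first-subclass weight
        parts.append(lookup_weight((ip, port), IP_PORT_SUBLISTS, IP_PORT_WEIGHTS))  # second-subclass weight
    return round(sum(parts), 6), parts


def is_illegal_scanning_probe(requests: List[Tuple[str, int]],
                              threshold: float = OFFSET_WEIGHT_THRESHOLD) -> bool:
    """Step S420: the terminal is flagged when the offset weight sum exceeds the threshold."""
    total, _ = score_terminal(requests)
    return total > threshold


# Table 10: destination addresses one terminal actually accessed in the set time period.
TABLE_10: List[Tuple[str, int]] = [("2.2.2.2", 8888), ("5.5.5.5", 8081),
                                   ("5.5.5.5", 9999), ("7.7.7.7", 9999)]

# Constructed second terminal whose accesses all go to frequently reached destinations.
NORMAL_TERMINAL: List[Tuple[str, int]] = [("2.2.2.2", 8888), ("3.3.3.3", 12345), ("4.4.4.4", 80)]

if __name__ == "__main__":
    total, parts = score_terminal(TABLE_10)
    print("offset weights:", parts, "sum:", total)  # sum 5.8 > 5 -> flagged
    print("table 10 terminal is a scanning probe:", is_illegal_scanning_probe(TABLE_10))
    print("normal terminal is a scanning probe:", is_illegal_scanning_probe(NORMAL_TERMINAL))
```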
The data access control device provided by the embodiments of the application is described below; it may be read in correspondence with the data access control method described above.
Referring to Fig. 7, Fig. 7 is a schematic structural diagram of a data access control device disclosed in an embodiment of the application.
As shown in Fig. 7, the device includes:
a data access request acquiring unit 71, for obtaining at least one data access request sent by a terminal within a set time period;
a destination address determining unit 72, for determining the destination address accessed by each data access request, obtaining at least one destination address;
a historical access count determining unit 73, for determining the number of successful accesses to each destination address in a historical set time period, as its historical access count;
a terminal type determining unit 74, for determining, from the historical access count of each destination address, whether the terminal is an illegal scanning probe terminal, so as to decide whether to control the data access requests of the terminal.
The data access control device provided by the embodiments of the application obtains at least one data access request sent by the terminal within the set time period, determines the destination address accessed by each data access request to obtain at least one destination address, determines the number of successful accesses to each destination address in the historical set time period as its historical access count, and determines from the historical access count of each destination address whether the terminal is an illegal scanning probe terminal, so as to decide whether to control the data access requests of the terminal. Because the scan destination addresses of an illegal scanning probe terminal are generated randomly, they may include a large number of destination addresses that do not exist or are remote, and such destination addresses are successfully accessed by normal terminals only a limited number of times. The application therefore determines, for each data access request a terminal sends within the set time period, the historical access count of the destination address that request accesses, and can then analyse those historical access counts to determine whether the terminal is an illegal scanning probe terminal. This method fits the scanning probe behaviour of illegal scanning probe terminals more closely, so it can effectively counter malicious scanning probe behaviour without producing, as the prior art does, a large number of false alarms on the data accesses of normal terminals.
Optionally, the historical access count determining unit can include:
a reference address list acquiring unit, for obtaining a pre-stored reference address list that stores destination addresses whose successful access count in the historical set time period falls within a set count interval, the lower bound of the set count interval being zero, exclusive;
a first interval determining unit, for determining, for a destination address stored in the reference address list, the count interval to which its successful access count in the historical set time period belongs, as its historical access count interval;
a second interval determining unit, for determining, for a destination address not stored in the reference address list, that its historical access count interval is zero.
Optionally, the terminal type determining unit can include:
a terminal type determining subunit, for determining, from the historical access count interval of each destination address, whether the terminal is an illegal scanning probe terminal.
Optionally, the reference address list can include several reference address sublists, each corresponding to a different count interval; the count intervals do not intersect, and the lower bound of the smallest count interval is zero, exclusive. On that basis, the first interval determining unit can include:
a reference address sublist determining unit, for determining the reference address sublist in which the destination address is located; the count interval corresponding to that reference address sublist is taken as the historical access count interval of the destination address.
Optionally, the terminal type determining subunit can include:
an offset weight value determining unit, for determining, for each destination address, the offset weight value corresponding to its historical access count interval, as the offset weight value of that destination address; the smaller the lower bound of the historical access count interval, the larger the corresponding offset weight value;
an offset weight value summing unit, for summing the offset weight values of all the destination addresses to obtain the offset weight sum;
an offset weight sum judging unit, for determining that the terminal is an illegal scanning probe terminal if the offset weight sum exceeds the set offset weight threshold.
The device of the application can also include a reference address list generating unit, for generating the reference address list. The generating process can include:
obtaining several historical data access requests within the historical set time period;
determining the destination address accessed by each historical data access request and its access result, the access result indicating whether the access succeeded (a successful access indicates that the destination is in an open state);
determining, from the historical data access requests whose access result indicates success, the access count of each destination address;
determining the set count interval to which the access count of each destination address belongs;
storing each destination address in the reference address list according to the set count interval to which it belongs.
For details of the steps performed by each of the above units, refer to the method embodiments above.
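The generating process above, as an added Python example that is not code from the patent: the historical access records are constructed, the intervals are the page's (0, 10] and (10, +∞), and the function names are assumed. A second window shows a destination address moving from one sublist to another as its count changes, as described for cycles T1 and T2 above.

```python
"""Generate reference address lists from historical access records.

Added example, not code from the patent. The history is constructed; the
success flag plays the role of the access result (success = destination open).
Function names are assumed.
"""
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

Record = Tuple[str, int, bool]         # (destination IP, destination port, access succeeded)
Interval = Tuple[int, Optional[int]]   # (lower bound, exclusive; upper bound, inclusive, None = +inf)

# The page's intervals: (10, +inf) and (0, 10]. They do not intersect, and the smallest
# lower bound is zero exclusive, so an address with no successful access is stored nowhere.
INTERVALS: List[Interval] = [(10, None), (0, 10)]


def interval_of(count: int) -> Optional[Interval]:
    """Return the set count interval holding count, or None for a count of zero."""
    for low, high in INTERVALS:
        if count > low and (high is None or count <= high):
            return (low, high)
    return None


def build_reference_lists(records: List[Record]):
    """The generation steps: count successful accesses, bucket by interval, store.

    Returns (first-subclass sublists keyed by interval, second-subclass sublists keyed
    by interval); the first hold destination IPs, the second (IP, port) combinations.
    """
    ip_counts: Counter = Counter()
    pair_counts: Counter = Counter()
    for ip, port, succeeded in records:
        if succeeded:                      # only accesses whose result is success count
            ip_counts[ip] += 1
            pair_counts[(ip, port)] += 1
    ip_sublists: Dict[Interval, Set[str]] = {iv: set() for iv in INTERVALS}
    pair_sublists: Dict[Interval, Set[Tuple[str, int]]] = {iv: set() for iv in INTERVALS}
    for ip, n in ip_counts.items():
        ip_sublists[interval_of(n)].add(ip)        # n >= 1 here, so interval_of is never None
    for pair, n in pair_counts.items():
        pair_sublists[interval_of(n)].add(pair)
    return ip_sublists, pair_sublists


def accesses(ip: str, port: int, succeeded: bool, times: int) -> List[Record]:
    """Helper producing `times` identical constructed records."""
    return [(ip, port, succeeded)] * times


# Constructed history for cycle T1. 6.6.6.6:22 is requested often but never answers,
# so it must not appear in any sublist.
HISTORY_T1: List[Record] = (
    accesses("2.2.2.2", 8888, True, 12)
    + accesses("3.3.3.3", 12345, True, 11) + accesses("3.3.3.3", 4354, True, 3)
    + accesses("4.4.4.4", 80, True, 15) + accesses("4.4.4.4", 8081, True, 2)
    + accesses("5.5.5.5", 9999, True, 4)
    + accesses("6.6.6.6", 22, False, 20)
)

# Constructed history for cycle T2: 2.2.2.2 is now reached successfully only 5 times,
# so it drops from the (10, +inf) sublist into the (0, 10] sublist.
HISTORY_T2: List[Record] = accesses("2.2.2.2", 8888, True, 5) + accesses("4.4.4.4", 80, True, 15)

if __name__ == "__main__":
    for name, history in (("T1", HISTORY_T1), ("T2", HISTORY_T2)):
        ip_lists, pair_lists = build_reference_lists(history)
        for iv in INTERVALS:
            print(name, iv, "IPs:", sorted(ip_lists[iv]), "pairs:", sorted(pair_lists[iv]))
```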
Finally, it should also be noted that relational terms such as first and second are used herein only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relation or order between those entities or operations. Moreover, the terms "comprising", "including" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device including a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes that element.
The embodiments in this specification are described progressively; each embodiment focuses on its differences from the others, and for the same or similar parts the embodiments may be referred to one another.
The foregoing description of the disclosed embodiments enables those skilled in the art to implement or use the application. Various modifications to these embodiments will be apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the application. Therefore, the application is not intended to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (15)

1. A data access control method, characterised by comprising:
obtaining at least one data access request sent by a terminal within a set time period;
determining the destination address accessed by each data access request, obtaining at least one destination address;
determining the number of successful accesses to each destination address in a historical set time period, as its historical access count;
determining, from the historical access count of each destination address, whether the terminal is an illegal scanning probe terminal, so as to decide whether to control the data access requests of the terminal.
2. The method according to claim 1, characterised in that determining the number of successful accesses to each destination address in the historical set time period, as its historical access count, comprises:
obtaining a pre-stored reference address list, in which are stored destination addresses whose successful access count in the historical set time period falls within a set count interval, the lower bound of the set count interval being zero, exclusive;
for a destination address stored in the reference address list, determining the count interval to which its successful access count in the historical set time period belongs, as its historical access count interval;
for a destination address not stored in the reference address list, determining that its historical access count interval is zero.
3. The method according to claim 2, characterised in that determining, from the historical access count of each destination address, whether the terminal is an illegal scanning probe terminal comprises:
determining, from the historical access count interval of each destination address, whether the terminal is an illegal scanning probe terminal.
4. The method according to claim 2, characterised in that the reference address list comprises several reference address sublists, different reference address sublists corresponding to different count intervals, the count intervals having no intersection and the lower bound of the smallest count interval being zero, exclusive;
and that, for a destination address stored in the reference address list, determining the count interval to which its successful access count in the historical set time period belongs, as its historical access count interval, comprises:
determining the reference address sublist in which the destination address is located, the count interval corresponding to that reference address sublist being taken as the historical access count interval of the destination address.
5. The method according to claim 3, characterised in that determining, from the historical access count interval of each destination address, whether the terminal is an illegal scanning probe terminal comprises:
for each destination address, determining the offset weight value corresponding to its historical access count interval, as the offset weight value of that destination address, wherein the smaller the lower bound of the historical access count interval, the larger the corresponding offset weight value;
summing the offset weight values of all the destination addresses to obtain an offset weight sum;
if the offset weight sum exceeds a set offset weight threshold, determining that the terminal is an illegal scanning probe terminal.
6. The method according to claim 2, characterised in that the process of generating the reference address list comprises:
obtaining several historical data access requests within the historical set time period;
determining the destination address accessed by each historical data access request and its access result, the access result indicating whether the access succeeded;
determining, from the historical data access requests whose access result indicates success, the access count of each destination address;
determining the set count interval to which the access count of each destination address belongs;
storing each destination address in the reference address list according to the set count interval to which it belongs.
7. The method according to any one of claims 1-6, characterised in that the destination address comprises a destination IP, or a destination IP and a destination port.
8. The method according to claim 2, characterised in that if the destination address comprises a destination IP and a destination port, the reference address list comprises two subclasses: a first-subclass reference address list storing destination IPs whose successful access count in the historical set time period falls within a set count interval, and a second-subclass reference address list storing combinations of destination IP and destination port whose successful access count in the historical set time period falls within a set count interval.
9. A data access control device, characterised by comprising:
a data access request acquiring unit, for obtaining at least one data access request sent by a terminal within a set time period;
a destination address determining unit, for determining the destination address accessed by each data access request, obtaining at least one destination address;
a historical access count determining unit, for determining the number of successful accesses to each destination address in a historical set time period, as its historical access count;
a terminal type determining unit, for determining, from the historical access count of each destination address, whether the terminal is an illegal scanning probe terminal, so as to decide whether to control the data access requests of the terminal.
10. The device according to claim 9, characterised in that the historical access count determining unit comprises:
a reference address list acquiring unit, for obtaining a pre-stored reference address list, in which are stored destination addresses whose successful access count in the historical set time period falls within a set count interval, the lower bound of the set count interval being zero, exclusive;
a first interval determining unit, for determining, for a destination address stored in the reference address list, the count interval to which its successful access count in the historical set time period belongs, as its historical access count interval;
a second interval determining unit, for determining, for a destination address not stored in the reference address list, that its historical access count interval is zero.
11. The device according to claim 10, characterised in that the terminal type determining unit comprises:
a terminal type determining subunit, for determining, from the historical access count interval of each destination address, whether the terminal is an illegal scanning probe terminal.
12. The device according to claim 10, characterised in that the reference address list comprises several reference address sublists, different reference address sublists corresponding to different count intervals, the count intervals having no intersection and the lower bound of the smallest count interval being zero, exclusive;
and that the first interval determining unit comprises:
a reference address sublist determining unit, for determining the reference address sublist in which the destination address is located, the count interval corresponding to that reference address sublist being taken as the historical access count interval of the destination address.
13. The device according to claim 11, characterised in that the terminal type determining subunit comprises:
an offset weight value determining unit, for determining, for each destination address, the offset weight value corresponding to its historical access count interval, as the offset weight value of that destination address, wherein the smaller the lower bound of the historical access count interval, the larger the corresponding offset weight value;
an offset weight value summing unit, for summing the offset weight values of all the destination addresses to obtain an offset weight sum;
an offset weight sum judging unit, for determining that the terminal is an illegal scanning probe terminal if the offset weight sum exceeds a set offset weight threshold.
14. The device according to claim 10, characterised by further comprising a reference address list generating unit, for generating the reference address list, the generating process comprising:
obtaining several historical data access requests within the historical set time period;
determining the destination address accessed by each historical data access request and its access result, the access result indicating whether the access succeeded;
determining, from the historical data access requests whose access result indicates success, the access count of each destination address;
determining the set count interval to which the access count of each destination address belongs;
storing each destination address in the reference address list according to the set count interval to which it belongs.
15. A server, characterised by comprising a memory and a processor, the memory storing a program and the processor invoking the program, the program being used for:
obtaining at least one data access request sent by a terminal within a set time period;
determining the destination address accessed by each data access request, obtaining at least one destination address;
determining the number of successful accesses to each destination address in a historical set time period, as its historical access count;
determining, from the historical access count of each destination address, whether the terminal is an illegal scanning probe terminal, so as to decide whether to control the data access requests of the terminal.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710428519.3A CN107172064B (en) 2017-06-08 2017-06-08 Data access control method and device and server

Publications (2)

Publication Number Publication Date
CN107172064A true CN107172064A (en) 2017-09-15
CN107172064B CN107172064B (en) 2020-08-04

Family

ID=59826078

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108259473A (en) * 2017-12-29 2018-07-06 西安交大捷普网络科技有限公司 Web server scan protection method
CN110191004A (en) * 2019-06-18 2019-08-30 北京搜狐新媒体信息技术有限公司 A kind of port detecting method and system
CN111447201A (en) * 2020-03-24 2020-07-24 深信服科技股份有限公司 Scanning behavior recognition method and device, electronic equipment and storage medium
CN111897869A (en) * 2020-10-09 2020-11-06 北京志翔科技股份有限公司 Data display method and device and readable storage medium
CN112153011A (en) * 2020-09-01 2020-12-29 杭州安恒信息技术股份有限公司 Detection method and device for machine scanning, electronic equipment and storage medium
CN112218131A (en) * 2019-07-09 2021-01-12 中国移动通信集团吉林有限公司 Set top box working method and device, electronic equipment and computer readable storage medium
CN113542310A (en) * 2021-09-17 2021-10-22 上海观安信息技术股份有限公司 Network scanning detection method and device and computer storage medium
CN114070613A (en) * 2021-11-15 2022-02-18 北京天融信网络安全技术有限公司 Vulnerability scanning identification method, device, equipment and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101883017A (en) * 2009-05-04 2010-11-10 北京启明星辰信息技术股份有限公司 System and method for evaluating network security state
CN102868669A (en) * 2011-07-08 2013-01-09 上海寰雷信息技术有限公司 Protection method and device against attacks using continuously changing domain name prefixes
CN106603555A (en) * 2016-12-29 2017-04-26 杭州迪普科技股份有限公司 Method and device for preventing credential-stuffing (撞库) attacks

Also Published As

Publication number Publication date
CN107172064B (en) 2020-08-04

Similar Documents

Publication Publication Date Title
CN107172064A (en) Data access control method, device and server
CN108427956B (en) Object clustering method and apparatus
US7877493B2 (en) Method of validating requests for sender reputation information
CN100469032C (en) Method and system for capturing connection information of a network auxiliary request component
CN106302346A (en) API call security authentication method, device and system
CN109981653B (en) Web vulnerability scanning method
CN107360184B (en) Terminal device authentication method and device
CN110099059A (en) Domain name recognition method, device and storage medium
CN108259432A (en) API call management method, device and system
CN1701293A (en) Systems and methods for authenticating a user to a web server
CN104219069B (en) Access frequency control method, device and control system
CN107707683B (en) Method and apparatus for reducing DNS message length
CN107659934A (en) Wireless network connection control method and wireless network access device
CN112596874A (en) Information processing method and electronic device
CN106209907A (en) Method and device for detecting malicious attacks
CN104967603B (en) Application account security verification method and device
CN111740982A (en) Server anti-attack method and system based on proof of computing work
CN107360198A (en) Suspicious domain name detection method and system
CN107294931A (en) Method and apparatus for adjusting the access frequency limit
CN108965318A (en) Method and device for detecting the IP address of an unauthorized access device in an industrial control network
JP2007527639A (en) Mobile data device access system and method
CN107547563A (en) Authentication method and device
CN110417800A (en) LDAP injection vulnerability detection method and device
JP2001175600A (en) Method and device for reporting illegal access
CN102957581A (en) Network access detection system and network access detection method

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant