CN107172064B - Data access control method and device and server - Google Patents

Data access control method and device and server Download PDF

Info

Publication number
CN107172064B
CN107172064B CN201710428519.3A CN201710428519A CN107172064B CN 107172064 B CN107172064 B CN 107172064B CN 201710428519 A CN201710428519 A CN 201710428519A CN 107172064 B CN107172064 B CN 107172064B
Authority
CN
China
Prior art keywords
access
destination address
address
historical
destination
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201710428519.3A
Other languages
Chinese (zh)
Other versions
CN107172064A (en
Inventor
马立伟
蔡晨
王森
王月强
李志豪
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd filed Critical Tencent Technology Shenzhen Co Ltd
Priority to CN201710428519.3A priority Critical patent/CN107172064B/en
Publication of CN107172064A publication Critical patent/CN107172064A/en
Application granted granted Critical
Publication of CN107172064B publication Critical patent/CN107172064B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/50Network services
    • H04L67/60Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a data access control method, a data access control device and a server, wherein at least one data access request sent by a terminal in a set time period is obtained, a destination address visited by each data access request is determined, at least one destination address is obtained, the number of times that each destination address is successfully visited in the set time period is further determined and used as the historical number of times that each destination address is visited, and whether the terminal is an illegal scanning detection terminal is determined according to the historical number of times that each destination address is visited so as to determine whether to control the data access request of the terminal. The method is set according to the characteristics of the scanning detection behaviors of the illegal scanning detection terminal, so that the malicious scanning detection behaviors can be effectively solved, and malicious misinformation on a large amount of data access of a normal terminal cannot be generated like the prior art.

Description

Data access control method and device and server
Technical Field
The present application relates to the field of internet technologies, and in particular, to a data access control method, apparatus, and server.
Background
With the rapid development of the internet, users can realize entertainment, office, communication and the like through the internet, and great convenience is brought to the life of the users.
Along with the development of the internet, some illegal persons invade other systems through the internet, great hidden dangers are brought to network security, and generally, the illegal persons are hackers. A common means for hacker intrusion penetration is scan probing, i.e. initiating access to a large number of servers through one terminal to scan probe the accessed servers. In order to determine whether malicious scanning detection exists, the current industry mainly adopts the following means: and counting whether the access times initiated to the same address in the unit time of the same terminal exceed a set threshold, and if so, determining that the terminal is a malicious scanning detection terminal. However, due to some service requirements, a normal terminal may initiate multiple accesses to the same address in a short time, and the number of accesses exceeds a set threshold, which causes a false alarm in the prior art.
Disclosure of Invention
In view of this, the present application provides a data access control method, an apparatus, and a server, which are used to solve the problem that in the prior art, a normal access terminal with a large access amount is easily determined as a malicious scanning terminal by determining whether a terminal is a malicious scanning terminal according to whether the number of times of initiating access to the same address in a unit time of the terminal exceeds a threshold.
In order to achieve the above object, the following solutions are proposed:
a data access control method, comprising:
acquiring at least one data access request sent by a terminal within a set time period;
determining a destination address accessed by each data access request to obtain at least one destination address;
determining the successful access times of each destination address in a historical set time period as historical access times;
and determining whether the terminal is an illegal scanning detection terminal according to the historical access times of each destination address so as to determine whether to control the data access request of the terminal.
A data access control device comprising:
the data access request acquisition unit is used for acquiring at least one data access request sent by the terminal within a set time period;
the destination address determining unit is used for determining a destination address accessed by each data access request to obtain at least one destination address;
a history access frequency determining unit, configured to determine the number of times that each destination address is successfully accessed within a history set time period, as a history access frequency;
and the terminal type determining unit is used for determining whether the terminal is an illegal scanning detection terminal according to the historical access times of the destination addresses so as to determine whether to control the data access request of the terminal.
A server comprising a memory for storing a program and a processor for invoking the program, the program for:
acquiring at least one data access request sent by a terminal within a set time period;
determining a destination address accessed by each data access request to obtain at least one destination address;
determining the successful access times of each destination address in a historical set time period as historical access times;
and determining whether the terminal is an illegal scanning detection terminal according to the historical access times of each destination address so as to determine whether to control the data access request of the terminal.
According to the data access control method provided by the embodiment of the application, at least one data access request sent by a terminal in a set time period is obtained, a destination address accessed by each data access request is determined, at least one destination address is obtained, the number of times that each destination address is successfully accessed in the set time period is further determined and used as the historical access number, and whether the terminal is an illegal scanning detection terminal is determined according to the historical access number of the destination address so as to determine whether to control the data access request of the terminal. Because the scanning destination address of the illegal scanning detection terminal is randomly generated and may contain a large number of nonexistent or remote destination addresses, and the number of successful accesses of the part of destination addresses by the normal terminal is limited, the method determines the historical access times of the destination addresses which are requested to be accessed according to each data access request sent within a set time period of the terminal, and further can analyze and determine whether the terminal is the illegal scanning detection terminal according to the historical access times of the destination addresses.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a schematic diagram of a hardware structure of a server disclosed in an embodiment of the present application;
FIG. 2 is a schematic diagram of an exemplary processor system architecture;
fig. 3 is a flowchart of a data access control method disclosed in an embodiment of the present application;
FIG. 4 is a flowchart of a method for determining the number of times a destination address history is accessed according to an embodiment of the present disclosure;
fig. 5 is a flowchart of a method for generating an access address list according to an embodiment of the present disclosure;
fig. 6 is a flowchart of a method for determining whether a terminal is an illegal scanning detection terminal according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of a data access control apparatus according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The embodiment of the application provides a data access control scheme, which can be applied to a server. The server may be a single server or a server cluster composed of a plurality of servers. The hardware structure of the server may be a computer, a notebook, or other processing device, and before the data access control method of the present application is introduced, the hardware structure of the server is first introduced. As shown in fig. 1, the server may include:
a processor 1, a communication interface 2, a memory 3, a communication bus 4, and a display screen 5;
wherein the processor 1, the communication interface 2, the memory 3 and the display screen 5 are communicated with each other through a communication bus 4.
Alternatively, the communication interface 2 may be an interface of a communication module, such as an interface of a GSM module.
Alternatively, the processor 1 may be a central processing unit CPU, or an application Specific Integrated circuit asic, or one or more Integrated circuits configured to implement embodiments of the present application.
The present application may store a program in advance in the memory 3 through the communication interface 2, and call the program by the processor 1, the program being for:
acquiring at least one data access request sent by a terminal within a set time period;
determining a destination address accessed by each data access request to obtain at least one destination address;
determining the successful access times of each destination address in a historical set time period as historical access times;
and determining whether the terminal is an illegal scanning detection terminal according to the historical access times of each destination address so as to determine whether to control the data access request of the terminal.
Where the processor may be composed of a plurality of system modules, fig. 2 illustrates an alternative system architecture for the processor, which may include:
a log system module 11, an access address list determining module 12, a legality determining module 13 and an alarm system module 14.
The log system module 11 may be IDS (Intrusion Detection Systems) or other similar modules for recording network transmission data packets. The log system module can be arranged on a core switch to acquire data packets transmitted in the whole network, and analyze and format the data packets to obtain destination addresses of data access.
The access address list determining module 12 is configured to receive weblog data obtained in a historical set time period and sent by the log system module 11, where the weblog data includes destination addresses corresponding to data access requests. And generating an access address list according to the weblog data, and recording the destination addresses of which the number of times of successful access belongs to a set number of times interval in a history set time period, such as recording the destination addresses of which the number of times of successful access is greater than 0 in the history set time period. The set frequency interval may be set by a user, and may be one frequency interval or a plurality of frequency intervals. Optionally, if the number of times intervals is multiple, the access address list may include a plurality of access address sub-lists, and different access address sub-lists correspond to different number of times intervals.
The validity determining module 13 is configured to query the access address list, obtain the data access request sent by the log system module 11 in the latest period of time, and determine, according to the destination address accessed by the data access request in the latest period of time, the number of times that each destination address is successfully accessed in a history set time period in the access address list as the number of times that the destination address is accessed in history. And further determining whether the terminal is an illegal scanning detection terminal or not according to the historical access times of each destination address.
The alarm system module 14 is configured to determine whether to control or alarm the data access request of the terminal according to the result determined by the validity determining module 13. And if the terminal is determined to be the illegal scanning intrusion detection terminal, sending an alarm prompt to a worker.
Next, we will describe the data access control method of the present application in conjunction with the hardware structure of the server, as shown in fig. 3, the method includes:
step S100, acquiring at least one data access request sent by a terminal in a set time period;
specifically, in order to determine whether the terminal is an illegal scanning detection terminal, at least one data access request sent by the terminal within a set time period needs to be acquired. The data access request is comprised of a data packet. The set time period may be set by a user, for example, a detection period is set in advance, and at the end of each detection period, at least one data access request sent by each terminal in the detection period is counted for each terminal sending a data access request in the detection period. The length of the detection period is a set time period, such as 10 minutes or other time period.
Step S110, determining a destination address accessed by each data access request to obtain at least one destination address;
specifically, the data packet corresponding to the data access request may be analyzed, and the following information is obtained through the analysis: time, source address, destination address, success or failure. The source address may include a source IP and a source port, and the destination address may include a destination IP and a destination port.
In this step, by analyzing the data packet corresponding to each data access request, the destination address corresponding to the data access request can be determined, and at least one destination address is obtained.
Step S120, determining the number of times of successful access of each destination address in a history set time period as the number of times of history access;
specifically, in step S100, the data access request sent by the terminal in the set time period is obtained, taking the set time period as the time period from t1 to t2 as an example, the history set time period in this step is a time period before the time t1, and the total length of the time period is the same as the set time period. In an alternative manner, assume that step S100 is at TxTerminal T acquired at the end time of detection periodxData access requests sent in a period are detected. In this step, it may be determined that each destination address is at Tx-1Number of successful accesses within detection period, or Tx-n(n may be any integer greater than zero) number of successful accesses within the detection period.
The historical access times of each destination address determined in the step are obtained by counting the accesses of all terminals to the destination addresses in the whole network, and the distribution of the access number of the normal terminals to each destination address can be reflected.
Step S130, determining whether the terminal is an illegal scanning detection terminal according to the historical access times of each destination address, so as to determine whether to control the data access request of the terminal.
Specifically, the number of times of historical accesses to each destination address accessed by the terminal within a set time period has been determined in the previous step, and based on the number of times of historical accesses to each destination address, whether the terminal is an illegal scanning detection terminal can be analytically determined.
For example, the historical access times of each destination address are extremely low, it can be determined that the destination address accessed by the terminal deviates from the destination address accessed by most normal terminals, that is, the terminal may randomly determine a plurality of destination addresses for access, and most of the destination addresses are not addresses normally opened and accessed by the public, so that the terminal is very likely to be an illegal scanning detection terminal.
According to the data access control method provided by the embodiment of the application, at least one data access request sent by a terminal in a set time period is obtained, a destination address accessed by each data access request is determined, at least one destination address is obtained, the number of times that each destination address is successfully accessed in the set time period is further determined and used as the historical access number, and whether the terminal is an illegal scanning detection terminal is determined according to the historical access number of the destination address so as to determine whether to control the data access request of the terminal. Because the scanning destination address of the illegal scanning detection terminal is randomly generated and may contain a large number of nonexistent or remote destination addresses, and the number of successful accesses of the part of destination addresses by the normal terminal is limited, the method determines the historical access times of the destination addresses which are requested to be accessed according to each data access request sent within a set time period of the terminal, and further can analyze and determine whether the terminal is the illegal scanning detection terminal according to the historical access times of the destination addresses.
According to the scheme, the historical data access request can be utilized to generate an access address list, the destination address of which the number of successful access times belongs to a set number of times interval in a historical set time period is stored in the access address list, and the lower bound of the set number of times interval is zero and does not contain zero. Based on this, as a process of determining the number of times each of the destination addresses is successfully accessed within the history setting time period, as shown in fig. 4, the process includes:
s200, acquiring a pre-stored access address list;
the access address list stores destination addresses of which the number of times of successful access belongs to a set number of times interval within a historical set time period, and the lower bound of the set number of times interval is zero and does not contain zero.
Step S210, determining a frequency interval to which the successful access frequency of the destination address stored in the access address list belongs within a historical set time period as a historical access frequency interval;
step S220, for the destination address not stored in the access address list, determining that the historical access frequency interval is zero.
Based on this, the determining whether the terminal is an illegal scanning detection terminal according to the historical access times of each destination address in the above steps may include:
and determining whether the terminal is an illegal scanning detection terminal or not according to the historical accessed frequency interval of each destination address.
For example, if the historical visited time intervals of each destination address are smaller time intervals, it may be determined that the terminal is an illegal detection scanning terminal.
Further, describing the generation process of the access address list, referring to the flow shown in fig. 5 in detail, the method includes:
step S300, obtaining a plurality of historical data access requests in a historical set time period;
specifically, in this step, a history data access request initiated by each terminal within a history set time period is acquired.
Step S310, determining a destination address and an access result accessed by each historical data access request, wherein the access result indicates whether the access is successful;
specifically, if the destination address accessed by the historical data access request does not exist or is not open, the access result of the data access request may not be successful. Whether the access result successfully reflects the open state corresponding to the accessed destination address.
Step S320, according to the historical data access request of which the access result indicates successful access, determining the access times of each accessed destination address;
for example, historical data access requests that were successfully accessed within 10 minutes of history include requests 1-9, respectively. The destination address of each historical data access request is shown in table 1 below:
Figure BDA0001316813380000081
TABLE 1
As can be seen from the above table, the access times of each destination address are: the number of accesses to the destination address 1 is 5, the number of accesses to the destination address 3 is 3, and the number of accesses to the destination address 4 is 1.
Step S330, determining a set frequency interval to which the access frequency of each destination address belongs;
the set number of times interval may be set by a user, and the set number of times interval may be one or more, where the lower bound of the minimum set number of times interval is zero and does not include zero.
Examples are as follows: when there is only one set interval, the interval size is (0, + ∞), and for example, the set interval can be multiple, such as two, with (0, 4) and (4, + ∞) respectively.
It is understood that if there are a plurality of set order intervals, there is no intersection between the set order intervals.
And step S340, storing each destination address into an access address list according to the corresponding relation of the set frequency interval.
Optionally, for each set number of times interval, an access address sub-list may be correspondingly set, and is used to store the destination address of which the number of times of access belongs to the set number of times interval. And forming an access address list by the access address sub-lists corresponding to the set time intervals. There is no intersection in each set frequency interval and the lower bound of the minimum set frequency interval is zero and does not contain zero.
Examples are as follows: the access address list includes: access address sub-list 1 and access address sub-list 2. The access address sub-list 1 corresponds to a set number of times interval of (0, 4), and the access address sub-list 2 corresponds to a set number of times interval of (4, + ∞) for each destination address in table 1 above, where the number of times destination address 1 is accessed is 5, and therefore stored in the access address sub-list 2, the number of times destination addresses 3 and 4 are accessed belongs to (0, 4), and therefore stored in the access address sub-list 1, the access address sub-list 1 and the access address sub-list 2 constitute an access address list.
On this basis, in step S210, for the destination address stored in the access address list, determining a frequency interval to which the number of times of successful access within the history set time period belongs, as a process of the history accessed frequency interval, specifically, the process may include:
and determining an access address sub-list where the destination address is located, wherein a set frequency interval corresponding to the access address sub-list where the destination address is located is used as a historical access frequency interval of the destination address.
By corresponding different access address sub-lists to different set frequency intervals, when a historical access frequency interval of a destination address is determined, the access address sub-list where the destination address is located can be directly inquired, and the set frequency interval corresponding to the determined access address sub-list is the historical access frequency interval of the destination address. Of course, if the destination address is not in any of the access address sub-lists, it may be determined that the historical access times interval of the destination address is zero.
Further optionally, as to the above step, a process of determining whether the terminal is an illegal scanning detection terminal according to the historical visited time interval of each destination address may be implemented as shown in fig. 6, where the process includes:
step S400, aiming at each destination address, determining an offset weight value corresponding to the historical visited frequency interval of the destination address as the offset weight value corresponding to the destination address;
in particular, the destination address may be a destination IP, or a combination of a destination IP and a destination port. For different types of destination addresses, different offset weight values can be set according to different intervals of historical access times.
The offset weight value is related to the historical access times, and the smaller the lower bound value of the historical access time interval is, the larger the corresponding offset weight value is. It will be appreciated that the offset weight value indicates the degree of deviation from the normal access address, and the larger the value, the more likely the corresponding access terminal is to be an illegal scanning probe terminal. And if the history of the destination address accessed by the terminal is smaller in the number of times of accessing, the terminal is higher in the deviation degree from the normal access address, and therefore the corresponding offset weight value is set to be larger.
As already described above, the corresponding sub-list of access addresses may be set for different intervals of historical access times. Based on this, the present application may set different offset weight values for different access address sub-lists. The smaller the lower bound value of the historical accessed time interval is, the larger the offset weight value of the corresponding access address sub-list is, and the offset weight value is used as the offset weight value of each destination address stored in the corresponding access address sub-list.
Step S410, summing offset weight values corresponding to the destination addresses to obtain offset weight sum values;
step S420, if the offset weight sum exceeds a set offset weight threshold, determining that the terminal is an illegal scanning detection terminal.
Specifically, if the obtained offset weight sum value of the destination address of each data access request sent by the terminal within the set time period exceeds the set offset weight threshold, it indicates that the terminal is an illegal scanning detection terminal, otherwise, it may be determined that the terminal is not an illegal scanning detection terminal.
As described in the above embodiments, the parsing of the data access request may determine a destination address, which may include a destination IP or a combination of the destination IP and a destination port. The access address list is different according to different types of destination addresses, and will be described in detail below.
If the destination address only includes a destination IP. The destination IP whose number of times of successful access in the historical time period belongs to the set number of times interval is stored in the access address list.
Of course, the access address list may include a plurality of access address sub-lists corresponding to different set time intervals. For example, the access address list includes two sub-lists of access addresses, which are:
access address sublist 1:
destination IP
2.2.2.2
3.3.3.3
4.4.4.4
5.5.5.5
TABLE 2
Access address sublist 2:
destination IP
6.6.6.6
7.7.7.7
TABLE 3
Among them, the number of historical accesses in which the destination address stored in the access address sub-list 1 is successfully accessed within the history set period belongs to (10, + ∞), and the number of historical accesses in which the destination address stored in the access address sub-list 2 is successfully accessed within the history set period belongs to (0, 10).
The offset weight value corresponding to the access address sub-list 1 is a first offset weight value, and the offset weight value corresponding to the access address sub-list 2 is a second offset weight value. For a destination address with the history access frequency of 0, which is successfully accessed within a history setting time period, an access address sublist is not required to be additionally set, and the offset weight value of the destination address is directly determined to be a third offset weight value, wherein the third offset weight value is greater than a second offset weight value, and the second offset weight value is greater than a first offset weight value.
Optionally, the offset weight value of the access address sub-list corresponding to the interval with the highest lower bound value may be set to 0, which is described in the above example, that is, the first offset weight value of the access address sub-list 1 is set to 0.
It is understood that the access address sub-lists 1 and 2 are determined for data access requests within a certain historical set time period, and the destination addresses in the access address sub-lists 1 and 2 will change with the passage of time, for example, the destination address 2.2.2.2 in the T1 cycle is located in the access address sub-list 1, and the number of times the destination address 2.2.2.2 is accessed in the T2 cycle is reduced to the (0, 10) interval, so that the destination address is stored in the access address sub-list 2.
Further, if the destination address comprises a destination IP and a destination port, the access address list comprises two subclasses, and the first subclass access address list stores the destination IP of which the number of times of successful access in the historical set time period belongs to the set number interval; the second sub-category access address list stores the combination of the destination IP and the destination port, the number of times of successful access of which belongs to the set number interval in the history set time period.
Examples are as follows:
first subclass access address list:
Figure BDA0001316813380000111
Figure BDA0001316813380000121
TABLE 4
The number of times of historical accesses that the destination IP stored in the first child access address list is successfully accessed within the history set time period is greater than 0.
Second subclass access address list:
destination IP Destination port set
2.2.2.2 8888
3.3.3.3 12345,4354,6756
4.4.4.4 80,8081
5.5.5.5 9999,7777
TABLE 5
The history number of times of access in which the combination of the destination IP and the destination port stored in the second child access address list is successfully accessed within the history set time period is greater than 0. Such as: destination IP3.3.3.3+ destination port 12345 have a historical number of accesses greater than 0, destination IP3.3.3.3+ destination port 4354 have a historical number of accesses greater than 0, and so on.
Optionally, different offset weight values may be set for the first subclass access address list and the second subclass access address list, for example, the offset weight value of the first subclass access address list is greater than the offset weight value of the second subclass access address list.
It should be further noted that each sub-category access address list may also be divided into a plurality of access address sub-lists according to a set number interval. Taking the set number of times interval including two intervals of (0, 10) and (10, + ∞) as an example, the description will be made with reference to the first sub-category access address list illustrated in table 4 below:
assuming that the historical number of times of accessing the IP of the first 3 entries recorded therein is greater than 10 times, and the historical number of times of accessing the IP of the second 2 entries is less than 10 times, the first sub-class access address list may be divided into a first sub-class access address sub-list 1 and a first sub-class access address sub-list 2, which are respectively as follows:
first subclass access address sublist 1:
destination IP
2.2.2.2
3.3.3.3
4.4.4.4
TABLE 6
Wherein, the first sub-category access address sub-list 1 stores the destination IP whose history accessed times belong to (10, + ∞).
First subclass access address sublist 2:
destination IP
5.5.5.5
6.6.6.6
TABLE 7
The first sub-category access address sub-list 2 stores destination IPs whose historical access times belong to (0, 10).
For a destination IP not stored in the first subclass access address sub-list, it may be determined that the number of historical accesses thereto is 0, and therefore the offset weight value of the destination IP is set to be greater than that of the first subclass access address sub-list 2, and the offset weight value of the first subclass access address sub-list 2 is set to be greater than that of the first subclass access address sub-list 1.
Further, taking the set number of times interval including two intervals of (0, 10) and (10, + ∞) as an example, the description will be given with reference to the second sub-category access address list illustrated in table 5 above:
for convenience of description, the destination IP is represented in the form of (a, B): a and destination port: and B is combined.
Assume that the historical access times of (2.2.2.2, 8888) are greater than 10, the historical access times of (3.3.3.3, 12345) are less than 10, the historical access times of (3.3.3.3, 6756) are less than 10, the historical access times of (4.4.4.4, 80) are greater than 10, the historical access times of (4.4.4, 8081) are less than 10, the historical access times of (5.5.5.5, 9999) are less than 10, and the historical access times of (5.5.5.5, 7777) are less than 10.
The second sub-category access address list can be divided into a second sub-category access address sub-list 1 and a second sub-category access address sub-list 2, which are respectively as follows:
second subclass access address sublist 1:
destination IP Destination port set
2.2.2.2 8888
3.3.3.3 12345
4.4.4.4 80
TABLE 8
The second sub-category access address sub-list 1 stores combinations of destination IP and destination port whose historical access times belong to (10, + ∞).
Second subclass access address sublist 2:
destination IP Destination port set
3.3.3.3 4354,6756
4.4.4.4 8081
5.5.5.5 9999,7777
TABLE 9
The second sub-category access address sub-list 2 stores the combination of the destination IP and the destination port whose historical access times belong to (0, 10).
For the combination of the destination IP and the destination port which is not stored in the second sub-category access address sub-list, it may be determined that the number of historical accesses is 0, and therefore, the offset weight value of the combination of the destination IP and the destination port may be set to be greater than the offset weight value of the second sub-category access address sub-list 2, and the offset weight value of the second sub-category access address sub-list 2 may be set to be greater than the offset weight value of the second sub-category access address sub-list 1.
This is explained below by way of a specific example.
The destination address actually accessed by the terminal within the set period is shown in table 10 below:
destination IP Destination port set
2.2.2.2 8888
5.5.5.5 8081,9999
7.7.7.7 9999
Watch 10
Assume that the address access list includes the first sub-category access address sub-lists 1 and 2 exemplified in tables 6 and 7 above, and the second sub-category access address sub-lists 1 and 2 exemplified in tables 8 and 9 above.
The offset weight value of the destination IP not stored in the first subclass access address sub-lists 1 and 2 is 2, the offset weight value of the first subclass access address sub-list 2 is 1, and the offset weight value of the first subclass access address sub-list 1 is 0.
The offset weight value of the combination of the destination IP and the destination port not stored in the second subclass access address sub-lists 1 and 2 is 0.7, the offset weight value of the second subclass access address sub-list 2 is 0.4, and the offset weight value of the second subclass access address sub-list 1 is 0.
The offset weight threshold is set to 5.
Analyzing the destination addresses actually accessed by the users one by one:
address of first entry (2.2.2.2, 8888): since the destination IP included in the address of the entry is located in the first sub-class access address sublist 1, it is determined that the first offset weight value is 0;
address of first entry (2.2.2.2, 8888): since the combination of the destination IP and the destination port included in the address of the entry is located in the second sub-class access address sublist 1, it is determined that the second offset weight value is 0;
address of second entry (5.5.5.5, 8081): since the destination IP included in the address of the entry is located in the first sub-class access address sub-list 2, it is determined that the third offset weight value is 1;
address of second entry (5.5.5.5, 8081): since the combination of the destination IP and the destination port included in the address of the entry is not stored in the second sub-class access address sub-lists 1 and 2, it is determined that the fourth offset weight value is 0.7;
third destination address (5.5.5.5, 9999): since the destination IP included in the address of the entry is located in the first sub-class access address sub-list 2, it is determined that the fifth offset weight value is 1;
third destination address (5.5.5.5, 9999): since the combination of the destination IP and the destination port included in the address of the entry is stored in the second child access address sublist 2, it is determined that the sixth offset weight value is 0.4;
fourth destination address (7.7.7.7, 9999): since the destination IP included in the address of the entry is not stored in the first sub-class access address sub-lists 1 and 2, it is determined that the seventh offset weight value is 2;
fourth destination address (7.7.7.7, 9999): since the combination of the destination IP and the destination port included in the address of the entry is not stored in the second child access address sub-lists 1 and 2, it is determined that the eighth offset weight value is 0.7.
Summing the first through eighth offset weight values, the sum result being the offset weight sum: 0+0+1+0.7+1+0.4+2+0.7 ═ 5.8
Since the offset weight sum value 5.8 is greater than the offset weight threshold value of 5, the terminal is determined to be an illegal scanning detection terminal, and alarm prompt can be performed.
The following describes the data access control device provided in the embodiments of the present application, and the data access control device described below and the data access control method described above may be referred to correspondingly.
Referring to fig. 7, fig. 7 is a schematic structural diagram of a data access control device disclosed in the embodiment of the present application.
As shown in fig. 7, the apparatus includes:
a data access request obtaining unit 71, configured to obtain at least one data access request sent by the terminal within a set time period;
a destination address determining unit 72, configured to determine a destination address accessed by each data access request, so as to obtain at least one destination address;
a history access number determining unit 73 for determining the number of times each of the destination addresses was successfully accessed within a history setting time period as a history access number;
a terminal type determining unit 74, configured to determine whether the terminal is an illegal scanning detection terminal according to the historical access times of each destination address, so as to determine whether to control a data access request of the terminal.
According to the data access control device provided by the embodiment of the application, at least one data access request sent by a terminal in a set time period is obtained, a destination address accessed by each data access request is determined, at least one destination address is obtained, the number of times that each destination address is successfully accessed in the set time period is further determined and used as the historical access number, and whether the terminal is an illegal scanning detection terminal is determined according to the historical access number of times of each destination address so as to determine whether to control the data access request of the terminal. Because the scanning destination address of the illegal scanning detection terminal is randomly generated and may contain a large number of nonexistent or remote destination addresses, and the number of successful accesses of the part of destination addresses by the normal terminal is limited, the method determines the historical access times of the destination addresses which are requested to be accessed according to each data access request sent within a set time period of the terminal, and further can analyze and determine whether the terminal is the illegal scanning detection terminal according to the historical access times of the destination addresses.
Optionally, the historical number-of-accesses determining unit may include:
the access address list acquisition unit is used for acquiring a pre-stored access address list, wherein a destination address of which the number of successful accesses belongs to a set number interval within a historical set time period is stored in the access address list, and the lower bound of the set number interval is zero and does not contain zero;
a first interval determination unit, configured to determine, as a history accessed number interval, a number interval to which the number of times of successful access to a destination address stored in the access address list belongs within a history set time period;
and the second interval determining unit is used for determining that the historical accessed time interval of the destination address which is not stored in the access address list is zero.
Optionally, the terminal type determining unit may include:
and the terminal type determining subunit is used for determining whether the terminal is an illegal scanning detection terminal or not according to the historical accessed frequency interval of each destination address.
Optionally, the access address list may include a plurality of access address sub-lists, different access address sub-lists correspond to different times intervals, no intersection exists between the times intervals, and the lower bound of the minimum time interval is zero and does not include zero. Based on this, the first section determining unit may include:
and the access address sub-list determining unit is used for determining the access address sub-list where the destination address is located, and the frequency interval corresponding to the access address sub-list where the destination address is located is used as the historical access frequency interval of the destination address.
Optionally, the terminal type determining subunit may include:
the offset weight value determining unit is used for determining an offset weight value corresponding to the historical visited frequency interval of the destination address as the offset weight value corresponding to the destination address for each destination address; the smaller the lower bound value of the historical visited time interval is, the larger the corresponding offset weight value is;
the offset weight value summing unit is used for summing the offset weight values corresponding to the destination addresses to obtain offset weight sum values;
and the offset weight sum value judging unit is used for determining the terminal as an illegal scanning detection terminal if the offset weight sum value exceeds a set offset weight threshold value.
The apparatus may further include an access address list generating unit, configured to generate an access address list, where the generating process may include:
acquiring a plurality of historical data access requests in a historical set time period;
determining a destination address accessed by each historical data access request and an access result, wherein the access result indicates whether the access is successful or not; description of the drawings: success may be determined to be in an open state.
Determining the number of times of accessing each destination address according to the historical data access request of which the access result indicates successful access;
determining a set frequency interval to which the accessed frequency of each destination address belongs;
and storing each destination address into an access address list according to the corresponding relation of the corresponding set frequency interval.
The detailed description of the steps executed by the units may refer to the contents of the above-mentioned method embodiment.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The embodiments in the present description are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (16)

1. A data access control method, comprising:
acquiring at least one data access request sent by a terminal within a set time period;
determining a destination address accessed by each data access request to obtain at least one destination address;
determining the successful access times of each destination address in a historical set time period as historical access times; the historical access times of each destination address are obtained by counting the accesses of all terminals of the whole network to each destination address;
and determining whether the terminal is an illegal scanning detection terminal according to the historical access times of each destination address so as to determine whether to control the data access request of the terminal.
2. The method according to claim 1, wherein the determining the number of times each destination address is successfully accessed within a history set time period as a history access number comprises:
acquiring a pre-stored access address list, wherein a destination address of which the number of successful accesses belongs to a set number interval in a historical set time period is stored in the access address list, and the lower bound of the set number interval is zero and does not contain zero;
for the destination address stored in the access address list, determining a frequency interval to which the successful access frequency of the destination address in a historical set time period belongs, and taking the frequency interval as a historical access frequency interval;
and determining that the historical accessed time interval of the destination address which is not stored in the access address list is zero.
3. The method of claim 2, wherein the determining whether the terminal is an illegal scanning probe terminal according to the historical number of times of access of each destination address comprises:
and determining whether the terminal is an illegal scanning detection terminal or not according to the historical accessed frequency interval of each destination address.
4. The method of claim 2, wherein the access address list comprises a plurality of access address sub-lists, different access address sub-lists correspond to different times intervals, and each time interval has no intersection and the lower bound of the minimum time interval is zero and does not contain zero;
the determining, as a history accessed time interval, a time interval to which the number of times of successful access to the destination address stored in the access address list within a history set time period belongs includes:
and determining an access address sub-list where the destination address is located, wherein a frequency interval corresponding to the access address sub-list where the destination address is located is used as a historical access frequency interval of the destination address.
5. The method according to claim 3, wherein the determining whether the terminal is an illegal scanning detection terminal according to the historical visited time interval of each destination address comprises:
for each destination address, determining an offset weight value corresponding to the historical visited frequency interval of the destination address as the offset weight value corresponding to the destination address; the smaller the lower bound value of the historical visited time interval is, the larger the corresponding offset weight value is;
summing the offset weight values corresponding to the destination addresses to obtain an offset weight sum value;
and if the offset weight sum exceeds a set offset weight threshold, determining that the terminal is an illegal scanning detection terminal.
6. The method of claim 2, wherein the generating of the access address list comprises:
acquiring a plurality of historical data access requests in a historical set time period;
determining a destination address accessed by each historical data access request and an access result, wherein the access result indicates whether the access is successful or not;
determining the number of times of accessing each destination address according to the historical data access request of which the access result indicates successful access;
determining a set frequency interval to which the accessed frequency of each destination address belongs;
and storing each destination address into an access address list according to the corresponding relation of the corresponding set frequency interval.
7. The method according to any of claims 1-6, wherein the destination address comprises a destination IP, or a destination IP and a destination port.
8. The method according to claim 2, wherein if the destination address includes a destination IP and a destination port, the access address list includes two subclasses, and a first subclass of the access address list stores therein the destination IP whose number of times of successful access within a history set time period belongs to a set number of times interval; the second sub-category access address list stores the combination of the destination IP and the destination port, the number of times of successful access of which belongs to the set number interval in the history set time period.
9. A data access control device, comprising:
the data access request acquisition unit is used for acquiring at least one data access request sent by the terminal within a set time period;
the destination address determining unit is used for determining a destination address accessed by each data access request to obtain at least one destination address;
a history access frequency determining unit, configured to determine the number of times that each destination address is successfully accessed within a history set time period, as a history access frequency; the historical access times of each destination address are obtained by counting the accesses of all terminals of the whole network to each destination address;
and the terminal type determining unit is used for determining whether the terminal is an illegal scanning detection terminal according to the historical access times of the destination addresses so as to determine whether to control the data access request of the terminal.
10. The apparatus of claim 9, wherein the historical number of accesses determining unit comprises:
the access address list acquisition unit is used for acquiring a pre-stored access address list, wherein a destination address of which the number of successful accesses belongs to a set number interval within a historical set time period is stored in the access address list, and the lower bound of the set number interval is zero and does not contain zero;
a first interval determination unit, configured to determine, as a history accessed number interval, a number interval to which the number of times of successful access to a destination address stored in the access address list belongs within a history set time period;
and the second interval determining unit is used for determining that the historical accessed time interval of the destination address which is not stored in the access address list is zero.
11. The apparatus of claim 10, wherein the terminal type determining unit comprises:
and the terminal type determining subunit is used for determining whether the terminal is an illegal scanning detection terminal or not according to the historical accessed frequency interval of each destination address.
12. The apparatus of claim 10, wherein the access address list comprises a plurality of access address sub-lists, different access address sub-lists correspond to different times intervals, and each time interval has no intersection and a lower bound of a minimum time interval is zero and does not contain zero;
the first section determination unit includes:
and the access address sub-list determining unit is used for determining the access address sub-list where the destination address is located, and the frequency interval corresponding to the access address sub-list where the destination address is located is used as the historical access frequency interval of the destination address.
13. The apparatus of claim 11, wherein the terminal type determining subunit comprises:
the offset weight value determining unit is used for determining an offset weight value corresponding to the historical visited frequency interval of the destination address as the offset weight value corresponding to the destination address for each destination address; the smaller the lower bound value of the historical visited time interval is, the larger the corresponding offset weight value is;
the offset weight value summing unit is used for summing the offset weight values corresponding to the destination addresses to obtain offset weight sum values;
and the offset weight sum value judging unit is used for determining the terminal as an illegal scanning detection terminal if the offset weight sum value exceeds a set offset weight threshold value.
14. The apparatus of claim 10, further comprising an access address list generation unit configured to generate an access address list, wherein the generation process includes:
acquiring a plurality of historical data access requests in a historical set time period;
determining a destination address accessed by each historical data access request and an access result, wherein the access result indicates whether the access is successful or not;
determining the number of times of accessing each destination address according to the historical data access request of which the access result indicates successful access;
determining a set frequency interval to which the accessed frequency of each destination address belongs;
and storing each destination address into an access address list according to the corresponding relation of the corresponding set frequency interval.
15. A server, comprising a memory for storing a program and a processor for invoking the program, the program for:
acquiring at least one data access request sent by a terminal within a set time period;
determining a destination address accessed by each data access request to obtain at least one destination address;
determining the successful access times of each destination address in a historical set time period as historical access times; the historical access times of each destination address are obtained by counting the accesses of all terminals of the whole network to each destination address;
and determining whether the terminal is an illegal scanning detection terminal according to the historical access times of each destination address so as to determine whether to control the data access request of the terminal.
16. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the data access control method according to any one of claims 1 to 8.
CN201710428519.3A 2017-06-08 2017-06-08 Data access control method and device and server Active CN107172064B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710428519.3A CN107172064B (en) 2017-06-08 2017-06-08 Data access control method and device and server

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710428519.3A CN107172064B (en) 2017-06-08 2017-06-08 Data access control method and device and server

Publications (2)

Publication Number Publication Date
CN107172064A CN107172064A (en) 2017-09-15
CN107172064B true CN107172064B (en) 2020-08-04

Family

ID=59826078

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710428519.3A Active CN107172064B (en) 2017-06-08 2017-06-08 Data access control method and device and server

Country Status (1)

Country Link
CN (1) CN107172064B (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108259473B (en) * 2017-12-29 2022-08-16 西安交大捷普网络科技有限公司 Web server scanning protection method
CN110191004B (en) * 2019-06-18 2022-05-27 北京搜狐新媒体信息技术有限公司 Port detection method and system
CN112218131A (en) * 2019-07-09 2021-01-12 中国移动通信集团吉林有限公司 Set top box working method and device, electronic equipment and computer readable storage medium
CN111447201A (en) * 2020-03-24 2020-07-24 深信服科技股份有限公司 Scanning behavior recognition method and device, electronic equipment and storage medium
CN112153011A (en) * 2020-09-01 2020-12-29 杭州安恒信息技术股份有限公司 Detection method and device for machine scanning, electronic equipment and storage medium
CN111897869A (en) * 2020-10-09 2020-11-06 北京志翔科技股份有限公司 Data display method and device and readable storage medium
CN113542310B (en) * 2021-09-17 2021-12-21 上海观安信息技术股份有限公司 Network scanning detection method and device and computer storage medium
CN114070613A (en) * 2021-11-15 2022-02-18 北京天融信网络安全技术有限公司 Vulnerability scanning identification method, device, equipment and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101883017A (en) * 2009-05-04 2010-11-10 北京启明星辰信息技术股份有限公司 System and method for evaluating network safe state
CN102868669A (en) * 2011-07-08 2013-01-09 上海寰雷信息技术有限公司 Protection method and device aiming to attacks continuously changing prefix domain name
CN106603555A (en) * 2016-12-29 2017-04-26 杭州迪普科技股份有限公司 Method and device for preventing library-hit attacks

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101883017A (en) * 2009-05-04 2010-11-10 北京启明星辰信息技术股份有限公司 System and method for evaluating network safe state
CN102868669A (en) * 2011-07-08 2013-01-09 上海寰雷信息技术有限公司 Protection method and device aiming to attacks continuously changing prefix domain name
CN106603555A (en) * 2016-12-29 2017-04-26 杭州迪普科技股份有限公司 Method and device for preventing library-hit attacks

Also Published As

Publication number Publication date
CN107172064A (en) 2017-09-15

Similar Documents

Publication Publication Date Title
CN107172064B (en) Data access control method and device and server
US10693910B2 (en) Fake web addresses and hyperlinks
CN110213356B (en) Login processing method based on data processing and related equipment
CN110830445B (en) Method and device for identifying abnormal access object
CN103491543A (en) Method for detecting malicious websites through wireless terminal, and wireless terminal
CN108259425A (en) The determining method, apparatus and server of query-attack
CN104396220A (en) Method and device for secure content retrieval
CN108647240B (en) Method and device for counting access amount, electronic equipment and storage medium
CN108334774A (en) A kind of method, first server and the second server of detection attack
CN108390856B (en) DDoS attack detection method and device and electronic equipment
CN104935605A (en) Detection method, device and system for fishing websites
CN104980446A (en) Detection method and system for malicious behavior
CN112134954A (en) Service request processing method and device, electronic equipment and storage medium
CN102315952A (en) Method and device for detecting junk posts in community network
CN112131507A (en) Website content processing method, device, server and computer-readable storage medium
CN111314285A (en) Method and device for detecting route prefix attack
CN115190108B (en) Method, device, medium and electronic equipment for detecting monitored equipment
CN110944007B (en) Network access management method, system, device and storage medium
CN106713242B (en) Data request processing method and processing device
CN109600254B (en) Method for generating full-link log and related system
CN111767481A (en) Access processing method, device, equipment and storage medium
CN114448645A (en) Method, device, storage medium and program product for processing webpage access
CN112104765A (en) Illegal website detection method and device
CN111949363B (en) Service access management method, computer equipment, storage medium and system
CN110516170B (en) Method and device for checking abnormal web access

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant