CN107302547A - A kind of web service exceptions detection method and device - Google Patents

A kind of web service exceptions detection method and device Download PDF

Info

Publication number
CN107302547A
CN107302547A CN201710720367.4A CN201710720367A CN107302547A CN 107302547 A CN107302547 A CN 107302547A CN 201710720367 A CN201710720367 A CN 201710720367A CN 107302547 A CN107302547 A CN 107302547A
Authority
CN
China
Prior art keywords
characteristic vector
abnormal
daily records
behavior
web service
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201710720367.4A
Other languages
Chinese (zh)
Other versions
CN107302547B (en
Inventor
卢艺
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sangfor Technologies Co Ltd filed Critical Sangfor Technologies Co Ltd
Priority to CN201710720367.4A priority Critical patent/CN107302547B/en
Publication of CN107302547A publication Critical patent/CN107302547A/en
Application granted granted Critical
Publication of CN107302547B publication Critical patent/CN107302547B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Debugging And Monitoring (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

This application discloses a kind of web service exceptions detection method, including multiple characteristic values that behavior is accessed in HTTP daily records are extracted, generate characteristic vector;According to the Outlier Detection Algorithm model pre-established, the abnormal index of the characteristic vector is calculated;Judge whether the abnormal index exceeds preset threshold range;If so, then judging the access abnormal behavior corresponding to the characteristic vector.The application, by extraction and analysis to the access record progress characteristic value in HTTP daily records, is that can detect that abnormal behaviour without dependent Rule storehouse, therefore can effectively improve the detectability to UNKNOWN TYPE abnormal behaviour.Disclosed herein as well is a kind of web service exceptions detection means, equally with above-mentioned beneficial effect.

Description

A kind of web service exceptions detection method and device
Technical field
The application is related to information security field, more particularly to a kind of web service exceptions detection method and device.
Background technology
With continuing to develop for information technology, in contemporary work and life, web is accessed in the application of all trades and professions Play an important role.
However, the unsafe factor in network can cause normal operation system various abnormal behaviours, example occur Local vital document information is such as scanned by network worm malice, be i.e. explosion is attacked by rogue program, or is bypassed by some The routine access of security control is back door, and security breaches etc. occurs, and these are likely to bring bigger to operation system Failure and problem, cause to have a strong impact on and lose.Therefore, abnormality detection is extremely important for web business.
The detection of abnormal behaviour in accessing in the prior art web, is mainly based upon the rule extracted to security expert Carry out matching detection.Security expert accesses behavior according to the various web that there is safety problem known at present and extracts rule, Then matching detection is carried out to the flow bag or access log that access web server using the rule:If some access row To match with the rule, then illustrate that the access behavior has safety problem, belong to abnormal behaviour.
But, because abnormality detection scheme of the prior art can only be regular according to known anomaly behavior extraction, therefore, The detection scheme can only detect known abnormal behaviour, and can not then be examined for some safety problems not in rule base Survey.As can be seen here, the detectability of web service exceptions detection method of the prior art has much room for improvement.
The content of the invention
The purpose of the application is to provide a kind of web service exceptions detection method and device, so as to effectively improve The detectability of the abnormal behaviour of UNKNOWN TYPE in accessing web.
In order to solve the above technical problems, the application provides a kind of web service exceptions detection method, including:
Multiple characteristic values that behavior is accessed in HTTP daily records are extracted, characteristic vector is generated;
According to the Outlier Detection Algorithm model pre-established, the abnormal index of the characteristic vector is calculated;
Judge whether the abnormal index exceeds preset threshold range;If so, then judging corresponding to the characteristic vector Access abnormal behavior.
Alternatively, the characteristic value includes following any type or any combination:
Access time distribution characteristics value, request number of times metrology features value, server response word throttling characteristic value, transition probability Characteristic value.
Alternatively, multiple characteristic values of behavior are accessed in the extraction HTTP daily records, generation characteristic vector includes:
Obtain HTTP daily records;
The HTTP daily records are filed according to source IP;
Slicing treatment is carried out according to preset duration to the HTTP daily records after filing;
Calculate and extract the access behavior in multiple characteristic values of access behavior in each time slicing, generation time slicing Corresponding characteristic vector.
Alternatively, after the acquisition HTTP daily records, it is described the HTTP daily records are filed according to source IP before Also include:
Filter out unrelated with access behavior in original HTTP daily records or interference abnormality detection log recording.
Alternatively, the Outlier Detection Algorithm model that the basis is pre-established, calculates the abnormal index of the characteristic vector Including:
According to the multivariate Gaussian abnormal distribution detection algorithm model or IsolationForest abnormality detections pre-established Algorithm model, calculates the abnormal index of the characteristic vector.
Alternatively, judge whether the abnormal index exceeds preset threshold range described;If so, then judging the feature Also include after access abnormal behavior corresponding to vector:
According to the scope of each characteristic value of default all kinds of abnormal behaviours, the access corresponding to the characteristic vector is judged The Exception Type of behavior.
Present invention also provides a kind of web service exceptions detection means, including:
Extraction module:Multiple characteristic values of behavior are accessed in HTTP daily records for extracting, characteristic vector is generated;
Detection module:For according to the Outlier Detection Algorithm model pre-established, the exception for calculating the characteristic vector to refer to Number;Judge whether the abnormal index exceeds preset threshold range;If so, then judging the access row corresponding to the characteristic vector For exception.
Alternatively, the extraction module specifically for:
Obtain HTTP daily records;The HTTP daily records are filed according to source IP;To the HTTP daily records after filing according to pre- If duration carries out slicing treatment;Multiple characteristic values of access behavior in each time slicing are calculated and extracted, time slicing is generated The interior corresponding characteristic vector of access behavior.
Alternatively, the extraction module is additionally operable to:
After the acquisition HTTP daily records, it is described the HTTP daily records are filed according to source IP before, filter out original Log recording unrelated with accessing behavior or interference abnormality detection in the daily record of beginning HTTP.
Alternatively, the detection module is additionally operable to:
If the access abnormal behavior corresponding to the characteristic vector, each feature according to default all kinds of abnormal behaviours It is worth scope, judges the Exception Type of the access behavior corresponding to the characteristic vector.
In web service exception detection methods provided herein, multiple features that behavior is accessed in HTTP daily records are extracted Value, generates characteristic vector;According to the Outlier Detection Algorithm model pre-established, the abnormal index of the characteristic vector is calculated;Sentence Whether the abnormal index that breaks exceeds preset threshold range;If so, then judging that the access behavior corresponding to the characteristic vector is different Often.
It can be seen that, compared to prior art, in web service exception detection methods provided herein, by being gone to accessing For characteristic value analyzed, and calculate abnormal index and judged, abnormal behaviour can be detected.As can be seen here, this Shen The web service exception detection methods please provided are feature based analysis rather than rule match, thus be need not rely upon known Rule base, so as to comprehensively detect all kinds of safety problems, improves detectability.Web service exceptions provided herein Detection means can realize above-mentioned web service exceptions detection method, equally with above-mentioned beneficial effect.
Brief description of the drawings
In order to illustrate more clearly of the technical scheme in the embodiment of the present application, needed in being described below to the embodiment of the present application The accompanying drawing to be used makees brief introduction.Certainly, about in only the application of the accompanying drawing description of the embodiment of the present application below A part of embodiment, to those skilled in the art, on the premise of not paying creative work, can be with root Other accompanying drawings are obtained according to the accompanying drawing of offer, the other accompanying drawings obtained fall within the protection domain of the application.
A kind of flow chart for web service exceptions detection method that Fig. 1 is provided by the embodiment of the present application;
The flow chart for another web service exception detection method that Fig. 2 is provided by the embodiment of the present application;
A kind of structured flowchart for web service exceptions detection means that Fig. 3 is provided by the embodiment of the present application;
A kind of application architecture figure for web service exceptions detection means that Fig. 4 is provided by the embodiment of the present application.
Embodiment
In order to more clearly and completely be described to the technical scheme in the embodiment of the present application, below in conjunction with this Shen Accompanying drawing that please be in embodiment, the technical scheme in the embodiment of the present application is introduced.Obviously, described embodiment is only Some embodiments of the present application, rather than whole embodiments.Based on the embodiment in the application, those of ordinary skill in the art The every other embodiment obtained under the premise of creative work is not made also belongs to the scope of the application protection.
Fig. 1 is refer to, a kind of flow chart for web service exceptions detection method that Fig. 1 is provided by the embodiment of the present application is main Comprise the following steps:
Step 101:Multiple characteristic values that behavior is accessed in HTTP daily records are extracted, characteristic vector is generated.
Web service exception detection methods provided herein, are mainly based upon to HTTP (Hypertext Transfer Protocol) analysis of the access data recorded in daily record and deploy.
HTTP, i.e. HTTP, are a kind of procotol being most widely used on internet, all web File is in compliance with this consensus standard.And in HTTP daily records, then have recorded the session letter that each IP user accesses server every time Breath, including the source IP and source port of each session, purpose IP and destination interface, Session Time stamp, session duration, request bag length, Requesting method, response bag length, return conditional code etc..
By analyzing and counting the related session information of each session in HTTP daily records, it can therefrom extract and calculate web The characteristic value of user access activity, and then generate characteristic vector, the access feature to represent the access behavior.
Characteristic value mentioned here, can include following any type characteristic value or any combination:Access time is distributed Characteristic value, request number of times metrology features value, server response byte characteristic value, transition probability characteristic value;And characteristic vector is then Each numerical value in the vector generated by foregoing characteristic value, this feature vector represents one of user access activity Feature.
Specifically, the reflection of access time distribution characteristics value is that user accesses HTTP frequency and the feature at interval;Request Described by number of times metrology features value is the quantative attribute that user asks HTTP;Server response word throttling characteristic value is described The feature of the business change of user's request;Transition probability characteristic value describes page jump, requesting method conversion and responded The probability characteristics of state code conversion.For which characteristic value specifically used, those skilled in the art can be according to actual use Situation is voluntarily selected and set, and the embodiment of the present application is not defined to this.
It should be noted that because access behavior is initiated by source IP, that is, access behavior and made a distinction with source IP, Therefore, data of the above characteristic value also both for the access behavior of same source IP carry out statistics and analysis.So, When the characteristic value that multiple source IPs are accessed with behavior is extracted, after can HTTP daily records be filed according to source IP first again The extraction of characteristic value is carried out respectively.
In addition, supplementary notes are also needed, because features above value is relevant with the duration counted, therefore, in order to set up one Individual unified web service exceptions detection criterion, the features above value of each source IP must describe the visit in equal duration The characteristic value of behavioural characteristic is asked, otherwise, the statistical significance of this feature value will be lost.
Step 102:According to the Outlier Detection Algorithm model pre-established, the abnormal index of the characteristic vector is calculated.
Outlier Detection Algorithm model mentioned here, can use multivariate Gaussian abnormal distribution detection algorithm model, also may be used With using other Outlier Detection Algorithm models such as Isolation Forest, to be carried out to the characteristic vector generated in step 101 The calculating of abnormal index.Abnormal index, as its name suggests, exactly weigh the corresponding access behavior of this feature vector whether abnormal finger Mark, there is a set of corresponding computational methods in different algorithms.Specifically abnormal index is calculated using which kind of algorithm, this Art personnel voluntarily can be selected and set, and the embodiment of the present application is not defined.
Step 103:Judge whether abnormal index exceeds preset threshold range;If so, then judging corresponding to characteristic vector Access abnormal behavior.
If the abnormal index of a certain characteristic vector is beyond default threshold range, it can illustrate, this feature vector Represented access behavior has abnormal behaviour.
It can be seen that, the web service exception detection methods that the embodiment of the present application is provided, by analyzing what is recorded in HTTP daily records Access information, characteristic value and characteristic vector to the access behavior of user are extracted, and pass through Outlier Detection Algorithm model meter The abnormal index of characteristic vector is calculated, judges whether abnormal index exceeds preset threshold range and judge corresponding access will pass through Whether behavior is abnormal.As can be seen here, web service exception detection algorithms provided herein be feature based analysis and it is irregular Matching, thus without relying on the rule base set up to known exception behavior, thus unknown abnormal behaviour can be detected, improve Detectability.
Fig. 2 is refer to, on the basis of the web service exception detection methods shown in the application Fig. 1, Fig. 2 is that the application is real The flow chart for another web service exception detection method that example is provided is applied, is mainly included the following steps that.Same or similar portion Divide and refer to content shown in Fig. 1, just repeat no more here.
Step 201:HTTP daily records are obtained, and are filtered out unrelated with access behavior in HTTP daily records or interference abnormality detection Log recording.
In order to improve the extraction efficiency to accessing behavioural characteristic value, original HTTP daily records can be located in advance first Reason, you can to filter out the record unrelated with accessing behavior, such as purpose IP is not belonging to the access log record of web server, with And the record of interference abnormality detection is washed, such as field information records imperfect or wrong record, the file type accessed Belong to the log recordings such as picture, CSS.
Step 202:HTTP daily records are filed according to source IP.
Because each access behavior is initiated by source IP, i.e., source IP is the build-in attribute of an access behavior, this Individual information is extremely important for the management of web safety, therefore, before the statistics of characteristic value and extraction is carried out, and first has to clearly The source IP of access behavior.Specifically, it will can be filed through the pretreated HTTP daily records of step 201 according to source IP, so as to The progress of subsequent step.
Step 203:Slicing treatment is carried out according to preset duration to the HTTP daily records after filing.
As it was noted above, the characteristic value extracted is it has to be ensured that be the characteristic value of the access feature in the equal period, Otherwise the symbolical meaningses of characteristic value will be lost.Simultaneously as log recording content is typically more, so, can be by the period A less chronomere is taken as, the calculating of data can also be simplified to a certain extent, speed is improved.Therefore, for convenience Calculating and statistics to the characteristic value in timing statisticses, can be first before characteristic value be extracted, to the HTTP daily records after filing Slicing treatment is carried out according to preset duration, i.e. HTTP daily records are cut into the HTTP days in multiple time slicings by preset duration Will, to extract the generation characteristic vector of the characteristic value in the time slicing.As for the preset duration be specially how long, this area skill Art personnel voluntarily can be selected and set, and the embodiment of the present application is not defined.
Step 204:Calculate and extract and visited in multiple characteristic values of access behavior in each time slicing, generation time slicing Ask behavior corresponding characteristic vector.
Hereinbefore the characteristic value for accessing behavior is provided a brief description, below will be by way of example to all kinds of characteristic values Describe in detail.
(1) access time distribution characteristics value.
The reflection of such characteristic value is that the source IP accesses HTTP frequency and the feature at interval, for example:
Time_mean, represents the average value of the adjacent two access intra-record slack byte time of certain time endogenous IP user, uses To describe the frequecy characteristic of source IP user access activity.
Time_std, represents the standard deviation of the adjacent two access intra-record slack byte time of certain time endogenous IP user, For describing the spaced features of source IP user access activity.
(2) request number of times metrology features value.
Described by such characteristic value is the quantative attribute that source IP user asks HTTP, for example:
Req_count, represents the total degree for all requests that certain time endogenous IP user sends.
Page_count, represents different URI (the Uniform Resource that certain time endogenous IP user is accessed Identifier, universal resource identifier) quantity.
Get_count, represents the number of times that certain time endogenous IP user is made requests in GET request mode.In HTTP/ In 1.1 agreements, GET and POST, OPTIONS, HEAD, PUT, DELETE, TRACE, CONNECT be defined as HTTP eight kinds please Mode is sought, for showing the different modes of operation to the resource on server.Merely just list and one of which is asked The number of times metrology features value of mode, it is, of course, also possible to which the request number of times of other one or more of request methods is entered to any of the above Row statistics, those skilled in the art should can obtain other specific various features values by modes such as analogies.
400_count, represents to receive the responsive state synchronous codes numbers of 4 prefixs in certain time, that is, receive 400~ Responsive state synchronous codes number in the range of 417.Because the conditional code of 4 prefixs represents request error, for example, responsive state code 403 expression servers have understood that but refusal is performed for request, and 404 expression requested resources are not found on the server, 405 Represent that the requesting method specified in request cannot be used for requested resource, therefore, this feature value to be solved for the application Web service exceptions the problem of detect, with certain directive significance.
(3) server response word throttling characteristic value.
Such characteristic value describes the feature of the business change of source IP user request, for example:
Bytes_mean, represents the average value of each bar HTTP access logs response word joint number in certain time.
Bytes_std, represents the standard deviation of each bar HTTP access logs response word joint number in certain time.
Method_code_status, is the statistics of the combination number of times to requesting method and responsive state code, for example, What (GET, 200) was represented is that the request sent in GET request mode is responded successfully, wherein, responsive state code 200 represents that request rings It should succeed, and requested resource will be returned with responsive state code.
(4) transition probability characteristic value.
Such characteristic value describes the probability of page jump, requesting method conversion and responsive state code conversion, for example:
Prob_req_seq, represents the URI sequence transition probability asked in certain time in each bar request.
Prob_method_seq, represents the sequence transition probability of the request method of each bar request in certain time.
Prob_status_code_seq, represents that the sequence transfer of the responsive state code of each bar request in certain time is general Rate.
Wherein, sequence transition probability is the concept in Markov Chain, and it refers to according to some status switch in n state Between the probability changed.When carrying out calculating transition probability, it is necessary to calculate the adjacent shape of any two in the sequence first Transition probability between state, then opens (n-1) th Root by the product of all transition probabilities of the sequence, you can tries to achieve sequence and turns Move probability.
For example, for prob_req_seq, if the sequence that the URI pages are accessed in sometime burst is [a, b, c, a, b], And it is 0.5 that page a, which jumps to page b transition probability, the transition probability that page b jumps to page c is 0.6, and page c jumps to page Face a transition probability is 0.8, then the final transition probability value of above-mentioned access sequence is
For another example for prob_status_code_seq, if the HTTP in sometime burst accesses behavior Responsive state code is followed successively by [200,200,404,200,200], and conditional code is 0.8 by 200 transition probabilities for being transformed to 200, It is 0.2 by 200 transition probabilities for being transformed to 404, is 0.3 by 404 transition probabilities for being transformed to 200, then above-mentioned conditional code sequence Row final transition probability value be
Transition probability is still a probability characteristics value, and its scope is still between 0~1;Also, transition probability is got over Greatly, it is that normal possibility is higher to represent the sequence, otherwise lower.
It should be noted that only list a part of characteristic value in all kinds of characteristic values above, the application is included but not It is limited to above content, those skilled in the art can obtain other characteristic values by modes such as analogies, the application and without limit It is fixed.In addition, any characteristic value can be arbitrarily named, simply given by way of example wherein in above content One kind is named, but the application is not defined to this.
Step 205:According to the Outlier Detection Algorithm model pre-established, the abnormal index of characteristic vector is calculated.
Step 206:Judge whether abnormal index exceeds preset threshold range;If so, the then access corresponding to characteristic vector Abnormal behavior.
Step 207:According to the scope of each characteristic value of default all kinds of abnormal behaviours, judge that the characteristic vector institute is right The Exception Type for the access behavior answered.
When judging to obtain the access abnormal behavior represented by this feature vector by step 206, it can carry out further Analysis and judgement, to recognize the specific type of the abnormal behaviour.In order to it is accurate recognize abnormal behaviour type, it is necessary to feature to Each characteristic value in amount is made a concrete analysis of.Now can be by each feature of security expert's knowledge to all kinds of abnormal behaviours It is worth the threshold range of definition, to detecting that judgement is compared in abnormal set of eigenvectors, thereby confirms that the tool of the abnormal behaviour Body Exception Type, such as malice scanning, explosion, back door, leak etc..Certainly, if necessary, can also further export Detect the HTTP log recordings corresponding to abnormal set of eigenvectors, so as to understand it is more for information about.
It can be seen that, the web service exception detection methods that the embodiment of the present application is provided, in the web service exceptions inspection shown in Fig. 1 On the basis of survey method, specific abnormal row can also be judged according to security expert's knowledge after abnormal behaviour is detected For type.Therefore, can more fast and effeciently to carry out web business different for web service exceptions detection method provided herein Often detection, clearly detects Exception Type, greatly improves Consumer's Experience.
The web service exception detection means provided below the embodiment of the present application is introduced.Web industry described below Being engaged in abnormal detector can be mutually to should refer to above-described web service exceptions detection method.
Referring to Fig. 3, Fig. 3 is a kind of structured flowchart of web service exceptions detection means provided herein;Including carrying Modulus block 301 and detection module 302.
Extraction module 301 is mainly used in extracting the characteristic value that behavior is accessed in HTTP daily records, generates characteristic vector.
Specifically, extraction module 301 can be used for obtaining HTTP daily records;And filed HTTP daily records according to source IP; Then slicing treatment is carried out according to preset duration to the HTTP daily records after filing;Calculate and extract and row is accessed in each time slicing For multiple characteristic values, generation time slicing in the corresponding characteristic vector of access behavior.
Wherein, the characteristic value can include following any type characteristic value or any combination:Access time distribution characteristics Value, request number of times metrology features value, server response word throttling characteristic value, transition probability characteristic value.And characteristic vector be then by Each numerical value in the vector of foregoing characteristic value generation, this feature vector represents one of the user access activity Feature.
The reflection of access time distribution characteristics value is that user accesses HTTP frequency and the feature at interval;Request number of times is measured Described by characteristic value is the quantative attribute that user asks HTTP, and server response word throttling characteristic value describes user's request Business change feature, transition probability characteristic value describe page jump, requesting method conversion and responsive state code change The probability changed.For which characteristic value specifically used, those skilled in the art can voluntarily select according to actual use situation And set, the embodiment of the present application is not defined to this.
In addition, extraction module 301 can be also used for after HTTP daily records are obtained, be returned HTTP daily records according to source IP Before shelves, unrelated with access behavior in original HTTP daily records or interference abnormality detection log recording is filtered out, to a certain extent The efficiency and accuracy of abnormality detection can be improved.
Detection module 302 is mainly used in, according to the Outlier Detection Algorithm model pre-established, calculating the characteristic vector Abnormal index;And judge whether the abnormal index exceeds preset threshold range;If so, then judging corresponding to the characteristic vector Access abnormal behavior.
Wherein, described Outlier Detection Algorithm model can be multivariate Gaussian abnormal distribution detection algorithm model, certainly It can voluntarily be selected according to actual conditions for the Outlier Detection Algorithm models such as Isolation Forest, those skilled in the art Select and set, the embodiment of the present application is not defined to this.
In addition, detection module 302 can be also used for after the access abnormal behavior corresponding to judging characteristic vector, foundation The scope of each characteristic value of default all kinds of abnormal behaviours, judges the exception class of the access behavior corresponding to the characteristic vector Type.
Fig. 4 is refer to, Fig. 4 is a kind of application architecture figure of web service exceptions detection means provided herein.
As shown in figure 4, extraction module 301 carries out characteristics extraction to HTTP access logs, multiple characteristic vectors (figure is generated Shown in for n).Then calculating processing is carried out, such as to characteristic vector according to Outlier Detection Algorithm model by detection module 302 Really calculate obtained abnormal index and exceed preset threshold range, as detect exception;Then again according to a plurality of security expert's knowledge (being n bars shown in figure), determines whether out Exception Type, obtains Exception Type result.
It can be seen that, web service exception detection means provided herein conducts interviews using to the record in HTTP daily records The extraction of behavioural characteristic value, and abnormal index is calculated by Outlier Detection Algorithm model, and then judge that the access behavior is No exception.Because web service exceptions detection means provided herein is without using the rule set up according to known exception behavior Then storehouse, therefore can detect unknown abnormal behaviour, improves safety detection level.In addition, web business provided herein Abnormal detector can also utilize security expert's knowledge, and exception class is determined whether out to the access behavior for detecting abnormal Type, it is convenient for users to use.
The embodiment of each in the application is described by the way of progressive, and what each embodiment was stressed is and other realities Apply the difference of example, between each embodiment identical similar portion mutually referring to.For device disclosed in embodiment Speech, because it is corresponded to the method disclosed in Example, so description is fairly simple, related part is referring to method part illustration .
Professional further appreciates that, with reference to the method and step of the embodiments described herein description, energy It is enough to be realized with electronic hardware, computer software or the combination of the two, in order to clearly demonstrate the interchangeable of hardware and software Property, the composition and step of each example are generally described according to function in the above description.These functions are actually with hard Part or software mode are performed, depending on the application-specific and design constraint of technical scheme.Professional and technical personnel can be with Described function is realized using distinct methods to each specific application, but this realization is it is not considered that beyond this Shen Scope please.
Directly it can be held with reference to the step of the method or algorithm that the embodiments described herein is described with hardware, processor Capable software module, or the two combination are implemented.Software module can be placed in random access memory (RAM), internal memory, read-only deposit Reservoir (ROM), electrically programmable ROM, electrically erasable ROM, register, hard disk, moveable magnetic disc, CD-ROM or technology In any other form of storage medium well known in field.
Technical scheme provided herein is described in detail above.Specific case used herein is to this Shen Principle and embodiment please is set forth, the explanation of above example be only intended to help understand the present processes and its Core concept.It should be pointed out that for those skilled in the art, not departing from the premise of the application principle Under, some improvement and modification can also be carried out to the application, these are improved and modification also falls into the protection of the application claim In the range of.

Claims (10)

1. a kind of web service exceptions detection method, it is characterised in that including:
Multiple characteristic values that behavior is accessed in HTTP daily records are extracted, characteristic vector is generated;
According to the Outlier Detection Algorithm model pre-established, the abnormal index of the characteristic vector is calculated;
Judge whether the abnormal index exceeds preset threshold range;If so, then judging the access corresponding to the characteristic vector Abnormal behavior.
2. web service exceptions detection method according to claim 1, it is characterised in that the characteristic value includes following any One class or any combination:
Access time distribution characteristics value, request number of times metrology features value, server response word throttling characteristic value, transition probability feature Value.
3. web service exceptions detection method according to claim 1, it is characterised in that accessed in the extraction HTTP daily records Multiple characteristic values of behavior, generation characteristic vector includes:
Obtain HTTP daily records;
The HTTP daily records are filed according to source IP;
Slicing treatment is carried out according to preset duration to the HTTP daily records after filing;
Calculate and extract the access behavior correspondence in multiple characteristic values of access behavior in each time slicing, generation time slicing Characteristic vector.
4. web service exceptions detection method according to claim 3, it is characterised in that after the acquisition HTTP daily records, It is described the HTTP daily records are filed according to source IP before also include:
Filter out unrelated with access behavior in original HTTP daily records or interference abnormality detection log recording.
5. according to any one of Claims 1-4 web service exceptions detection method, it is characterised in that the basis is built in advance Vertical Outlier Detection Algorithm model, calculating the abnormal index of the characteristic vector includes:
Calculated according to the multivariate Gaussian abnormal distribution detection algorithm model or Isolation Forest abnormality detections pre-established Method model, calculates the abnormal index of the characteristic vector.
6. web service exceptions detection method according to claim 5, it is characterised in that judge the abnormal index described Whether preset threshold range is exceeded;If so, then judging also to include after the access abnormal behavior corresponding to the characteristic vector:
According to the scope of each characteristic value of default all kinds of abnormal behaviours, the access behavior corresponding to the characteristic vector is judged Exception Type.
7. a kind of web service exceptions detection means, it is characterised in that including:
Extraction module:Multiple characteristic values of behavior are accessed in HTTP daily records for extracting, characteristic vector is generated;
Detection module:For according to the Outlier Detection Algorithm model pre-established, calculating the abnormal index of the characteristic vector;Sentence Whether the abnormal index that breaks exceeds preset threshold range;If so, then judging that the access behavior corresponding to the characteristic vector is different Often.
8. web service exceptions detection means according to claim 7, it is characterised in that the extraction module specifically for:
Obtain HTTP daily records;The HTTP daily records are filed according to source IP;To the HTTP daily records after filing according to it is default when It is long to carry out slicing treatment;Calculate and extract in multiple characteristic values of access behavior in each time slicing, generation time slicing The corresponding characteristic vector of access behavior.
9. web service exceptions detection means according to claim 8, it is characterised in that the extraction module is additionally operable to:
After the acquisition HTTP daily records, it is described the HTTP daily records are filed according to source IP before, filter out original Log recording unrelated with accessing behavior or interference abnormality detection in HTTP daily records.
10. according to any one of claim 7 to the 9 web service exceptions detection means, it is characterised in that the detection module It is additionally operable to:
If the access abnormal behavior corresponding to the characteristic vector, each characteristic value model according to default all kinds of abnormal behaviours Enclose, judge the Exception Type of the access behavior corresponding to the characteristic vector.
CN201710720367.4A 2017-08-21 2017-08-21 Web service anomaly detection method and device Active CN107302547B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710720367.4A CN107302547B (en) 2017-08-21 2017-08-21 Web service anomaly detection method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710720367.4A CN107302547B (en) 2017-08-21 2017-08-21 Web service anomaly detection method and device

Publications (2)

Publication Number Publication Date
CN107302547A true CN107302547A (en) 2017-10-27
CN107302547B CN107302547B (en) 2021-07-02

Family

ID=60131997

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710720367.4A Active CN107302547B (en) 2017-08-21 2017-08-21 Web service anomaly detection method and device

Country Status (1)

Country Link
CN (1) CN107302547B (en)

Cited By (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108259482A (en) * 2018-01-04 2018-07-06 平安科技(深圳)有限公司 Network Abnormal data detection method, device, computer equipment and storage medium
CN108491720A (en) * 2018-03-20 2018-09-04 腾讯科技(深圳)有限公司 A kind of application and identification method, system and relevant device
CN109450864A (en) * 2018-10-17 2019-03-08 国网河北省电力有限公司电力科学研究院 A kind of safety detection method, device and system
CN109462580A (en) * 2018-10-24 2019-03-12 全球能源互联网研究院有限公司 Training flow detection model, the method and device for detecting service traffics exception
CN109492394A (en) * 2018-10-25 2019-03-19 平安科技(深圳)有限公司 The recognition methods of abnormal traffic request and terminal device
CN109688166A (en) * 2019-02-28 2019-04-26 新华三信息安全技术有限公司 A kind of exception outgoing behavioral value method and device
CN109948738A (en) * 2019-04-11 2019-06-28 合肥工业大学 Energy consumption method for detecting abnormality, the apparatus and system of coating drying room
CN109981596A (en) * 2019-03-05 2019-07-05 腾讯科技(深圳)有限公司 A kind of host external connection detection method and device
CN110311888A (en) * 2019-05-09 2019-10-08 深信服科技股份有限公司 A kind of Web anomalous traffic detection method, device, equipment and medium
CN110399268A (en) * 2019-07-26 2019-11-01 阿里巴巴集团控股有限公司 A kind of method, device and equipment of anomaly data detection
CN110751354A (en) * 2018-07-24 2020-02-04 北京京东金融科技控股有限公司 Abnormal user detection method and device
CN110830450A (en) * 2019-10-18 2020-02-21 平安科技(深圳)有限公司 Abnormal flow monitoring method, device and equipment based on statistics and storage medium
CN111090885A (en) * 2019-12-20 2020-05-01 北京天融信网络安全技术有限公司 User behavior auditing method and device, electronic equipment and storage medium
CN111147944A (en) * 2019-12-26 2020-05-12 广州易方信息科技股份有限公司 On-demand infringement risk discovery method based on big data log analysis
CN111314326A (en) * 2020-02-01 2020-06-19 深信服科技股份有限公司 Method, device, equipment and medium for confirming HTTP vulnerability scanning host
CN111600880A (en) * 2020-05-14 2020-08-28 深信服科技股份有限公司 Method, system, storage medium and terminal for detecting abnormal access behavior
CN111984346A (en) * 2020-08-12 2020-11-24 八维通科技有限公司 Method, system, device and storage medium for call chain tracking in micro-service environment
CN112866279A (en) * 2021-02-03 2021-05-28 恒安嘉新(北京)科技股份公司 Webpage security detection method, device, equipment and medium
CN113940034A (en) * 2019-04-18 2022-01-14 甲骨文国际公司 Detecting behavioral anomalies for cloud users
WO2023174002A1 (en) * 2022-03-18 2023-09-21 华为技术有限公司 System monitoring method and apparatus

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105072089A (en) * 2015-07-10 2015-11-18 中国科学院信息工程研究所 WEB malicious scanning behavior abnormity detection method and system
CN105337985A (en) * 2015-11-19 2016-02-17 北京师范大学 Attack detection method and system
US9282114B1 (en) * 2011-06-30 2016-03-08 Emc Corporation Generation of alerts in an event management system based upon risk
CN105554007A (en) * 2015-12-25 2016-05-04 北京奇虎科技有限公司 web anomaly detection method and device
CN105577440A (en) * 2015-12-24 2016-05-11 华为技术有限公司 Network fault time location method and analyzing device
CN105656886A (en) * 2015-12-29 2016-06-08 北京邮电大学 Method and device for detecting website attack behaviors based on machine learning
US9516053B1 (en) * 2015-08-31 2016-12-06 Splunk Inc. Network security threat detection by user/user-entity behavioral analysis
CN106357618A (en) * 2016-08-26 2017-01-25 北京奇虎科技有限公司 Web abnormality detection method and device
CN106506327A (en) * 2016-10-11 2017-03-15 东软集团股份有限公司 A kind of spam filtering method and device

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9282114B1 (en) * 2011-06-30 2016-03-08 Emc Corporation Generation of alerts in an event management system based upon risk
CN105072089A (en) * 2015-07-10 2015-11-18 中国科学院信息工程研究所 WEB malicious scanning behavior abnormity detection method and system
US9516053B1 (en) * 2015-08-31 2016-12-06 Splunk Inc. Network security threat detection by user/user-entity behavioral analysis
CN105337985A (en) * 2015-11-19 2016-02-17 北京师范大学 Attack detection method and system
CN105577440A (en) * 2015-12-24 2016-05-11 华为技术有限公司 Network fault time location method and analyzing device
CN105554007A (en) * 2015-12-25 2016-05-04 北京奇虎科技有限公司 web anomaly detection method and device
CN105656886A (en) * 2015-12-29 2016-06-08 北京邮电大学 Method and device for detecting website attack behaviors based on machine learning
CN106357618A (en) * 2016-08-26 2017-01-25 北京奇虎科技有限公司 Web abnormality detection method and device
CN106506327A (en) * 2016-10-11 2017-03-15 东软集团股份有限公司 A kind of spam filtering method and device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
赵刚等: "基于系统调用时间特征的异常行为智能检测系统", 《计算机应用与软件》 *

Cited By (33)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108259482A (en) * 2018-01-04 2018-07-06 平安科技(深圳)有限公司 Network Abnormal data detection method, device, computer equipment and storage medium
CN108259482B (en) * 2018-01-04 2019-05-28 平安科技(深圳)有限公司 Network Abnormal data detection method, device, computer equipment and storage medium
US11683330B2 (en) 2018-01-04 2023-06-20 Ping An Technology (Shenzhen) Co., Ltd. Network anomaly data detection method and device as well as computer equipment and storage medium
CN108491720A (en) * 2018-03-20 2018-09-04 腾讯科技(深圳)有限公司 A kind of application and identification method, system and relevant device
CN110751354B (en) * 2018-07-24 2024-03-05 京东科技控股股份有限公司 Abnormal user detection method and device
CN110751354A (en) * 2018-07-24 2020-02-04 北京京东金融科技控股有限公司 Abnormal user detection method and device
CN109450864A (en) * 2018-10-17 2019-03-08 国网河北省电力有限公司电力科学研究院 A kind of safety detection method, device and system
CN109462580A (en) * 2018-10-24 2019-03-12 全球能源互联网研究院有限公司 Training flow detection model, the method and device for detecting service traffics exception
CN109462580B (en) * 2018-10-24 2021-03-30 全球能源互联网研究院有限公司 Training flow detection model, method and device for detecting abnormal business flow
CN109492394A (en) * 2018-10-25 2019-03-19 平安科技(深圳)有限公司 The recognition methods of abnormal traffic request and terminal device
CN109492394B (en) * 2018-10-25 2024-05-03 平安科技(深圳)有限公司 Abnormal service request identification method and terminal equipment
CN109688166A (en) * 2019-02-28 2019-04-26 新华三信息安全技术有限公司 A kind of exception outgoing behavioral value method and device
CN109688166B (en) * 2019-02-28 2021-06-04 新华三信息安全技术有限公司 Abnormal outgoing behavior detection method and device
CN109981596A (en) * 2019-03-05 2019-07-05 腾讯科技(深圳)有限公司 A kind of host external connection detection method and device
CN109981596B (en) * 2019-03-05 2020-09-04 腾讯科技(深圳)有限公司 Host external connection detection method and device
CN109948738A (en) * 2019-04-11 2019-06-28 合肥工业大学 Energy consumption method for detecting abnormality, the apparatus and system of coating drying room
CN113940034A (en) * 2019-04-18 2022-01-14 甲骨文国际公司 Detecting behavioral anomalies for cloud users
CN110311888A (en) * 2019-05-09 2019-10-08 深信服科技股份有限公司 A kind of Web anomalous traffic detection method, device, equipment and medium
CN110399268A (en) * 2019-07-26 2019-11-01 阿里巴巴集团控股有限公司 A kind of method, device and equipment of anomaly data detection
CN110399268B (en) * 2019-07-26 2023-09-26 创新先进技术有限公司 Abnormal data detection method, device and equipment
CN110830450A (en) * 2019-10-18 2020-02-21 平安科技(深圳)有限公司 Abnormal flow monitoring method, device and equipment based on statistics and storage medium
WO2021073114A1 (en) * 2019-10-18 2021-04-22 平安科技(深圳)有限公司 Abnormal traffic monitoring method, apparatus and device based on statistics, and storage medium
CN111090885A (en) * 2019-12-20 2020-05-01 北京天融信网络安全技术有限公司 User behavior auditing method and device, electronic equipment and storage medium
CN111147944A (en) * 2019-12-26 2020-05-12 广州易方信息科技股份有限公司 On-demand infringement risk discovery method based on big data log analysis
CN111147944B (en) * 2019-12-26 2021-11-09 广州易方信息科技股份有限公司 On-demand infringement risk discovery method based on big data log analysis
CN111314326B (en) * 2020-02-01 2022-06-21 深信服科技股份有限公司 Method, device, equipment and medium for confirming HTTP vulnerability scanning host
CN111314326A (en) * 2020-02-01 2020-06-19 深信服科技股份有限公司 Method, device, equipment and medium for confirming HTTP vulnerability scanning host
CN111600880A (en) * 2020-05-14 2020-08-28 深信服科技股份有限公司 Method, system, storage medium and terminal for detecting abnormal access behavior
CN111984346B (en) * 2020-08-12 2023-10-27 八维通科技有限公司 Method, system, device and storage medium for calling chain tracking in micro-service environment
CN111984346A (en) * 2020-08-12 2020-11-24 八维通科技有限公司 Method, system, device and storage medium for call chain tracking in micro-service environment
CN112866279B (en) * 2021-02-03 2022-12-09 恒安嘉新(北京)科技股份公司 Webpage security detection method, device, equipment and medium
CN112866279A (en) * 2021-02-03 2021-05-28 恒安嘉新(北京)科技股份公司 Webpage security detection method, device, equipment and medium
WO2023174002A1 (en) * 2022-03-18 2023-09-21 华为技术有限公司 System monitoring method and apparatus

Also Published As

Publication number Publication date
CN107302547B (en) 2021-07-02

Similar Documents

Publication Publication Date Title
CN107302547A (en) A kind of web service exceptions detection method and device
CN111262722B (en) Safety monitoring method for industrial control system network
EP2244418B1 (en) Database security monitoring method, device and system
CN104519032B (en) A kind of security strategy and system of internet account number
CN111949803B (en) Knowledge graph-based network abnormal user detection method, device and equipment
CN107992398A (en) The monitoring method and monitoring system of a kind of operation system
CN107786545A (en) A kind of attack detection method and terminal device
CN107465651A (en) Network attack detecting method and device
CN108156131A (en) Webshell detection methods, electronic equipment and computer storage media
CN108989150A (en) A kind of login method for detecting abnormality and device
CN108154029A (en) Intrusion detection method, electronic equipment and computer storage media
WO2014110370A2 (en) Method and apparatus of identifying a website user
CN112463553B (en) System and method for analyzing intelligent alarms based on common alarm association
CN108334758A (en) A kind of detection method, device and the equipment of user's ultra vires act
CN107493277A (en) The online method for detecting abnormality of big data platform based on maximum information coefficient
EP3742700B1 (en) Method, product, and system for maintaining an ensemble of hierarchical machine learning models for detection of security risks and breaches in a network
CN105306463A (en) Modbus TCP intrusion detection method based on support vector machine
CN107294953A (en) Attack operation detection method and device
CN109040130A (en) Mainframe network behavior pattern measure based on attributed relational graph
CN108259202A (en) A kind of CA monitoring and pre-alarming methods and CA monitoring and warning systems
CN104090835A (en) eID (electronic IDentity) and spectrum theory based cross-platform virtual asset transaction audit method
CN110602021A (en) Safety risk value evaluation method based on combination of HTTP request behavior and business process
US10091223B2 (en) Method for detecting anomalies in network traffic
CN108600172A (en) Hit library attack detection method, device, equipment and computer readable storage medium
CN110135162A (en) The recognition methods of the back door WEBSHELL, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
CB03 Change of inventor or designer information
CB03 Change of inventor or designer information

Inventor after: Chen Ruiqin

Inventor after: Liang Yu

Inventor after: Wang Dawei

Inventor after: Gu Liang

Inventor before: Lu Yi

GR01 Patent grant
GR01 Patent grant