CN107426136A - Method and device for identifying a network attack - Google Patents

Publication number
CN107426136A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201610345863.1A
Other languages
Chinese (zh)
Other versions
CN107426136B (en)
Inventor
任杰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Tencent Cloud Computing Beijing Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN201610345863.1A
Publication of CN107426136A
Application granted
Publication of CN107426136B
Legal status: Active

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic

Abstract

The embodiments of the invention disclose a method and device for identifying a network attack. The method includes: when the access traffic state is abnormal, obtaining a current access data set that includes current access data associated with a target page, and calculating, according to the Bayesian formula and the current access data set, the current associated access probability between the target page and each of multiple subpages; comparing the current associated access probability between the target page and each subpage with the corresponding historical associated access probability between the target page and that subpage; and, when there is a target subpage among the multiple subpages for which the difference between the current associated access probability and the historical associated access probability exceeds a preset value threshold, determining that the IP addresses in the current access data set are illegal IP addresses. The invention ensures the accuracy of network attack identification and can reduce labor cost.

Description

Method and device for identifying a network attack
Technical field
The present invention relates to the field of Internet technology, and in particular to a method and device for identifying a network attack.
Background
With the popularization of the Internet, more and more network attacks have appeared, such as CC (Challenge Collapsar) attacks. CC attacks are mainly used to attack pages. The principle of a CC attack is that the attacker controls some hosts to continuously send large numbers of data packets to the other party's server, exhausting the server's resources until the machine crashes. To better defend against CC attacks, CC attacks that have a degree of concealment need to be identified accurately.
At present, a CC attack can be identified as follows: an administrator selects the corresponding Web logs according to the log time attribute and opens the selected Web logs for analysis, to determine whether the Web is under CC attack. Evidently, the current identification method relies heavily on manual analysis; when there are large numbers of Web logs, labor cost increases greatly, and the accuracy of manual analysis can never be guaranteed.
Summary of the invention
The embodiments of the present invention provide a method and device for identifying a network attack, which ensure the accuracy of network attack identification and can reduce labor cost.
The embodiments of the present invention provide a method for identifying a network attack, including:
When the access traffic state is abnormal, obtaining a current access data set that includes current access data associated with a target page, and calculating, according to the Bayesian formula and the current access data set, the current associated access probability between the target page and each of multiple subpages;
Comparing the current associated access probability between the target page and each subpage with the corresponding historical associated access probability between the target page and that subpage; the historical associated access probability is calculated according to the Bayesian formula and a historical access data set obtained while the access traffic state was normal;
When there is a target subpage among the multiple subpages for which the difference between the current associated access probability and the historical associated access probability exceeds a preset value threshold, determining that the IP addresses in the current access data set are illegal IP addresses.
Correspondingly, the embodiments of the present invention also provide a device for identifying a network attack, including:
An acquisition and calculation module, configured to, when the access traffic state is abnormal, obtain a current access data set that includes current access data associated with a target page, and calculate, according to the Bayesian formula and the current access data set, the current associated access probability between the target page and each of multiple subpages;
A comparison module, configured to compare the current associated access probability between the target page and each subpage with the corresponding historical associated access probability between the target page and that subpage; the historical associated access probability is calculated according to the Bayesian formula and a historical access data set obtained while the access traffic state was normal;
A determining module, configured to determine that the IP addresses in the current access data set are illegal IP addresses when there is a target subpage among the multiple subpages for which the difference between the current associated access probability and the historical associated access probability exceeds a preset value threshold.
In the embodiments of the present invention, when the access traffic state is abnormal, the current associated access probability between the target page and each of multiple subpages is calculated and compared with the corresponding historical associated access probability between the target page and that subpage; when there is a target subpage among the multiple subpages for which the difference between the current associated access probability and the historical associated access probability exceeds a preset value threshold, the IP addresses in the current access data set can be determined to be illegal IP addresses. The invention therefore no longer depends on manual work, which greatly reduces labor cost. Because the current and historical associated access probabilities are calculated with the Bayesian formula, users' page access habits can be analyzed accurately, and whether a network attack exists is determined from changes in those habits, which ensures the accuracy of network attack identification.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Evidently, the drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flowchart of a method for identifying a network attack provided by an embodiment of the present invention;
Fig. 2 is a schematic structural diagram of a device for identifying a network attack provided by an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of an acquisition and calculation module provided by an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of another device for identifying a network attack provided by an embodiment of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Evidently, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Refer to Fig. 1, a schematic flowchart of a method for identifying a network attack provided by an embodiment of the present invention. The method may include:
S101: when the access traffic state is abnormal, obtain a current access data set that includes current access data associated with a target page, and calculate, according to the Bayesian formula and the current access data set, the current associated access probability between the target page and each of multiple subpages;
Specifically, the network attack identification device provided by the embodiment of the present invention can periodically detect whether the access traffic per unit time in the current network exceeds a preset traffic threshold, that is, detect whether the access frequency of pages exceeds the limit. If the access traffic per unit time in the current network is detected to exceed the preset traffic threshold, the access traffic state can be determined to be abnormal; otherwise the access traffic state is determined to be normal. When the access traffic state is abnormal, the device can obtain a current access data set that includes current access data associated with the target page. The current access data set may include the current access data of each of multiple users, and each user's current access data includes the user's IP (Internet Protocol) address and the user's access to multiple pages. When a user's current access data includes access to the target page (meaning the user has visited the target page), that user's current access data can be determined to be associated with the target page, that is, the current access data set includes current access data associated with the target page. Of course, the current access data set also includes current access data not associated with the target page (for example, the pages visited by some user do not include the target page).
Further, the probability of visiting each subpage can be calculated from the current access data set, to obtain the subpage access probability of each subpage. The subpages are selected in advance; there can be multiple subpages, and each subpage has one subpage access probability. For example, subpage A, subpage B and subpage C are selected in advance. When the current access data set is obtained, the number of users in it who have visited subpage A, the number who have visited subpage B and the number who have visited subpage C can be counted separately. If the current access data set includes 100 users, of whom 10 have visited subpage A, 15 have visited subpage B and 50 have visited subpage C, then the subpage access probability of subpage A is calculated as 10%, that of subpage B as 15%, and that of subpage C as 50%.
While calculating the subpage access probabilities, the network attack identification device can also calculate from the current access data set, for each subpage, the probability of having visited the target page given that the subpage was visited, to obtain the conditional access probability of each subpage. The target page is also selected in advance. For example, target page X, subpage A, subpage B and subpage C are selected in advance, and the obtained current access data set includes 100 users, of whom 8 have visited both subpage A and target page X, 15 have visited both subpage B and target page X, and 40 have visited both subpage C and target page X. Then the conditional access probability of subpage A is calculated as 8%, that of subpage B as 15%, and that of subpage C as 40%.
Further, from the Bayesian formula, each subpage access probability and each conditional access probability, the probability of visiting each subpage given that the target page was visited is calculated, to obtain the current associated access probability between the target page and each subpage. The Bayesian formula is specifically:
where j is an integer, P(x | Dj) is the conditional access probability of the j-th subpage, P(Dj) is the subpage access probability of the j-th subpage, P(x | Di) is the conditional access probability of the i-th subpage, P(Di) is the subpage access probability of the i-th subpage, and P(Dj | x) is the current associated access probability between the target page and the j-th subpage.
S102: compare the current associated access probability between the target page and each subpage with the corresponding historical associated access probability between the target page and that subpage; the historical associated access probability is calculated according to the Bayesian formula and a historical access data set obtained while the access traffic state was normal;
Specifically, after the current associated access probability between the target page and each of the multiple subpages has been calculated, it can be compared with the corresponding historical associated access probability between the target page and that subpage. For example, suppose there are subpage A, subpage B and subpage C; the current associated access probability between the target page and subpage A is a1, between the target page and subpage B is b1, and between the target page and subpage C is c1; the historical associated access probability between the target page and subpage A is a2, between the target page and subpage B is b2, and between the target page and subpage C is c2. Then a1 can be compared with a2, b1 with b2, and c1 with c2.
The historical associated access probability is calculated according to the Bayesian formula and a historical access data set obtained while the access traffic state was normal. The specific steps for generating the historical associated access probability can be: obtain the historical access data set from a period in which the access traffic state was normal, the historical access data set including historical access data associated with the target page; then, according to the Bayesian formula and the historical access data set, calculate the historical associated access probability between the target page and each subpage. The step of generating the historical associated access probability can be performed before S101 or when the access traffic state is abnormal. For example, when the access traffic state is abnormal, the network attack identification device can look up in the historical records the historical access data set from a period in which the access traffic state was normal, and calculate the historical associated access probability according to the Bayesian formula and that historical access data set.
The historical access data set may include the historical access data of each of multiple users, and each user's historical access data includes the user's IP address and the user's access to multiple pages. When a user's historical access data includes access to the target page (meaning the user has visited the target page), that user's historical access data can be determined to be associated with the target page, that is, the historical access data set includes historical access data associated with the target page. Of course, the historical access data set also includes historical access data not associated with the target page (for example, the pages visited by some user do not include the target page). The detailed process of calculating the historical associated access probability between the target page and each subpage according to the Bayesian formula and the historical access data set can be: from the historical access data set, calculate the probability of visiting each subpage, to obtain the historical subpage access probability of each subpage; from the historical access data set, calculate for each subpage the probability of having visited the target page given that the subpage was visited, to obtain the historical conditional access probability of each subpage; from the Bayesian formula, each historical subpage access probability and each historical conditional access probability, calculate the probability of visiting each subpage given that the target page was visited, to obtain the historical associated access probability between the target page and each subpage. The subpages, target page and Bayesian formula used in calculating the historical associated access probability are the same as the subpages, target page and Bayesian formula in S101 above.
S103: when there is a target subpage among the multiple subpages for which the difference between the current associated access probability and the historical associated access probability exceeds a preset value threshold, determine that the IP addresses in the current access data set are illegal IP addresses;
Specifically, when there is a target subpage among the multiple subpages for which the difference between the current associated access probability and the historical associated access probability exceeds the preset value threshold, the IP addresses in the current access data set can be determined to be illegal IP addresses. For example, if the historical associated access probability of some subpage is 35%, the current associated access probability of that subpage is 85%, and the preset value threshold is 20%, then the difference (50%) between the current associated access probability and the historical associated access probability of that subpage exceeds the preset value threshold. The IP addresses in the current access data set can therefore be determined to be illegal IP addresses, so that the protective measures against CC attacks can be applied to the current access data set.
Because a CC attack is precisely an attacker imitating a real user's page visits, it is equivalent to normal access of depth 1. The present invention can use historical data to train and estimate, based on the Bayesian formula, page access probabilities of depth 2 (that is, the historical associated access probabilities), so it avoids assessing whether access is a malicious attack directly from page access probabilities of depth 1. From the fluctuation between the historical associated access probability and the current associated access probability calculated with the Bayesian formula, the present invention can determine whether the access habits of the users in the current access data set have changed substantially, and can thus accurately identify whether simulated users carrying out a malicious attack are currently visiting pages.
In the embodiments of the present invention, when the access traffic state is abnormal, the current associated access probability between the target page and each of multiple subpages is calculated and compared with the corresponding historical associated access probability between the target page and that subpage; when there is a target subpage among the multiple subpages for which the difference between the current associated access probability and the historical associated access probability exceeds a preset value threshold, the IP addresses in the current access data set can be determined to be illegal IP addresses. The invention therefore no longer depends on manual work, which greatly reduces labor cost. Because the current and historical associated access probabilities are calculated with the Bayesian formula, users' page access habits can be analyzed accurately, and whether a network attack exists is determined from changes in those habits, which ensures the accuracy of network attack identification.
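The S101 to S103 flow described above, as an added Python example that is not code from the patent. It assumes the standard form of Bayes' formula over the symbols the page defines, P(Dj | x) = P(x | Dj) P(Dj) / Σi P(x | Di) P(Di), and computes P(x | Dj) over each subpage's own visitors, whereas the page's worked figures divide by the total user count. The function names, IP addresses, traffic figures and access data are constructed for illustration.

```python
# Added example (not from the patent): S101-S103 over constructed access data.
# Assumption: standard Bayes form P(Dj|x) = P(x|Dj)P(Dj) / sum_i P(x|Di)P(Di).


def associated_access_probabilities(access_data, target, subpages):
    """Return {subpage: P(Dj | x)} for one access data set.

    access_data maps a user IP address to the set of pages that user visited.
    """
    total_users = len(access_data)
    weights = {}
    for page in subpages:
        visitors = [ip for ip, pages in access_data.items() if page in pages]
        both = sum(1 for ip in visitors if target in access_data[ip])
        # Subpage access probability P(Dj): share of users who visited Dj.
        p_d = len(visitors) / total_users if total_users else 0.0
        # Conditional access probability P(x | Dj): share of Dj's visitors who
        # also visited the target page (assumption, see the lead-in).
        p_x_given_d = both / len(visitors) if visitors else 0.0
        weights[page] = p_x_given_d * p_d
    norm = sum(weights.values())
    if norm == 0:  # nobody visited the target together with a screened subpage
        return {page: 0.0 for page in subpages}
    return {page: w / norm for page, w in weights.items()}


def identify_attack(history, current, requests_in_window, flow_threshold,
                    target, subpages, value_threshold=0.20):
    """Return (deviating_subpages, flagged_ips) for the current window."""
    # Traffic state check: only an abnormal state triggers the comparison.
    if requests_in_window <= flow_threshold:
        return [], set()
    hist = associated_access_probabilities(history, target, subpages)
    curr = associated_access_probabilities(current, target, subpages)
    # S102: compare current and historical probabilities per subpage.
    deviating = [
        page for page in subpages
        if abs(curr[page] - hist[page]) > value_threshold
    ]
    # S103 as the page states it: one deviating subpage marks the IP addresses
    # in the current access data set as illegal.
    return deviating, (set(current) if deviating else set())


def make_users(prefix, start, count, pages):
    """Constructed sample users, one per IP, all with the same visited pages."""
    return {f"{prefix}.{i}": set(pages) for i in range(start, start + count)}


SUBPAGES = ["A", "B", "C"]

# Constructed history under normal traffic: 100 users, half of whom reach X.
HISTORY = {
    **make_users("192.0.2", 1, 20, {"X", "A"}),
    **make_users("192.0.2", 21, 15, {"X", "B"}),
    **make_users("192.0.2", 36, 15, {"X", "C"}),
    **make_users("192.0.2", 51, 50, {"other"}),
}

# Constructed current window: the same users plus 30 clients that request only
# target page X and subpage C.
CURRENT = {**HISTORY, **make_users("203.0.113", 1, 30, {"X", "C"})}


if __name__ == "__main__":
    print("historical:", associated_access_probabilities(HISTORY, "X", SUBPAGES))
    print("current:   ", associated_access_probabilities(CURRENT, "X", SUBPAGES))
    deviating, ips = identify_attack(HISTORY, CURRENT, 5000, 1000, "X", SUBPAGES)
    print("deviating subpages:", deviating, "| flagged IPs:", len(ips))
```

In this constructed run all 130 addresses in the current set are returned, including the 100 that also appear in the history set, because S103 as written marks the whole current access data set.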
Fig. 2 is referred to, is a kind of structural representation of the identification device of network attack provided in an embodiment of the present invention, The identification device 1 of the network attack can apply in server, the identification device 1 of the network attack It can include:Obtain computing module 10, comparison module 20, determining module 30, detection module 40, state Determining module 50;
The detection module 40, for detecting whether the flowing of access in current network in the unit interval exceedes in advance If flow threshold;
The state determining module 50, it is if being detected as the detection module 40, it is determined that the access Flow status are abnormality;
The state determining module 50, if be additionally operable to the detection module 40 be detected as it is no, it is determined that the visit It is normal condition to ask flow status;
Specifically, the detection module 40 can be periodically detected in current network the access stream in the unit interval Whether whether amount exceedes preset flow threshold value, that is, detect the access frequency of the page and transfinite, if the detection module 40 detect that the flowing of access in current network in the unit interval exceedes preset flow threshold value, then the state is true Cover half block 50 can determine that the flowing of access state is abnormality, otherwise the state determining module 50 It is normal condition to determine the flowing of access state.
The acquisition computing module 10, for when flowing of access state be abnormality, acquisition include and The current accessed data acquisition system of the associated current accessed data of target pages, and according to Bayesian formula and The current accessed data acquisition system, calculate in the target pages and multiple subpage frames and distinguish between each subpage frame Corresponding current associated access probability;
Specifically, when flowing of access state is abnormality, the acquisition computing module 10 can obtain bag Current accessed data acquisition system containing the current accessed data associated with target pages, and it is public according to Bayes Formula and the current accessed data acquisition system, calculate in the target pages and multiple subpage frames each subpage frame it Between respectively corresponding to current associated access probability;The current accessed data acquisition system can include multiple users point Not corresponding current accessed data, the current accessed data of each user are with including the User IP of corresponding user The access situation of location and the user to multiple pages.When the current accessed packet of some user contains pair During the access situation (illustrating that the user accessed the target pages) of the target pages, it may be determined that The current accessed data of the user are associated with the target pages, that is, illustrate the current accessed data acquisition system Include the current accessed data associated with the target pages, certain current accessed data acquisition system is also Including current accessed data (the multiple pages that such as some user are accessed associated with the non-target pages In not comprising the target pages).
Further, it is a kind of acquisition computing module provided in an embodiment of the present invention then please also refer to Fig. 3 10 structural representation, the acquisition computing module 10 can include:Acquiring unit 101, computing unit 102;
The acquiring unit 101, include working as the current accessed data associated with target pages for obtaining Preceding access data acquisition system;
The computing unit 102, for according to the current accessed data acquisition system, calculating access corresponding son respectively The probability of the page, to obtain subpage frame access probability corresponding to each subpage frame difference;
Specifically, the computing unit 102 can calculate visit respectively according to the current accessed data acquisition system The probability of corresponding subpage frame is asked, to obtain subpage frame access probability corresponding to each subpage frame difference.Wherein, The subpage frame is that advance screening is good, and can have multiple subpage frames, and a subpage frame is corresponding One sub- page access probability.For example, subpage frame A, subpage frame B and subpage frame C are filtered out in advance, When the acquiring unit 101 gets the current accessed data acquisition system, the computing unit 102 can be with Count respectively and subpage frame A number of users was accessed in the current accessed data acquisition system, accessed subpage frame B Number of users and accessed subpage frame C number of users, if the current accessed data acquisition system includes 100 User, wherein, the number of users for accessing subpage frame A is 10, the number of users that accessed subpage frame B is 15, The number of users for accessing subpage frame C is 50, then the computing unit 102 can calculate A pairs of subpage frame The subpage frame access probability answered is 10%, subpage frame access probability corresponding to subpage frame B is 15%, subpage frame Subpage frame access probability corresponding to C is 50%.
The computing unit 102 is further configured to calculate, according to the current access data set, the probability of having accessed the target page under the condition of having accessed each corresponding subpage, to obtain the conditional access probability corresponding to each subpage;
Specifically, while calculating the subpage access probabilities, the computing unit 102 can also calculate, according to the current access data set, the probability of having accessed the target page under the condition of having accessed each corresponding subpage, to obtain the conditional access probability corresponding to each subpage. The target page is also screened out in advance. For example, suppose target page X, subpage A, subpage B and subpage C have been screened out in advance, and the current access data set obtained by the acquiring unit 101 contains 100 users, of whom 8 accessed subpage A and also accessed target page X, 15 accessed subpage B and also accessed target page X, and 40 accessed subpage C and also accessed target page X. The computing unit 102 can then calculate that the conditional access probability corresponding to subpage A is 8%, that corresponding to subpage B is 15%, and that corresponding to subpage C is 40%.
The computing unit 102 is further configured to calculate, according to the Bayesian formula, each subpage access probability and each conditional access probability, the probability of accessing each corresponding subpage under the condition of having accessed the target page, to obtain the current association access probability between the target page and each subpage;
Specifically, the computing unit 102 then calculates, according to the Bayesian formula, each subpage access probability and each conditional access probability, the probability of accessing each corresponding subpage under the condition of having accessed the target page, to obtain the current association access probability between the target page and each subpage. The Bayesian formula is specifically:
$$P(D_j \mid x) = \frac{P(x \mid D_j)\,P(D_j)}{\sum_{i=1}^{n} P(x \mid D_i)\,P(D_i)}, \quad j \in [1, n]$$
where j is an integer, P(x | D_j) is the conditional access probability corresponding to the j-th subpage, P(D_j) is the subpage access probability corresponding to the j-th subpage, P(x | D_i) is the conditional access probability corresponding to the i-th subpage, P(D_i) is the subpage access probability corresponding to the i-th subpage, and P(D_j | x) is the current association access probability between the target page and the j-th subpage.
The comparison module 20 is configured to compare the current association access probability between the target page and each subpage with the historical association access probability between the target page and that subpage. The historical association access probability is calculated according to the Bayesian formula and a historical access data set obtained while the access traffic state was normal;
Specifically, after the acquisition and calculation module 10 has calculated the current association access probability between the target page and each of the multiple subpages, the comparison module 20 can compare the current association access probability between the target page and each subpage with the historical association access probability between the target page and that subpage. For example, suppose there are subpage A, subpage B and subpage C, that the current association access probabilities between the target page and subpages A, B and C are a1, b1 and c1 respectively, and that the historical association access probabilities between the target page and subpages A, B and C are a2, b2 and c2 respectively. The comparison module 20 can then compare the current association access probability a1 with the historical association access probability a2, compare b1 with b2, and compare c1 with c2.
The historical association access probability is calculated according to the Bayesian formula and a historical access data set obtained while the access traffic state was normal. Specifically, the acquisition and calculation module 10 is further configured to obtain the historical access data set from a period during which the access traffic state was normal; the historical access data set includes historical access data associated with the target page. The acquisition and calculation module 10 is further configured to calculate, according to the Bayesian formula and the historical access data set, the historical association access probability between the target page and each subpage. The acquisition and calculation module 10 can generate the historical association access probabilities before step S101 in Fig. 1 above, or when the access traffic state is abnormal. For example, when the access traffic state is abnormal, the acquisition and calculation module 10 can look up, in the historical records, the historical access data set from a period during which the access traffic state was normal, and calculate the historical association access probabilities according to the Bayesian formula and that historical access data set.
The historical access data set can include historical access data corresponding to each of multiple users; the historical access data of each user includes the user's IP address and the user's access situation for multiple pages. When the historical access data of a user includes an access to the target page (that is, the user accessed the target page), the historical access data of that user is determined to be associated with the target page, which means that the historical access data set includes historical access data associated with the target page. The historical access data set can of course also include historical access data that is not associated with the target page (for example, when the pages accessed by a user do not include the target page). The specific process by which the acquisition and calculation module 10 calculates, according to the Bayesian formula and the historical access data set, the historical association access probability between the target page and each subpage can be as follows: according to the historical access data set, calculate the probability of accessing each corresponding subpage, to obtain the historical subpage access probability corresponding to each subpage; according to the historical access data set, calculate the probability of having accessed the target page under the condition of having accessed each corresponding subpage, to obtain the historical conditional access probability corresponding to each subpage; and, according to the Bayesian formula, each historical subpage access probability and each historical conditional access probability, calculate the probability of accessing each corresponding subpage under the condition of having accessed the target page, to obtain the historical association access probability between the target page and each subpage. The subpages, the target page and the Bayesian formula that the acquisition and calculation module 10 uses when calculating the historical association access probabilities are the same as the subpages, the target page and the Bayesian formula that it uses when calculating the current association access probabilities.
The determining module 30 is configured to determine that the IP addresses in the current access data set are illegal IP addresses when, among the multiple subpages, there is a target subpage for which the difference between the current association access probability and the historical association access probability exceeds a preset numerical threshold.
Specifically, when, among the multiple subpages, there is a target subpage for which the difference between the current association access probability and the historical association access probability exceeds the preset numerical threshold, the determining module 30 can determine that the IP addresses in the current access data set are illegal IP addresses. For example, if the historical association access probability corresponding to a subpage is 35%, the current association access probability corresponding to that subpage is 85%, and the preset numerical threshold is 20%, then the difference (50%) between the current association access probability and the historical association access probability for that subpage exceeds the preset numerical threshold. The determining module 30 can therefore determine that the IP addresses in the current access data set are illegal IP addresses, so that protective measures against CC attacks are applied to the current access data set.
A CC attack is precisely the behavior of an attacker imitating the page accesses of a real user, which is equivalent to normal access of depth 1. Based on the Bayesian formula, the present invention can use historical data to train and estimate page access probabilities of depth 2 (that is, the historical association access probabilities), so the present invention avoids assessing whether an access is a malicious attack directly from the depth-1 page access probability. Moreover, from the fluctuation between the historical association access probabilities and the current association access probabilities calculated with the Bayesian formula, the present invention can determine whether the access habits of the users corresponding to the current access data set have changed substantially, and can thereby accurately identify whether simulated users carrying out a malicious attack are currently accessing the pages.
In the embodiment of the present invention, when the access traffic state is abnormal, the current association access probability between the target page and each of the multiple subpages is calculated, and the current association access probability between the target page and each subpage is compared with the historical association access probability between the target page and that subpage. When, among the multiple subpages, there is a target subpage for which the difference between the current association access probability and the historical association access probability exceeds the preset numerical threshold, the IP addresses in the current access data set can be determined to be illegal IP addresses. The present invention therefore no longer relies on manual effort, which greatly reduces labor cost. Because the current association access probabilities and the historical association access probabilities are calculated with the Bayesian formula, the page access habits of users can be analyzed accurately, and whether a network attack exists is determined from changes in those page access habits, which ensures the accuracy of network attack identification.
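The calculation and comparison described above, as an added example in Python (not code from the patent). The page paths, function names and the two constructed data sets are assumptions of this example, and P(x | D_j) is estimated here as the users who accessed both the subpage and the target page divided by the users who accessed the subpage.

```python
TARGET = "/x"                   # hypothetical target page X
SUBPAGES = ["/a", "/b", "/c"]   # hypothetical pre-screened subpages A, B, C


def association_probabilities(sessions, target, subpages):
    """Return {subpage: P(D_j | x)} for a data set {ip: set of pages accessed}."""
    total = len(sessions)
    weights = {}
    for sp in subpages:
        visitors = [pages for pages in sessions.values() if sp in pages]
        if not total or not visitors:
            weights[sp] = 0.0
            continue
        p_d = len(visitors) / total                        # P(D_j)
        p_x_given_d = sum(target in pages for pages in visitors) / len(visitors)
        weights[sp] = p_x_given_d * p_d                    # numerator of the formula
    denom = sum(weights.values())                          # sum over i of P(x|D_i)P(D_i)
    if denom == 0:
        # Nobody reached the target page through any subpage: nothing to compare.
        return {sp: 0.0 for sp in subpages}
    return {sp: w / denom for sp, w in weights.items()}


def deviating_subpages(current, historical, threshold):
    """Subpages whose current/historical difference exceeds the threshold."""
    out = {}
    for sp, cur in current.items():
        diff = abs(cur - historical.get(sp, 0.0))
        if diff > threshold:
            out[sp] = diff
    return out


def identify_attack(history_sessions, current_sessions, target, subpages, threshold):
    """Return (deviating subpages, IP addresses of the current data set to flag)."""
    historical = association_probabilities(history_sessions, target, subpages)
    current = association_probabilities(current_sessions, target, subpages)
    flagged = deviating_subpages(current, historical, threshold)
    # The description marks the IP addresses in the current access data set
    # once any subpage deviates; this example returns all of them.
    ips = sorted(current_sessions) if flagged else []
    return flagged, ips


def make_sessions(prefix, spec):
    """Build constructed sample data from (subpage, users, users_also_on_target)."""
    sessions, n = {}, 0
    for subpage, users, hits in spec:
        for k in range(users):
            n += 1
            pages = {subpage}
            if k < hits:
                pages.add(TARGET)
            sessions[f"{prefix}.{n}"] = pages
    return sessions


# Constructed data, documentation IP ranges. Normal traffic: half of the
# visitors of every subpage go on to the target page.
HISTORY = make_sessions("192.0.2", [("/a", 4, 2), ("/b", 6, 3), ("/c", 10, 5)])
# Abnormal traffic: nearly every visitor of /c goes on to the target page.
CURRENT = make_sessions("198.51.100", [("/a", 4, 1), ("/b", 6, 2), ("/c", 10, 9)])

if __name__ == "__main__":
    flagged, ips = identify_attack(HISTORY, CURRENT, TARGET, SUBPAGES, 0.20)
    print("deviating subpages:", flagged)
    print("flagged IP count:", len(ips))
```
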
Refer to Fig. 4, which is a schematic structural diagram of another network attack identification device provided by an embodiment of the present invention. The network attack identification device 1000 can include: at least one processor 1001 (for example a CPU), at least one network interface 1004, a user interface 1003, a memory 1005, and at least one communication bus 1002. The communication bus 1002 is used to implement connection and communication between these components. The user interface 1003 can include a display screen (Display) and a keyboard (Keyboard), and can optionally also include a standard wired interface and a standard wireless interface. The network interface 1004 can optionally include a standard wired interface and a wireless interface (such as a Wi-Fi interface). The memory 1005 can be a high-speed RAM memory or a non-volatile memory, for example at least one disk memory. The memory 1005 can optionally also be at least one storage device located remotely from the aforementioned processor 1001. As shown in Fig. 4, the memory 1005, as a computer storage medium, can include an operating system, a network communication module, a user interface module and a device control application program.
In the network attack identification device 1000 shown in Fig. 4, the user interface 1003 is mainly used to provide an input interface for the user and to obtain data output by the user; the processor 1001 can be used to call the device control application program stored in the memory 1005 and specifically perform the following steps:
When the access traffic state is abnormal, obtain a current access data set that includes current access data associated with the target page, and calculate, according to the Bayesian formula and the current access data set, the current association access probability between the target page and each of multiple subpages;
Compare the current association access probability between the target page and each subpage with the historical association access probability between the target page and that subpage; the historical association access probability is calculated according to the Bayesian formula and a historical access data set obtained while the access traffic state was normal;
When, among the multiple subpages, there is a target subpage for which the difference between the current association access probability and the historical association access probability exceeds a preset numerical threshold, determine that the IP addresses in the current access data set are illegal IP addresses.
In one embodiment, the processor 1001 also performs the following steps:
Obtain the historical access data set from a period during which the access traffic state was normal; the historical access data set includes historical access data associated with the target page;
Calculate, according to the Bayesian formula and the historical access data set, the historical association access probability between the target page and each subpage.
In one embodiment, when obtaining the current access data set that includes current access data associated with the target page and calculating, according to the Bayesian formula and the current access data set, the current association access probability between the target page and each of the multiple subpages, the processor 1001 specifically performs the following steps:
Obtain the current access data set that includes current access data associated with the target page;
According to the current access data set, calculate the probability of accessing each corresponding subpage, to obtain the subpage access probability corresponding to each subpage;
According to the current access data set, calculate the probability of having accessed the target page under the condition of having accessed each corresponding subpage, to obtain the conditional access probability corresponding to each subpage;
According to the Bayesian formula, each subpage access probability and each conditional access probability, calculate the probability of accessing each corresponding subpage under the condition of having accessed the target page, to obtain the current association access probability between the target page and each subpage.
In one embodiment, the Bayesian formula is specifically:
$$P(D_j \mid x) = \frac{P(x \mid D_j)\,P(D_j)}{\sum_{i=1}^{n} P(x \mid D_i)\,P(D_i)}, \quad j \in [1, n]$$
where j is an integer, P(x | D_j) is the conditional access probability corresponding to the j-th subpage, P(D_j) is the subpage access probability corresponding to the j-th subpage, P(x | D_i) is the conditional access probability corresponding to the i-th subpage, P(D_i) is the subpage access probability corresponding to the i-th subpage, and P(D_j | x) is the current association access probability between the target page and the j-th subpage.
In one embodiment, before obtaining, when the access traffic state is abnormal, the current access data set that includes current access data associated with the target page and calculating, according to the Bayesian formula and the current access data set, the current association access probability between the target page and each of the multiple subpages, the processor 1001 also performs the following steps:
Detect whether the access traffic per unit time in the current network exceeds a preset traffic threshold;
If the detection result is yes, determine that the access traffic state is abnormal;
If the detection result is no, determine that the access traffic state is normal.
In the embodiment of the present invention, when the access traffic state is abnormal, the current association access probability between the target page and each of the multiple subpages is calculated, and the current association access probability between the target page and each subpage is compared with the historical association access probability between the target page and that subpage. When, among the multiple subpages, there is a target subpage for which the difference between the current association access probability and the historical association access probability exceeds the preset numerical threshold, the IP addresses in the current access data set can be determined to be illegal IP addresses. The present invention therefore no longer relies on manual effort, which greatly reduces labor cost. Because the current association access probabilities and the historical association access probabilities are calculated with the Bayesian formula, the page access habits of users can be analyzed accurately, and whether a network attack exists is determined from changes in those page access habits, which ensures the accuracy of network attack identification.
A person of ordinary skill in the art will understand that all or part of the flows in the methods of the above embodiments can be completed by a computer program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, can include the flows of the embodiments of the above methods. The storage medium can be a magnetic disk, an optical disc, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM), or the like.
The above disclosure is only a preferred embodiment of the present invention and certainly cannot be used to limit the scope of rights of the present invention; equivalent variations made according to the claims of the present invention therefore still fall within the scope covered by the present invention.

Claims (10)

  1. A method for identifying a network attack, characterized by comprising:
    when the access traffic state is abnormal, obtaining a current access data set that includes current access data associated with a target page, and calculating, according to a Bayesian formula and the current access data set, the current association access probability between the target page and each of multiple subpages;
    comparing the current association access probability between the target page and each subpage with the historical association access probability between the target page and that subpage; the historical association access probability being calculated according to the Bayesian formula and a historical access data set obtained while the access traffic state was normal;
    when, among the multiple subpages, there is a target subpage for which the difference between the current association access probability and the historical association access probability exceeds a preset numerical threshold, determining that the user Internet Protocol (IP) addresses in the current access data set are illegal IP addresses.
  2. The method according to claim 1, characterized by further comprising:
    obtaining the historical access data set from a period during which the access traffic state was normal; the historical access data set including historical access data associated with the target page;
    calculating, according to the Bayesian formula and the historical access data set, the historical association access probability between the target page and each subpage.
  3. The method according to claim 1, characterized in that obtaining the current access data set that includes current access data associated with the target page, and calculating, according to the Bayesian formula and the current access data set, the current association access probability between the target page and each of the multiple subpages, comprises:
    obtaining the current access data set that includes current access data associated with the target page;
    according to the current access data set, calculating the probability of accessing each corresponding subpage, to obtain the subpage access probability corresponding to each subpage;
    according to the current access data set, calculating the probability of having accessed the target page under the condition of having accessed each corresponding subpage, to obtain the conditional access probability corresponding to each subpage;
    according to the Bayesian formula, each subpage access probability and each conditional access probability, calculating the probability of accessing each corresponding subpage under the condition of having accessed the target page, to obtain the current association access probability between the target page and each subpage.
  4. The method according to claim 3, characterized in that the Bayesian formula is specifically:
    $$P(D_j \mid x) = \frac{P(x \mid D_j)\,P(D_j)}{\sum_{i=1}^{n} P(x \mid D_i)\,P(D_i)}, \quad j \in [1, n]$$
    where j is an integer, P(x | D_j) is the conditional access probability corresponding to the j-th subpage, P(D_j) is the subpage access probability corresponding to the j-th subpage, P(x | D_i) is the conditional access probability corresponding to the i-th subpage, P(D_i) is the subpage access probability corresponding to the i-th subpage, and P(D_j | x) is the current association access probability between the target page and the j-th subpage.
  5. The method according to claim 1, characterized in that, before obtaining, when the access traffic state is abnormal, the current access data set that includes current access data associated with the target page and calculating, according to the Bayesian formula and the current access data set, the current association access probability between the target page and each of the multiple subpages, the method further comprises:
    detecting whether the access traffic per unit time in the current network exceeds a preset traffic threshold;
    if the detection result is yes, determining that the access traffic state is abnormal;
    if the detection result is no, determining that the access traffic state is normal.
  6. A device for identifying a network attack, characterized by comprising:
    an acquisition and calculation module, configured to, when the access traffic state is abnormal, obtain a current access data set that includes current access data associated with a target page, and calculate, according to a Bayesian formula and the current access data set, the current association access probability between the target page and each of multiple subpages;
    a comparison module, configured to compare the current association access probability between the target page and each subpage with the historical association access probability between the target page and that subpage; the historical association access probability being calculated according to the Bayesian formula and a historical access data set obtained while the access traffic state was normal;
    a determining module, configured to determine that the IP addresses in the current access data set are illegal IP addresses when, among the multiple subpages, there is a target subpage for which the difference between the current association access probability and the historical association access probability exceeds a preset numerical threshold.
  7. The device according to claim 6, characterized in that:
    the acquisition and calculation module is further configured to obtain the historical access data set from a period during which the access traffic state was normal; the historical access data set including historical access data associated with the target page;
    the acquisition and calculation module is further configured to calculate, according to the Bayesian formula and the historical access data set, the historical association access probability between the target page and each subpage.
  8. The device according to claim 6, characterized in that the acquisition and calculation module comprises:
    an acquiring unit, configured to obtain the current access data set that includes current access data associated with the target page;
    a computing unit, configured to calculate, according to the current access data set, the probability of accessing each corresponding subpage, to obtain the subpage access probability corresponding to each subpage;
    the computing unit being further configured to calculate, according to the current access data set, the probability of having accessed the target page under the condition of having accessed each corresponding subpage, to obtain the conditional access probability corresponding to each subpage;
    the computing unit being further configured to calculate, according to the Bayesian formula, each subpage access probability and each conditional access probability, the probability of accessing each corresponding subpage under the condition of having accessed the target page, to obtain the current association access probability between the target page and each subpage.
  9. The device according to claim 8, characterized in that the Bayesian formula is specifically:
    $$P(D_j \mid x) = \frac{P(x \mid D_j)\,P(D_j)}{\sum_{i=1}^{n} P(x \mid D_i)\,P(D_i)}, \quad j \in [1, n]$$
    where j is an integer, P(x | D_j) is the conditional access probability corresponding to the j-th subpage, P(D_j) is the subpage access probability corresponding to the j-th subpage, P(x | D_i) is the conditional access probability corresponding to the i-th subpage, P(D_i) is the subpage access probability corresponding to the i-th subpage, and P(D_j | x) is the current association access probability between the target page and the j-th subpage.
  10. 10. device as claimed in claim 6, it is characterised in that also include:
    Detection module, for detecting whether the flowing of access in current network in the unit interval exceedes preset flow Threshold value;
    State determining module, it is if being detected as the detection module, it is determined that the flowing of access state For abnormality;
    The state determining module, if be additionally operable to the detection module be detected as it is no, it is determined that it is described access stream Amount state is normal condition.
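The Bayesian formula of claim 9 and the traffic check of claim 10, worked through as an added example that is not part of the patent text. It assumes each session is attributed to exactly one subpage, so the D_i are mutually exclusive and the P(D_i) sum to 1; the session records, page paths and function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample: one record per session, as
# (subpage D_j visited, whether target page x was also visited).
SESSIONS = (
    [("/news", True)] * 30 + [("/news", False)] * 20
    + [("/shop", True)] * 5 + [("/shop", False)] * 25
    + [("/login", True)] * 18 + [("/login", False)] * 2
)


def estimate(sessions):
    """Estimate P(D_j) and P(x | D_j) for every subpage from session counts."""
    if not sessions:
        raise ValueError("no sessions to estimate from")
    total = Counter(sub for sub, _ in sessions)
    with_x = Counter(sub for sub, hit in sessions if hit)
    n = len(sessions)
    prior = {d: c / n for d, c in total.items()}        # P(D_j)
    cond = {d: with_x[d] / total[d] for d in total}     # P(x | D_j)
    return prior, cond


def associated_access_probability(prior, cond):
    """P(D_j | x) = P(x | D_j) P(D_j) / sum_i P(x | D_i) P(D_i), for all j."""
    if set(prior) != set(cond):
        raise ValueError("prior and conditional must cover the same subpages")
    evidence = sum(cond[d] * prior[d] for d in prior)   # denominator, P(x)
    if evidence == 0:
        # Target page never accessed in the sample: the posterior is undefined.
        return {}
    return {d: cond[d] * prior[d] / evidence for d in prior}


def traffic_state(traffic_in_unit_time, threshold):
    """Claim 10: abnormal only when traffic in the unit time exceeds the threshold."""
    return "abnormal" if traffic_in_unit_time > threshold else "normal"


if __name__ == "__main__":
    prior, cond = estimate(SESSIONS)
    for page, p in sorted(associated_access_probability(prior, cond).items()):
        print(f"P({page} | x) = {p:.4f}")
    print(traffic_state(12_000, threshold=10_000))
```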
CN201610345863.1A 2016-05-23 2016-05-23 Network attack identification method and device Active CN107426136B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610345863.1A CN107426136B (en) 2016-05-23 2016-05-23 Network attack identification method and device

Publications (2)

Publication Number Publication Date
CN107426136A true CN107426136A (en) 2017-12-01
CN107426136B CN107426136B (en) 2020-01-14

Family

ID=60422433

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610345863.1A Active CN107426136B (en) 2016-05-23 2016-05-23 Network attack identification method and device

Country Status (1)

Country Link
CN (1) CN107426136B (en)

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101150586A (en) * 2007-11-20 2008-03-26 杭州华三通信技术有限公司 CC attack prevention method and device
CN104967629A (en) * 2015-07-16 2015-10-07 网宿科技股份有限公司 Network attack detection method and apparatus
CN104935609A (en) * 2015-07-17 2015-09-23 北京京东尚科信息技术有限公司 Network attack detection method and detection apparatus
CN105429936A (en) * 2015-10-21 2016-03-23 北京交通大学 Defense method and apparatus of malicious occupation of storage resources in private network router

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109167773A (en) * 2018-08-22 2019-01-08 杭州安恒信息技术股份有限公司 A kind of access exception detection method and system based on Markov model
CN109167773B (en) * 2018-08-22 2021-01-26 杭州安恒信息技术股份有限公司 Access anomaly detection method and system based on Markov model
CN110505232A (en) * 2019-08-27 2019-11-26 百度在线网络技术(北京)有限公司 The detection method and device of network attack, electronic equipment, storage medium
CN111190926A (en) * 2019-11-25 2020-05-22 腾讯云计算(北京)有限责任公司 Resource caching method, device, equipment and storage medium
CN111079138A (en) * 2019-12-19 2020-04-28 北京天融信网络安全技术有限公司 Abnormal access detection method and device, electronic equipment and readable storage medium
CN111669379A (en) * 2020-05-28 2020-09-15 北京天空卫士网络安全技术有限公司 Behavior abnormity detection method and device
CN111669379B (en) * 2020-05-28 2022-02-22 北京天空卫士网络安全技术有限公司 Behavior abnormity detection method and device

Also Published As

Publication number Publication date
CN107426136B (en) 2020-01-14

Similar Documents

Publication Publication Date Title
CN109831465B (en) Website intrusion detection method based on big data log analysis
CN107426136A (en) A kind of recognition methods of network attack and device
CN110602029B (en) Method and system for identifying network attack
CN106209862A (en) A kind of steal-number defence implementation method and device
CN103593609B (en) Trustworthy behavior recognition method and device
CN109962903A (en) A kind of home gateway method for safety monitoring, device, system and medium
CN102945340A (en) Information object detection method and system
CN108334758A (en) A kind of detection method, device and the equipment of user's ultra vires act
CN101505247A (en) Detection method and apparatus for number of shared access hosts
WO2022042194A1 (en) Block detection method and apparatus for login device, server, and storage medium
TWI234974B (en) Methodology of predicting distributed denial of service based on gray theory
CN108881138A (en) A kind of web-page requests recognition methods and device
CN106685899A (en) Method and device for identifying malicious access
CN110096013A (en) A kind of intrusion detection method and device of industrial control system
CN109218294A (en) Anti-scanning method, device and server based on machine learning bayesian algorithm
CN107231383B (en) CC attack detection method and device
CN112671724A (en) Terminal security detection analysis method, device, equipment and readable storage medium
CN105813114B (en) A kind of shared host method and device of determining access
CN107135199B (en) Method and device for detecting webpage backdoor
US11245712B2 (en) Method and apparatus for generating virtual malicious traffic template for terminal group including device infected with malicious code
CN107426132A (en) The detection method and device of network attack
CN112989158A (en) Method, device and storage medium for identifying webpage crawler behavior
CN113132316A (en) Web attack detection method and device, electronic equipment and storage medium
CN107294986B (en) A kind of method, apparatus and system of access HTTPS websites
CN113542252A (en) Detection method, detection model and detection device for Web attack

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20231227

Address after: 518057 Tencent Building, No. 1 High-tech Zone, Nanshan District, Shenzhen City, Guangdong Province, 35 floors

Patentee after: TENCENT TECHNOLOGY (SHENZHEN) Co.,Ltd.

Patentee after: TENCENT CLOUD COMPUTING (BEIJING) Co.,Ltd.

Address before: 2, 518000, East 403 room, SEG science and Technology Park, Zhenxing Road, Shenzhen, Guangdong, Futian District

Patentee before: TENCENT TECHNOLOGY (SHENZHEN) Co.,Ltd.