CN107682345A - Detection method, detection means and the electronic equipment of IP address - Google Patents


Info

Publication number
CN107682345A
Authority
CN
China
Prior art keywords
address
curve
time period
preset time
detected
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201710970197.5A
Other languages
Chinese (zh)
Other versions
CN107682345B (en)
Inventor
张凯
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing QIYI Century Science and Technology Co Ltd
Original Assignee
Beijing QIYI Century Science and Technology Co Ltd
Application filed by Beijing QIYI Century Science and Technology Co Ltd
Priority to CN201710970197.5A
Publication of CN107682345A
Application granted
Publication of CN107682345B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/16 Threshold monitoring

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Embodiments of the invention provide an IP address detection method, a detection apparatus and an electronic device. The method obtains service requests from multiple services, each service request carrying an IP address. From the IP address curve of each of the multiple IP addresses within a preset time period, a baseline curve of the multiple IP addresses within the preset time period is obtained; an IP address curve represents the correspondence between the number of occurrences of an IP address and time, and the baseline curve represents the average change, within the preset time period, in the number of occurrences of the multiple IP addresses. The offset of an IP address to be detected within the preset time period is then obtained; the offset is determined from the curve of the IP address to be detected and the baseline curve. When the offset is greater than a preset offset threshold, the IP address to be detected is determined to be an abnormal IP address. The method evaluates an IP address as a whole and judges whether it is a normal IP address, which improves the accuracy of identifying normal IP addresses.

Description

Detection method, detection means and the electronic equipment of IP address
Technical field
The present invention relates to the field of big data technology, and in particular to an Internet Protocol (IP) address detection method, detection apparatus and electronic device.
Background
At present, in the field of network security, the IP address has always been a dimension that is difficult to evaluate accurately; that is, judging from the IP address alone whether an IP address is a safe public egress IP address is very difficult. Given this, some Internet enterprises (such as iqiyi.com) obtain information about the relevant IP addresses from a third-party company and use it as the basis for using those IP addresses. The third-party company specializes in network security and holds all information on the relevant IP addresses, such as network threat intelligence.
However, in the course of realizing the present invention, the inventor found that the prior art has at least the following problems:
When a third-party company examines an IP address, it only counts whether certain irregular behaviour has occurred. The irregular (or malicious) behaviour may be: whether user accounts were stolen, whether spam was sent, or whether viruses were spread. In other words, the third-party company mainly detects whether an IP address showed malicious behaviour at one point in time, or over a period of time, and does not examine the normal behaviour of that IP address. This makes the resulting evaluation of the IP address inaccurate.
As shown in Fig. 1, taking a detection period of one day as an example, when the third-party company examines IP address x used by a user device, it detects that IP address x sent one spam email at 8 a.m., and at that point it classifies IP address x as a malicious IP address. Yet everything IP address x sent during the rest of the day was normal email. The share of normal behaviour for IP address x is therefore very high, i.e. IP address x is, with high probability, no threat. Once the third-party company reports the behaviour information of IP address x to the Internet enterprise, IP address x is wrongly flagged.
It can be seen that the IP address information provided by the third-party company is not comprehensive and cannot accurately measure how threatening an IP address is, so normal IP addresses are wrongly flagged.
Summary of the invention
The purpose of the embodiments of the present invention is to provide an IP address detection method, detection apparatus, electronic device and server that use the long-term continuous behaviour information (both normal and malicious behaviour) of the IP addresses used by users to evaluate an IP address as a whole, improving the accuracy of identifying abnormal IP addresses. The specific technical solution is as follows:
In a first aspect, an IP address detection method is provided. The method may be executed by a server and may include: obtaining service requests from multiple services, each service request carrying an IP address; obtaining, from the IP address curve of each of the multiple IP addresses within a preset time period, a baseline curve of the multiple IP addresses within the preset time period, where an IP address curve represents the correspondence between the number of occurrences of an IP address and time, and the baseline curve represents the average change of the multiple IP addresses within the preset time period; obtaining the offset of an IP address to be detected within the preset time period, the offset being determined from the curve of the IP address to be detected and the baseline curve; and, when the offset is greater than a preset offset threshold, determining that the IP address to be detected is an abnormal IP address (or malicious IP address).
In an optional implementation, obtaining the baseline curve of the multiple IP addresses within the preset time period from the IP address curve of each IP address includes: obtaining the baseline curve from the average, over the multiple IP addresses, of the number of occurrences at each time point within the preset time period.
In an optional implementation, after the baseline curve of the multiple IP addresses within the preset time period is obtained from the IP address curve of each IP address, the method further includes: selecting the IP address to be detected from the multiple IP addresses; and, based on the recorded IP address information of the IP address to be detected, obtaining the IP address curve to be detected, i.e. the number of occurrences of the IP address to be detected over time within the preset time period.
In an optional implementation, the curve information includes a curve coefficient of variation, which is the ratio of the variance of the per-time-point request counts at all time points on the curve within the preset time period to the average of the per-time-point request counts at all time points on the curve within the preset time period. The curve coefficient of variation Y can be calculated as Y = S/M, where S is the variance of the per-time-point request counts at all time points on the curve, M is the average of the per-time-point request counts at all time points on the curve within the preset time period, and S and M are both greater than zero.
In an optional implementation, the offset between the curve information of the IP address to be detected within the preset time period and the baseline curve information is the difference between the curve coefficient of variation of the baseline curve and the curve coefficient of variation of the IP address to be detected. The offset X can be calculated as X = Y1 - Y2, where Y1 is the curve coefficient of variation of the baseline curve, Y2 is the curve coefficient of variation of the IP address to be detected, and Y1 and Y2 are both greater than zero.
In a second aspect, a detection apparatus is provided. The apparatus may include an acquisition module and a determining module.
The acquisition module is configured to obtain service requests from multiple services, each service request carrying an IP address. The acquisition module is configured to obtain, from the IP address curve of each of the multiple IP addresses within a preset time period, a baseline curve of the multiple IP addresses within the preset time period, where an IP address curve represents the correspondence between the number of occurrences of an IP address and time, and the baseline curve represents the average change of the multiple IP addresses within the preset time period. The acquisition module is further configured to obtain the offset of an IP address to be detected within the preset time period, the offset being determined from the curve of the IP address to be detected and the baseline curve. The determining module is configured to determine, when the offset is greater than a preset offset threshold, that the IP address to be detected is an abnormal IP address.
In an optional implementation, the acquisition module is further configured to obtain the baseline curve of the multiple IP addresses within the preset time period from the average, over the multiple IP addresses, of the number of occurrences at each time point within the preset time period.
In an optional implementation, the acquisition unit is further configured to select the IP address to be detected from the multiple IP addresses; the acquisition unit is further configured to obtain, based on the recorded IP address information of the IP address to be detected, the IP address curve to be detected, i.e. the number of occurrences of the IP address to be detected over time within the preset time period.
In an optional implementation, the curve information includes a curve coefficient of variation, which is the ratio of the variance of the per-time-point request counts at all time points on the curve within the preset time period to the average of the per-time-point request counts at all time points on the curve within the preset time period. The curve coefficient of variation Y can be calculated as Y = S/M, where S is the variance of the per-time-point request counts at all time points on the curve, and M is the average of the per-time-point request counts at all time points on the curve within the preset time period. S and M are both greater than zero.
In an optional implementation, the offset between the curve information of the IP address to be detected within the preset time period and the baseline curve information is the difference between the curve coefficient of variation of the baseline curve and the curve coefficient of variation of the IP address to be detected. The curve coefficient of variation Y can be calculated as Y = S/M, where S is the variance of the per-time-point request counts at all time points on the curve, and M is the average of the per-time-point request counts at all time points on the curve within the preset time period. Y1 and Y2 are both greater than zero.
In a third aspect, an electronic device is provided. The electronic device may include a processor, a communication interface, a memory and a communication bus, where the processor, the communication interface and the memory communicate with one another over the communication bus. The memory is configured to store a computer program; the processor is configured to carry out the method steps of the first aspect when executing the program stored in the memory.
In a fourth aspect, a server is provided. The server includes the electronic device of the third aspect.
In another aspect of the present invention, a computer-readable storage medium is also provided. The storage medium stores instructions that, when run on a computer, cause the computer to perform any of the IP address detection methods described above.
In another aspect of the present invention, the embodiments also provide a computer program product containing instructions that, when run on a computer, cause the computer to perform any of the IP address detection methods described above.
The embodiments of the present invention provide an IP address detection method, detection apparatus, electronic device and server. From the IP addresses in the service requests sent by multiple IP addresses, this application records the curve of each of the multiple IP addresses within a long, continuous preset time period and the baseline curve of the multiple IP addresses within that period, which reflect the long-term continuous behaviour information of the IP addresses (both normal and malicious behaviour). When, within the long, continuous preset time period, the offset between the curve information of the IP address to be detected and the curve information of the baseline curve is not less than the preset offset threshold, the IP address to be detected is determined to be an abnormal IP address. The method evaluates an IP address as a whole and judges whether it is a normal IP address, which improves the accuracy of identifying normal IP addresses. Of course, a product or method implementing the present invention does not necessarily need to achieve all of the above advantages at the same time.
Brief description of the drawings
To illustrate the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below.
Fig. 1 is a schematic diagram of a detection record for an IP address x;
Fig. 2 is a system architecture diagram provided by an embodiment of the present invention;
Fig. 3 is a schematic flowchart of an IP address detection method provided by an embodiment of the present invention;
Fig. 4 is a schematic diagram of the coordinate axes of an IP address access curve provided by an embodiment of the present invention;
Fig. 5 is a schematic diagram of a baseline curve provided by an embodiment of the present invention;
Fig. 6 is a schematic diagram of the curve of an IP address to be detected provided by an embodiment of the present invention;
Fig. 7 is a schematic diagram of the curve of another IP address to be detected provided by an embodiment of the present invention;
Fig. 8 is a schematic structural diagram of a detection apparatus provided by an embodiment of the present invention;
Fig. 9 is a schematic structural diagram of an electronic device provided by an embodiment of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described below with reference to the drawings in the embodiments.
The method for detecting public egress IP addresses provided by this application can be applied in the network system architecture shown in Fig. 2. The network system may include a server and user devices, which can exchange instructions and data over a network. The server may be an application server (such as the iqiyi.com server).
When an attacker engaged in the underground economy (such as a hacker) mounts an attack using a normal IP address, every user device that has that IP address information may be attacked. The attack (malicious behaviour) may be abnormal behaviour such as stealing user accounts, inflating counts (for example inflating website traffic, application downloads or order volume), or spreading network viruses. By monitoring IP address 1 and IP address 2 separately over a long period, it can be found that the fluctuation of the attack behaviour that an attacker carries out against the server using IP address 1 differs in some respects, for example in its distribution over time, from the fluctuation of the normal behaviour of a normal user accessing the server through IP address 2.
By monitoring over the long term the service requests of multiple IP addresses in services, this application obtains how the accesses of multiple IP addresses to the same server fluctuate over time, and finds the abnormal IP addresses.
Optionally, because attackers engaged in the underground economy are usually devices (or machines), obtaining how an IP address's activity fluctuates over time also helps analyse whether the IP address is being used by a normal user (a real person), and can assist in identifying common automated attack forms such as credential stuffing (account theft).
Fig. 3 is a schematic flowchart of an IP address detection method provided by an embodiment of the present invention. As shown in Fig. 3, the method may be executed by a server and may include:
Step 310: obtain service requests from multiple services, each service request including an IP address.
A user device sends service requests to the server from an IP address, and the server collects the service requests of multiple services, such as login requests, video requests or purchase requests. Each service request includes IP address information, such as IP1 address information, IP2 address information and IP3 address information, where the IP1, IP2 and IP3 address information all come from different IP addresses; the IP address information is the number of occurrences of the IP address at each time point. In the embodiments of the present invention, "multiple" means at least two.
Step 320: from the IP address curve of each of the multiple IP addresses within a preset time period, obtain a baseline curve of the multiple IP addresses within the preset time period. An IP address curve represents the correspondence between the number of occurrences of that IP address and time, and the baseline curve represents the average change over time in the number of occurrences of the multiple IP addresses.
The preset time period may be the time of one cycle for an IP address, for example the IP address information within the 24 hours of one day. By recording the number of occurrences of each IP address over time, the distribution of each IP address's occurrences over time is obtained, i.e. the IP address curve (also called the IP address access curve) along which the number of occurrences of each IP address changes over time within the preset time period. The number of occurrences at each time point on the IP address curve may include normal occurrences and may also include abnormal occurrences, so the curve can reflect both the normal and the abnormal behaviour of the IP address.
Take the number of occurrences of IP addresses within a preset 24 hours as an example. If there are 5 different IP addresses, and the number of occurrences of the 5 different IP addresses at each time point (such as 1:00, 2:00, 3:00 and so on within the 24 hours) is recorded over the 24 hours, then the curve of each IP address's occurrences over time is obtained from the recorded number of occurrences at each time point.
As shown in Fig. 4, the horizontal axis T of the curve coordinates is time (the distribution time points), and the vertical axis N is the number of occurrences of the IP address (its usage). By recording the number of occurrences of each IP address at each time point, a continuous curve of that IP address's occurrences over continuous time is obtained.
Step 330: obtain the offset of the IP address to be detected within the preset time period. The offset is determined from the curve of the IP address to be detected and the baseline curve.
When the offset between the curve information of the IP address to be detected within the preset time period and the baseline curve information is greater than the preset offset threshold, step 340 is performed.
Step 340: determine that the IP address to be detected is an abnormal IP address.
The server identifies from the offset whether the IP address to be detected is an abnormal IP address.
When the offset is greater than the preset offset threshold, the server determines that the IP address to be detected is an abnormal IP address, i.e. the difference between the curve coefficient of variation of the IP address curve to be detected and the curve coefficient of variation of the baseline curve is too large.
When the offset is not greater than the preset offset threshold, the server determines that the IP address to be detected is a normal IP address, i.e. the difference between the curve coefficient of variation of the IP address curve to be detected and the curve coefficient of variation of the baseline curve is small or zero. For example, curve I0 and curve I1 have almost the same shape, so the gap between the two is small.
Taking a preset time of 24 hours and a preset offset threshold of 0.02 as an example, the number of occurrences of curve I0, curve I1 and curve I2 at each time point within the 24 hours may be as shown in Table 1.
Table 1
From the information in Table 1:
The average number of occurrences M0 of curve I0 within the 24 hours is 2142.5 and the variance S0 of the number of occurrences is 920.141519912, so the coefficient of variation Y0 of curve I0 is 0.429470954;
The average number of occurrences M1 of curve I1 within the 24 hours is 1653.041666667 and the variance S1 of the number of occurrences is 678.513907937, so the coefficient of variation Y1 of curve I1 is 0.410463887;
The average number of occurrences M2 of curve I2 within the 24 hours is 688.83333333 and the variance S2 of the number of occurrences is 327.942533923, so the coefficient of variation Y2 of curve I2 is 0.194182888.
The offset between curve I0 and curve I1 is the difference between 0.429470954 and 0.410463887, which is 0.019; the offset between curve I0 and curve I2 is the difference between 0.429470954 and 0.194182888, which is 0.235.
The offset of 0.019 between curve I0 and curve I1 is less than 0.02, which shows that the gap between curve I0 and curve I1 is small. The offset of 0.235 between curve I0 and curve I2 is greater than 0.02, which shows that the gap between curve I0 and curve I2 is large.
It should be noted that the preset offset threshold can be customized according to the actual situation and the required identification accuracy.
In summary, from the IP addresses in the service requests of multiple IP addresses, the method provided by this application records the curve of the number of occurrences (both normal and abnormal occurrences) of each IP address within a long, continuous preset time period, together with the baseline curve. When, within the long, continuous preset time period, the offset between the curve information of the IP address to be detected and the curve information of the baseline curve is not less than the preset offset threshold, the IP address to be detected is determined to be an abnormal IP address. The method evaluates an IP address as a whole and judges whether it is an abnormal IP address, which improves the accuracy of identifying abnormal IP addresses.
In an optional embodiment, the IP address information involved in step 310 may, in the embodiments of this application, be the number of occurrences of the IP address at each time point. A time point is a moment at which the IP address occurrence count is collected; for example, when collecting IP address occurrence counts from 8:00 to 10:00, the time points chosen may be 8:15, 8:30, 8:45, 9:00 ... 9:45, 10:00.
From the recorded number of occurrences over time of each of the multiple IP addresses within the preset time period, the average number of occurrences of the multiple IP addresses over time within the preset time period is obtained. This gives the average change curve of the multiple IP addresses over time within the preset time period, i.e. the baseline curve; it will be understood that the baseline curve may also be called the average curve.
From the multiple IP addresses obtained, the server can derive the curve of the multiple IP addresses over time, as shown in Fig. 5. Curve I0 shows an access state (frequency of use) that is high during the day and low at night, with two peaks, at the lunch break and after work.
It can be seen that, within the preset time period, recording the number of occurrences of IP addresses over time makes it possible to compute accurately the average number of occurrences of the multiple IP addresses at each time point, and to present it visually in the form of the baseline curve, which improves the readability of the data.
In an optional embodiment, before step 330 is performed, the server needs to obtain the IP address to be detected. The IP address to be detected may be chosen from the multiple IP addresses obtained above, or a new IP address may be detected. Using the method described above for obtaining the curve information of each IP address, the server obtains the IP address curve to be detected for the IP address to be detected within the preset time period.
In one example, the curve formed by the IP address to be detected may be curve I1 as shown in Fig. 6; curve I1 shows an access state (frequency of use) that is high during the day and low at night, peaking at the lunch break and low after work. Alternatively, the curve formed by the IP address to be detected may be curve I2 as shown in Fig. 7; curve I2 shows an access state (frequency of use) that is low during the day and high at night, with two troughs, at the lunch break and after work.
It can be seen that obtaining the IP address curve to be detected within the preset time period makes it possible to observe directly how the IP address to be detected is used over time, which strengthens the ability to tell humans from machines, i.e. to identify easily whether the IP address to be detected is being used by a normal user or by an attacking machine. The identification criterion may be that a normal user uses the IP address according to a certain work-and-rest pattern, whereas an attacking machine does not use the IP address according to any work-and-rest pattern, for example using the IP address continuously.
In an optional embodiment, the server obtains, based on the acquired IP address information of the IP address to be detected, the curve of the IP address to be detected within the preset time period, and obtains the curve coefficient of variation of that curve.
In step 320, the curve information on an IP address curve is obtained; the curve information may include the curve coefficient of variation. The curve coefficient of variation is the ratio of the variance of the per-time-point request counts at all time points on the curve within the preset time period to the average of the per-time-point request counts at all time points on the curve within the preset time period. The per-time-point request count is the count corresponding to each time point.
The curve coefficient of variation Y can be calculated as Y = S/M, where S is the variance of the per-time-point request counts at all time points on the curve, M is the average of the per-time-point request counts at all time points on the curve within the preset time period, and S and M are both greater than zero.
It can be seen that the curve coefficient of variation captures well the degree of variation of the IP address curve to be detected and the degree of variation of the baseline curve.
In an optional embodiment, after step 330, the server can also obtain the offset between the curve information of the IP address to be detected within the preset time period and the curve information of the baseline curve. This offset is the difference between the curve coefficient of variation of the baseline curve and the curve coefficient of variation of the IP address to be detected.
The offset X can be calculated as X = Y1 - Y2, where Y1 is the curve coefficient of variation of the baseline curve, Y2 is the curve coefficient of variation of the IP address to be detected, and Y1 and Y2 are both greater than zero.
Comparing the curve coefficient of variation of the baseline curve with the curve coefficient of variation of the IP address curve to be detected makes it convenient to detect how far the IP address curve to be detected deviates from the baseline curve, and thereby to determine whether the IP address to be detected is an abnormal IP address.
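Steps 310 to 340 carried through on constructed data, as an added example that is not code from the patent: requests are counted into hourly IP address curves, the baseline curve is the per-hour mean, and each IP address is scored with Y = S/M and X = Y1 - Y2 against the 0.02 threshold. The function names, sample addresses and counts are constructed; the `spread` switch (the text calls S the variance, while the conventional coefficient of variation uses the standard deviation), the use of population statistics and the `absolute` option are assumptions added here.

```python
"""Baseline-offset check for per-IP request curves (added example)."""
from collections import Counter
from statistics import mean, pstdev, pvariance

SLOTS = 24  # one time point per hour over a 24-hour preset time period


def build_curves(requests):
    """Step 310/320: turn (hour, ip) request records into {ip: [count per hour]}."""
    counts = Counter(requests)
    ips = {ip for _, ip in counts}
    return {ip: [counts[(h, ip)] for h in range(SLOTS)] for ip in ips}


def baseline_curve(curves):
    """Baseline curve: mean occurrence count over all IPs at each time point."""
    return [mean(c[h] for c in curves.values()) for h in range(SLOTS)]


def coefficient_of_variation(curve, spread="std"):
    """Y = S / M for one curve.

    spread="variance" takes S literally as the text words it; spread="std"
    uses the standard deviation (the conventional coefficient of variation).
    Population statistics are an assumption; the text does not say which.
    """
    m = mean(curve)
    if m <= 0:
        raise ValueError("empty curve: Y = S/M is undefined (M must be > 0)")
    s = pvariance(curve) if spread == "variance" else pstdev(curve)
    return s / m  # a perfectly flat (always-on) curve yields 0


def offset(baseline, curve, spread="std"):
    """Step 330: X = Y1 - Y2, baseline coefficient minus candidate coefficient."""
    return (coefficient_of_variation(baseline, spread)
            - coefficient_of_variation(curve, spread))


def classify(curves, threshold=0.02, spread="std", absolute=False):
    """Step 340: return {ip: (offset, is_abnormal)}.

    The signed rule X > threshold only flags curves that vary LESS than the
    baseline; a curve that varies more gives a negative X and passes.
    absolute=True compares |X| instead (an addition, not in the text).
    """
    base = baseline_curve(curves)
    result = {}
    for ip, curve in curves.items():
        x = offset(base, curve, spread)
        result[ip] = (x, (abs(x) if absolute else x) > threshold)
    return result


# Constructed sample data: three IPs with a day/night rhythm at different
# volumes and one IP that sends the same number of requests every hour.
DIURNAL = [2, 1, 1, 1, 1, 2, 4, 8, 12, 14, 15, 18,
           20, 16, 14, 13, 14, 16, 20, 22, 18, 12, 6, 3]


def sample_requests():
    profiles = {
        "192.0.2.10": DIURNAL,
        "192.0.2.11": [2 * n for n in DIURNAL],
        "192.0.2.12": [3 * n for n in DIURNAL],
        "198.51.100.7": [10] * SLOTS,  # flat, machine-like usage
    }
    return [(h, ip) for ip, p in profiles.items()
            for h in range(SLOTS) for _ in range(p[h])]


if __name__ == "__main__":
    verdicts = classify(build_curves(sample_requests()))
    for ip, (x, abnormal) in sorted(verdicts.items()):
        print(f"{ip:15s} offset={x:+.3f} abnormal={abnormal}")
```

Because Y is scale-invariant with the standard deviation, the three rhythmic addresses score identically despite a threefold difference in volume; with `spread="variance"` that property is lost and high-volume addresses score differently.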
Corresponding to the above method, an embodiment of the present invention also provides a schematic structural diagram of a detection device. As shown in Fig. 8, the detection device may include an acquisition module 810 and a determining module 820.
The acquisition module 810 is configured to obtain service requests of multiple services, each service request carrying an IP address;
The acquisition module 810 is configured to obtain, according to the IP address curve of each of multiple IP addresses within a preset time period, a datum curve of the multiple IP addresses within the preset time period, where the IP address curve represents the correspondence between the number of occurrences of each IP address and time, and the datum curve represents the average change value of the multiple IP addresses within the preset time period;
The acquisition module 810 is further configured to obtain the offset of the IP address to be detected within the preset time period, the offset being determined from the curve of the IP address to be detected and the datum curve;
The determining module 820 is configured to determine that the IP address to be detected is an abnormal IP address when the offset between the curve information of the IP address to be detected within the preset time period and the datum curve information is greater than a preset offset threshold.
Optionally, the acquisition module 810 is further configured to obtain the datum curve of the multiple IP addresses within the preset time period according to the average of the numbers of occurrences of each of the multiple IP addresses at each time point within the preset time period.
Optionally, the acquisition module 810 is further configured to select the IP address to be detected from the multiple IP addresses;
The acquisition module 810 is further configured to obtain, based on the recorded IP address of the IP address to be detected, curve information of the number of occurrences of the IP address to be detected at each time point within the preset time period.
Optionally, the curve information includes a curve coefficient of variation. The curve coefficient of variation is the ratio of the variance of the per-time-point request counts at all time points on the curve information within the preset time period to the average of the per-time-point request counts at all time points on the curve information within the preset time period. The curve coefficient of variation Y can be calculated as Y = S/M, where S is the variance of the per-time-point request counts at all time points on the curve information and M is the average of the per-time-point request counts at all time points on the curve information within the preset time period. S and M are both greater than zero.
Optionally, the offset between the curve information of the IP address to be detected within the preset time period and the datum curve information is the difference between the curve coefficient of variation of the datum curve and the curve coefficient of variation of the IP address to be detected. The curve coefficient of variation Y can be calculated as Y = S/M, where S is the variance of the per-time-point request counts at all time points on the curve information and M is the average of the per-time-point request counts at all time points on the curve information within the preset time period. Y1 and Y2 are both greater than zero.
The functions of the functional modules of the detection device provided by the above embodiment of the present invention can be implemented by the method steps shown in Fig. 3. The specific working process and beneficial effects of the modules in the detection device provided by the embodiment of the present invention are therefore not repeated here.
Fig. 9 is a schematic structural diagram of an electronic device provided by an embodiment of the present invention. As shown in Fig. 9, the electronic device includes a processor 910, a communication interface 920, a memory 930 and a communication bus 940, where the processor 910, the communication interface 920 and the memory 930 communicate with one another through the communication bus 940.
The memory 930 is configured to store a computer program;
The processor 910 is configured to implement the following steps when executing the program stored in the memory 930:
Obtaining service requests of multiple services, each service request including an IP address;
Obtaining, according to the IP address curve of each of multiple IP addresses within a preset time period, a datum curve of the multiple IP addresses within the preset time period, where the IP address curve represents the correspondence between the number of occurrences of an IP address and time, and the datum curve represents the average change value of the multiple IP addresses within the preset time period;
Obtaining the offset of the IP address to be detected within the preset time period, the offset being determined from the curve of the IP address to be detected and the datum curve;
When the offset is greater than a preset offset threshold, determining that the IP address to be detected is an abnormal IP address (or malicious IP address).
Optionally, the IP address curve is the number of occurrences at each time point within the preset time period, and obtaining the datum curve of the multiple IP addresses within the preset time period according to the IP address curve of each of the multiple IP addresses within the preset time period includes: obtaining the datum curve of the multiple IP addresses within the preset time period according to the average of the numbers of occurrences of each of the multiple IP addresses at each time point within the preset time period.
Optionally, the IP address to be detected is obtained from the multiple IP addresses; based on the recorded IP address of the IP address to be detected, an IP address curve to be detected is obtained, in which the number of occurrences of the IP address to be detected within the preset time period changes over time.
Optionally, the curve information includes a curve coefficient of variation. The curve coefficient of variation is the ratio of the variance of the per-time-point request counts at all time points on the curve information within the preset time period to the average of the per-time-point request counts at all time points on the curve information within the preset time period. The curve coefficient of variation Y can be calculated as Y = S/M, where S is the variance of the per-time-point request counts at all time points on the curve information, M is the average of the per-time-point request counts at all time points on the curve information within the preset time period, and S and M are both greater than zero.
Optionally, the offset between the curve information of the IP address to be detected within the preset time period and the datum curve information is the difference between the curve coefficient of variation of the datum curve and the curve coefficient of variation of the IP address to be detected. The offset X can be calculated as X = Y1 - Y2, where Y1 is the curve coefficient of variation of the datum curve, Y2 is the curve coefficient of variation of the IP address to be detected, and Y1 and Y2 are both greater than zero.
The communication bus mentioned for the above electronic device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus can be divided into an address bus, a data bus, a control bus and so on. For ease of representation, the bus is drawn as a single thick line in the figure, but this does not mean that there is only one bus or only one type of bus.
The communication interface is used for communication between the above electronic device and other devices.
The memory may include random access memory (Random Access Memory, RAM), and may also include non-volatile memory (Non-Volatile Memory, NVM), for example at least one disk memory. Optionally, the memory may also be at least one storage device located remotely from the aforementioned processor.
The above processor may be a general-purpose processor, including a central processing unit (Central Processing Unit, CPU), a network processor (Network Processor, NP) and the like; it may also be a digital signal processor (Digital Signal Processing, DSP), an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field programmable gate array (Field-Programmable Gate Array, FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
Because the way each component of the electronic device in the above embodiment solves the problem, and the beneficial effects, can be understood by reference to the steps of the embodiment shown in Fig. 3, the specific working process and beneficial effects of the electronic device provided by the embodiment of the present invention are not repeated here.
It should be noted that above-mentioned electronic equipment can be applied in the server.
In another embodiment provided by the present invention, a computer-readable storage medium is also provided. Instructions are stored in the computer-readable storage medium which, when run on a computer, cause the computer to perform the IP address detection method of any of the above embodiments.
In another embodiment provided by the present invention, a computer program product containing instructions is also provided which, when run on a computer, causes the computer to perform the IP address detection method of any of the above embodiments.
The above embodiments may be implemented wholly or partly by software, hardware, firmware, or any combination thereof. When implemented in software, they may be realized wholly or partly in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the flows or functions described in the embodiments of the present invention are produced wholly or partly. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable device. The computer instructions may be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired (for example coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless (for example infrared, wireless, microwave) means. The computer-readable storage medium may be any usable medium that a computer can access, or a data storage device such as a server or data center that integrates one or more usable media. The usable medium may be a magnetic medium (for example a floppy disk, hard disk or magnetic tape), an optical medium (for example a DVD), or a semiconductor medium (for example a solid state disk, Solid State Disk (SSD)).
It should be noted that, in this document, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "comprise", "include" and any other variants are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.
The embodiments in this specification are described in a related manner; for identical or similar parts, the embodiments may be referred to one another, and each embodiment focuses on its differences from the others. In particular, the system embodiment is described relatively briefly because it is substantially similar to the method embodiment; for the related parts, refer to the description of the method embodiment.
The foregoing is merely a description of preferred embodiments of the present invention and is not intended to limit the scope of protection of the present invention. Any modification, equivalent substitution or improvement made within the spirit and principles of the present invention falls within the scope of protection of the present invention.

Claims (12)

1. A method for detecting an IP address, characterized in that the method comprises:
Obtaining service requests of multiple services, each service request carrying an IP address;
Obtaining, according to the IP address curve of each of the multiple IP addresses within a preset time period, a datum curve of the multiple IP addresses within the preset time period, wherein the IP address curve represents the correspondence between the number of occurrences of the IP address and time, and the datum curve represents the average change value of the multiple IP addresses within the preset time period;
Obtaining an offset of an IP address to be detected within the preset time period, the offset being determined from the curve of the IP address to be detected and the datum curve;
When the offset is greater than a preset offset threshold, determining that the IP address to be detected is an abnormal IP address.
2. The method according to claim 1, characterized in that obtaining the datum curve of the multiple IP addresses within the preset time period according to the IP address curve of each of the multiple IP addresses within the preset time period comprises:
Obtaining the datum curve of the multiple IP addresses within the preset time period according to the average of the numbers of occurrences of each of the multiple IP addresses at each time point within the preset time period.
3. The method according to claim 1, characterized in that, after obtaining the datum curve of the multiple IP addresses within the preset time period according to the IP address curve of each of the multiple IP addresses within the preset time period, the method further comprises:
Obtaining an IP address to be detected from the multiple IP addresses;
Based on the recorded IP address of the IP address to be detected, obtaining an IP address curve to be detected in which the number of occurrences of the IP address to be detected within the preset time period changes over time.
4. The method according to claim 1, characterized in that the curve information includes a curve coefficient of variation;
The curve coefficient of variation is the ratio of the variance of the per-time-point request counts at all time points on the curve information within the preset time period to the average of the per-time-point request counts at all time points on the curve information within the preset time period;
The curve coefficient of variation Y can be calculated as Y = S/M, wherein S is the variance of the per-time-point request counts at all time points on the curve information, M is the average of the per-time-point request counts at all time points on the curve information within the preset time period, and S and M are both greater than zero.
5. The method according to claim 4, characterized in that the offset between the curve information of the IP address to be detected within the preset time period and the datum curve information is the difference between the curve coefficient of variation of the datum curve and the curve coefficient of variation of the IP address to be detected;
The offset X can be calculated as X = Y1 - Y2, wherein Y1 is the curve coefficient of variation of the datum curve, Y2 is the curve coefficient of variation of the IP address to be detected, and Y1 and Y2 are both greater than zero.
6. A detection device, characterized in that the device comprises an acquisition module and a determining module,
The acquisition module being configured to obtain service requests of multiple services, each service request carrying an IP address;
The acquisition module being configured to obtain, according to the IP address curve of each of the multiple IP addresses within a preset time period, a datum curve of the multiple IP addresses within the preset time period, wherein the IP address curve represents the correspondence between the number of occurrences of the IP address and time, and the datum curve represents the average change value of the multiple IP addresses within the preset time period;
The acquisition module being further configured to obtain an offset of an IP address to be detected within the preset time period, the offset being determined from the curve of the IP address to be detected and the datum curve;
The determining module being configured to determine that the IP address to be detected is an abnormal IP address when the offset is greater than a preset offset threshold.
7. The device according to claim 6, characterized in that the acquisition module is further configured to obtain the datum curve of the multiple IP addresses within the preset time period according to the average of the numbers of occurrences of each of the multiple IP addresses at each time point within the preset time period.
8. The device according to claim 6, characterized in that the acquisition module is further configured to select an IP address to be detected from the multiple IP addresses;
The acquisition module is further configured to obtain, based on the recorded IP address of the IP address to be detected, an IP address curve to be detected of the number of occurrences of the IP address to be detected over time within the preset time period.
9. The device according to claim 6, characterized in that the curve information includes a curve coefficient of variation;
The curve coefficient of variation is the ratio of the variance of the per-time-point request counts at all time points on the curve information within the preset time period to the average of the per-time-point request counts at all time points on the curve information within the preset time period;
The curve coefficient of variation Y can be calculated as Y = S/M, wherein S is the variance of the per-time-point request counts at all time points on the curve information, M is the average of the per-time-point request counts at all time points on the curve information within the preset time period, and S and M are both greater than zero.
10. The device according to claim 8, characterized in that the offset between the curve information of the IP address to be detected within the preset time period and the datum curve information is the difference between the curve coefficient of variation of the datum curve and the curve coefficient of variation of the IP address to be detected;
The offset X can be calculated as X = Y1 - Y2, wherein Y1 is the curve coefficient of variation of the datum curve, Y2 is the curve coefficient of variation of the IP address to be detected, and Y1 and Y2 are both greater than zero.
11. An electronic device, characterized in that it comprises a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with one another through the communication bus;
The memory is configured to store a computer program;
The processor is configured to implement the method steps of any one of claims 1-5 when executing the program stored in the memory.
12. A computer-readable storage medium, characterized in that a computer program is stored in the computer-readable storage medium, and the computer program, when executed by a processor, implements the method steps of any one of claims 1-5.
CN201710970197.5A 2017-10-16 2017-10-16 IP address detection method and device and electronic equipment Active CN107682345B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710970197.5A CN107682345B (en) 2017-10-16 2017-10-16 IP address detection method and device and electronic equipment

Publications (2)

Publication Number Publication Date
CN107682345A true CN107682345A (en) 2018-02-09
CN107682345B CN107682345B (en) 2020-03-06

Family

ID=61139641

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710970197.5A Active CN107682345B (en) 2017-10-16 2017-10-16 IP address detection method and device and electronic equipment

Country Status (1)

Country Link
CN (1) CN107682345B (en)


Also Published As

Publication number Publication date
CN107682345B (en) 2020-03-06

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant