CN107682345A - IP address detection method, detection apparatus and electronic device - Google Patents
- Publication number
- CN107682345A CN201710970197.5A
- Authority
- CN
- China
- Prior art keywords
- address
- curve
- time period
- preset time
- detected
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/16—Threshold monitoring
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
Embodiments of the invention provide an IP address detection method, a detection apparatus and an electronic device. The method obtains service requests from multiple services, each service request carrying an IP address. From the IP address curve of each of the multiple IP addresses within a preset time period, a reference curve of the multiple IP addresses within the preset time period is obtained; an IP address curve represents the correspondence between the occurrence count of an IP address and time, and the reference curve represents the average variation, within the preset time period, of the occurrence counts of the multiple IP addresses. The offset of an IP address to be detected within the preset time period is then obtained; the offset is determined from the curve of the IP address to be detected and the reference curve. When the offset is greater than a preset offset threshold, the IP address to be detected is determined to be an abnormal IP address. The method evaluates an IP address as a whole and judges whether it is a normal IP address, thereby improving the accuracy of identifying normal IP addresses.
Description
Technical field
The present invention relates to the field of big data technology, and in particular to an Internet Protocol (IP) address detection method, detection apparatus and electronic device.
Background
In the field of network security, the IP address has always been a dimension that is hard to evaluate accurately: judging from the IP address alone whether it is a safe public egress IP address is very difficult. For this reason, some Internet companies (such as iqiyi.com) obtain information on the relevant IP addresses from a third-party company and use it as the basis for using those IP addresses. The third-party company is a company specializing in network security and holds all information on the relevant IP addresses, such as network threat intelligence.
However, in the course of realizing the invention, the inventors found at least the following problems in the prior art:
A third-party company's detection of an IP address focuses only on counting whether irregular behavior has occurred. The irregular (or malicious) behavior may be: whether user accounts were stolen, whether spam was sent, whether viruses were spread, and so on. That is, the third-party company mainly detects whether an IP address showed malicious behavior at one point in time or over one period, without examining the normal behavior of the IP address. This makes the resulting evaluation of the IP address inaccurate.
As shown in Fig. 1, take a detection window of one day as an example. When the third-party company inspects IP address x used by a user device, it detects that IP address x sent one spam email at 8 a.m., and it therefore identifies IP address x as a malicious IP address. But everything IP address x sent during the rest of the day was normal email, so normal behavior makes up a very high proportion of its activity; that is, IP address x is very probably not a threat. Once the third-party company passes the behavior information of IP address x to the Internet company, IP address x is wrongly flagged.
The IP address information provided by the third-party company is therefore incomplete and cannot accurately measure how threatening an IP address is, so normal IP addresses are wrongly flagged.
Summary of the invention
The purpose of the embodiments of the invention is to provide an IP address detection method, detection apparatus, electronic device and server that use the long-term continuous behavior information (both normal and malicious behavior) of the IP addresses users use, so as to evaluate an IP address as a whole and improve the accuracy of identifying abnormal IP addresses. The specific technical solution is as follows:
In a first aspect, an IP address detection method is provided; the method may be executed by a server. The method may include: obtaining service requests from multiple services, each service request carrying an IP address; obtaining, from the IP address curve of each of the multiple IP addresses within a preset time period, a reference curve of the multiple IP addresses within the preset time period, where an IP curve represents the correspondence between the occurrence count of an IP address and time, and the reference curve represents the average variation of the multiple IP addresses within the preset time period; obtaining the offset of an IP address to be detected within the preset time period, the offset being determined from the curve of the IP address to be detected and the reference curve; and, when the offset is greater than a preset offset threshold, determining that the IP address to be detected is an abnormal IP address (or malicious IP address).
In an optional implementation, obtaining the reference curve of the multiple IP addresses within the preset time period from the IP address curve of each of the multiple IP addresses within the preset time period includes: obtaining the reference curve from the average of the occurrence counts of each of the multiple IP addresses at each time point within the preset time period.
In an optional implementation, after the reference curve of the multiple IP addresses within the preset time period is obtained from the IP address curve of each of the multiple IP addresses, the method further includes: selecting the IP address to be detected from the multiple IP addresses; and, based on the recorded IP address information of the IP address to be detected, obtaining the curve of the occurrence count of the IP address to be detected over time within the preset time period.
In an optional implementation, the curve information includes a curve coefficient of variation. The curve coefficient of variation is the ratio of the variance of the per-time-point request counts at all time points on the curve information within the preset time period to the average of the per-time-point request counts at all time points on the curve information within the preset time period. The formula for the curve coefficient of variation Y can be expressed as Y = S/M, where S is the variance of the per-time-point request counts at all time points on the curve information, M is the average of the per-time-point request counts at all time points on the curve information within the preset time period, and S and M are both greater than zero.
In an optional implementation, the offset between the curve information of the IP address to be detected within the preset time period and the reference curve information is the difference between the curve coefficient of variation of the reference curve and the curve coefficient of variation of the IP address to be detected. The formula for the offset X can be expressed as X = Y1 - Y2, where Y1 is the curve coefficient of variation of the reference curve, Y2 is the curve coefficient of variation of the IP address to be detected, and Y1 and Y2 are both greater than zero.
In a second aspect, a detection apparatus is provided. The apparatus may include an acquisition module and a determining module.
The acquisition module is configured to obtain service requests from multiple services, each service request carrying an IP address. The acquisition module is configured to obtain, from the IP address curve of each of the multiple IP addresses within a preset time period, a reference curve of the multiple IP addresses within the preset time period, where an IP curve represents the correspondence between the occurrence count of an IP address and time, and the reference curve represents the average variation of the multiple IP addresses within the preset time period. The acquisition module is further configured to obtain the offset of an IP address to be detected within the preset time period, the offset being determined from the curve of the IP address to be detected and the reference curve. The determining module is configured to determine, when the offset is greater than a preset offset threshold, that the IP address to be detected is an abnormal IP address.
In an optional implementation, the acquisition module is further configured to obtain the reference curve of the multiple IP addresses within the preset time period from the average of the occurrence counts of each of the multiple IP addresses at each time point within the preset time period.
In an optional implementation, the acquisition unit is further configured to select the IP address to be detected from the multiple IP addresses; the acquisition unit is further configured to obtain, based on the recorded IP address information of the IP address to be detected, the curve of the occurrence count of the IP address to be detected over time within the preset time period.
In an optional implementation, the curve information includes a curve coefficient of variation. The curve coefficient of variation is the ratio of the variance of the per-time-point request counts at all time points on the curve information within the preset time period to the average of the per-time-point request counts at all time points on the curve information within the preset time period. The formula for the curve coefficient of variation Y can be expressed as Y = S/M, where S is the variance of the per-time-point request counts at all time points on the curve information and M is the average of the per-time-point request counts at all time points on the curve information within the preset time period. S and M are both greater than zero.
In an optional implementation, the offset between the curve information of the IP address to be detected within the preset time period and the reference curve information is the difference between the curve coefficient of variation of the reference curve and the curve coefficient of variation of the IP address to be detected. The formula for the curve coefficient of variation Y can be expressed as Y = S/M, where S is the variance of the per-time-point request counts at all time points on the curve information and M is the average of the per-time-point request counts at all time points on the curve information within the preset time period. Y1 and Y2 are both greater than zero.
In a third aspect, an electronic device is provided. The electronic device may include a processor, a communication interface, a memory and a communication bus, where the processor, the communication interface and the memory communicate with one another over the communication bus; the memory is configured to store a computer program; and the processor is configured to implement the method steps of the first aspect when executing the program stored in the memory.
In a fourth aspect, a server is provided; the server includes the electronic device of the third aspect.
In another aspect of the invention, a computer-readable storage medium is also provided. The computer-readable storage medium stores instructions that, when run on a computer, cause the computer to perform any of the IP address detection methods described above.
In another aspect of the invention, the embodiments also provide a computer program product containing instructions that, when run on a computer, cause the computer to perform any of the IP address detection methods described above.
The embodiments of the invention provide an IP address detection method, detection apparatus, electronic device and server. Using the IP addresses in the service requests sent from multiple IP addresses, the application records the curve of each of the multiple IP addresses within a long, continuous preset time period and the reference curve of the multiple IP addresses within that period, which reflects the long-term continuous behavior information of the IP addresses (both normal and malicious behavior). When, within the long, continuous preset time period, the offset between the curve information of the IP address to be detected and the curve information of the reference curve is not less than the preset offset threshold, the IP address to be detected is determined to be an abnormal IP address. The method evaluates an IP address as a whole and judges whether it is a normal IP address, thereby improving the accuracy of identifying normal IP addresses. Of course, a product or method implementing the invention need not achieve all of the above advantages at the same time.
Brief description of the drawings
To explain the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings used in describing the embodiments or the prior art are briefly introduced below.
Fig. 1 is a schematic diagram of a detection record of IP address x;
Fig. 2 is a system framework diagram provided by an embodiment of the invention;
Fig. 3 is a schematic flowchart of an IP address detection method provided by an embodiment of the invention;
Fig. 4 is a schematic diagram of the coordinate axes of an IP address access curve provided by an embodiment of the invention;
Fig. 5 is a schematic diagram of a reference curve provided by an embodiment of the invention;
Fig. 6 is a schematic diagram of the curve of an IP address to be detected provided by an embodiment of the invention;
Fig. 7 is a schematic diagram of the curve of another IP address to be detected provided by an embodiment of the invention;
Fig. 8 is a schematic structural diagram of a detection apparatus provided by an embodiment of the invention;
Fig. 9 is a schematic structural diagram of an electronic device provided by an embodiment of the invention.
Detailed description
The technical solutions in the embodiments of the invention are described below with reference to the drawings in the embodiments of the invention.
The detection method for public egress IP addresses provided by the application can be applied in the network system architecture shown in Fig. 2. The network system may include a server and user devices, which can exchange instructions and data over a network. The server may be the server of an application (such as the server of iqiyi.com).
When an attacker engaged in the underground economy (such as a hacker) attacks using a normal IP address, the user devices carrying that IP address information can all come under attack. The attack (malicious behavior) may be abnormal behavior such as stealing user accounts, inflating volume (for example inflating website traffic, application downloads or order counts) or spreading network viruses. By monitoring IP address 1 and IP address 2 separately over a long time, it can be found that the fluctuation of the attacks an underground-economy attacker makes on the server using IP address 1 differs in some respects, for example in time distribution, from the fluctuation of the normal behavior of ordinary users accessing the server through IP address 2.
By monitoring over the long term the service requests of multiple IP addresses across services, the application obtains how the multiple IP addresses fluctuate in time distribution when accessing the same server, and finds the abnormal IP addresses.
Optionally, because attackers engaged in the underground economy are usually devices (or machines), obtaining how an IP address fluctuates in time distribution also helps analyze whether the IP address is being used by a normal user (a real person), and helps identify common automated attack forms such as credential stuffing (for example account theft).
Fig. 3 is a schematic flowchart of an IP address detection method provided by an embodiment of the invention. As shown in Fig. 3, the method may be executed by a server and may include:
Step 310: obtain service requests from multiple services, each service request including an IP address.
User devices send service requests to the server through IP addresses, and the server collects the service requests of multiple services, such as login requests, video requests or purchase requests. Each service request includes one item of IP address information, such as IP1 address information, IP2 address information and IP3 address information, all of which come from different IP addresses; the IP address information is the occurrence count of the IP address at each time point. In the embodiments of the invention, "multiple" means at least two.
Step 320: from the IP address curve of each of the multiple IP addresses within the preset time period, obtain the reference curve of the multiple IP addresses within the preset time period. An IP curve represents the correspondence between the occurrence count of the IP address and time, and the reference curve represents the average variation over time of the occurrence counts of the multiple IP addresses.
The preset time period may be the duration of one cycle of the IP address; for example, the IP address information may be the information within the 24 hours of one day. By recording the occurrence count of each IP address over the time distribution, the distribution curve of each IP address's occurrence count over time is obtained, that is, the IP address curve (also called the IP address access curve) showing how the occurrence count of each IP address changes over time within the preset time period. The occurrence count at each time point in the IP address curve may include normal occurrences and may include abnormal occurrences, so the curve can reflect both the normal behavior and the abnormal behavior of the IP address.
Take the occurrence counts of IP addresses within a preset 24 hours as an example. Suppose there are 5 different IP addresses, and the occurrence counts of the 5 IP addresses are recorded at each time point within the 24 hours (such as 1:00, 2:00, 3:00 and so on). Based on the recorded occurrence count at each time point, the curve of each IP address's occurrence count over the time distribution is obtained.
As shown in Fig. 4, the horizontal axis T of the curve coordinates is the time of the distribution time points, and the vertical axis N is the occurrence count showing how the IP address is used. By recording the occurrence count of each IP address at each time point, a continuous curve of the occurrence count of the IP address over continuous time is obtained.
Step 330: obtain the offset of the IP address to be detected within the preset time period; the offset is determined from the curve of the IP address to be detected and the reference curve.
When the offset between the curve information of the IP address to be detected within the preset time period and the reference curve information is greater than the preset offset threshold, step 340 is performed.
Step 340: determine that the IP address to be detected is an abnormal IP address.
The server identifies from the offset whether the IP address to be detected is an abnormal IP address (or anomalous IP address).
When the offset is greater than the preset offset threshold, the server determines that the IP address to be detected is an abnormal IP address; that is, the difference between the curve coefficient of variation of the curve of the IP address to be detected and the curve coefficient of variation of the reference curve is too large.
When the offset is not greater than the preset offset threshold, the server determines that the IP address to be detected is a normal IP address; that is, the difference between the curve coefficient of variation of the curve of the IP address to be detected and the curve coefficient of variation of the reference curve is small or zero. For example, curve I0 and curve I1 are in almost the same state, so the gap between the two is small.
Taking a preset time of 24 hours and a preset offset threshold of 0.02 as an example, the occurrence counts of curve I0, curve I1 and curve I2 at each time point within the 24 hours may be as shown in Table 1.
Table 1
The following can be obtained from the information in Table 1:
The average M0 of the occurrence counts of curve I0 within the 24 hours is 2142.5 and the variance S0 of the occurrence counts is 920.141519912, from which the coefficient of variation Y0 of curve I0 is 0.429470954;
The average M1 of the occurrence counts of curve I1 within the 24 hours is 1653.041666667 and the variance S1 of the occurrence counts is 678.513907937, from which the coefficient of variation Y1 of curve I1 is;
The average M2 of the occurrence counts of curve I2 within the 24 hours is 688.83333333 and the variance S2 of the occurrence counts is 327.942533923, from which the coefficient of variation Y2 of curve I2 is 0.194182888.
The offset between curve I0 and curve I1 is the difference between 0.429470954 and 0.410463887, which is 0.019; the offset between curve I0 and curve I2 is the difference between 0.429470954 and 0.194182888, which is 0.235.
The offset of 0.019 between curve I0 and curve I1 is less than 0.02, which shows that the gap between curve I0 and curve I1 is small. The offset of 0.235 between curve I0 and curve I2 is greater than 0.02, which shows that the gap between curve I0 and curve I2 is large.
Note that the preset offset threshold can be customized according to the actual situation and the required identification accuracy.
In summary, using the IP addresses in the service requests of multiple IP addresses, the method provided by the application records the curve of each IP address's occurrence count (including normal and abnormal occurrences) within a long, continuous preset time period, together with the reference curve. When, within the long, continuous preset time period, the offset between the curve information of the IP address to be detected and the curve information of the reference curve is not less than the preset offset threshold, the IP address to be detected is determined to be an abnormal IP address. The method evaluates an IP address as a whole and judges whether it is an abnormal IP address, thereby improving the accuracy of identifying abnormal IP addresses.
In an optional embodiment, the IP address information involved in step 310 may, in the embodiments of the application, be the occurrence count of the IP address at each time point. A time point is a moment at which the occurrence count of the IP address is collected. For example, when collecting the occurrence count of an IP address from 8:00 to 10:00, the time points chosen may be 8:15, 8:30, 8:45, 9:00 ... 9:45, 10:00.
Based on the recorded occurrence counts over the time distribution of each of the multiple IP addresses within the preset time period, the average of the occurrence counts of the multiple IP addresses over the time distribution within the preset time period is obtained. This gives the average variation curve of the multiple IP addresses over the time distribution within the preset time period, that is, the reference curve; the reference curve may also be called the average curve.
From the multiple IP addresses obtained, the server can derive the curve of the multiple IP addresses over time, as shown in Fig. 5. Curve I0 shows an access state (frequency of use) that is high in the daytime and low at night, with twin peaks at the lunch break and after work.
Thus, within the preset time period, recording the occurrence counts of the IP addresses over the time distribution makes it possible to compute accurately the average occurrence count of the multiple IP addresses at each time point, and to present it visually as the reference curve, which makes the data easier to read.
In an optional embodiment, before step 330 is performed, the server needs to obtain the IP address to be detected. The IP address to be detected may be chosen from the multiple IP addresses obtained above, or a new IP address may be detected. Using the method described above for obtaining the curve information of each IP address, the server obtains the curve of the IP address to be detected within the preset time period.
In one example, the curve formed by the IP address to be detected may be curve I1 as shown in Fig. 6. Curve I1 shows an access state (frequency of use) that is high in the daytime and low at night, with a peak at the lunch break and a low after work. Alternatively, the curve formed by the IP address to be detected may be curve I2 as shown in Fig. 7. Curve I2 shows an access state (frequency of use) that is low in the daytime and high at night, with twin troughs at the lunch break and after work.
Thus, by obtaining the curve of the IP address to be detected within the preset time period, one can observe directly how users use the IP address to be detected over time. This strengthens the ability to tell humans from machines, that is, to identify easily whether the IP address to be detected is used by normal users or by an attacking machine. The identification criterion may be that normal users use an IP address according to a certain daily routine, whereas an attacking machine does not follow a daily routine when using the IP address, for example using the IP address continuously.
In an optional embodiment, based on the obtained IP address information of the IP address to be detected, the server obtains the curve of the IP address to be detected within the preset time period and obtains the curve coefficient of variation of that curve.
In step 320, the curve information on the IP address curve is obtained; the curve information may include the curve coefficient of variation. The curve coefficient of variation is the ratio of the variance of the per-time-point request counts at all time points on the curve information within the preset time period to the average of the per-time-point request counts at all time points on the curve information within the preset time period. The per-time-point request count is the count corresponding to each time point.
The formula for the curve coefficient of variation Y can be expressed as Y = S/M, where S is the variance of the per-time-point request counts at all time points on the curve information, M is the average of the per-time-point request counts at all time points on the curve information within the preset time period, and S and M are both greater than zero.
Thus the curve coefficient of variation captures well both the degree of variation of the curve of the IP address to be detected and the degree of variation of the reference curve.
In an optional embodiment, after step 330, the server can also obtain the offset between the curve information of the IP address to be detected within the preset time period and the curve information of the reference curve. This offset is the difference between the curve coefficient of variation of the reference curve and the curve coefficient of variation of the IP address to be detected.
The formula for the offset X can be expressed as X = Y1 - Y2, where Y1 is the curve coefficient of variation of the reference curve, Y2 is the curve coefficient of variation of the IP address to be detected, and Y1 and Y2 are both greater than zero.
Thus, from the curve coefficient of variation of the reference curve and the curve coefficient of variation of the curve of the IP address to be detected, the degree to which the curve of the IP address to be detected deviates from the reference curve can be detected conveniently, which determines whether the IP address to be detected is an abnormal IP address.
Corresponding to the above method, an embodiment of the present invention also provides a schematic structural diagram of a detection device. As shown in Fig. 8, the detection device may include an acquisition module 810 and a determination module 820.
The acquisition module 810 is configured to obtain service requests of multiple services, each service request carrying an IP address.
The acquisition module 810 is configured to obtain, according to the IP address curve of each of the multiple IP addresses within a preset time period, a reference curve of the multiple IP addresses within the preset time period. The IP curve represents the correspondence between the number of occurrences of each IP address and time, and the reference curve represents the average change value of the multiple IP addresses within the preset time period.
The acquisition module 810 is further configured to obtain the offset of the IP address to be detected within the preset time period, the offset being determined from the curve of the IP address to be detected and the reference curve.
The determination module 820 is configured to determine that the IP address to be detected is an abnormal IP address when the offset between the curve information of the IP address to be detected within the preset time period and the reference curve information is greater than a preset offset threshold.
Optionally, the acquisition module 810 is further configured to obtain the reference curve of the multiple IP addresses within the preset time period according to the average value of the number of occurrences of each of the multiple IP addresses at each time point within the preset time period.
Optionally, the acquisition module 810 is further configured to select the IP address to be detected from the multiple IP addresses corresponding to the multiple IP addresses.
The acquisition module 810 is further configured to obtain, based on the recorded IP address of the IP address to be detected, the curve information of the number of occurrences of the IP address to be detected at each time point within the preset time period.
Optionally, the curve information includes a curve coefficient of variation. The curve coefficient of variation is the ratio of the variance of the time-sliced request counts at all time points on the curve information within the preset time period to the average value of the time-sliced request counts at all time points on the curve information within the preset time period. The calculation formula of the curve coefficient of variation Y can be expressed as: Y = S/M, where S is the variance of the time-sliced request counts at all time points on the curve information, and M is the average value of the time-sliced request counts at all time points on the curve information within the preset time period. S and M are both greater than zero.
Optionally, the offset between the curve information of the IP address to be detected within the preset time period and the reference curve information is the difference between the curve coefficient of variation of the reference curve and the curve coefficient of variation of the IP address to be detected. The calculation formula of the curve coefficient of variation Y can be expressed as: Y = S/M, where S is the variance of the time-sliced request counts at all time points on the curve information, and M is the average value of the time-sliced request counts at all time points on the curve information within the preset time period. Y1 and Y2 are both greater than zero.
The functions of the functional modules of the detection device provided by the above embodiment of the present invention can be realized by the method steps shown in Fig. 3. Therefore, the specific working process and beneficial effects of the modules in the detection device provided by the embodiment of the present invention are not repeated here.
Fig. 9 is a schematic structural diagram of an electronic device provided by an embodiment of the present invention. As shown in Fig. 9, the electronic device includes a processor 910, a communication interface 920, a memory 930 and a communication bus 940, where the processor 910, the communication interface 920 and the memory 930 communicate with one another through the communication bus 940.
The memory 930 is configured to store a computer program.
The processor 910 is configured to implement the following steps when executing the program stored in the memory 930:
Obtain service requests of multiple services, each service request including an IP address.
According to the IP address curve of each of the multiple IP addresses within a preset time period, obtain a reference curve of the multiple IP addresses within the preset time period. The IP address curve represents the correspondence between the number of occurrences of the IP address and time, and the reference curve represents the average change value of the multiple IP addresses within the preset time period. Obtain the offset of the IP address to be detected within the preset time period, the offset being determined from the curve of the IP address to be detected and the reference curve. When the offset is greater than a preset offset threshold, determine that the IP address to be detected is an abnormal IP address (or malicious IP address).
Optionally, the IP address curve is the number of occurrences at each time point within the preset time period, and obtaining the reference curve of the multiple IP addresses within the preset time period according to the IP address curve of each of the multiple IP addresses within the preset time period includes: obtaining the reference curve of the multiple IP addresses within the preset time period according to the average value of the number of occurrences of each of the multiple IP addresses at each time point within the preset time period.
Optionally, the IP address to be detected is obtained from the multiple IP addresses; based on the recorded IP address of the IP address to be detected, the to-be-detected IP address curve, which shows how the number of occurrences of the IP address to be detected changes over time within the preset time period, is obtained.
Optionally, the curve information includes a curve coefficient of variation. The curve coefficient of variation is the ratio of the variance of the time-sliced request counts at all time points on the curve information within the preset time period to the average value of the time-sliced request counts at all time points on the curve information within the preset time period. The calculation formula of the curve coefficient of variation Y can be expressed as: Y = S/M, where S is the variance of the time-sliced request counts at all time points on the curve information, and M is the average value of the time-sliced request counts at all time points on the curve information within the preset time period. S and M are both greater than zero.
Optionally, the offset between the curve information of the IP address to be detected within the preset time period and the reference curve information is the difference between the curve coefficient of variation of the reference curve and the curve coefficient of variation of the IP address to be detected. The calculation formula of the offset X can be expressed as: X = Y1 - Y2, where Y1 is the curve coefficient of variation of the reference curve, Y2 is the curve coefficient of variation of the IP address to be detected, and Y1 and Y2 are both greater than zero.
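The processor steps above, as an added example that is not code from the patent: it builds per-IP curves from request records, averages them into the reference curve, and applies Y = S/M and X = Y1 - Y2 against a threshold. The function names, hourly time points, use of population variance, the threshold 0.5 and the sample requests are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import fmean, pvariance


def build_ip_curves(requests, start, bucket_seconds, n_points):
    """Per-IP curve: request count at each time point of the preset period.

    Time points with no request stay at zero, so every curve has n_points values.
    """
    curves = defaultdict(lambda: [0] * n_points)
    for timestamp, ip in requests:
        index = (timestamp - start) // bucket_seconds
        if 0 <= index < n_points:      # drop requests outside the period
            curves[ip][index] += 1
    return dict(curves)


def reference_curve(curves):
    """Average occurrence count over all IPs at each time point."""
    return [fmean(column) for column in zip(*curves.values())]


def coefficient_of_variation(curve):
    """Y = S / M: variance of the counts divided by their mean, as the page defines it.

    Assumption: population variance; the page does not name an estimator.
    A perfectly flat curve gives S = 0 and therefore Y = 0.
    """
    m = fmean(curve)
    if m <= 0:
        raise ValueError("curve has no requests; Y = S / M is undefined")
    return pvariance(curve) / m


def detect(requests, start, bucket_seconds, n_points, threshold):
    """Return {ip: (offset X, is_abnormal)} with X = Y1 - Y2."""
    curves = build_ip_curves(requests, start, bucket_seconds, n_points)
    if not curves:
        return {}
    y1 = coefficient_of_variation(reference_curve(curves))
    verdicts = {}
    for ip, curve in curves.items():
        x = y1 - coefficient_of_variation(curve)
        verdicts[ip] = (x, x > threshold)
    return verdicts


# Constructed sample: hourly request counts per IP (documentation address ranges).
START, BUCKET, POINTS = 1_700_000_000, 3600, 4
SAMPLE_COUNTS = {
    "192.0.2.10":   [4, 0, 2, 2],
    "192.0.2.11":   [4, 2, 0, 2],
    "198.51.100.7": [2, 2, 2, 2],   # perfectly even request rate
    "203.0.113.5":  [6, 0, 0, 2],   # one large burst
}
# Expand the counts into (timestamp, ip) request records, one per request.
SAMPLE_REQUESTS = [
    (START + hour * BUCKET + k, ip)
    for ip, counts in SAMPLE_COUNTS.items()
    for hour, n in enumerate(counts)
    for k in range(n)
]

if __name__ == "__main__":
    verdicts = detect(SAMPLE_REQUESTS, START, BUCKET, POINTS, threshold=0.5)
    for ip, (x, abnormal) in verdicts.items():
        print(f"{ip:14} X={x:+.2f} abnormal={abnormal}")
```

Because X is a signed difference, only curves steadier than the reference can exceed a positive threshold: the evenly paced address is flagged, while the burst-heavy address gets a negative X and is not flagged by this rule.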
The communication bus mentioned for the above electronic device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus can be divided into an address bus, a data bus, a control bus and so on. For ease of representation, only one thick line is shown in the figure, but this does not mean that there is only one bus or only one type of bus.
The communication interface is used for communication between the above electronic device and other devices.
The memory may include random access memory (Random Access Memory, RAM), and may also include non-volatile memory (Non-Volatile Memory, NVM), for example at least one disk memory. Optionally, the memory may also be at least one storage device located remotely from the aforementioned processor.
The above processor may be a general-purpose processor, including a central processing unit (Central Processing Unit, CPU), a network processor (Network Processor, NP) and the like; it may also be a digital signal processor (Digital Signal Processing, DSP), an application-specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field-programmable gate array (Field-Programmable Gate Array, FPGA) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
Since the implementations by which the components of the electronic device in the above embodiment solve the problem, and their beneficial effects, can be realized with reference to the steps of the embodiment shown in Fig. 3, the specific working process and beneficial effects of the electronic device provided by the embodiment of the present invention are not repeated here.
It should be noted that the above electronic device can be applied in a server.
In another embodiment provided by the present invention, a computer-readable storage medium is further provided. Instructions are stored in the computer-readable storage medium and, when run on a computer, cause the computer to perform the IP address detection method described in any of the above embodiments.
In another embodiment provided by the present invention, a computer program product containing instructions is further provided which, when run on a computer, causes the computer to perform the IP address detection method described in any of the above embodiments.
The above embodiments can be implemented wholly or partly by software, hardware, firmware or any combination thereof. When implemented in software, they can be implemented wholly or partly in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the flows or functions described in the embodiments of the present invention are produced wholly or partly. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable device. The computer instructions may be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired means (such as coaxial cable, optical fiber or digital subscriber line (DSL)) or wireless means (such as infrared, wireless or microwave). The computer-readable storage medium may be any usable medium that a computer can access, or a data storage device such as a server or data center that integrates one or more usable media. The usable medium may be a magnetic medium (for example, a floppy disk, hard disk or magnetic tape), an optical medium (for example, a DVD), a semiconductor medium (for example, a Solid State Disk (SSD)), or the like.
It should be noted that, in this document, relational terms such as first and second are used only to distinguish one entity or operation from another entity or operation, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or also includes elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the existence of other identical elements in the process, method, article or device that includes the element.
The embodiments in this specification are described in a related manner; for identical or similar parts, the embodiments may be referred to one another, and each embodiment focuses on its differences from the other embodiments. In particular, since the system embodiment is substantially similar to the method embodiment, its description is relatively brief; for related parts, refer to the corresponding explanation of the method embodiment.
The foregoing are merely preferred embodiments of the present invention and are not intended to limit the protection scope of the present invention. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention shall fall within the protection scope of the present invention.
Claims (12)
1. A method for detecting an IP address, characterized in that the method comprises:
obtaining service requests of multiple services, each service request carrying an IP address;
obtaining, according to the IP address curve of each of the multiple IP addresses within a preset time period, a reference curve of the multiple IP addresses within the preset time period, wherein the IP address curve represents the correspondence between the number of occurrences of the IP address and time, and the reference curve represents the average change value of the multiple IP addresses within the preset time period;
obtaining the offset of an IP address to be detected within the preset time period, the offset being determined from the curve of the IP address to be detected and the reference curve;
when the offset is greater than a preset offset threshold, determining that the IP address to be detected is an abnormal IP address.
2. The method according to claim 1, characterized in that obtaining the reference curve of the multiple IP addresses within the preset time period according to the IP address curve of each of the multiple IP addresses within the preset time period comprises:
obtaining the reference curve of the multiple IP addresses within the preset time period according to the average value of the number of occurrences of each of the multiple IP addresses at each time point within the preset time period.
3. The method according to claim 1, characterized in that, after obtaining the reference curve of the multiple IP addresses within the preset time period according to the IP address curve of each of the multiple IP addresses within the preset time period, the method further comprises:
obtaining the IP address to be detected from the multiple IP addresses corresponding to the multiple IP addresses;
obtaining, based on the recorded IP address of the IP address to be detected, the to-be-detected IP address curve showing how the number of occurrences of the IP address to be detected changes over time within the preset time period.
4. The method according to claim 1, characterized in that the curve information includes a curve coefficient of variation;
the curve coefficient of variation is the ratio of the variance of the time-sliced request counts at all time points on the curve information within the preset time period to the average value of the time-sliced request counts at all time points on the curve information within the preset time period;
the calculation formula of the curve coefficient of variation Y can be expressed as: Y = S/M, where S is the variance of the time-sliced request counts at all time points on the curve information, M is the average value of the time-sliced request counts at all time points on the curve information within the preset time period, and S and M are both greater than zero.
5. The method according to claim 4, characterized in that the offset between the curve information of the IP address to be detected within the preset time period and the reference curve information is the difference between the curve coefficient of variation of the reference curve and the curve coefficient of variation of the IP address to be detected;
the calculation formula of the offset X can be expressed as: X = Y1 - Y2, where Y1 is the curve coefficient of variation of the reference curve, Y2 is the curve coefficient of variation of the IP address to be detected, and Y1 and Y2 are both greater than zero.
6. A detection device, characterized in that the device comprises an acquisition module and a determination module, wherein:
the acquisition module is configured to obtain service requests of multiple services, each service request carrying an IP address;
the acquisition module is configured to obtain, according to the IP address curve of each of the multiple IP addresses within a preset time period, a reference curve of the multiple IP addresses within the preset time period, wherein the IP curve represents the correspondence between the number of occurrences of the IP address and time, and the reference curve represents the average change value of the multiple IP addresses within the preset time period;
the acquisition module is further configured to obtain the offset of an IP address to be detected within the preset time period, the offset being determined from the curve of the IP address to be detected and the reference curve;
the determination module is configured to determine that the IP address to be detected is an abnormal IP address when the offset is greater than a preset offset threshold.
7. The device according to claim 6, characterized in that the acquisition module is further configured to obtain the reference curve of the multiple IP addresses within the preset time period according to the average value of the number of occurrences of each of the multiple IP addresses at each time point within the preset time period.
8. The device according to claim 6, characterized in that the acquisition module is further configured to select the IP address to be detected from the multiple IP addresses corresponding to the multiple IP addresses;
the acquisition module is further configured to obtain, based on the recorded IP address of the IP address to be detected, the to-be-detected IP address curve showing how the number of occurrences of the IP address to be detected changes over time within the preset time period.
9. The device according to claim 6, characterized in that the curve information includes a curve coefficient of variation;
the curve coefficient of variation is the ratio of the variance of the time-sliced request counts at all time points on the curve information within the preset time period to the average value of the time-sliced request counts at all time points on the curve information within the preset time period;
the calculation formula of the curve coefficient of variation Y can be expressed as: Y = S/M, where S is the variance of the time-sliced request counts at all time points on the curve information, M is the average value of the time-sliced request counts at all time points on the curve information within the preset time period, and S and M are both greater than zero.
10. The device according to claim 8, characterized in that the offset between the curve information of the IP address to be detected within the preset time period and the reference curve information is the difference between the curve coefficient of variation of the reference curve and the curve coefficient of variation of the IP address to be detected;
the calculation formula of the offset X can be expressed as: X = Y1 - Y2, where Y1 is the curve coefficient of variation of the reference curve, Y2 is the curve coefficient of variation of the IP address to be detected, and Y1 and Y2 are both greater than zero.
11. An electronic device, characterized by comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with one another through the communication bus;
the memory is configured to store a computer program;
the processor is configured to implement the method steps of any one of claims 1-5 when executing the program stored in the memory.
12. A computer-readable storage medium, characterized in that a computer program is stored in the computer-readable storage medium, and the computer program, when executed by a processor, implements the method steps of any one of claims 1-5.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710970197.5A CN107682345B (en) | 2017-10-16 | 2017-10-16 | IP address detection method and device and electronic equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107682345A (en) | 2018-02-09 |
CN107682345B (en) | 2020-03-06 |
Family
ID=61139641
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710970197.5A Active CN107682345B (en) | 2017-10-16 | 2017-10-16 | IP address detection method and device and electronic equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107682345B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN107682345B (en) | 2020-03-06 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |