CN107682345B - IP address detection method and device and electronic equipment - Google Patents
- Publication number: CN107682345B (application number CN201710970197.5A)
- Authority
- CN
- China
- Prior art keywords
- address
- curve
- time period
- detected
- preset time
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00—Network architectures or network communication protocols for network security > H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic > H04L63/1425—Traffic logging, e.g. anomaly detection
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00—Network architectures or network communication protocols for network security > H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic > H04L63/1416—Event detection, e.g. attack signature detection
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L43/00—Arrangements for monitoring or testing data switching networks > H04L43/16—Threshold monitoring
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The embodiment of the invention provides a detection method and a detection device for an IP address, and electronic equipment. The method comprises: obtaining service requests in a plurality of services, wherein each service request carries an IP address; acquiring a reference curve of a plurality of IP addresses in a preset time period according to an IP address curve of each IP address in the plurality of IP addresses in the preset time period, wherein the IP address curve represents the corresponding relation between the occurrence times of the IP address and time, and the reference curve represents the average change value of the occurrence times of the plurality of IP addresses in the preset time period; acquiring the offset of the IP address to be detected in the preset time period, wherein the offset is determined by the curve of the IP address to be detected and the reference curve; and, when the offset is larger than a preset offset threshold, determining that the IP address to be detected is an abnormal IP address. The method realizes a complete evaluation of one IP address and judges whether the IP address is a normal IP address, thereby improving the accuracy of identifying normal IP addresses.
Description
Technical Field
The present invention relates to the field of big data technologies, and in particular to a method and an apparatus for detecting an Internet Protocol (IP) address, and an electronic device.
Background
At present, in the field of network security, the IP address has always been a dimension that is difficult to evaluate accurately; that is, it is not easy to judge, from the perspective of the IP address alone, whether an IP address is a secure public-network egress. Because of this, some internet enterprises (such as the loving art) use an IP address by obtaining the relevant IP address information from a third-party company, which is an enterprise specializing in network security and holds all information on the relevant IP address, such as network threat intelligence and the like.
However, in the process of implementing the invention, the inventor found that the prior art has at least the following problems:
the detection of an IP address by a third-party company focuses only on counting whether some abnormal behavior has occurred, for example stealing a user account, sending spam, spreading a virus, and the like. That is, the third-party company mainly focuses on detecting whether an IP address has shown malicious behavior at a time point or over a certain period, but does not detect the normal behavior of the IP address, which may result in inaccurate evaluation information for the IP address.
As shown in fig. 1, taking one day as the detection time, in the process of detecting an IP address x used by a user equipment, a third-party company detects that the IP address x sent a spam email at 8 am and at that point considers the IP address x a malicious IP address; but the IP address x sends normal emails at the other times of the day, so the proportion of normal behavior of the IP address x is high, that is, the IP address x is non-threatening with a high probability. When the third-party company notifies the internet enterprise of the behavior information of the IP address x, the IP address x is blocked by mistake.
Therefore, the IP address information provided by the third-party company is not comprehensive, and the threat degree of an IP address cannot be measured accurately, so that normal IP addresses are blocked by mistake.
Disclosure of Invention
Embodiments of the present invention provide a method, an apparatus, an electronic device, and a server for detecting an IP address, which implement a complete evaluation of an IP address by using the long-term continuous behavior information (including normal behavior and malicious behavior) of an IP address used by a user, and improve the accuracy of identifying an abnormal IP address. The specific technical scheme is as follows:
In a first aspect, a method for detecting an IP address is provided, where the execution subject of the method may be a server, and the method may include: acquiring service requests in a plurality of services, wherein each service request carries an IP address; acquiring a reference curve of the plurality of IP addresses in a preset time period according to an IP address curve of each IP address in the plurality of IP addresses in the preset time period, wherein the IP address curve represents the corresponding relation between the occurrence times of the IP address and time, and the reference curve represents the average change value of the plurality of IP addresses in the preset time period; acquiring the offset of the IP address to be detected in the preset time period, wherein the offset is determined by the curve of the IP address to be detected and the reference curve; and, when the offset is larger than a preset offset threshold, determining that the IP address to be detected is an abnormal IP address (or malicious IP address).
In an optional implementation, obtaining a reference curve of the plurality of IP addresses in a preset time period according to the IP address curve of each IP address in the plurality of IP addresses in the preset time period includes: obtaining the reference curve of the plurality of IP addresses in the preset time period according to the average value, at each time point in the preset time period, of the occurrence times of the IP addresses in the plurality of IP addresses.
In an optional implementation, after acquiring the reference curve of the plurality of IP addresses in the preset time period according to the IP address curve of each IP address in the plurality of IP addresses in the preset time period, the method further includes: selecting an IP address to be detected from the plurality of IP addresses; and acquiring, based on the recorded occurrences of the IP address to be detected, an IP address curve of the IP address to be detected representing its occurrence times over time in the preset time period.
In an alternative implementation, the curve information includes a curve variation coefficient, which is the ratio of the variance of the time-sharing request times at all time points on the curve information in the preset time period to the average of the time-sharing request times at all time points on the curve information in the preset time period; the calculation formula of the curve variation coefficient Y may be represented as Y = S/M, where S is the variance of the time-sharing request times at all time points on the curve information, M is the average value of the time-sharing request times at all time points on the curve information in the preset time period, and S and M are both greater than zero.
In an optional implementation, the offset between the curve information of the IP address to be detected in the preset time period and the reference curve information is the difference between the curve variation coefficient of the reference curve and the curve variation coefficient of the IP address to be detected; the calculation formula of the offset X may be represented as X = Y1 - Y2, where Y1 is the curve variation coefficient of the reference curve, Y2 is the curve variation coefficient of the IP address to be detected, and Y1 and Y2 are both greater than zero.
In a second aspect, there is provided a detection apparatus, which may include: the device comprises an acquisition module and a determination module.
The acquisition module is used for acquiring service requests in a plurality of services, each service request carrying an IP address; the acquisition module is further used for acquiring a reference curve of the plurality of IP addresses in a preset time period according to the IP address curve of each IP address in the plurality of IP addresses in the preset time period, wherein the IP address curve represents the corresponding relation between the occurrence frequency of the IP address and time, and the reference curve represents the average change value of the plurality of IP addresses in the preset time period; the acquisition module is further configured to obtain the offset of the IP address to be detected within the preset time period, where the offset is determined by the curve of the IP address to be detected and the reference curve. The determining module is used for determining that the IP address to be detected is an abnormal IP address when the offset is greater than the preset offset threshold.
In an optional implementation, the obtaining module is further configured to obtain a reference curve of the multiple IP addresses in a preset time period according to an average value of occurrence times of each IP address in the multiple IP addresses at each time point in the preset time period.
In an optional implementation, the obtaining unit is further configured to select an IP address to be detected from the plurality of IP addresses; and the obtaining unit is further configured to acquire, based on the recorded occurrences of the IP address to be detected, an IP address curve of the IP address to be detected representing its occurrence times over time within the preset time period.
In an alternative implementation, the curve information includes a curve variation coefficient, which is the ratio of the variance of the time-sharing request times at all time points on the curve information in the preset time period to the average of the time-sharing request times at all time points on the curve information in the preset time period; the calculation formula of the curve variation coefficient Y may be represented as Y = S/M, where S is the variance of the time-sharing request times at all time points on the curve information, M is the average value of the time-sharing request times at all time points on the curve information in the preset time period, and S and M are both greater than zero.
In an optional implementation, the offset between the curve information of the to-be-detected IP address in the preset time period and the reference curve information is the difference between the curve variation coefficient of the reference curve and the curve variation coefficient of the to-be-detected IP address; the calculation formula of the offset X may be represented as X = Y1 - Y2, where Y1 is the curve variation coefficient of the reference curve, Y2 is the curve variation coefficient of the to-be-detected IP address, and Y1 and Y2 are both greater than zero.
In a third aspect, an electronic device is provided, which may include a processor, a communication interface, a memory, and a communication bus, where the processor, the communication interface, and the memory complete communication with each other through the communication bus; a memory for storing a computer program; a processor configured to implement the method steps of the first aspect when executing the program stored in the memory.
In a fourth aspect, a server is provided, which includes the electronic device of the third aspect.
In yet another aspect of the present invention, there is also provided a computer-readable storage medium having stored therein instructions, which when run on a computer, cause the computer to execute any one of the above-described IP address detection methods.
In another aspect of the present invention, the present invention also provides a computer program product containing instructions, which when run on a computer, causes the computer to execute any of the above-mentioned IP address detection methods.
The embodiment of the invention provides a detection method and a detection device for an IP address, electronic equipment and a server. According to the method and the device, the IP addresses carried in the service requests are recorded, and the curve of each IP address over a long-term continuous preset time period and the reference curve of the IP addresses over that period are recorded; that is, the long-term continuous behavior information (including normal and malicious behavior) of the IP addresses is reflected. The IP address to be detected is determined to be an abnormal IP address when the offset between its curve information and the curve information of the reference curve within the long-term continuous preset time period is not less than a preset offset threshold. The method realizes a complete evaluation of one IP address and judges whether the IP address is a normal IP address, thereby improving the accuracy of identifying normal IP addresses. Of course, it is not necessary for any product or method practicing the invention to achieve all of the above-described advantages at the same time.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below.
FIG. 1 is a schematic diagram of a detection record of an IP address x;
FIG. 2 is a system framework diagram provided by an embodiment of the present invention;
fig. 3 is a schematic flowchart of a method for detecting an IP address according to an embodiment of the present invention;
fig. 4 is a schematic diagram of an IP address access curve coordinate axis according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of a reference curve provided in accordance with an embodiment of the present invention;
fig. 6 is a schematic diagram of a curve of an IP address to be detected according to an embodiment of the present invention;
fig. 7 is a schematic diagram of another curve for detecting an IP address according to the embodiment of the present invention;
fig. 8 is a schematic structural diagram of a detection apparatus according to an embodiment of the present invention;
fig. 9 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be described below with reference to the drawings in the embodiments of the present invention.
The method for detecting a public IP address egress provided by the present application can be applied to the network system framework shown in fig. 2; the network system may include a server and a user equipment. The server and the user equipment may transmit instructions and data over a network. The server may be the server of an application (e.g., a server of an arcade).
When an attacker (such as a hacker) working in the black-market industry attacks using a normal IP address, the user equipment associated with that IP address is attacked, and the attack behavior (malicious behavior) may be an abnormal behavior such as stealing a user account, inflating volumes (such as website traffic, application download counts or order counts), or spreading network viruses. Through long-term monitoring of IP address 1 and IP address 2 respectively, it can be found that the fluctuation of the attack behavior of an attacker engaged in the black-market industry using IP address 1 against the server and the fluctuation of the normal behavior of a normal user accessing the server through IP address 2 are distinguishable under some conditions, such as in their time distribution.
By monitoring the service requests of a plurality of IP addresses in a service over a long period, the method and the device can obtain the fluctuation of the plurality of IP addresses in time distribution when accessing the same server, and thereby find abnormal IP addresses.
Optionally, since an attacker engaged in the black-market industry is generally a device (or machine), obtaining the fluctuation of an IP address in its time distribution can also help to analyze whether an IP address is used by a normal user (a real person), and can assist in identifying common program-driven attack forms such as credential stuffing (e.g., account theft).
Fig. 3 is a schematic flowchart of a method for detecting an IP address according to an embodiment of the present invention. As shown in fig. 3, the execution subject of the method may be a server, and the method may include:
Step 310, obtaining service requests in a plurality of services, each service request including an IP address.
The user equipment sends a service request to the server using its IP address, and the server collects the service requests of a plurality of services, such as login requests, video requests or shopping requests. Each service request comprises IP address information, for example IP1 address information, IP2 address information and IP3 address information, which come from different IP addresses; what is recorded for each IP address is its number of occurrences at each time point. In the embodiments of the present invention, a plurality means at least two.
Step 320, obtaining a reference curve of the multiple IP addresses in the preset time period according to an IP address curve of each IP address in the multiple IP addresses in the preset time period, where the IP address curve indicates the corresponding relationship between the occurrence number of the IP address and time, and the reference curve indicates the average change value, over time, of the occurrence numbers of the multiple IP addresses.
The preset time period may be one cycle of the IP address, for example the IP address information within the 24 hours of a day. The occurrence frequency of each IP address in the time distribution is recorded to obtain the distribution of the occurrence frequency of each IP address over time, that is, an IP address curve (or IP address access curve) in which the occurrence frequency of each IP address changes with time within the preset time period. The occurrence frequency at each time point of the IP address curve can include both normal occurrences and abnormal occurrences, that is, both the normal behavior and the abnormal behavior of the IP address are reflected.
Taking the occurrence frequency of the IP address within a preset 24-hour period as an example, if 5 different IP addresses exist, and the occurrence frequency of the 5 different IP addresses at each time point (such as 1: 00, 2: 00, 3: 00, etc.) within the 24-hour period is recorded, a curve of the distribution of the occurrence frequency of each IP address with time is obtained based on each recorded time point and the corresponding occurrence frequency.
As shown in fig. 4, the horizontal axis T of the curve coordinates is the time of the distribution time point and the vertical axis N is the number of occurrences (usage count) of the IP address; by recording the number of occurrences of each IP address at each time point, a continuous curve of the number of occurrences of the IP address over continuous time is obtained.
Step 330, acquiring the offset of the IP address to be detected in the preset time period, where the offset is determined by the curve of the IP address to be detected and the reference curve.
When the offset between the curve information of the IP address to be detected in the preset time period and the reference curve information is greater than the preset offset threshold, step 340 is executed.
Step 340, determining that the IP address to be detected is an abnormal IP address.
The server identifies whether the IP address to be detected is an abnormal IP address (or malicious IP address) according to the offset.
When the offset is greater than the preset offset threshold, the server determines that the IP address to be detected is an abnormal IP address, that is, the curve variation coefficient of the IP address to be detected differs too much from the curve variation coefficient of the reference curve.
When the offset is not greater than the preset offset threshold, the server determines that the IP address to be detected is a normal IP address, that is, the curve variation coefficient of the curve of the IP address to be detected differs only slightly from, or is the same as, the curve variation coefficient of the reference curve; for example, the states of curve I0 and curve I1 are almost the same, and the difference between the two is small.
Taking the preset time period as 24 hours and the preset offset threshold as 0.02 as an example, the occurrence frequency of curve I0, curve I1 and curve I2 at each time point within the 24 hours can be as shown in table 1.
TABLE 1
From the information in table 1, one can obtain:
the mean M0 of the number of occurrences of curve I0 over 24 hours is 2142.5 and the variance S0 of the number of occurrences is 920.141519912, from which the coefficient of variation Y0 of curve I0 is found to be 0.429470954;
the mean M1 of the number of occurrences of curve I1 over 24 hours is 1653.041666667 and the variance S1 of the number of occurrences is 678.513907937, from which the coefficient of variation Y1 of curve I1 is found to be 0.410463887;
the mean M2 of the number of occurrences of curve I2 over 24 hours is 1688.83333333 and the variance S2 of the number of occurrences is 327.942533923, from which the coefficient of variation Y2 of curve I2 is found to be 0.194182888.
The offset between curve I0 and curve I1 is 0.429470954 - 0.410463887 = 0.019; the offset between curve I0 and curve I2 is 0.429470954 - 0.194182888 = 0.235.
It can be seen that the offset 0.019 between curve I0 and curve I1 is less than 0.02, which indicates that the difference between curve I0 and curve I1 is small, while the offset 0.235 between curve I0 and curve I2 is greater than 0.02, which indicates that the difference between curve I0 and curve I2 is large.
It should be noted that the preset offset threshold can be customized according to the actual situation and the required recognition accuracy.
In summary, the method provided by the application records, from the IP addresses carried in the service requests of the multiple IP addresses, a curve of the occurrence times (including normal occurrences and abnormal occurrences) of each IP address over a long-term continuous preset time period together with a reference curve, and determines that the IP address to be detected is an abnormal IP address when the offset between the curve information of the IP address to be detected and the curve information of the reference curve over that long-term continuous preset time period is not less than the preset offset threshold. The method realizes a complete evaluation of one IP address and judges whether the IP address is an abnormal IP address, thereby improving the accuracy of identifying abnormal IP addresses.
In an alternative embodiment, the IP address information referred to in step 310 may be, in the embodiment of the present application, the number of occurrences of the IP address at each time point, where a time point is the moment at which the occurrence count of the IP address is collected; for example, if the occurrences of the IP address between 8:00 and 10:00 are collected, the selected time points may be 8:15, 8:30, 8:45, 9:00, …, 9:45, 10:00.
Based on the recorded number of occurrences of each IP address in the plurality of IP addresses in the preset time period and in the time distribution, the average value of the number of occurrences of the plurality of IP addresses in the preset time period and in the time distribution is obtained, so as to obtain an average variation curve, i.e., a reference curve, of the plurality of IP addresses in the time distribution within the preset time period.
The server can analyze the obtained IP addresses to obtain a curve of the multiple IP addresses over time as shown in fig. 5, where curve I0 shows that the access status (usage frequency) is high in the daytime and low at night, with double peaks in the afternoon hours.
Therefore, in a preset time period, by recording the occurrences of the IP addresses in the time distribution, the average value of the occurrences of the IP addresses at each time point in the time distribution can be counted accurately, and the IP addresses are displayed vividly in the form of a reference curve, which improves the readability of the data.
In an optional embodiment, before performing step 330, the server needs to acquire an IP address to be detected, where the IP address to be detected may be one selected from the acquired multiple IP addresses or may be a new IP address to be detected. Based on the method for acquiring the curve information of each IP address, the server acquires the curve of the IP address to be detected in the preset time period. In one example, the curve formed by the IP address to be detected may be curve I1 as shown in fig. 6, which shows the characteristics that the access status (usage frequency) is high in the daytime and low at night, high during the noon break and low after work. Alternatively, the curve formed by the IP address to be detected may be curve I2 as shown in fig. 7, which exhibits the characteristics that the access status (usage frequency) is low in the daytime and high at night, with double low points during the noon break and after work.
Therefore, by obtaining the curve of the IP address to be detected in the preset time period, the use of the IP address to be detected by the user over time can be observed visually, and the man-machine identification capability is enhanced; that is, whether the user of the IP address to be detected is a normal user or an attacking machine can be identified easily, the identification criterion being that a normal user uses the IP address according to a certain work-and-rest rhythm, whereas an attacking machine does not, for example using the IP address continuously.
In an optional embodiment, the server obtains a curve of the to-be-detected IP address within a preset time period based on the obtained IP address of the to-be-detected IP address, and obtains a curve variation coefficient of the curve.
In step 320, curve information on the IP address curve is obtained, which may include a curve coefficient of variation. The curve variation coefficient is the ratio of the variance of the time-sharing request times at all time points on the curve information in the preset time period to the average of the time-sharing request times at all time points on the curve information in the preset time period. The time-sharing request times are the request counts corresponding to each time point.
The formula for calculating the coefficient of variation Y of the curve can be expressed as Y = S/M, where S is the variance of the time-sharing request times at all time points on the curve information, M is the average value of the time-sharing request times at all time points on the curve information in the preset time period, and S and M are both greater than zero.
Therefore, the change degree of the IP address curve to be detected and the change degree of the reference curve are better reflected through the curve variation coefficient.
In an optional embodiment, after step 330, the server may further obtain the offset between the curve information of the IP address to be detected in the preset time period and the curve information of the reference curve. This offset is the difference between the curve variation coefficient of the reference curve and the curve variation coefficient of the IP address to be detected.
The offset X can be calculated as X = Y1 - Y2, where Y1 is the curve variation coefficient of the reference curve, Y2 is the curve variation coefficient of the IP address to be detected, and Y1 and Y2 are both greater than zero.
By comparing the curve variation coefficient of the reference curve with the curve variation coefficient of the IP address curve to be detected, the degree to which the IP address curve to be detected deviates from the reference curve can be detected conveniently, and whether the IP address to be detected is an abnormal IP address is determined.
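As an added example that is not part of the patent or the applicant's own code, the following Python implements steps 310 to 340 end to end and also covers the curve variation coefficient Y = S/M and the offset X = Y1 - Y2 defined above. Service request lines (constructed here, using documentation IP ranges) are parsed into per-IP hourly curves, the reference curve is the per-time-point mean of all curves, Y is computed for each curve, and X is compared with the 0.02 threshold from the table 1 example. Two points a practitioner would check are built in. First, S is computed as the standard deviation rather than the variance: the page's own figures (S0 = 920.14, M0 = 2142.5, Y0 = 0.4295) only agree with Y = S/M when S is the standard deviation. Second, the offset is signed exactly as the page defines it, so only a curve flatter than the reference (lower coefficient of variation, the continuous-use shape the page attributes to an attacking machine) can exceed the threshold; a curve spikier than the reference gets a negative offset and is never flagged. The log line format, the hourly time points, the sample counts and the use of the same IP set for the reference curve are assumptions.

```python
"""Added example (not the patent's own code): steps 310-340 of the method
applied to constructed request records.

Assumptions (not from the page): a service request is a log line of the form
'<ISO-8601 timestamp> <client IP> <method> <path>'; the preset time period is one
24-hour day with one time point per hour; the reference curve is built from the
same set of IPs that contains the IP under test.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

TIME_POINTS = 24          # hourly time points of the preset 24-hour period
OFFSET_THRESHOLD = 0.02   # the preset offset threshold used in the page's example

# Constructed hourly occurrence counts (hours 0..23) for three IPs.  Two follow a
# daytime-heavy work/rest rhythm; the third is flat, the shape the page associates
# with a machine that uses an IP continuously.
CONSTRUCTED_COUNTS = {
    "198.51.100.10": [1] * 8 + [9] * 12 + [1] * 4,
    "198.51.100.11": [2] * 8 + [10] * 12 + [2] * 4,
    "203.0.113.5":   [5] * 24,
}


def make_log_lines(hourly_counts, day="2017-10-18"):
    """Expand constructed hourly counts into synthetic service request lines."""
    lines = []
    for ip, counts in hourly_counts.items():
        for hour, n in enumerate(counts):
            for i in range(n):
                lines.append(f"{day}T{hour:02d}:{i % 60:02d}:00Z {ip} GET /login")
    return lines


def parse_log_line(line):
    """Step 310: extract (timestamp, IP) from one service request line."""
    ts, ip, _rest = line.split(" ", 2)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip


def ip_curves(lines):
    """Step 320: per-IP curve of occurrence count versus hourly time point."""
    curves = defaultdict(lambda: [0] * TIME_POINTS)
    for line in lines:
        ts, ip = parse_log_line(line)
        curves[ip][ts.hour] += 1
    return dict(curves)


def reference_curve(curves):
    """Mean occurrence count of all IPs at each time point (the reference curve)."""
    return [mean(c[t] for c in curves.values()) for t in range(TIME_POINTS)]


def variation_coefficient(curve):
    """Y = S / M.  The page calls S the variance, but its worked figures
    (S0 = 920.14, M0 = 2142.5, Y0 = 0.4295) only agree if S is the standard
    deviation, so the population standard deviation is used.  M must be > 0."""
    m = mean(curve)
    if m <= 0:
        raise ValueError("curve mean must be greater than zero")
    return pstdev(curve) / m


def offset(reference, curve):
    """X = Y1 - Y2, signed exactly as the page defines it."""
    return variation_coefficient(reference) - variation_coefficient(curve)


def is_abnormal(reference, curve, threshold=OFFSET_THRESHOLD):
    """Step 340: abnormal when the offset exceeds the preset threshold."""
    return offset(reference, curve) > threshold


def detect(lines, threshold=OFFSET_THRESHOLD):
    """Run steps 310-340 over request lines; returns {ip: (offset, abnormal)}."""
    curves = ip_curves(lines)
    ref = reference_curve(curves)
    return {ip: (offset(ref, c), is_abnormal(ref, c, threshold))
            for ip, c in curves.items()}


if __name__ == "__main__":
    for ip, (x, bad) in detect(make_log_lines(CONSTRUCTED_COUNTS)).items():
        print(f"{ip:15s} offset={x:+.4f} {'ABNORMAL' if bad else 'normal'}")
```

With the constructed counts the reference curve has Y1 = 0.5, the two day-heavy IPs have Y2 = 0.8 and 0.667 (negative offsets, not flagged), and the flat IP has Y2 = 0, an offset of 0.5, and is flagged. Note how the flat IP pulls the reference coefficient down: with the page's tight 0.02 threshold, a normal IP whose curve is only slightly flatter than the reference is also reported, so the threshold has to be calibrated against the traffic mix as the page itself advises.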
Corresponding to the method, the embodiment of the invention also provides a structural schematic diagram of a detection device. As shown in fig. 8, the detection device may include an acquisition module 810 and a determination module 820, where:
the acquisition module 810 is configured to acquire service requests in multiple services, each service request carrying an IP address;
the acquisition module 810 is configured to acquire a reference curve of the multiple IP addresses in a preset time period according to an IP address curve of each of the multiple IP addresses in the preset time period, where the IP address curve represents the correspondence between the occurrence frequency of each IP address and time, and the reference curve represents the average change value of the multiple IP addresses in the preset time period;
the acquisition module 810 is further configured to acquire an offset of the IP address to be detected within the preset time period, where the offset is determined by the curve of the IP address to be detected and the reference curve;
the determination module 820 is configured to determine that the IP address to be detected is an abnormal IP address when the offset between the curve information of the IP address to be detected in the preset time period and the reference curve information is greater than a preset offset threshold.
Optionally, the acquisition module 810 is further configured to obtain the reference curve of the multiple IP addresses in the preset time period according to the average value of the occurrence counts of each of the multiple IP addresses at each time point in the preset time period.
Optionally, the acquisition module 810 is further configured to select an IP address to be detected from the plurality of IP addresses;
the acquisition module 810 is further configured to obtain, based on the record of the IP address to be detected, curve information of the occurrence frequency of the IP address to be detected at each time point in the preset time period.
Optionally, the curve information includes a curve variation coefficient. The curve variation coefficient is the ratio of the variance of the time-sharing request counts at all time points on the curve information in the preset time period to the average of the time-sharing request counts at all time points on the curve information in the preset time period, and the formula for the curve variation coefficient Y may be expressed as Y = S/M, where S is the variance of the time-sharing request counts at all time points on the curve information and M is the average of the time-sharing request counts at all time points on the curve information in the preset time period. S and M are both greater than zero.
Optionally, the offset between the curve information of the IP address to be detected within the preset time period and the reference curve information is the difference between the curve variation coefficient of the reference curve and the curve variation coefficient of the IP address to be detected, and the formula for the offset X may be expressed as X = Y1 - Y2, where Y1 is the curve variation coefficient of the reference curve and Y2 is the curve variation coefficient of the IP address to be detected. Y1 and Y2 are both greater than zero.
The functions of the functional modules of the detection apparatus provided in the above embodiment of the present invention can be implemented by the method steps shown in fig. 3; the specific working process and beneficial effects of the modules therefore follow from the method embodiment and are not described again here.
Fig. 9 is a schematic structural diagram of an electronic device according to an embodiment of the present invention. As shown in fig. 9, the electronic device comprises a processor 910, a communication interface 920, a memory 930 and a communication bus 940, wherein the processor 910, the communication interface 920 and the memory 930 communicate with each other through the communication bus 940;
the memory 930 is configured to store a computer program;
the processor 910 is configured to implement the following steps when executing the program stored in the memory 930:
acquiring service requests in a plurality of services, wherein each service request comprises an IP address;
acquiring a reference curve of a plurality of IP addresses in a preset time period according to an IP address curve of each of the plurality of IP addresses in the preset time period, wherein the IP address curve represents the correspondence between the occurrence count of an IP address and time, and the reference curve represents the average change value of the plurality of IP addresses in the preset time period;
acquiring the offset of the IP address to be detected in the preset time period, wherein the offset is determined by the curve of the IP address to be detected and the reference curve;
and when the offset is larger than a preset offset threshold, determining that the IP address to be detected is an abnormal IP address (or malicious IP address).
Optionally, acquiring a reference curve of the plurality of IP addresses in the preset time period according to an IP address curve of each of the plurality of IP addresses in the preset time period includes: obtaining the reference curve of the plurality of IP addresses in the preset time period according to the average value of the occurrence counts of each of the plurality of IP addresses at each time point in the preset time period.
Optionally, an IP address to be detected is acquired from the plurality of IP addresses, and an IP address curve to be detected, in which the occurrence count of the IP address to be detected in the preset time period changes over time, is acquired based on the record of the IP address to be detected.
Optionally, the curve information includes a curve variation coefficient. The curve variation coefficient is the ratio of the variance of the time-sharing request counts at all time points on the curve information in the preset time period to the average of the time-sharing request counts at all time points on the curve information in the preset time period, and the formula for the curve variation coefficient Y may be expressed as Y = S/M, where S is the variance of the time-sharing request counts at all time points on the curve information, M is the average of the time-sharing request counts at all time points on the curve information in the preset time period, and both S and M are greater than zero.
Optionally, the offset between the curve information of the IP address to be detected in the preset time period and the reference curve information is the difference between the curve variation coefficient of the reference curve and the curve variation coefficient of the IP address to be detected, and the formula for the offset X may be expressed as X = Y1 - Y2, where Y1 is the curve variation coefficient of the reference curve, Y2 is the curve variation coefficient of the IP address to be detected, and Y1 and Y2 are both greater than zero.
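A worked example of the procedure described above (the IP address curves, the reference curve as the per-time-point average, Y = S/M, X = Y1 - Y2 and the threshold comparison), added here and not the applicant's code. The request log, IP addresses, hourly bin size, population variance and the threshold value 0.5 are all constructed assumptions.

```python
"""Added worked example of the IP address curve / reference curve check.
Constructed sample data; not code from the patent applicant."""
from statistics import mean, pvariance
from typing import Dict, List, Tuple

BIN_SECONDS = 3600       # one time point per hour (assumed granularity)
PERIOD_BINS = 6          # the "preset time period" spans six time points
OFFSET_THRESHOLD = 0.5   # the "preset offset threshold"; value assumed

# Constructed per-hour request counts used to synthesise a request log.
# Three clients follow a bursty pattern; 10.0.0.9 sends at a flat, constant rate.
_SAMPLE_PATTERN: Dict[str, List[int]] = {
    "10.0.0.1": [2, 8, 4, 10, 2, 4],
    "10.0.0.2": [1, 6, 3, 7, 1, 3],
    "10.0.0.3": [3, 9, 5, 12, 3, 4],
    "10.0.0.9": [6, 6, 6, 6, 6, 6],
}

# Service requests as (timestamp_seconds, client_ip), spaced 7 s apart inside
# each hour so that binning recovers the pattern above.
SAMPLE_REQUESTS: List[Tuple[int, str]] = [
    (hour * BIN_SECONDS + i * 7, ip)
    for ip, counts in _SAMPLE_PATTERN.items()
    for hour, n in enumerate(counts)
    for i in range(n)
]


def build_ip_curves(requests, period_start=0, bins=PERIOD_BINS,
                    bin_seconds=BIN_SECONDS) -> Dict[str, List[int]]:
    """Count each IP's requests per time point: the IP address curves."""
    curves: Dict[str, List[int]] = {}
    for ts, ip in requests:
        idx = (ts - period_start) // bin_seconds
        if 0 <= idx < bins:  # requests outside the preset period are ignored
            curves.setdefault(ip, [0] * bins)[idx] += 1
    return curves


def reference_curve(curves: Dict[str, List[int]]) -> List[float]:
    """The reference curve: mean occurrence count over all IPs at each time point."""
    ips = list(curves)
    bins = len(curves[ips[0]])
    return [mean([curves[ip][t] for ip in ips]) for t in range(bins)]


def curve_variation_coefficient(curve) -> float:
    """Y = S / M as defined in the text: S is the (population) variance and M
    the mean of the time-sharing request counts over the period.  M must be
    positive; a perfectly flat curve has S = 0 and therefore Y = 0."""
    m = mean(curve)
    if m <= 0:
        raise ValueError("no requests in the period; Y is undefined")
    return pvariance(curve) / m


def offset(reference, detected) -> float:
    """X = Y1 - Y2: positive when the detected curve varies less than the
    reference curve, e.g. a client requesting at a near-constant rate."""
    return curve_variation_coefficient(reference) - curve_variation_coefficient(detected)


def is_abnormal(ip: str, curves: Dict[str, List[int]],
                threshold: float = OFFSET_THRESHOLD) -> bool:
    """The IP is abnormal when its offset X exceeds the preset threshold."""
    return offset(reference_curve(curves), curves[ip]) > threshold


def detect_abnormal_ips(requests, threshold: float = OFFSET_THRESHOLD) -> List[str]:
    """Run the whole procedure over a request log and return the abnormal IPs."""
    curves = build_ip_curves(requests)
    ref = reference_curve(curves)
    return sorted(ip for ip, c in curves.items() if offset(ref, c) > threshold)


if __name__ == "__main__":
    curves = build_ip_curves(SAMPLE_REQUESTS)
    ref = reference_curve(curves)
    print("reference curve:", ref)
    for ip, c in sorted(curves.items()):
        verdict = "abnormal" if is_abnormal(ip, curves) else "normal"
        print(ip, c, "X = %.3f" % offset(ref, c), verdict)
    print("abnormal IPs:", detect_abnormal_ips(SAMPLE_REQUESTS))
```

With these constructed counts the bursty clients have Y2 above the reference Y1 and negative X, while the flat-rate client has Y2 = 0 and X = Y1 ≈ 0.905, which exceeds the assumed threshold.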
The communication bus mentioned in the electronic device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.
The communication interface is used for communication between the electronic equipment and other equipment.
The memory may include a Random Access Memory (RAM) or a Non-Volatile Memory (NVM), such as at least one disk memory. Optionally, the memory may also be at least one memory device located remotely from the processor.
The processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
Since the implementation and beneficial effects of each component of the electronic device in the above embodiment can be understood by referring to the steps of the embodiment shown in fig. 3, the detailed working process and beneficial effects of the electronic device provided by the embodiment of the present invention are not described here again.
It should be noted that the electronic device may be applied to a server.
In another embodiment of the present invention, a computer-readable storage medium is further provided, which stores instructions that, when executed on a computer, cause the computer to execute the IP address detection method described in any one of the above embodiments.
In yet another embodiment of the present invention, there is also provided a computer program product containing instructions which, when run on a computer, cause the computer to perform the method for detecting an IP address as described in any of the above embodiments.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, it may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions described in accordance with the embodiments of the invention occur, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or another programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center via a wired (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, radio, microwave) link. The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device, such as a server or data center, that incorporates one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The above description is only for the preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.
Claims (12)
1. A method for detecting an IP address, the method comprising:
acquiring service requests of a plurality of services, wherein each service request carries an IP address;
acquiring a reference curve of a plurality of IP addresses in a preset time period according to an IP address curve of each IP address in the plurality of IP addresses in the preset time period, wherein the IP address curve is used for representing the corresponding relation between the occurrence frequency and the time of the IP addresses, and the reference curve is used for representing the average change value of the plurality of IP addresses in the preset time period;
acquiring the offset of the IP address to be detected in the preset time period, wherein the offset is determined by the curve of the IP address to be detected and the reference curve;
and when the offset is larger than a preset offset threshold, determining that the IP address to be detected is an abnormal IP address.
2. The method according to claim 1, wherein the obtaining a reference curve of a plurality of IP addresses in a preset time period according to an IP address curve of each IP address in the plurality of IP addresses in the preset time period comprises:
and obtaining a reference curve of the plurality of IP addresses in the preset time period according to the average value of the occurrence times of each IP address in the plurality of IP addresses at each time point in the preset time period.
3. The method according to claim 1, wherein after obtaining a reference curve of a plurality of IP addresses within a preset time period according to an IP address curve of each IP address within the preset time period, the method further comprises:
acquiring an IP address to be detected from a plurality of IP addresses corresponding to the plurality of IP addresses;
and acquiring a to-be-detected IP address curve of the to-be-detected IP address, wherein the occurrence frequency of the to-be-detected IP address in the preset time period changes along with time, based on the recorded IP address of the to-be-detected IP address.
4. The method of claim 1, wherein the curve information comprises a curve coefficient of variation;
the curve variation coefficient is the ratio of the variance of the time-sharing request times of all the time points on the curve information in the preset time period to the average value of the time-sharing request times of all the time points on the curve information in the preset time period;
the calculation formula of the curve variation coefficient Y can be expressed as Y = S/M, wherein S is the variance of the time-sharing request times of all time points on the curve information, M is the average value of the time-sharing request times of all the time points on the curve information in the preset time period, and both S and M are greater than zero.
5. The method according to claim 4, wherein the offset of the curve information of the IP address to be detected in the preset time period from the reference curve information is the difference between the curve variation coefficient of the reference curve and the curve variation coefficient of the IP address to be detected;
the calculation formula of the offset X can be expressed as X = Y1 - Y2, wherein Y1 is the curve variation coefficient of the reference curve, Y2 is the curve variation coefficient of the IP address to be detected, and Y1 and Y2 are both larger than zero.
6. A detection device, the device comprising an acquisition module and a determination module, wherein:
the acquiring module is used for acquiring service requests in a plurality of services, and each service request carries an IP address;
the acquiring module is configured to acquire a reference curve of the plurality of IP addresses in a preset time period according to an IP address curve of each IP address in the plurality of IP addresses in the preset time period, where the IP curve is used to represent a correspondence between the occurrence frequency of the IP address and time, and the reference curve is used to represent an average change value of the plurality of IP addresses in the preset time period;
the acquiring module is further configured to acquire an offset of the to-be-detected IP address within the preset time period, where the offset is determined by the curve of the to-be-detected IP address and the reference curve;
the determining module is configured to determine that the IP address to be detected is an abnormal IP address when the offset is greater than a preset offset threshold.
7. The apparatus according to claim 6, wherein the obtaining module is further configured to obtain a reference curve of the plurality of IP addresses in the preset time period according to an average value of occurrence times of each IP address in the plurality of IP addresses at each time point in the preset time period.
8. The apparatus according to claim 6, wherein the obtaining module is further configured to select an IP address to be detected from a plurality of IP addresses corresponding to the plurality of IP addresses;
the acquiring module is further configured to acquire, based on the recorded IP address of the IP address to be detected, an IP address curve to be detected in which the number of occurrences of the IP address to be detected within the preset time period is time-dependent.
9. The apparatus of claim 6, wherein the curve information comprises a curve coefficient of variation;
the curve variation coefficient is the ratio of the variance of the time-sharing request times of all the time points on the curve information in the preset time period to the average value of the time-sharing request times of all the time points on the curve information in the preset time period;
the calculation formula of the curve variation coefficient Y can be expressed as Y = S/M, wherein S is the variance of the time-sharing request times of all time points on the curve information, M is the average value of the time-sharing request times of all the time points on the curve information in the preset time period, and both S and M are greater than zero.
10. The apparatus according to claim 9, wherein an offset between the curve information of the IP address to be detected in the preset time period and the reference curve information is a difference between the curve variation coefficient of the reference curve and the curve variation coefficient of the IP address to be detected;
the calculation formula of the offset X can be expressed as X = Y1 - Y2, wherein Y1 is the curve variation coefficient of the reference curve, Y2 is the curve variation coefficient of the IP address to be detected, and Y1 and Y2 are both larger than zero.
11. An electronic device, characterized by comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with each other through the communication bus;
a memory for storing a computer program;
a processor for implementing the method steps of any one of claims 1 to 5 when executing a program stored in the memory.
12. A computer-readable storage medium, characterized in that a computer program is stored in the computer-readable storage medium, which computer program, when being executed by a processor, carries out the method steps of any one of the claims 1-5.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710970197.5A CN107682345B (en) | 2017-10-16 | 2017-10-16 | IP address detection method and device and electronic equipment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710970197.5A CN107682345B (en) | 2017-10-16 | 2017-10-16 | IP address detection method and device and electronic equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107682345A CN107682345A (en) | 2018-02-09 |
CN107682345B true CN107682345B (en) | 2020-03-06 |
Family
ID=61139641
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710970197.5A Active CN107682345B (en) | 2017-10-16 | 2017-10-16 | IP address detection method and device and electronic equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107682345B (en) |
Families Citing this family (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109413044B (en) * | 2018-09-26 | 2022-08-02 | 中国平安人寿保险股份有限公司 | Abnormal access request identification method and terminal equipment |
CN109413047B (en) * | 2018-09-29 | 2021-02-26 | 武汉极意网络科技有限公司 | Behavior simulation judgment method, behavior simulation judgment system, server and storage medium |
CN110365747B (en) * | 2019-06-24 | 2022-04-01 | 北京奇艺世纪科技有限公司 | Network request processing method and device, server and computer readable storage medium |
CN110290132B (en) * | 2019-06-24 | 2022-02-11 | 北京奇艺世纪科技有限公司 | IP address processing method and device, electronic equipment and storage medium |
CN111224936B (en) * | 2019-11-07 | 2022-08-02 | 中冶赛迪重庆信息技术有限公司 | User abnormal request detection method, system, device and machine readable medium |
CN110809004A (en) * | 2019-11-12 | 2020-02-18 | 成都知道创宇信息技术有限公司 | Safety protection method and device, electronic equipment and storage medium |
CN116663021B (en) * | 2023-07-25 | 2023-11-03 | 闪捷信息科技有限公司 | Machine request behavior recognition method, device, electronic equipment and storage medium |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2011193343A (en) * | 2010-03-16 | 2011-09-29 | Kddi Corp | Communications network monitoring system |
CN104113519A (en) * | 2013-04-16 | 2014-10-22 | 阿里巴巴集团控股有限公司 | Network attack detection method and device thereof |
CN104767640A (en) * | 2015-03-25 | 2015-07-08 | 亚信科技(南京)有限公司 | Early-warning method and system |
CN105281966A (en) * | 2014-06-13 | 2016-01-27 | 腾讯科技(深圳)有限公司 | Method and device for identifying abnormal traffic of network equipment |
CN105491054A (en) * | 2015-12-22 | 2016-04-13 | 网易(杭州)网络有限公司 | Method and apparatus for determining malicious access, and method and apparatus for intercepting malicious access |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||