CN107911232A - A method and device for determining business operation rules - Google Patents

A method and device for determining business operation rules

Info

Publication number: CN107911232A
Authority: CN (China)
Prior art keywords: historical requests, business operation, sequence, business, history service
Legal status: Granted
Application number: CN201711022301.4A
Other languages: Chinese (zh)
Other versions: CN107911232B (en)
Inventor: 吴子建
Current Assignee: NSFOCUS Information Technology Co Ltd; Beijing NSFocus Information Security Technology Co Ltd
Original Assignee: NSFOCUS Information Technology Co Ltd; Beijing NSFocus Information Security Technology Co Ltd
Application filed by NSFOCUS Information Technology Co Ltd, Beijing NSFocus Information Security Technology Co Ltd
Priority to CN201711022301.4A
Publication of CN107911232A
Application granted
Publication of CN107911232B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0876 Aspects of the degree of configuration automation
    • H04L41/0883 Semiautomatic configuration, e.g. proposals from system
    • H04L41/14 Network analysis or design
    • H04L41/142 Network analysis or design using statistical or mathematical methods
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H04L41/50 Network service management, e.g. ensuring proper service fulfilment according to agreements
    • H04L41/5041 Network service management, e.g. ensuring proper service fulfilment according to agreements characterised by the time relationship between creation and deployment of a service
    • H04L41/5048 Automatic or semi-automatic definitions, e.g. definition templates
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Algebra (AREA)
  • Automation & Control Theory (AREA)
  • Mathematical Analysis (AREA)
  • Mathematical Optimization (AREA)
  • Mathematical Physics (AREA)
  • Probability & Statistics with Applications (AREA)
  • Pure & Applied Mathematics (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Computer And Data Communications (AREA)

Abstract

The embodiments of the present invention provide a method and device for determining business operation rules, to solve the technical problem that configuring business operation rules in the prior art is difficult and inaccurate. The method includes: obtaining M historical requests initiated by users; extracting the key attribute fields of each of the M historical requests; clustering and sorting the M historical requests according to the key attribute fields of each historical request, to obtain N historical business operation behaviors and the business operation sequence corresponding to each of the N historical business operation behaviors, where one historical business operation behavior corresponds to one business operation sequence, one business operation sequence corresponds to at least one historical request, and N<M; determining, from the business operation sequences corresponding to the N historical business operation behaviors, the business operation sequences that satisfy a preset condition; and generating business operation rules according to the determined business operation sequences.

Description

A method and device for determining business operation rules
Technical field
The present invention relates to the field of information processing, and in particular to a method and device for determining business operation rules.
Background
As advanced persistent threats (Advanced Persistent Threat, APT) become widespread, security threats against business systems are increasing. Currently, security monitoring products for business systems, such as operating system (Operating System, OS) vulnerability scanning systems, Web vulnerability scanning systems and database (Database, DB) vulnerability scanning systems, can only detect and protect against security threats at the network level of a business system. Against security threats at the business application level, such as verification code guessing, password brute-force cracking and missing key business operation steps, they have no protective effect.
To monitor security threats at the business application level, the prior art adopts the following technical solution: a business operation rule is manually formulated for each business, and whether to raise an alarm for abnormal business operation by a user is determined by judging whether the business operation flow performed by the user conforms to the corresponding business operation rule.
However, this existing method of manually configuring business operation rules requires the administrator to be very familiar with the business system, so it is very difficult to implement; moreover, the accuracy of business operation rules configured entirely by hand cannot be well guaranteed.
Summary of the invention
The embodiments of the present invention provide a method and device for determining business operation rules, to solve the technical problem that configuring business operation rules in the prior art is difficult and inaccurate.
A first aspect of the embodiments of the present invention provides a method for determining business operation rules, including:
obtaining M historical requests initiated by users;
extracting the key attribute fields of each of the M historical requests initiated by users;
clustering and sorting the M historical requests according to the key attribute fields of each historical request, to obtain N historical business operation behaviors and the business operation sequence corresponding to each of the N historical business operation behaviors, where one historical business operation behavior corresponds to one business operation sequence, one business operation sequence corresponds to at least one historical request, and N<M;
determining, from the business operation sequences corresponding to the N historical business operation behaviors, the business operation sequences that satisfy a preset condition;
generating business operation rules according to the determined business operation sequences.
In the above scheme, statistical analysis is performed on the historical request data initiated by a large number of users, the business operation sequences that satisfy the preset condition are extracted, and business operation rules are generated from those business operation sequences. This effectively reduces the administrator's workload, lowers the difficulty of configuring business operation rules, and improves the accuracy of business operation rule configuration.
Optionally, obtaining the M historical requests initiated by users includes: selecting, from P initial historical requests initiated by users, M Hypertext Transfer Protocol (HyperText Transfer Protocol, HTTP) requests of the POST type as the M historical requests initiated by users. In this way, statistical analysis can be performed on HTTP requests of the POST type to determine the business operation rules for business-handling operations, which effectively reduces the administrator's workload, lowers the difficulty of configuring business operation rules, and improves the accuracy of business operation rule configuration.
Optionally, the key attribute fields include the time identifier, user identifier, session identifier and service identifier of each historical request. Clustering and sorting the M historical requests according to the key attribute fields of each historical request, to obtain N historical business operation behaviors and the business operation sequence corresponding to each of them, includes: according to the user identifier, session identifier and service identifier of each historical request, aggregating the historical requests among the M historical requests that were initiated by the same user while handling the same business in the same session, to obtain N categories, where one category represents one historical business operation behavior; sorting the historical requests of each of the N categories by time identifier, to obtain N historical request sequences; and determining the business operation sequence corresponding to each historical business operation behavior according to the historical request sequence of each category. In this way, the historical requests can be clustered and sorted to generate multiple historical request sequences, from which the business operation sequence corresponding to each historical business operation behavior is determined, ensuring the accuracy of business operation rule configuration.
Optionally, the key attribute fields further include the Uniform Resource Locator (Uniform Resource Locator, URL) identifier and the request parameter attribute identifier of each historical request. After the M historical requests are clustered and before the historical requests of each category are sorted by time identifier, the method further includes: determining, within the historical requests of any category among the N categories, the historical requests whose URL identifier and request parameter attribute identifier are both identical; and de-duplicating the historical requests whose URL identifier and request parameter attribute identifier are both identical, so that within the historical requests of any category each historical request has a different URL identifier and request parameter attribute identifier. In this way, the minimal business operation sequence a user follows when handling a business can be obtained, further improving the accuracy of the method for determining business operation rules.
Optionally, determining the business operation sequence corresponding to each historical business operation behavior according to the historical request sequence of each category includes: generating the business operation sequence corresponding to each historical business operation behavior according to the URL identifier sequence and the request parameter attribute identifier sequence corresponding to each historical request sequence. In this way, the business operation sequence corresponding to each historical business operation behavior can be obtained from each historical request sequence, ensuring the accuracy of the method for determining business operation rules.
Optionally, determining, from the business operation sequences corresponding to the N historical business operation behaviors, the business operation sequences that satisfy the preset condition includes: using a hidden Markov model (Hidden Markov Model, HMM) to split the long business operation sequence corresponding to each historical business operation behavior, to obtain K short business operation sequences, K>=N; and determining, from the K short business operation sequences, the short business operation sequences that satisfy the preset condition. In this way, a long business operation sequence can be split into multiple short business operation sequences, achieving an accurate subdivision of business operation sequences and further improving the accuracy of the method for determining business operation rules.
Optionally, the preset condition includes: the number of occurrences exceeds a predetermined value; or the number of occurrences is the highest. In this way, the accuracy of the method for determining business operation rules can be improved.
Optionally, after the business operation rules are generated according to the determined business operation sequences, the method further includes: sending the generated business operation rules to an administrator for confirmation; and, after receiving the confirmation message fed back by the administrator, making the business operation rules take effect. In this way, the accuracy of the method for determining business operation rules can be improved.
A second aspect of the embodiments of the present invention provides a device for determining business operation rules, including: an acquiring unit, configured to obtain M historical requests initiated by users; a processing unit, configured to extract the key attribute fields of each of the M historical requests initiated by users; to cluster and sort the M historical requests according to the key attribute fields of each historical request, to obtain N historical business operation behaviors and the business operation sequence corresponding to each of the N historical business operation behaviors, where one historical business operation behavior corresponds to one business operation sequence, one business operation sequence corresponds to at least one historical request, and N<M; and to determine, from the business operation sequences corresponding to the N historical business operation behaviors, the business operation sequences that satisfy a preset condition; and a generation unit, configured to generate business operation rules according to the determined business operation sequences.
Optionally, the acquiring unit is configured to: obtain P initial historical requests initiated by users, P>=M; and select, from the P initial historical requests initiated by users, M HTTP requests of the POST type as the M historical requests initiated by users.
Optionally, the key attribute fields include the time identifier, user identifier, session identifier and service identifier of each historical request. The processing unit is configured to: according to the user identifier, session identifier and service identifier of each historical request, aggregate the historical requests among the M historical requests that were initiated by the same user while handling the same business in the same session, to obtain N categories, where one category represents one historical business operation behavior; sort the historical requests of each of the N categories by time identifier, to obtain N historical request sequences; and determine the business operation sequence corresponding to each historical business operation behavior according to the historical request sequence of each category.
Optionally, the key attribute fields further include the URL identifier and the request parameter attribute identifier of each historical request. The processing unit is further configured to: after the M historical requests are clustered and before the historical requests of each category are sorted by time identifier, determine, within the historical requests of any category among the N categories, the historical requests whose URL identifier and request parameter attribute identifier are both identical; and de-duplicate the historical requests whose URL identifier and request parameter attribute identifier are both identical, so that within the historical requests of any category each historical request has a different URL identifier and request parameter attribute identifier.
Optionally, the processing unit is configured to: generate the business operation sequence corresponding to each historical business operation behavior according to the URL identifier sequence and the request parameter attribute identifier sequence corresponding to each historical request sequence.
Optionally, the processing unit is configured to: use an HMM to split the long business operation sequence corresponding to each historical business operation behavior, to obtain K short business operation sequences, K>=N; and determine, from the K short business operation sequences, the short business operation sequences that satisfy the preset condition.
Optionally, the device further includes: a sending unit, configured to send the generated business operation rules to an administrator for confirmation after the processing unit generates the business operation rules according to the determined business operation sequences; and a receiving unit, configured to receive the confirmation message fed back by the administrator. The processing unit is further configured to make the business operation rules take effect after the receiving unit receives the confirmation message fed back by the administrator.
A third aspect of the embodiments of the present invention further provides equipment for determining business operation rules, including: at least one processor, and a memory and a communication interface communicatively connected with the at least one processor; where the memory stores instructions executable by the at least one processor, and the at least one processor, by executing the instructions stored in the memory, performs the method described in the first aspect of the embodiments of the present invention using the communication interface.
A fourth aspect of the embodiments of the present invention further provides a computer-readable storage medium storing computer instructions which, when run on a computer, cause the computer to perform the method described in the first aspect of the embodiments of the present invention.
The one or more technical solutions provided in the embodiments of the present invention have at least the following technical effects or advantages:
1. The embodiments of the present invention perform statistical analysis on the historical request data initiated by a large number of users, extract the business operation sequences that satisfy the preset condition, and generate business operation rules from those business operation sequences, thereby adding or updating business operation rules. This effectively reduces the administrator's workload, lowers the difficulty of configuring business operation rules, and improves the accuracy and timeliness of business operation rule configuration;
2. The embodiments of the present invention de-duplicate the historical requests in each category whose URL identifier and request parameter attribute identifier are both identical, so that each historical request in a category has a different URL identifier and request parameter attribute identifier. This yields the minimal business operation sequence a user follows when handling a business and further improves the accuracy of the method for determining business operation rules;
3. The embodiments of the present invention use an HMM to split long business operation sequences into multiple short business operation sequences, achieving an accurate subdivision of business operation sequences and improving the accuracy of the method for determining business operation rules;
4. Before a determined business operation rule is added to the system and takes effect, the embodiments of the present invention also send it to the administrator for confirmation, and add it to the system for use only after receiving the confirmation message fed back by the administrator, further improving the accuracy and reliability of business operation rule configuration.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a flow diagram of the method for determining business operation rules in an embodiment of the present invention;
Fig. 2 is a structural diagram of the device for determining business operation rules in an embodiment of the present invention;
Fig. 3 is a structural diagram of the equipment for determining business operation rules in an embodiment of the present invention.
Detailed description
Currently, security detection products for enterprise business systems include operating system (Operating System, OS) vulnerability scanning, Web vulnerability scanning, database (Database, DB) vulnerability scanning systems and the like, but none of these devices can discover security problems arising from application development or security problems in business logic. Currently deployed detection devices such as intrusion detection systems (Intrusion Detection Systems, IDS) detect mainly on the basis of signature databases or heuristic rules, and have no awareness of business-logic attacks or APT attacks. Traditional firewall systems usually inspect only the five-tuple (source IP address, source port, destination IP address, destination port and transport layer protocol) and offer almost no protection for upper-layer applications. Web application firewalls (Web Application Firewall, WAF) protect mainly against web attacks and are helpless against attacks such as business logic abuse and business data forgery. Sandbox-type APT attack detection systems mainly detect malicious code that threatens the OS or certain applications, and are likewise helpless when it comes to detecting business application data. In summary, current security detection and protection devices have no protective effect against security threats to business applications.
Unlike network-level security, the characteristic of business-application-level security is that the user's business operation behavior satisfies the access control rules, and no single step of business handling carries an obvious attack signature, for example no Structured Query Language (Structured Query Language, SQL) injection and no cross-site scripting (Cross Site Scripting, XSS) attack signature. Security threats at the business application level usually take the following form: an illegitimate user handles a business using an abnormal business operation flow, for example verification code guessing, password brute-force cracking, or missing key business operation steps.
The technical solution generally adopted in the prior art to detect and protect against security threats at the business application level is: manually configure the business operation rule corresponding to each business, establish a baseline of normal user behavior for handling each business, and decide whether to raise an alarm for abnormal business behavior by judging whether the business operation flow performed by a user conforms to the business operation rule.
However, this manual configuration method requires the administrator to be very familiar with the types of business in the business system and with the specific operation flow of each business, so it is very difficult to implement and its labor cost is high. At the same time, relying entirely on manual work easily leads to problems such as missing key business operation steps or missing attribute fields in the configuration, so accuracy is hard to guarantee. Furthermore, if a new business is added to the system or an existing business changes, manual work cannot guarantee that the change is discovered in time and that the business operation rules are added or modified accordingly. It can be seen that configuring business operation rules in the prior art suffers from technical problems such as high difficulty, poor accuracy and poor timeliness.
To address the above technical problems in the prior art, the embodiments of the present invention provide a method and device for determining business operation rules. Statistical analysis is performed on the historical request data initiated by a large number of users, the business operation sequences that satisfy a preset condition are extracted, business operation rules are generated from those business operation sequences, and the generated business operation rules are sent to the administrator for confirmation. After the administrator confirms, the business operation rule is added to the business system, or is used to update the old business operation rule. This effectively reduces the administrator's workload, lowers the difficulty of configuring business operation rules, and improves the accuracy and timeliness of business operation rule configuration.
The technical solution of the present invention is described in detail below with reference to the drawings and specific embodiments. It should be understood that the embodiments of the present invention and the specific features in the embodiments are a detailed description of the technical solution of the present invention rather than a limitation of it, and that, where there is no conflict, the embodiments of the present invention and the technical features in the embodiments can be combined with one another.
An embodiment of the present invention provides a method for determining business operation rules. With reference to Fig. 1, the method mainly includes the following steps:
Step 101: Obtain M historical requests initiated by users;
When performing business operations on a business system, a user generally uses a web browser to send HTTP requests to the server in order to communicate with it. HTTP requests are mainly of two types, GET and POST. For business-handling operations, the user needs to submit the relevant request parameters to the server, so the HTTP requests corresponding to the key steps of business-handling operations are generally HTTP requests of the POST type.
In view of this, in the embodiments of the present invention, a specific implementation of obtaining the M historical requests initiated by users may include: obtaining P initial historical requests initiated by users, P>=M; and selecting M HTTP requests of the POST type from the P initial historical requests initiated by users, and using the M HTTP requests of the POST type as the M historical requests initiated by users. The P initial historical requests initiated by users may be obtained directly from the business operation log data stored by the business system.
Step 102: Extract the key attribute fields of each of the M historical requests initiated by users;
Specifically, extract the time identifier, user identifier, session identifier and service identifier of each historical request.
In a specific implementation, an HTTP request generally contains information such as the request initiation time, the HTTP request type, the body, the cookie and the referer. The HTTP request type identifies whether the request is an HTTP request of the POST type or of the GET type; the body and cookie information can identify the user information and session information corresponding to the request; and the referer information can be used to identify the business resource information corresponding to the request. Therefore, the time identifier may specifically be the field containing the request initiation time, the user identifier and session identifier may be the fields containing the body and cookie information, and the service identifier may be the field containing the referer information.
Step 103: Cluster and sort the M historical requests according to the key attribute fields of each historical request, to obtain N historical business operation behaviors and the business operation sequence corresponding to each of the N historical business operation behaviors, where one historical business operation behavior corresponds to one business operation sequence, one business operation sequence corresponds to at least one historical request, and N<M.
First, according to the user identifier, session identifier and service identifier of each historical request, the historical requests among the M historical requests that were initiated by the same user while handling the same business in the same session are aggregated together, and one category represents one historical business operation behavior. In a specific implementation, the clustering may include the following steps: according to the user identifier of each historical request, aggregate the historical requests initiated by the same user; then, for the historical requests initiated by each user, classify them by session identifier, aggregating the historical requests initiated by the same user in the same session; then, for the historical requests of each user in each session, classify them by service identifier, aggregating the historical requests initiated by the same user while handling the same business in one session; finally, N categories are obtained.
Then, for each of the N categories obtained by clustering, the historical requests in the category are sorted chronologically by time identifier, to obtain N time-ordered historical request sequences.
Finally, the business operation sequence corresponding to each historical business operation behavior is determined according to the historical request sequence of each category.
In a specific implementation, each historical request sequence obtained after sorting still contains information such as the user identifier and session identifier. In practical applications, however, judging whether a user's business operation behavior is normal generally concerns only the business operation flow itself; it does not matter who the user is or which session it was. The user and session information therefore needs to be removed, that is, the business operation sequence corresponding to each historical business operation behavior is determined according to the historical request sequence of each category.
In the embodiments of the present invention, a business operation sequence consists of a URL sequence together with the attribute name information in the body corresponding to each URL in the sequence (that is, the request parameter attribute identifier). The attribute name information in the body is included because businesses of slightly different kinds may have the same URL sequence and differ only in the attributes of the request parameters submitted at each step. For example, request sequence A and request sequence B have the same URL sequence, URL1 → URL2 → URL3, but the body information corresponding to URL1 in request sequence A is "telephone number", while the body information corresponding to URL1 in request sequence B is "email address". In view of this, a specific implementation of determining the business operation sequence corresponding to each historical business operation behavior according to the historical request sequence of each category may include: determining the URL identifier sequence and the request parameter attribute identifier sequence corresponding to each historical request sequence; and generating the business operation sequence corresponding to each historical business operation behavior according to the URL identifier sequence and the request parameter attribute identifier sequence corresponding to each historical request sequence.
Step 104: Determine, from the business operation sequences corresponding to the N historical business operation behaviors, the business operation sequences that satisfy a preset condition.
In the embodiments of the present invention, the preset condition can be implemented in several ways, including but not limited to the following:
The first: the number of occurrences exceeds a predetermined value.
For example, assuming the predetermined value is 1000, if a business operation sequence occurs more than 1000 times among the N business operation sequences determined above, this shows that at least 1000 user business operation behaviors correspond to that business operation sequence, and it is determined to be a business operation sequence that satisfies the preset condition. Under this implementation, several business operation sequences satisfying the preset condition may be determined at the same time.
The second: the number of occurrences is the largest.
For example, the number of occurrences of each business operation sequence among the N business operation sequences can be counted, and the business operation sequences sorted by number of occurrences in descending order; the business operation sequence with the most occurrences is the one that satisfies the preset condition. Under this implementation, only one business operation sequence satisfying the preset condition can be determined.
The third: the sequence is among the top W by number of occurrences, W>=2.
For example, the number of occurrences of each business operation sequence among the N business operation sequences can be counted, and the business operation sequences sorted by number of occurrences in descending order; any business operation sequence among the top W by number of occurrences satisfies the preset condition. Under this implementation, several business operation sequences satisfying the preset condition may be determined at the same time.
Step 105: Generate a business operation rule according to the determined business operation sequence.
Specifically, the determined business operation sequence that satisfies the preset condition is used as a business operation rule for detecting whether the business operation sequence a user initiates while handling business is normal. If the business operation sequence that a user initiates while handling business does not match the business operation rule, a business anomaly alarm is issued.
In a specific implementation, if the system does not yet have a business operation rule for the corresponding business, the business operation rule generated above can be added directly to the system so that it takes effect there; if the system already has a business operation rule for the corresponding business, the business operation rule generated above can be used to update the original business operation rule.
In a specific implementation, after the business operation rule is generated and before it takes effect in the system, the generated business operation rule can also be sent to an administrator for confirmation, and added to the system for use only after the confirmation message fed back by the administrator is received, thereby ensuring the reliability of the business operation rule.
In the above scheme, statistical analysis is performed on the historical request data initiated by a large number of users, the business operation sequences that satisfy the preset condition are extracted, and business operation rules are generated from those sequences. Business operation rules are thereby added or updated, which effectively reduces the administrator's workload, lowers the difficulty of configuring business operation rules, and improves the accuracy and timeliness of business operation rule configuration.
Optionally, in a specific implementation, a user handling business may produce many repeated URL jumps, for example when a verification code is entered correctly only after several attempts. In view of this, after the M historical requests are clustered and before the historical requests of each category are sorted by time identifier, the aggregated requests can also be de-duplicated, that is, the following operations are performed on each of the N categories: determine the historical requests in the category whose URL identifier and request parameter attribute identifier are both identical; de-duplicate the historical requests whose URL identifier and request parameter attribute identifier are both identical, so that within the historical requests of the category no two historical requests share both the same URL identifier and the same request parameter attribute identifier.
Specifically, when at least two requests in the same category contain the same URL and the attribute name information in the body information corresponding to that URL is also the same, those requests are repeated requests; only one of them, any one, needs to be retained, and the remaining identical requests are deleted. The business operation sequence generated after sorting is then the minimal business operation sequence of the user's business handling, that is, a chronologically ordered business operation sequence with no repeated operation data.
In this way, the minimal business operation sequence of a user's business handling can be obtained, further improving the accuracy of the method of determining a business operation rule.
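The following sketch runs steps 103 to 105, with the optional de-duplication, over a handful of constructed log records. It is an added illustration, not code from the patent; the record layout, the field names and the password-reset URLs are assumptions made for the example.

```python
from collections import Counter, defaultdict

def build_sequences(requests):
    """Step 103: cluster by (user, session, service), de-duplicate, sort by time."""
    clusters = defaultdict(list)
    for r in requests:
        if r["method"] != "POST":       # only POST requests are kept as historical requests
            continue
        clusters[(r["user"], r["session"], r["referer"])].append(r)

    sequences = []
    for members in clusters.values():
        seen, steps = set(), []
        for r in sorted(members, key=lambda r: r["time"]):
            # A step is the URL plus the *names* of the submitted parameters;
            # user, session and parameter values are dropped on purpose.
            step = (r["url"], tuple(sorted(r["body"])))
            if step in seen:            # repeated request: any one copy may be kept,
                continue                # this sketch keeps the earliest
            seen.add(step)
            steps.append(step)
        sequences.append(tuple(steps))
    return sequences

def select_rules(sequences, min_count=None, top_w=None):
    """Step 104: apply one of the three preset conditions."""
    counts = Counter(sequences)
    if min_count is not None:           # first: occurrences exceed a predetermined value
        return {s for s, c in counts.items() if c > min_count}
    # second (most frequent, top_w omitted) or third (top W, W >= 2)
    return {s for s, _ in counts.most_common(top_w or 1)}

def violates(sequence, rules):
    """Step 105: a sequence that matches no rule raises a business anomaly alarm."""
    return sequence not in rules

def sample_requests():
    """Constructed log records; every value here is invented for the example."""
    referer = "https://shop.example/account/reset"
    reqs = []

    def add(user, t, url, body, method="POST"):
        reqs.append({"time": t, "user": user, "session": "s-" + user,
                     "referer": referer, "method": method,
                     "url": url, "body": body})

    for i in range(5):                  # five users follow the full flow
        u, t = f"u{i}", 100 * i
        add(u, t + 3, "/reset/new", {"password": "x"})   # logged out of order
        add(u, t + 1, "/reset/start", {"phone": "555-0100"})
        add(u, t + 2, "/reset/verify", {"code": "1111"})
    add("u0", 2.5, "/reset/verify", {"code": "2222"})     # second attempt at the code
    add("u0", 0, "/reset/start", {}, method="GET")        # not a POST: filtered out
    add("u9", 901, "/reset/start", {"phone": "555-0199"}) # skips verification
    add("u9", 902, "/reset/new", {"password": "y"})
    return reqs

if __name__ == "__main__":
    seqs = build_sequences(sample_requests())
    rules = select_rules(seqs, min_count=3)
    for s in seqs:
        print("ALARM" if violates(s, rules) else "ok   ", [url for url, _ in s])
```

The flow that skips `/reset/verify` is the only one flagged, and the repeated verification attempt does not turn an otherwise normal flow into a mismatch.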
Optionally, during actual business handling, a user may handle several different items of business against the same service resource within one session, for example downloading a song for themselves and then gifting it to other friends. In this case it is difficult to separate the different items of business by the service identifier (referer information), so a business operation sequence generated in step 103 above may in fact correspond to several sub-businesses.
In view of this, after the historical requests of each category are sorted by time identifier and the business operation sequence corresponding to each historical business operation behavior is obtained, the method may further include: using an HMM to perform long-sequence segmentation on the business operation sequence corresponding to each historical business operation behavior, obtaining K short business operation sequences, K>=N.
Correspondingly, determining, from the business operation sequences corresponding to the N historical business operation behaviors, the business operation sequences that satisfy the preset condition specifically includes: determining, from the K short business operation sequences, the short business operation sequences that satisfy the preset condition.
Correspondingly, generating a business operation rule according to the determined business operation sequence specifically includes: generating a business operation rule according to the determined short business operation sequence.
In a specific implementation, an HMM is determined jointly by the state sequence, the observation sequence, the initial probability distribution, the state transition probability matrix and the observation probability matrix. In the embodiments of the present invention, the input to the HMM is a long business operation sequence and the output is the short operation sequences after segmentation, so the HMM problem in the embodiments of the present invention is mainly divided into two parts: the learning problem and the prediction problem.
The learning problem is the process of estimating the model parameters of the HMM from observation sequences; the model parameters of the HMM include the initial probability distribution, the state transition probability matrix and the observation probability matrix. In the embodiments of the present invention, each step in a URL sequence may be the beginning step (B) of a business handling process, an intermediate step (M), or the ending step (E), so the state set of the HMM is (B, M, E), and each business operation step in each business operation sequence corresponds to one state in the state set. The Baum-Welch algorithm is used in the learning process; the input of the algorithm is manually confirmed short business operation sequences, the state set and initial values, and the output of the algorithm is the model parameters of the HMM, namely the state transition probability matrix, the observation probability matrix and the initial probability distribution.
The prediction problem is the process of segmenting a long business operation sequence with the Viterbi algorithm, using the HMM model parameters estimated above. The input of the prediction problem is a long business operation sequence, and the output is the state corresponding to each step in the sequence. Once the state corresponding to each step is obtained, the long business operation sequence is split after each state (E) or before each state (B); the sequences obtained after splitting are the short operation sequences corresponding to the individual business handlings.
In this way, a long business operation sequence can be split into several short business operation sequences, giving an accurate subdivision of business operation sequences and further improving the accuracy of the method of determining a business operation rule.
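The prediction step can be illustrated with a small Viterbi decoder over the (B, M, E) state set, followed by the split after each E or before each B. This is an added sketch, not code from the patent: the probability tables are hand-set, constructed values standing in for what Baum-Welch training would output, and the step names are invented for the song-download-then-gift case.

```python
import math

STATES = ("B", "M", "E")   # begin / middle / end of one business handling
UNSEEN = 1e-6              # floor for a step missing from the emission table (assumption)

# Constructed parameters; in the scheme above they would be learned with Baum-Welch.
START = {"B": 1.0, "M": 0.0, "E": 0.0}
TRANS = {
    "B": {"B": 0.0, "M": 0.9, "E": 0.1},
    "M": {"B": 0.0, "M": 0.5, "E": 0.5},
    "E": {"B": 1.0, "M": 0.0, "E": 0.0},
}
EMIT = {
    "B": {"select": 0.90, "pay": 0.025, "download": 0.025, "pick_friend": 0.025, "send": 0.025},
    "M": {"select": 0.04, "pay": 0.45, "download": 0.03, "pick_friend": 0.45, "send": 0.03},
    "E": {"select": 0.02, "pay": 0.03, "download": 0.47, "pick_friend": 0.01, "send": 0.47},
}

def _log(p):
    return math.log(p) if p > 0 else float("-inf")

def viterbi(obs, start_p=START, trans_p=TRANS, emit_p=EMIT):
    """Return the most likely B/M/E state for every step of `obs`."""
    if not obs:
        return []
    emit = lambda s, o: _log(emit_p[s].get(o, UNSEEN))
    # Each trellis column maps state -> (best log-probability, predecessor state).
    trellis = [{s: (_log(start_p[s]) + emit(s, obs[0]), None) for s in STATES}]
    for o in obs[1:]:
        prev, col = trellis[-1], {}
        for s in STATES:
            best = max(STATES, key=lambda r: prev[r][0] + _log(trans_p[r][s]))
            col[s] = (prev[best][0] + _log(trans_p[best][s]) + emit(s, o), best)
        trellis.append(col)
    state = max(STATES, key=lambda s: trellis[-1][s][0])
    path = [state]
    for col in reversed(trellis[1:]):   # follow the back-pointers
        state = col[state][1]
        path.append(state)
    return path[::-1]

def split_sequence(obs, path):
    """Cut the long sequence after every E and before every B."""
    segments, current = [], []
    for step, state in zip(obs, path):
        if state == "B" and current:
            segments.append(current)
            current = []
        current.append(step)
        if state == "E":
            segments.append(current)
            current = []
    if current:
        segments.append(current)
    return segments

# Constructed long sequence: a purchase followed by a gift in the same session.
LONG_SEQUENCE = ["select", "pay", "download", "select", "pick_friend", "send"]

if __name__ == "__main__":
    states = viterbi(LONG_SEQUENCE)
    print(states)
    print(split_sequence(LONG_SEQUENCE, states))
```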
Based on the same inventive concept, an embodiment of the present invention further provides a device for determining a business operation rule. Referring to Fig. 2, the device includes:
An acquiring unit 201, configured to obtain M historical requests initiated by users;
A processing unit 202, configured to extract the key attribute fields of each historical request among the M historical requests initiated by users; cluster and sort the M historical requests according to the key attribute fields of each historical request, obtaining N historical business operation behaviors and the business operation sequence corresponding to each of the N historical business operation behaviors, where one historical business operation behavior corresponds to one business operation sequence, one business operation sequence corresponds to at least one historical request, and N<M; and determine, from the business operation sequences corresponding to the N historical business operation behaviors, the business operation sequences that satisfy a preset condition;
A generation unit 203, configured to generate a business operation rule according to the determined business operation sequence.
Optionally, the acquiring unit 201 is configured to: obtain P initial historical requests initiated by users, P>=M; and filter out, from the P initial historical requests initiated by users, M HTTP requests of POST type as the M historical requests initiated by users.
Optionally, the key attribute fields include the time identifier, user identifier, session identifier and service identifier of each historical request; the processing unit 202 is configured to: according to the user identifier, session identifier and service identifier of each historical request, aggregate together the historical requests among the M historical requests that were initiated by the same user in the same session while handling the same item of business, obtaining N categories, one category representing one historical business operation behavior; sort the historical requests of each of the N categories by time identifier, obtaining N historical request sequences; and determine, from the historical request sequence corresponding to each category, the business operation sequence corresponding to each historical business operation behavior.
Optionally, the key attribute fields further include the URL identifier and request parameter attribute identifier of each historical request; the processing unit 202 is further configured to: after the M historical requests are clustered and before the historical requests of each category are sorted by time identifier, determine, for any one of the N categories, the historical requests in that category whose URL identifier and request parameter attribute identifier are both identical; and de-duplicate the historical requests whose URL identifier and request parameter attribute identifier are both identical, so that within the historical requests of that category no two historical requests share both the same URL identifier and the same request parameter attribute identifier.
Optionally, the processing unit 202 is configured to: generate, from the URL identifier sequence and request parameter attribute identifier sequence corresponding to each historical request sequence, the business operation sequence corresponding to each historical business operation behavior.
Optionally, the processing unit 202 is configured to: use an HMM to perform long-sequence segmentation on the business operation sequence corresponding to each historical business operation behavior, obtaining K short business operation sequences, K>=N; and determine, from the K short business operation sequences, the short business operation sequences that satisfy the preset condition.
Optionally, the device further includes: a sending unit, configured to send the generated business operation rule to an administrator for confirmation after the processing unit 202 generates the business operation rule according to the determined business operation sequence; and a receiving unit, configured to receive the confirmation message fed back by the administrator; the processing unit 202 is further configured to make the business operation rule take effect after the receiving unit receives the confirmation message fed back by the administrator.
Based on the same inventive concept, an embodiment of the present invention further provides equipment for determining a business operation rule. Referring to Fig. 3, the equipment includes:
At least one processor 301, and
A memory 302 and a communication interface 303 communicatively connected to the at least one processor 301;
The memory 302 stores instructions executable by the at least one processor 301, and the at least one processor 301, by executing the instructions stored in the memory 302, uses the communication interface 303 to perform the method of determining a business operation rule in the embodiments of the present invention.
Based on the same inventive concept, an embodiment of the present invention further provides a computer-readable storage medium. The computer-readable storage medium stores computer instructions which, when run on a computer, cause the computer to perform the method of determining a business operation rule described in the embodiments of the present invention.
Those skilled in the art should understand that the embodiments of the present invention may be provided as a method, a system or a computer program product. The present invention may therefore take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM, optical memory and the like) that contain computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Obviously, those skilled in the art can make various changes and variations to the present invention without departing from its spirit and scope. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their technical equivalents, the present invention is also intended to include them.

Claims (14)

  1. A method of determining a business operation rule, characterized by comprising:
    obtaining M historical requests initiated by users;
    extracting the key attribute fields of each historical request among the M historical requests initiated by users;
    clustering and sorting the M historical requests according to the key attribute fields of each historical request, obtaining N historical business operation behaviors and the business operation sequence corresponding to each of the N historical business operation behaviors; wherein one historical business operation behavior corresponds to one business operation sequence, one business operation sequence corresponds to at least one historical request, and N<M;
    determining, from the business operation sequences corresponding to the N historical business operation behaviors, the business operation sequences that satisfy a preset condition;
    generating a business operation rule according to the determined business operation sequence.
  2. The method of claim 1, characterized in that obtaining the M historical requests initiated by users comprises:
    obtaining P initial historical requests initiated by users, P>=M;
    filtering out, from the P initial historical requests initiated by users, M hypertext transfer protocol (HTTP) requests of POST type as the M historical requests initiated by users.
  3. The method of claim 1, characterized in that the key attribute fields include the time identifier, user identifier, session identifier and service identifier of each historical request;
    clustering and sorting the M historical requests according to the key attribute fields of each historical request, obtaining N historical business operation behaviors and the business operation sequence corresponding to each of the N historical business operation behaviors, comprises:
    according to the user identifier, session identifier and service identifier of each historical request, aggregating together the historical requests among the M historical requests that were initiated by the same user in the same session while handling the same item of business, obtaining N categories, one category representing one historical business operation behavior;
    sorting the historical requests of each of the N categories by time identifier, obtaining N historical request sequences;
    determining, from the historical request sequence corresponding to each category, the business operation sequence corresponding to each historical business operation behavior.
  4. The method of claim 3, characterized in that the key attribute fields further include the uniform resource locator (URL) identifier and request parameter attribute identifier of each historical request;
    after the M historical requests are clustered and before the historical requests of each category are sorted by time identifier, the method further comprises:
    determining, for any one of the N categories, the historical requests in that category whose URL identifier and request parameter attribute identifier are both identical;
    de-duplicating the historical requests whose URL identifier and request parameter attribute identifier are both identical, so that within the historical requests of that category no two historical requests share both the same URL identifier and the same request parameter attribute identifier.
  5. The method of claim 3, characterized in that determining, from the historical request sequence corresponding to each category, the business operation sequence corresponding to each historical business operation behavior comprises:
    generating, from the URL identifier sequence and request parameter attribute identifier sequence corresponding to each historical request sequence, the business operation sequence corresponding to each historical business operation behavior.
  6. The method of claim 3, characterized in that determining, from the business operation sequences corresponding to the N historical business operation behaviors, the business operation sequences that satisfy the preset condition comprises:
    using a hidden Markov model (HMM) to perform long-sequence segmentation on the business operation sequence corresponding to each historical business operation behavior, obtaining K short business operation sequences, K>=N;
    determining, from the K short business operation sequences, the short business operation sequences that satisfy the preset condition.
  7. The method of any one of claims 1-6, characterized in that, after the business operation rule is generated according to the determined business operation sequence, the method further comprises:
    sending the generated business operation rule to an administrator for confirmation;
    after the confirmation message fed back by the administrator is received, making the business operation rule take effect.
  8. A device for determining a business operation rule, characterized by comprising:
    an acquiring unit, configured to obtain M historical requests initiated by users;
    a processing unit, configured to extract the key attribute fields of each historical request among the M historical requests initiated by users; cluster and sort the M historical requests according to the key attribute fields of each historical request, obtaining N historical business operation behaviors and the business operation sequence corresponding to each of the N historical business operation behaviors, wherein one historical business operation behavior corresponds to one business operation sequence, one business operation sequence corresponds to at least one historical request, and N<M; and determine, from the business operation sequences corresponding to the N historical business operation behaviors, the business operation sequences that satisfy a preset condition;
    a generation unit, configured to generate a business operation rule according to the determined business operation sequence.
  9. The device of claim 8, characterized in that the acquiring unit is configured to:
    obtain P initial historical requests initiated by users, P>=M;
    filter out, from the P initial historical requests initiated by users, M HTTP requests of POST type as the M historical requests initiated by users.
  10. The device of claim 8, characterized in that the key attribute fields include the time identifier, user identifier, session identifier and service identifier of each historical request;
    the processing unit is configured to: according to the user identifier, session identifier and service identifier of each historical request, aggregate together the historical requests among the M historical requests that were initiated by the same user in the same session while handling the same item of business, obtaining N categories, one category representing one historical business operation behavior; sort the historical requests of each of the N categories by time identifier, obtaining N historical request sequences; and determine, from the historical request sequence corresponding to each category, the business operation sequence corresponding to each historical business operation behavior.
  11. The device of claim 10, characterized in that the key attribute fields further include the URL identifier and request parameter attribute identifier of each historical request;
    the processing unit is further configured to: after the M historical requests are clustered and before the historical requests of each category are sorted by time identifier, determine, for any one of the N categories, the historical requests in that category whose URL identifier and request parameter attribute identifier are both identical; and de-duplicate the historical requests whose URL identifier and request parameter attribute identifier are both identical, so that within the historical requests of that category no two historical requests share both the same URL identifier and the same request parameter attribute identifier.
  12. The device of claim 10, characterized in that the processing unit is configured to:
    generate, from the URL identifier sequence and request parameter attribute identifier sequence corresponding to each historical request sequence, the business operation sequence corresponding to each historical business operation behavior.
  13. The device of claim 10, characterized in that the processing unit is configured to:
    use an HMM to perform long-sequence segmentation on the business operation sequence corresponding to each historical business operation behavior, obtaining K short business operation sequences, K>=N;
    determine, from the K short business operation sequences, the short business operation sequences that satisfy the preset condition.
  14. The device of any one of claims 8-13, characterized in that the device further comprises:
    a sending unit, configured to send the generated business operation rule to an administrator for confirmation after the processing unit generates the business operation rule according to the determined business operation sequence;
    a receiving unit, configured to receive the confirmation message fed back by the administrator;
    the processing unit is further configured to make the business operation rule take effect after the receiving unit receives the confirmation message fed back by the administrator.
CN201711022301.4A 2017-10-27 2017-10-27 Method and device for determining business operation rule Active CN107911232B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711022301.4A CN107911232B (en) 2017-10-27 2017-10-27 Method and device for determining business operation rule

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711022301.4A CN107911232B (en) 2017-10-27 2017-10-27 Method and device for determining business operation rule

Publications (2)

Publication Number Publication Date
CN107911232A true CN107911232A (en) 2018-04-13
CN107911232B CN107911232B (en) 2021-04-30

Family

ID=61841915

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711022301.4A Active CN107911232B (en) 2017-10-27 2017-10-27 Method and device for determining business operation rule

Country Status (1)

Country Link
CN (1) CN107911232B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110290148A (en) * 2019-07-16 2019-09-27 深圳乐信软件技术有限公司 A kind of defence method, device, server and the storage medium of WEB firewall
CN110784929A (en) * 2019-09-05 2020-02-11 腾讯科技(深圳)有限公司 Access resource allocation method, device, equipment and system
CN114416191A (en) * 2021-12-06 2022-04-29 奇安信科技集团股份有限公司 Application configuration utilization rate prediction method and device

Patent Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110125509A1 (en) * 2007-12-21 2011-05-26 Telefonaktiebolaget Lm Ericsson (Publ) Method and Apparatus for Providing Differentiated Service Levels in a Communication Network
US20140149409A1 (en) * 2012-11-26 2014-05-29 Wal-Mart Stores, Inc. Massive rule-based classification engine
CN105183809A (en) * 2015-08-26 2015-12-23 成都布林特信息技术有限公司 Cloud platform data query method
CN106529953A (en) * 2015-09-15 2017-03-22 阿里巴巴集团控股有限公司 Method and device for carrying out risk identification on business attributes
CN105302911A (en) * 2015-11-10 2016-02-03 珠海多玩信息技术有限公司 Data screening engine establishing method and data screening engine
CN105279614A (en) * 2015-11-11 2016-01-27 上海熙菱信息技术有限公司 Business auditing system based on process and method thereof
CN105608636A (en) * 2015-12-17 2016-05-25 国家电网公司 Rule mining-based power grid switching operation rule base building method
CN105786635A (en) * 2016-03-01 2016-07-20 国网江苏省电力公司电力科学研究院 Complex event processing system and method oriented to fault sensitive point dynamic detection
CN106156791A (en) * 2016-06-15 2016-11-23 北京京东尚科信息技术有限公司 Business data classification method and device
CN106294091A (en) * 2016-08-11 2017-01-04 福建富士通信息软件有限公司 Non-intrusive log interception performance analysis method and system
CN106570131A (en) * 2016-10-27 2017-04-19 北京途美科技有限公司 Sensitive data exception access detection method based on clustering analysis
CN106874943A (en) * 2017-01-23 2017-06-20 腾讯科技(深圳)有限公司 Business object classification method and system

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110290148A (en) * 2019-07-16 2019-09-27 深圳乐信软件技术有限公司 Defense method, device, server and storage medium for WEB firewall
CN110290148B (en) * 2019-07-16 2022-05-03 深圳乐信软件技术有限公司 Defense method, device, server and storage medium for WEB firewall
CN110784929A (en) * 2019-09-05 2020-02-11 腾讯科技(深圳)有限公司 Access resource allocation method, device, equipment and system
CN110784929B (en) * 2019-09-05 2021-06-15 腾讯科技(深圳)有限公司 Access resource allocation method, device, equipment and system
CN114416191A (en) * 2021-12-06 2022-04-29 奇安信科技集团股份有限公司 Application configuration utilization rate prediction method and device

Also Published As

Publication number Publication date
CN107911232B (en) 2021-04-30

Similar Documents

Publication Publication Date Title
US20200412767A1 (en) Hybrid system for the protection and secure data transportation of convergent operational technology and informational technology networks
CN110222525B (en) Database operation auditing method and device, electronic equipment and storage medium
US20200389495A1 (en) Secure policy-controlled processing and auditing on regulated data sets
US11968227B2 (en) Detecting KERBEROS ticket attacks within a domain
US20220210200A1 (en) Ai-driven defensive cybersecurity strategy analysis and recommendation system
Lee et al. An effective security measures for nuclear power plant using big data analysis approach
EP2882159B1 (en) Profiling cyber threats detected in a target environment and automatically generating one or more rule bases for an expert system usable to profile cyber threats detected in a target environment
US8225398B2 (en) System for regulating host security configuration
US9621589B2 (en) Dynamic provisioning of protection software in a host intrusion prevention system
US9386036B2 (en) Method for detecting and preventing a DDoS attack using cloud computing, and server
US20170026390A1 (en) Identifying Malware Communications with DGA Generated Domains by Discriminative Learning
US7930747B2 (en) Host intrusion prevention server
US11487880B2 (en) Inferring security incidents from observational data
US9674210B1 (en) Determining risk of malware infection in enterprise hosts
CN111786950A (en) Situation awareness-based network security monitoring method, device, equipment and medium
Elshoush et al. An improved framework for intrusion alert correlation
CN107911232A (en) Method and device for determining business operation rule
CN110896386B (en) Method, device, storage medium, processor and terminal for identifying security threat
CN114915479B (en) Web attack stage analysis method and system based on Web log
CN114338064B (en) Method, device, system, equipment and storage medium for identifying network traffic type
US20230308459A1 (en) Authentication attack detection and mitigation with embedded authentication and delegation
CN109510800B (en) Network request processing method and device, electronic equipment and storage medium
CN115442159B (en) Household routing-based risk management and control method, system and storage medium
CN115174205B (en) Network space safety real-time monitoring method, system and computer storage medium
Sahin et al. An efficient firewall for web applications (EFWA)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building

Applicant after: NSFOCUS Technologies Group Co.,Ltd.

Applicant after: NSFOCUS TECHNOLOGIES Inc.

Address before: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building

Applicant before: NSFOCUS INFORMATION TECHNOLOGY Co.,Ltd.

Applicant before: NSFOCUS TECHNOLOGIES Inc.
GR01 Patent grant