CN108683531B - Method and apparatus for handling log information - Google Patents

Method and apparatus for handling log information Download PDF

Info

Publication number
CN108683531B
CN108683531B CN201810409743.2A CN201810409743A CN108683531B CN 108683531 B CN108683531 B CN 108683531B CN 201810409743 A CN201810409743 A CN 201810409743A CN 108683531 B CN108683531 B CN 108683531B
Authority
CN
China
Prior art keywords
address
time section
target
historical time
host identification
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810409743.2A
Other languages
Chinese (zh)
Other versions
CN108683531A (en
Inventor
马蕴杨
温天伟
罗金梅
张瑞
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Baidu Netcom Science and Technology Co Ltd
Original Assignee
Beijing Baidu Netcom Science and Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Baidu Netcom Science and Technology Co Ltd filed Critical Beijing Baidu Netcom Science and Technology Co Ltd
Priority to CN201810409743.2A priority Critical patent/CN108683531B/en
Publication of CN108683531A publication Critical patent/CN108683531A/en
Application granted granted Critical
Publication of CN108683531B publication Critical patent/CN108683531B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06Management of faults, events, alarms or notifications
    • H04L41/069Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2101/00Indexing scheme associated with group H04L61/00
    • H04L2101/60Types of network addresses

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Debugging And Monitoring (AREA)
  • Computer And Data Communications (AREA)

Abstract

The embodiment of the present application discloses the method and apparatus for handling log information.One specific embodiment of this method includes: the Request Log obtained at least one historical time section;For the historical time section at least one historical time section, determines the IP address for including in the record in the historical time section comprising the first host identification and the record comprising the second host identification, obtain first object IP address set;The IP address that will include in the record in the historical time section comprising the first host identification, obtains the second target ip address set;Based on the address number in the address number and the second target ip address set in first object IP address set, the first probability is determined;Determine whether the first probability is greater than destination probability threshold value;It is greater than destination probability threshold value in response to the first probability, the second host identification is determined as target host identification.The embodiment realizes the processing to Request Log.

Description

Method and apparatus for handling log information
Technical field
The invention relates to field of computer technology, and in particular to the method and apparatus for handling log information.
Background technique
For the network equipment or smart machine, usually using big data technology or based on the network equipment Or the Cookies (data that can be used in distinguishing user identity stored on local terminal) on smart machine is to each equipment Number be associated mapping, to obtain some network equipment or the relevant other equipment of smart machine.
Summary of the invention
The embodiment of the present application proposes the method and apparatus for handling log information.
In a first aspect, the embodiment of the present application provides a kind of method for handling log information, this method comprises: obtaining Request Log at least one historical time section, wherein Request Log includes at least one record, and record includes initiating request Host host identification and receive request host internet protocol address;For at least one historical time section Historical time section determines in the record in the historical time section comprising the first host identification and the record comprising the second host identification The IP address for including obtains first object IP address set as first object IP address;To include in the historical time section The IP address for including in the record of first host identification obtains the second target ip address set as the second target ip address;Base The address number in address number and the second target ip address set in first object IP address set determines that first is general Rate, wherein in the case that the first probability is for indicating that the first host identification occurs, the probability of the second host identification appearance;It determines Whether the first probability is greater than destination probability threshold value;It is greater than destination probability threshold value in response to the first probability, the second host identification is true It is set to target host identification.
In some embodiments, based on the address number and the second target ip address set in first object IP address set In address number, determine the first probability, comprising: determine that each historical time section at least one historical time section is corresponding The summation of address number in first object IP address set, is denoted as the first summation;It determines at least one historical time section The summation of address number in the corresponding second target ip address set of each historical time section, is denoted as the second summation;By first Summation is determined as the first probability divided by the quotient that the second summation obtains.
In some embodiments, this method further include: be based on the first summation, determine the first regulated value and the second regulated value; Determine the hyperbolic tangent function value of the product of the first summation and the first regulated value;By the second regulated value and hyperbolic tangent function value Product is determined as destination probability threshold value.
In some embodiments, the time span of each period at least one historical time section is identical.
In some embodiments, this method further include: parsing includes the record of target host identification;Based on analysis result, Target information is pushed to the corresponding host of the first host identification.
Second aspect, the embodiment of the present application provide it is a kind of for handling the device of log information, the device include: obtain Unit is configured to obtain the Request Log at least one historical time section, wherein Request Log includes at least one note Record, record include the internet protocol address initiated the host identification of the host of request and receive the host of request;Address is true Order member, is configured to for the historical time section at least one historical time section, determines in the historical time section comprising the The IP address for including in the record of one host identification and record comprising the second host identification is obtained as first object IP address To first object IP address set;Using in the historical time section include the first host identification record in include IP address as Second target ip address obtains the second target ip address set;First probability determining unit is configured to based on first object IP The address number in address number and the second target ip address set in address set, determines the first probability, wherein first is general In the case that rate is for indicating that the first host identification occurs, the probability of the second host identification appearance;Comparing unit is configured to really Whether fixed first probability is greater than destination probability threshold value;It is big to be configured in response to the first probability for target host identification determination unit In destination probability threshold value, the second host identification is determined as target host identification.
In some embodiments, the first probability determining unit is further configured to: determining at least one historical time section In the corresponding first object IP address set of each historical time section in address number summation, be denoted as the first summation;Really Determine the address number in the corresponding second target ip address set of each historical time section at least one historical time section Summation is denoted as the second summation;First summation is determined as the first probability divided by the quotient that the second summation obtains.
In some embodiments, device further include: regulated value determination unit is configured to determine based on the first summation First regulated value and the second regulated value;Hyperbolic tangent function value determination unit is configured to determine the first summation and adjusts with first The hyperbolic tangent function value of the product of value;Destination probability threshold value determination unit is configured to the second regulated value and tanh The product of functional value is determined as destination probability threshold value.
In some embodiments, the time span of each period at least one historical time section is identical.
In some embodiments, device further include: resolution unit is configured to parse the note comprising target host identification Record;Target information push unit is configured to based on analysis result, to the corresponding host push target letter of the first host identification Breath.
The third aspect, the embodiment of the present application provide a kind of electronic equipment, which includes: one or more processing Device;Storage device is stored thereon with one or more programs;When one or more programs are executed by one or more processors, So that one or more processors realize the method as described in implementation any in first aspect.
Fourth aspect, the embodiment of the present application provide a kind of computer-readable medium, are stored thereon with computer program, should The method as described in implementation any in first aspect is realized when computer program is executed by processor.
Method and apparatus provided by the embodiments of the present application for handling log information, by first obtaining at least one history Request Log in period, the host for including in each item record in the Request Log being then based in each historical time section Mark and IP address, in the case where determining that the first host identification occurs, it is general to be denoted as first for the probability that the second host identification occurs Rate.Then, compare the size relation of the first probability Yu destination probability threshold value, if the first probability is larger, then just by the second host Mark is determined as target host identification, to realize the content based on each item record in Request Log, determines the first host In the case that mark occurs, the probability that the second host identification occurs, and according to determining probability, the second host identification is sieved Choosing, to obtain target host identification.
Detailed description of the invention
By reading a detailed description of non-restrictive embodiments in the light of the attached drawings below, the application's is other Feature, objects and advantages will become more apparent upon:
Fig. 1 is that this application can be applied to exemplary system architecture figures therein;
Fig. 2 is the flow chart of one embodiment of the method for handling log information of the application;
Fig. 3 a is a reality of the record comprising the first host identification of the method for handling log information of the application Apply the schematic diagram of example;
Fig. 3 b is a reality of the record comprising the second host identification of the method for handling log information of the application Apply the schematic diagram of example;
Fig. 4 is the schematic diagram according to an application scenarios of the method for handling log information of the application;
Fig. 5 is the flow chart according to another embodiment of the method for handling log information of the application;
Fig. 6 is the structural schematic diagram according to one embodiment of the device for handling log information of the application;
Fig. 7 is adapted for the structural representation of the computer system for the terminal device or server of realizing the embodiment of the present application Figure.
Specific embodiment
The application is described in further detail with reference to the accompanying drawings and examples.It is understood that this place is retouched The specific embodiment stated is used only for explaining related invention, rather than the restriction to the invention.It also should be noted that in order to Convenient for description, part relevant to related invention is illustrated only in attached drawing.
It should be noted that in the absence of conflict, the features in the embodiments and the embodiments of the present application can phase Mutually combination.The application is described in detail below with reference to the accompanying drawings and in conjunction with the embodiments.
Fig. 1 is shown can the method for handling log information using the application or the dress for handling log information The exemplary architecture 100 set.
As shown in Figure 1, system architecture 100 may include terminal device 101, database 102, network 103 and server 104.Network 103 between terminal device 101, database 102 and server 104 to provide the medium of communication link.Network 103 may include various connection types, such as wired, wireless communication link or fiber optic cables etc..
Terminal device 101, database 102 are interacted by network 103 with server 104, to carry out data interaction etc..Terminal Various client applications, such as log management software can be installed in equipment 101.Log is can store in database 102 Information.
Terminal device 101 can be hardware, be also possible to software.When terminal device 101 is hardware, it can be and support day The various electronic equipments of will information processing, including but not limited to smart phone, tablet computer, E-book reader, it is on knee just Take computer and desktop computer etc..When terminal device 101 is software, above-mentioned cited electronic equipment may be mounted at In.Multiple softwares or software module (such as providing Distributed Services) may be implemented into it, also may be implemented into single soft Part or software module.It is not specifically limited herein.
Database 102 can be built upon the data acquisition system in various storage equipment, be also possible to data platform.
Server 104 can be to provide the server of various services, for example, terminal device 101, store on database 102 The log processing server that is analyzed and processed of log information.Log processing server can be to journal file or log information The processing such as analyzed, counted.
It should be noted that for handling the method for log information generally by server provided by the embodiment of the present application 104 execute, and correspondingly, the device for handling log information is generally positioned in server 104.It should be noted that above-mentioned Journal file or log information can also be stored directly in the local of server 104, and server 104 can directly extract local institute The journal file or log information of storage are simultaneously handled, at this point it is possible to which terminal device 101 and database 102 is not present.
It may also be noted that log management or log processing class application, terminal can also be equipped in terminal device 101 Equipment 101 can also be applied with log management or log processing class and be handled journal file or log information.At this point, for locating The method of reason log information can also be executed by terminal device 101, and correspondingly, the device for handling log information can also be set It is placed in terminal device 101.Above-mentioned journal file or log information can be obtained from database 102 or server 104.It needs Bright, above-mentioned journal file or log information can also be stored directly in the local of terminal device 101, at this point, exemplary system Database 102, server 104 and network 103 can be not present in system framework 100.
It should be noted that server 104 can be hardware, it is also possible to software.It, can when server 104 is hardware To be implemented as the distributed server cluster that multiple servers form, individual server also may be implemented into.When server 104 is When software, multiple softwares or software module (such as providing Distributed Services) may be implemented into, also may be implemented into single Software or software module.It is not specifically limited herein.
It should be understood that the number of terminal device, database, network and server in Fig. 1 is only schematical.According to It realizes and needs, can have any number of terminal device, network and server.
With continued reference to Fig. 2, the stream of one embodiment of the method for handling log information according to the application is shown Journey 200.This be used for handle log information method the following steps are included:
Step 201, the Request Log at least one historical time section is obtained.
It in the present embodiment, can for handling the executing subject (server 104 as shown in Figure 1) of the method for log information To obtain the Request Log at least one historical time section.Wherein, Request Log includes at least one record, and record includes hair It plays the host identification of the host of request and receives the internet protocol address of the host of request.Log can refer to the network equipment, The logout that system or service routine generate at runtime.Generally, log is made of each item record.Every record can be remembered Carry the relevant description such as date, time, user, operation.Under normal conditions, the network equipment, system or service routine etc. exist All operations when operation can be got off by journal file or logdata record.
In practice, Request Log can refer to any journal file or daily record data.Request Log is also possible to be related to network The correlation log of request or response, at this point, every in Request Log record can correspond to a network request or response Relevant operation.It may include the host identification of requesting host and the IP address for receiving the host requested in record.
Wherein, record corresponding operation when being related to the interaction of two hosts in network, then can using requesting party as Requesting host, using Requested Party as the host for receiving request.Host can refer to networking to carry out network communication equipment, wrap Include but be not limited to the network equipment and smart machine etc..The network equipment includes but is not limited to that smart phone, tablet computer, e-book are read Read device, pocket computer on knee, desktop computer etc..Smart machine includes but is not limited to smart television, smartwatch, intelligence Bracelet, smart bluetooth earphone, Intelligent lost-proof type equipment, Intelligent water cup and smart home etc..
Host identification can be the identification code referred to for identifying host.For example, host identification can be host IP address, MAC (Media Access Control, media access control) address etc., be also possible to the host number of host ID (such as TV ID of smart television), product ID etc..IP address may include each master in each network or network Logical address, public network IP of machine etc..
In practice, historical time section be can be by technical staff's preassigned period, is also possible to based on one Determine logic, the period determined by certain calculating.Generally, every record all having times in journal file are believed Breath, therefore, the period of the one or more Request Logs that can be will acquire as desired is split as multiple Request Logs.It can also To directly acquire the Request Log in multiple historical time sections, for example, obtaining Request Log daily in first trimester this moment.
In some optional implementations of the present embodiment, each period at least one historical time section when Between length it is identical.It should be noted that when to obtain the Request Log in two or more historical time sections, Ge Geli The time span of history period may be the same or different.
In practice, above-mentioned executing subject can be obtained from one or more servers or other databases, data platform etc. Take the Request Log at least one above-mentioned historical time section.
Step 202, it for the historical time section at least one historical time section, determines in the historical time section comprising the The IP address for including in the record of one host identification and record comprising the second host identification is obtained as first object IP address To first object IP address set;Using in the historical time section include the first host identification record in include IP address as Second target ip address obtains the second target ip address set.
In the present embodiment, above-mentioned executing subject can be remembered based on each item in the Request Log in each historical time section The content of record obtains the corresponding first object IP address set of each historical time section and the second target ip address set.First Host identification and the second host identification can be by preassigned two host identifications of technical staff, be also possible to Request Log In include host identification.
Specifically, for each historical time section, the historical time section corresponding first can be obtained as follows Target ip address set:
1) it determines the record in the historical time section comprising the first host identification, obtains the first set of records ends;
2) it determines the record in the historical time section comprising the second host identification, obtains the second set of records ends;
3) determine that the IP address for including in the first set of records ends and the second set of records ends as first object IP address, obtains To the corresponding first object IP address set of the historical time section;
4) determine that as the second target ip address, it is right to obtain the historical time section for the IP address for including in the first set of records ends The the second target ip address set answered.
It is to be understood that the step 1) in above-mentioned steps and sequence 2) are in no particular order, step 3) and sequence 4) In no particular order.
For above-mentioned steps 1) and 2), can use various methods to filter out the first set of records ends and the second record set It closes.For example, such as the Request Log in the historical time section can be traversed from the beginning, to filter out comprising first The record of host identification obtains the first set of records ends, and filters out the record comprising the second host identification, obtains the second record Set.In practice, the set of records ends comprising the first host identification and the second host identification can also be first filtered out, then again should Set of records ends divides into the first set of records ends and the second set of records ends.
For above-mentioned steps 3), for example, Fig. 3 a and Fig. 3 b can be referred to.Wherein, Fig. 3 a is comprising the first host mark Know the record of " A ", i.e. the first set of records ends a schematic diagram.Fig. 3 b is the record comprising the second host identification " B ", i.e., second One schematic diagram of set of records ends.Wherein, it is recorded in the first set of records ends comprising 5,7 notes is included in the second set of records ends Record.The IP address for including in the first set of records ends it can be seen from Fig. 3 a and Fig. 3 b and the second set of records ends include: IP1 and IP3.Therefore, IP1 and IP3 can be used as first object IP address, obtain the corresponding first object IP address of the historical time section Gather { IP1, IP3 }.
For above-mentioned steps 4), for example, can be with continued reference to Fig. 3 a, the first set of records ends it can be seen from Fig. 3 a In include IP address include: IP1, IP2, IP3 and IP4.It therefore, can be using IP1, IP2, IP3 and IP4 as the second Target IP Address obtains the corresponding second target ip address set { IP1, IP2, IP3, IP4 } of the historical time section.
Step 203, based on the ground in the address number and the second target ip address set in first object IP address set Location number determines the first probability.
In the present embodiment, above-mentioned executing subject can use various methods based on the ground in first object IP address set Address number in location number and the second target ip address set, obtains the first probability.Wherein, the first probability can indicate first In the case that host identification occurs, the probability of the second host identification appearance.Address number can indicate first object IP address collection Close the number with the element for including in the second target ip address set.As an example it is assumed that first object IP address collection is combined into { IP1, IP2 }, the second target ip address collection are combined into { IP1, IP2, IP3 }.It include 2 members i.e. in first object IP address set Element includes 3 elements in the second target ip address set.So, the address number in corresponding first object IP address set As 2, the address number in corresponding first object IP address set is 3.
For example, the first probability can be determined by method as follows:
1) it determines the number for the record that the Request Log in each historical time section includes, and determines each historical time section The summation of the number for the record that interior Request Log includes can be denoted as record total number.
2) it determines the address number in the corresponding first object IP address set of each historical time section, first can be denoted as Address number, and the summation of corresponding first address number of each historical time section is calculated, obtain the first address total number.And It determines the address number in the corresponding second target ip address set of each historical time section, the second address number can be denoted as, And the summation of corresponding second address number of each historical time section is calculated, obtain the second address total number.
3) the first address total number is obtained into the first intermediate result divided by record total number;Second address total number is removed To record total number, the second intermediate result is obtained.
4) by the first intermediate result divided by the second intermediate result, and using calculated result as the first probability.
For example, the first probability can also be determined by method as follows:
1) for each historical time section, by the number of addresses in the corresponding first object IP address set of the historical time section Calculated result can be denoted as first divided by the address number in the corresponding second target ip address set of the historical time section by mesh Intermediate probability.
2) summation for calculating the corresponding first intermediate probability of each historical time section, can be denoted as the first intermediate total probability.
3) by the first intermediate total probability divided by the number of historical time section, and using calculated result as the first probability.
In some optional implementations of the present embodiment, it can determine that first is general by method as follows Rate:
1) summation of the address number in the corresponding first object IP address set of each historical time section, Ke Yiji are determined For the first summation.And determine the summation of the address number in the corresponding second target ip address set of each historical time section, The second summation can be denoted as.
2) the first summation is calculated divided by the second summation, and using calculated result as the first probability.
Step 204, determine whether the first probability is greater than destination probability threshold value.
In the present embodiment, above-mentioned executing subject can compare the size of the first probability and destination probability threshold value.Wherein, mesh Mark probability threshold value, which can be, is based on historical experience or the preassigned probability threshold value of actual demand by technical staff.Target Probability threshold value is also possible to based on certain logic, a probability threshold value obtained by calculation.
In some optional implementations of the present embodiment, destination probability threshold value can determine as follows:
1) it is based on above-mentioned first summation, determines the first regulated value and the second regulated value.
In this step, the first regulated value and the second regulated value can be any one specific numerical value between 0-1, can To include the endpoint 0 and 1 at both ends.In practice, above-mentioned first summation can be based on by technical staff, specify the according to historical experience One regulated value and the second regulated value.
In practice, regulated value inquiry table can also be previously stored in above-mentioned executing subject.In regulated value inquiry table It can store the first summation corresponding the first regulated value and the second regulated value, so as to pass through inquiry regulated value inquiry Table obtains the first regulated value and the second regulated value.In practice, be also possible to corresponding first regulated value of numerical intervals and Second regulated value.It is possible to then it is corresponding to search the numerical intervals in which numerical intervals for first above-mentioned first summation of interpretation First regulated value and the second regulated value.Above-mentioned regulated value inquiry table can be in advance based on to the statistics of a large amount of historical data and It generates.
Generally, the first regulated value and the second regulated value can be positively related relationship.It is right when i.e. the first regulated value is smaller Ying Di, the second regulated value can also be smaller.When first regulated value is larger, accordingly, the second regulated value can also be larger.
2) the hyperbolic tangent function value of the product of the first summation and the first regulated value is determined.
In this step, the product that can calculate the first summation Yu the first regulated value first can be denoted as the first product knot Fruit.Then the hyperbolic tangent function value of the first result of product is calculated.Wherein, hyperbolic tangent function is one kind of hyperbolic functions.? On mathematical linguistics, hyperbolic tangent function can generally write tanh, can also be abbreviated as th.Hyperbolic tangent function is odd function, Its figure is by origin and about origin symmetry.The domain of hyperbolic tangent function be it is positive and negative it is infinite between.Hyperbolic tangent function It is a kind of common hyperbolic functions, therefore, can use existing hyperbolic functions tangent calculation method and obtain above-mentioned first product As a result hyperbolic tangent function value.Here, repeating no more.
3) product of the second regulated value and hyperbolic tangent function value is determined as destination probability threshold value.
Step 205, it is greater than destination probability threshold value in response to the first probability, the second host identification is determined as destination host mark Know.
In the present embodiment, if above-mentioned steps 204 judge that the first probability is greater than destination probability threshold value, above-mentioned executing subject Second host identification can be determined as target host identification.In practice, above-mentioned executing subject can also be main by select second Machine mark is stored or is exported.
It is one of the application scenarios of the method according to the present embodiment for handling log information with continued reference to Fig. 4, Fig. 4 Schematic diagram 400.In the application scenarios of Fig. 4, above-mentioned executing subject can be obtained first using current time as starting point, yesterday morning Request Log 401 and 402 in 8 points to ten two points and afternoon 1 point to 5 points two historical time section.Wherein, day is requested Will 401 includes 10 records.Request Log 402 includes 9 records.
Then, it for 8 points to ten two points this historical time sections of yesterday morning, determines in the historical time section comprising the The record of one host identification " A " can be denoted as the first set of records ends 403, and determine main comprising second in the historical time section Machine identifies the record of " B ", can be denoted as the second set of records ends 404.Later, the first set of records ends 403 and the second record set are chosen The IP address for including in 404 is closed as first object IP address, obtains first object IP address set { IP5 } 407.By first The IP address for including in set of records ends 403 as the second target ip address, obtain the second target ip address set IP1, IP3, IP5}408。
Similarly, for 1 point to 5 points this historical time section yesterday afternoon, the historical time section corresponding is determined One set of records ends 405 and the second set of records ends 406.And determine the corresponding first object IP address set of the historical time section { IP3, IP7 } 409 and the second target ip address set { IP3, IP5, IP7 } 410.
Later, the corresponding first object IP address collection of 8 points to ten two points this historical time sections of yesterday morning can be determined Closing with the address number in the second target ip address set is respectively 1 and 3.Similarly, determine 1 point to 5 points of yesterday afternoon this Address number in the corresponding first object IP address set of one historical time section and the second target ip address set is respectively 2 Hes 3。
Later, the summation of the address number in the corresponding first object IP address set of above-mentioned two historical time section is calculated For 3 (1+2=3), can be denoted as the first summation and the address number in corresponding second target ip address set second is total With for 6 (3+3=6), the second summation can be denoted as.Then, by the first summation divided by the second summation, and the result 0.5 that will be obtained As the first probability 411.
Later, judge whether the first probability 411 is greater than destination probability threshold value 0.4, since 0.5 greater than 0.4, so by second Host identification " B " is determined as target host identification.
It should be noted that as seen from Figure 4, the host identification for including in Request Log 401 and 402 has very much (examples Such as: " A ", " B ", " C ", " D ", " E " and " F "), the IP address for including also have it is very much (such as " IP1 ", " IP2 ", " IP3 ", " IP4 ", " IP5 ", " IP6 ", " IP7 ", " IP8 " and " IP9 ").It is " A " and that above-mentioned application scenarios, which are for the first host identification, In the case that two host identifications are " B ", determine that the second host identification " B " is target host identification.It should be appreciated that request The each host identification for including in log 401 and 402 all can serve as the first host identification, can also be used as the second host mark Know.Using above-mentioned same method, in the case where can also determining other first host identifications and the second host identification, second is main Whether machine mark is target host identification.For example, in the case where being " A " for the first host identification, it can respectively will be in Fig. 4 " B ", " C ", " D ", " E " and " F " successively be used as the second host identification, by the same method determine the second host identification whether be Target host identification, so as to obtain the corresponding target host identification set of the first host identification " A ".
The method provided by the above embodiment of the application passes through the Request Log first obtained at least one historical time section, The host identification and IP address for including in each item record in the Request Log being then based in each historical time section, determine the In the case that one host identification occurs, the probability that the second host identification occurs is denoted as the first probability.Then, compare the first probability With the size relation of destination probability threshold value, if the first probability is larger, then the second host identification is just determined as destination host mark Know, thus realize based in Request Log each item record content, to the second host identification for including in Request Log into Row screening, to obtain target host identification.
With further reference to Fig. 5, it illustrates the processes 500 of another embodiment of the method for handling log information. This is used to handle the process 500 of log information, comprising the following steps:
Step 501, the Request Log at least one historical time section is obtained.
Step 502, it for the historical time section at least one historical time section, determines in the historical time section comprising the The IP address for including in the record of one host identification and record comprising the second host identification is obtained as first object IP address To first object IP address set;Using in the historical time section include the first host identification record in include IP address as Second target ip address obtains the second target ip address set.
Step 503, based on the ground in the address number and the second target ip address set in first object IP address set Location number determines the first probability.
Step 504, determine whether the first probability is greater than destination probability threshold value.
Step 505, it is greater than destination probability threshold value in response to the first probability, the second host identification is determined as destination host mark Know.
The specific implementation procedure of above-mentioned steps 501,502,503,504 and 505 can refer to the step in Fig. 2 corresponding embodiment The related description of rapid 201,202,203,204 and 205, details are not described herein.
Step 506, parsing includes the record of target host identification.
In the present embodiment, above-mentioned executing subject can first obtain the record comprising target host identification, then to comprising The record of target host identification is parsed.Wherein it is possible at least one historical time section obtained in the above-mentioned steps 501 Request Log in obtain include target host identification record, can also be obtained from other servers, database or data platform Take the record comprising target host identification.
In practice, existing some log analysis, Web log mining, log processing or log analytically dependent one can use A little methods parse the record comprising target host identification.For example, it can be used each under Unix or (SuSE) Linux OS Kind log processing instruction (such as stats, join, awk, grep etc.) parses the record comprising target host identification.It lifts It, can also be by some programs (such as Awstats, Webalizer etc.) dedicated for analyzing log to including mesh for example The record of mark host identification is parsed.For example, it can also be provided using some companies relevant to log analysis soft Part or product parse the record comprising target host identification.It should be appreciated that a variety of log analysis also can be used Method respectively parses the record comprising target host identification, and parsing knot is generated after the parsing result respectively obtained is summarized Fruit.
Step 507, based on analysis result, target information is pushed to the corresponding host of the first host identification.
In the present embodiment, above-mentioned executing subject can based on the parsing result to the record comprising target host identification, Target information is pushed to the corresponding host of the first host identification.Wherein, target information can be preassigned by technical staff What information, is also possible to based on the parsing result to the record comprising target host identification and the information of the push of determination.
In practice, different log analytic methods or tool, obtained parsing result can in direction, granularity or content It can be different.The target information pushed to the corresponding host of the first host identification can be determined according to specific parsing result.Citing For, if parsing result obtains target host identification and often accesses shopping website, can be marked to the first host identification The host of knowledge pushes some merchandise newss.If parsing result obtains target host identification for a long time within the same network, The product information of some houses can be so pushed to the first host identification.
In practice, above-mentioned executing subject can be pushed flat by various information-pushing methods or information pushing software, information Platform pushes target information to the corresponding host of the first host identification.The corresponding host of usual first host identification receive it is above-mentioned After target information, target information can also be shown.The corresponding host of first host identification is also based on target letter Breath is handled again target information (such as analysis, screening etc.), is then based on processing result, shows to processing result Show, or pushes processing result etc. to the corresponding host of target host identification.
For example, if the period that parsing result discovery target host identification occurs is always held in a determining time In section, and video website is frequently accessed within the determination period, and the most of the time is all browsing music class program, that Can targetedly within the determination period, to the corresponding host of the first host identification push some music class programs, Sound class, dancing class program etc. relevant information.Later, it can show that it is received on the corresponding host of the first host identification Music class program, sound class, the relevant information of dancing class program etc..The corresponding host of first host identification is also based on This, to after it display or the modes such as recommendation do some adjustment.For example, the corresponding host of the first host identification can later will It is the relevant program of music class or product etc. that its advertisement being switched on the page, which is launched,.
From figure 5 it can be seen that compared with the corresponding embodiment of Fig. 2, the process of the information-pushing method in the present embodiment 500 highlight after determining target host identification, can also further parse the record comprising target host identification, and Based on analysis result, the step of host push target information corresponding to the first host identification.The side of the present embodiment description as a result, Case can be based on Request Log, screen to the second host identification, to obtain target host identification, to realize rich in needle Object to be pushed is chosen to property.It, can be main to first and based on the parsing result to the record comprising target host identification Machine identifies corresponding host and pushes target information, so that the corresponding host of first object host identification can receive target Information or information relevant to target host identification.In addition, can also be to receiving on the corresponding host of the first host identification Target information is shown etc., to help to promote information push effect.
With further reference to Fig. 6, as the realization to method shown in above-mentioned each figure, this application provides for handling log letter One embodiment of the device of breath, the Installation practice is corresponding with embodiment of the method shown in Fig. 2, which can specifically answer For in various electronic equipments.
As shown in fig. 6, the device 600 provided in this embodiment for handling log information includes acquiring unit 601, address Determination unit 602, the first probability determining unit 603, comparing unit 604 and target host identification determination unit 605.Wherein, it obtains Unit 601 is taken to be configured to obtain the Request Log at least one historical time section, wherein Request Log includes at least one Record, record include the internet protocol address initiated the host identification of the host of request and receive the host of request.Address Determination unit 602 is configured to determine packet in the historical time section for the historical time section at least one historical time section The IP address for including in record containing the first host identification and the record comprising the second host identification is as first object IP Location obtains first object IP address set;By the IP for including in the record in the historical time section comprising the first host identification Location obtains the second target ip address set as the second target ip address.First probability determining unit 603 is configured to based on the The address number in address number and the second target ip address set in one target ip address set, determines the first probability, In, in the case that the first probability is for indicating that the first host identification occurs, the probability of the second host identification appearance.Comparing unit 604 are configured to determine whether the first probability is greater than destination probability threshold value.Target host identification determination unit 605 is configured to ring Destination probability threshold value should be greater than in the first probability, the second host identification is determined as target host identification.
In the present embodiment, in the device 600 for handling log information: acquiring unit 601, address determination unit 602, First probability determining unit 603, comparing unit 604 and the specific of target host identification determination unit 605 handle and its are brought Technical effect can be respectively with reference to step 201, step 202, step 203, step 204 and the step 205 in Fig. 2 corresponding embodiment Related description, details are not described herein.
In some optional implementations of the present embodiment, above-mentioned first probability determining unit 603 is further configured At: determine the number of addresses in the corresponding first object IP address set of each historical time section at least one historical time section Purpose summation is denoted as the first summation;Determine corresponding second target of each historical time section at least one historical time section The summation of address number in IP address set is denoted as the second summation;First summation is determined divided by the quotient that the second summation obtains For the first probability.
In some optional implementations of the present embodiment, above-mentioned apparatus 600 further include: regulated value determination unit (figure In be not shown), be configured to determine the first regulated value and the second regulated value based on the first summation;Hyperbolic tangent function value determines Unit (not shown) is configured to determine the hyperbolic tangent function value of the product of the first summation and the first regulated value;Target Probability threshold value determination unit (not shown) is configured to for the second regulated value and the product of hyperbolic tangent function value being determined as Destination probability threshold value.
Each period in some optional implementations of the present embodiment, at least one above-mentioned historical time section Time span it is identical.
In some optional implementations of the present embodiment, above-mentioned apparatus 600 further include: resolution unit (is not shown in figure Out), it is configured to parse the record comprising target host identification;Target information push unit (not shown), is configured to Based on analysis result, target information is pushed to the corresponding host of the first host identification.
The device provided by the above embodiment of the application first obtains at least one historical time section by acquiring unit 601 Interior Request Log, then by address determination unit 602 and the first probability determining unit 603 based in each historical time section The host identification and IP address for including in each item record in Request Log, in the case where determining that the first host identification occurs, the The probability that two host identifications occur, is denoted as the first probability.Then, comparing unit 604 compares the first probability and destination probability threshold value Size relation.If the first probability is larger, the second host identification is just determined as by target by target host identification determination unit 605 Host identification, so that the content based on each item record in Request Log is realized, to the second host for including in Request Log Mark is screened, to obtain target host identification.
Below with reference to Fig. 7, it illustrates the calculating of the terminal device or server that are suitable for being used to realize the embodiment of the present application The structural schematic diagram of machine system 700.Server shown in Fig. 7 is only an example, should not be to the function of the embodiment of the present application Any restrictions are brought with use scope.
As shown in fig. 7, computer system 700 includes central processing unit (CPU) 701, it can be read-only according to being stored in Program in memory (ROM) 702 or be loaded into the program in random access storage device (RAM) 703 from storage section 708 and Execute various movements appropriate and processing.In RAM 703, also it is stored with system 700 and operates required various programs and data. CPU 701, ROM 702 and RAM 703 are connected with each other by bus 704.Input/output (I/O) interface 705 is also connected to always Line 704.
I/O interface 705 is connected to lower component: the importation 706 including keyboard, mouse etc.;It is penetrated including such as cathode The output par, c 707 of spool (CRT), liquid crystal display (LCD) etc. and loudspeaker etc.;Storage section 708 including hard disk etc.; And the communications portion 709 of the network interface card including LAN card, modem etc..Communications portion 709 via such as because The network of spy's net executes communication process.Driver 710 is also connected to I/O interface 705 as needed.Detachable media 711, such as Disk, CD, magneto-optic disk, semiconductor memory etc. are mounted on as needed on driver 710, in order to read from thereon Computer program be mounted into storage section 708 as needed.
Particularly, in accordance with an embodiment of the present disclosure, it may be implemented as computer above with reference to the process of flow chart description Software program.For example, embodiment of the disclosure includes a kind of computer program product comprising be carried on computer-readable medium On computer program, which includes the program code for method shown in execution flow chart.In such reality It applies in example, which can be downloaded and installed from network by communications portion 709, and/or from detachable media 711 are mounted.When the computer program is executed by central processing unit (CPU) 701, limited in execution the present processes Above-mentioned function.
It should be noted that the computer-readable medium of the application can be computer-readable signal media or computer Readable storage medium storing program for executing either the two any combination.Computer readable storage medium for example can be --- but it is unlimited In system, device or the device of --- electricity, magnetic, optical, electromagnetic, infrared ray or semiconductor, or any above combination.It calculates The more specific example of machine readable storage medium storing program for executing can include but is not limited to: have the electrical connection, portable of one or more conducting wires Formula computer disk, hard disk, random access storage device (RAM), read-only memory (ROM), erasable programmable read only memory (EPROM or flash memory), optical fiber, portable compact disc read-only memory (CD-ROM), light storage device, magnetic memory device or The above-mentioned any appropriate combination of person.In this application, computer readable storage medium can be it is any include or storage program Tangible medium, which can be commanded execution system, device or device use or in connection.And in this Shen Please in, computer-readable signal media may include in a base band or as carrier wave a part propagate data-signal, In carry computer-readable program code.The data-signal of this propagation can take various forms, including but not limited to Electromagnetic signal, optical signal or above-mentioned any appropriate combination.Computer-readable signal media can also be computer-readable Any computer-readable medium other than storage medium, the computer-readable medium can send, propagate or transmit for by Instruction execution system, device or device use or program in connection.The journey for including on computer-readable medium Sequence code can transmit with any suitable medium, including but not limited to: wireless, electric wire, optical cable, RF etc. are above-mentioned Any appropriate combination.
Flow chart and block diagram in attached drawing are illustrated according to the system of the various embodiments of the application, method and computer journey The architecture, function and operation in the cards of sequence product.In this regard, each box in flowchart or block diagram can generation A part of one module, program segment or code of table, a part of the module, program segment or code include one or more use The executable instruction of the logic function as defined in realizing.It should also be noted that in some implementations as replacements, being marked in box The function of note can also occur in a different order than that indicated in the drawings.For example, two boxes succeedingly indicated are actually It can be basically executed in parallel, they can also be executed in the opposite order sometimes, and this depends on the function involved.Also it to infuse Meaning, the combination of each box in block diagram and or flow chart and the box in block diagram and or flow chart can be with holding The dedicated hardware based system of functions or operations as defined in row is realized, or can use specialized hardware and computer instruction Combination realize.
Being described in unit involved in the embodiment of the present application can be realized by way of software, can also be by hard The mode of part is realized.Described unit also can be set in the processor, for example, can be described as: a kind of processor, packet Include acquiring unit, address determination unit, the first probability determining unit, comparing unit and target host identification determination unit.Wherein, The title of these units does not constitute the restriction to the unit itself under certain conditions, for example, acquiring unit can also be retouched State for " obtain the unit of the Request Log at least one historical time section, wherein Request Log include at least one record, Record includes the internet protocol address initiated the host identification of the host of request and receive the host of request ".
As on the other hand, present invention also provides a kind of computer-readable medium, which be can be Included in device described in above-described embodiment;It is also possible to individualism, and without in the supplying device.Above-mentioned calculating Machine readable medium carries one or more program, when said one or multiple programs are executed by the device, so that should Device: the Request Log at least one historical time section is obtained, wherein Request Log includes at least one record, record packet It includes the host identification for initiating the host of request and receives the internet protocol address of the host of request;For at least one history Historical time section in period determines the interior record comprising the first host identification of the historical time section and comprising the second host mark The IP address for including in the record of knowledge obtains first object IP address set as first object IP address;When by the history Between include in record in section comprising the first host identification IP address as the second target ip address, with obtaining the second Target IP Location set;Based on the address number in the address number and the second target ip address set in first object IP address set, really Fixed first probability, wherein in the case that the first probability is for indicating that the first host identification occurs, the second host identification occurs general Rate;Determine whether the first probability is greater than destination probability threshold value;It is greater than destination probability threshold value in response to the first probability, by the second host Mark is determined as target host identification.
Above description is only the preferred embodiment of the application and the explanation to institute's application technology principle.Those skilled in the art Member is it should be appreciated that invention scope involved in the application, however it is not limited to technology made of the specific combination of above-mentioned technical characteristic Scheme, while should also cover in the case where not departing from foregoing invention design, it is carried out by above-mentioned technical characteristic or its equivalent feature Any combination and the other technical solutions formed.Such as features described above has similar function with (but being not limited to) disclosed herein Can technical characteristic replaced mutually and the technical solution that is formed.

Claims (12)

1. a kind of method for handling log information, comprising:
Obtain the Request Log at least one historical time section, wherein Request Log includes at least one record, and record includes It initiates the host identification of the host of request and receives the internet protocol address of the host of request;
For the historical time section at least one described historical time section, determine in the historical time section comprising the first host mark The IP address for including in the record of knowledge and record comprising the second host identification obtains the first mesh as first object IP address Mark IP address set;Using the IP address for including in the record in the historical time section comprising first host identification as second Target ip address obtains the second target ip address set;
Based on the address number in the address number and the second target ip address set in first object IP address set, is determined One probability, wherein in the case that first probability is for indicating that first host identification occurs, second host identification The probability of appearance;
Determine whether first probability is greater than destination probability threshold value;
It is greater than destination probability threshold value in response to first probability, second host identification is determined as target host identification.
2. according to the method described in claim 1, wherein, the address number and based in first object IP address set Address number in two target ip address set, determines the first probability, comprising:
It determines in the corresponding first object IP address set of each historical time section at least one described historical time section The summation of address number is denoted as the first summation;
It determines in the corresponding second target ip address set of each historical time section at least one described historical time section The summation of address number is denoted as the second summation;
First summation is determined as first probability divided by the quotient that second summation obtains.
3. according to the method described in claim 2, wherein, the method also includes:
Based on first summation, the first regulated value and the second regulated value are determined;
Determine the hyperbolic tangent function value of the product of first summation and first regulated value;
The product of second regulated value and the hyperbolic tangent function value is determined as the destination probability threshold value.
4. according to the method described in claim 1, wherein, the time of each period at least one described historical time section Length is identical.
5. method described in one of -4 according to claim 1, wherein the method also includes:
Parsing includes the record of the target host identification;
Based on analysis result, the corresponding host of the first host identification of Xiang Suoshu pushes target information.
6. a kind of for handling the device of log information, wherein include:
Acquiring unit is configured to obtain the Request Log at least one historical time section, wherein Request Log includes at least One record, record include the internet protocol address initiated the host identification of the host of request and receive the host of request;
Address determination unit is configured to determine the history for the historical time section at least one described historical time section The IP address for including in record in period comprising the first host identification and the record comprising the second host identification is as the One target ip address obtains first object IP address set;It will include the note of first host identification in the historical time section The IP address for including in record obtains the second target ip address set as the second target ip address;
First probability determining unit is configured to based on the address number and the second Target IP in first object IP address set Address number in the set of location, determines the first probability, wherein first probability is for indicating that first host identification occurs In the case where, the probability of the second host identification appearance;
Comparing unit, is configured to determine whether first probability is greater than destination probability threshold value;
Target host identification determination unit, is configured in response to first probability greater than destination probability threshold value, by described the Two host identifications are determined as target host identification.
7. device according to claim 6, wherein first probability determining unit is further configured to:
It determines in the corresponding first object IP address set of each historical time section at least one described historical time section The summation of address number is denoted as the first summation;
It determines in the corresponding second target ip address set of each historical time section at least one described historical time section The summation of address number is denoted as the second summation;
First summation is determined as first probability divided by the quotient that second summation obtains.
8. device according to claim 7, wherein described device further include:
Regulated value determination unit is configured to determine the first regulated value and the second regulated value based on first summation;
Hyperbolic tangent function value determination unit is configured to determine the double of the product of first summation and first regulated value Bent tangent function value;
Destination probability threshold value determination unit is configured to second regulated value and the product of the hyperbolic tangent function value is true It is set to the destination probability threshold value.
9. device according to claim 6, wherein the time of each period at least one described historical time section Length is identical.
10. the device according to one of claim 6-9, wherein described device further include:
Resolution unit is configured to parse the record comprising the target host identification;
Target information push unit is configured to based on analysis result, and the corresponding host of the first host identification of Xiang Suoshu pushes mesh Mark information.
11. a kind of electronic equipment, comprising:
One or more processors;
Storage device is stored thereon with one or more programs;
When one or more of programs are executed by one or more of processors, so that one or more of processors are real Now such as method as claimed in any one of claims 1 to 5.
12. a kind of computer-readable medium, is stored thereon with computer program, wherein the realization when program is executed by processor Such as method as claimed in any one of claims 1 to 5.
CN201810409743.2A 2018-05-02 2018-05-02 Method and apparatus for handling log information Active CN108683531B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810409743.2A CN108683531B (en) 2018-05-02 2018-05-02 Method and apparatus for handling log information

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810409743.2A CN108683531B (en) 2018-05-02 2018-05-02 Method and apparatus for handling log information

Publications (2)

Publication Number Publication Date
CN108683531A CN108683531A (en) 2018-10-19
CN108683531B true CN108683531B (en) 2019-06-21

Family

ID=63801838

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810409743.2A Active CN108683531B (en) 2018-05-02 2018-05-02 Method and apparatus for handling log information

Country Status (1)

Country Link
CN (1) CN108683531B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109714413B (en) * 2018-12-26 2021-07-27 郑州云海信息技术有限公司 Method and device for pushing information through website file change based on drive type
WO2021035750A1 (en) * 2019-08-30 2021-03-04 Oppo广东移动通信有限公司 Rule check method and device, and computer device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103312835A (en) * 2013-05-31 2013-09-18 中国联合网络通信集团有限公司 Address tracing method and device
CN103532760A (en) * 2013-10-18 2014-01-22 北京奇虎科技有限公司 Equipment, system and method for analyzing commands executed on hosts
CN103944995A (en) * 2014-04-28 2014-07-23 东华大学 Method for recognizing accounts of independent users in broadband network
CN104506540A (en) * 2014-12-29 2015-04-08 成都致云科技有限公司 Method and system for processing reading-writing request of virtual host and host
CN107707516A (en) * 2017-04-01 2018-02-16 贵州白山云科技有限公司 A kind of IP address analysis method and system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9032527B2 (en) * 2012-01-11 2015-05-12 Hewlett-Packard Development Company, L.P. Inferring a state of behavior through marginal probability estimation

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103312835A (en) * 2013-05-31 2013-09-18 中国联合网络通信集团有限公司 Address tracing method and device
CN103532760A (en) * 2013-10-18 2014-01-22 北京奇虎科技有限公司 Equipment, system and method for analyzing commands executed on hosts
CN103944995A (en) * 2014-04-28 2014-07-23 东华大学 Method for recognizing accounts of independent users in broadband network
CN104506540A (en) * 2014-12-29 2015-04-08 成都致云科技有限公司 Method and system for processing reading-writing request of virtual host and host
CN107707516A (en) * 2017-04-01 2018-02-16 贵州白山云科技有限公司 A kind of IP address analysis method and system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
《基于贝叶斯网络和行为日志挖掘的行为信任控制》;赵洁等;《华南理工大学学报(自然科学版)》;20090515;第37卷(第5期);第94-99页

Also Published As

Publication number Publication date
CN108683531A (en) 2018-10-19

Similar Documents

Publication Publication Date Title
US10547618B2 (en) Method and apparatus for setting access privilege, server and storage medium
CN109032760A (en) Method and apparatus for application deployment
US20160267170A1 (en) Machine learning-derived universal connector
CN109036425A (en) Method and apparatus for operating intelligent terminal
CN108989362A (en) A kind for the treatment of method and apparatus of static resource
CN108256070A (en) For generating the method and apparatus of information
JP2021103506A (en) Method and device for generating information
CN108540831A (en) Method and apparatus for pushed information
CN108134951A (en) For recommending the method and apparatus of broadcasting content
CN108494860A (en) WEB accesses system, WEB access methods and device for client
CN109388548A (en) Method and apparatus for generating information
CN109815105A (en) Applied program testing method and device based on Btrace
CN110391938A (en) Method and apparatus for deployment services
CN109241722A (en) For obtaining method, electronic equipment and the computer-readable medium of information
CN108683531B (en) Method and apparatus for handling log information
CN107347093A (en) Collocation method and device for distributed server system
CN109819042A (en) For providing the method and apparatus of Software Development Kit
CN109885564A (en) Method and apparatus for sending information
CN109635923A (en) Method and apparatus for handling data
CN110083501A (en) Interface calls method of counting and device
CN110019363A (en) A kind of method and apparatus verifying data
CN108011936A (en) Method and apparatus for pushed information
CN111813685A (en) Automatic testing method and device
CN109408647A (en) Method and apparatus for handling information
CN109144864A (en) Method and device for test window

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant