CN109167773A - Access anomaly detection method and system based on a Markov model - Google Patents
- Publication number: CN109167773A
- Application number: CN201810960598.7A
- Authority: CN (China)
- Prior art keywords: page, route, access, reference value, target access
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- H04L63/1425—Traffic logging, e.g. anomaly detection
Abstract
The present invention provides an access anomaly detection method and system based on a Markov model, relating to the technical field of network security. The method includes: when a user is detected accessing a destination page to be detected through a source page, drawing an access route map of the destination page to be detected, where the access route map includes a target access route; calculating the route reference value of the target access route to obtain a target access route reference value; and detecting, based on the target access route reference value, whether the target access route is an abnormal access route. The method improves the efficiency of detecting abnormal access routes and alleviates the technical problem that existing network security technology has low detection efficiency when performing access anomaly detection.
Description
Technical field
The present invention relates to the technical field of network security, and more particularly to an access anomaly detection method and system based on a Markov model.
Background
The Internet has reached every aspect of people's lives, brings great convenience, and has become an indispensable part of daily life. At the same time, security incidents caused by hackers using the Internet are exposed again and again, which poses a specific threat to the application and development of the Internet. As intrusion methods become more varied and concealed, spread faster, and cover a wider scope, the danger of intrusion grows, and security has become an urgent problem for Internet development. Many access anomaly detection methods exist for the Internet. They fall roughly into the following groups: methods based on access traffic, methods based on access characteristics, and methods based on access speed.
Access anomaly detection based on access traffic: attack methods are increasingly concealed and may show no obvious features in traffic, so this method produces inaccurate analysis results and false negatives.
Access anomaly detection based on access characteristics: as technology develops, the client environment is highly variable, and the client's login location, device, and browser may change at any time, so this method produces inaccurate analysis results and false positives.
Access anomaly detection based on access speed: this method can only cover a specific scenario, namely a hacker logging in as the monitored user from a different region. A hacker who logs in from the same region as the monitored user is difficult to identify, so the method is easily bypassed and produces false negatives.
Summary of the invention
In view of this, the purpose of the present invention is to provide an access anomaly detection method and system based on a Markov model, to alleviate the technical problem that existing network security technology has low detection efficiency when performing access anomaly detection.
In a first aspect, an embodiment of the present invention provides an access anomaly detection method based on a Markov model, including: when a user is detected accessing a destination page to be detected through a source page, drawing an access route map of the destination page to be detected, where the access route map includes a target access route, and the target access route includes the pages passed through from the source page to the destination page to be detected; calculating the route reference value of the target access route to obtain a target access route reference value; and detecting, based on the target access route reference value, whether the target access route is an abnormal access route.
Further, the method also includes: obtaining multiple pages to be protected; and calculating the route reference value range corresponding to each page to be protected when it serves as a destination page.
Further, calculating the route reference value range corresponding to each page to be protected when it serves as a destination page includes: obtaining the log information of the pages to be protected, and determining, based on the log information, the entry page set of destination page Q_f among the pages to be protected, where the log information includes records of source pages entering destination pages, the entry page set is the set of source pages that enter destination page Q_f, f takes the values 1 to F in turn, and F is the number of destination pages among the pages to be protected; drawing the route map set of destination page Q_f, where the route map set includes X routes; calculating the route reference value of route A_x in the route map set to obtain X route reference values, where x takes the values 1 to X in turn, and X is the number of routes included in the route map set of destination page Q_f; and taking the value interval formed by the largest and the smallest of the X route reference values as the route reference value range of destination page Q_f.
Further, calculating the route reference value of route A_x in the route map set includes: calculating the probability between every two adjacent nodes in route A_x to obtain multiple probabilities, where each probability is the probability of the first node of the two adjacent nodes reaching the second node, and the page represented by the first node is an entry page of the page represented by the second node; and calculating the route reference value of route A_x from the multiple probabilities.
Further, calculating the probability between any two adjacent nodes in route A_x includes: determining the entry page set corresponding to the destination page represented by the second node on route A_x, and counting the number of times the entry page represented by the first node in that entry page set accesses the destination page; calculating the in-degree of all destination pages in the set formed by the pages to be protected; and calculating, based on the in-degree and the count, the probability that the entry page represented by the first node accesses the destination page.
Further, calculating, based on the in-degree and the count, the probability that the entry page represented by the first node accesses the destination page includes: according to the formula, calculating the probability that the entry page represented by the first node accesses the destination page, where 1 ≤ j ≤ k, count_j is the count, the formula's other term is the in-degree, and k is the number of entry pages in the entry page set corresponding to the destination page.
Further, calculating the route reference value of route A_x from the multiple probabilities includes: calculating the product of the multiple probabilities to obtain a product result; and taking the logarithm of the product result and using the result as the route reference value of route A_x in the route map set.
Further, calculating the route reference value of the target access route includes: determining the pages passed through from the source page to the destination page to be detected in the target access route; reading from a probability database the probability between every two adjacent nodes in the target access route to obtain multiple probabilities, where the probability database contains the precomputed probability of each source page accessing a destination page; calculating the product of the multiple probabilities to obtain a product result; and taking the logarithm of the product result and using the result as the target access route reference value of the target access route.
Further, detecting, based on the target access route reference value, whether the target access route is an abnormal access route includes: obtaining the route reference value range of the destination page to be detected; comparing the target access route reference value with the route reference value range; if the comparison shows that the target access route reference value is within the route reference value range, determining that the target access route is a normal access route; and if the comparison shows that the target access route reference value is not within the route reference value range, determining that the target access route is an abnormal access route.
In a second aspect, an embodiment of the present invention also provides an access anomaly detection system based on a Markov model, including: a drawing unit, configured to draw the access route map of the destination page to be detected when a user is detected accessing the destination page to be detected through a source page, where the access route map includes a target access route, and the target access route includes the pages passed through from the source page to the destination page to be detected; a computing unit, configured to calculate the route reference value of the target access route to obtain a target access route reference value; and a detection unit, configured to detect, based on the target access route reference value, whether the target access route is an abnormal access route.
In the embodiments of the present invention, when a user is detected accessing the destination page to be detected through a source page, the access route map of the destination page to be detected is first drawn; then the route reference value of the target access route is calculated; finally, whether the target access route is an abnormal access route is detected based on the target access route reference value. As the above description shows, this embodiment uses an access anomaly detection method based on a Markov model, which alleviates the technical problem that existing network security technology has low detection efficiency when performing access anomaly detection, thereby achieving the technical effect of improving access anomaly detection efficiency.
Other features and advantages of the present invention will be set forth in the following description, and in part will become apparent from the description or be understood by practicing the invention. The objectives and other advantages of the invention are realized and obtained by the structure particularly pointed out in the description, the claims, and the accompanying drawings.
To make the above objects, features, and advantages of the present invention clearer and easier to understand, preferred embodiments are described in detail below with reference to the accompanying drawings.
Brief description of the drawings
To illustrate the specific embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings needed for describing the specific embodiments or the prior art are briefly introduced below. The drawings described below show some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of an access anomaly detection method based on a Markov model according to an embodiment of the present invention;
Fig. 2 is a flow chart of an optional access anomaly detection method based on a Markov model according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of an optional route map set of a destination page to be protected according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of an optional target access route to be detected according to an embodiment of the present invention;
Fig. 5 is a flow chart of another optional access anomaly detection method based on a Markov model according to an embodiment of the present invention;
Fig. 6 is a functional module diagram of an access anomaly detection system based on a Markov model according to an embodiment of the present invention.
Specific embodiment
To make the objects, technical solutions, and advantages of the embodiments of the present invention clearer, the technical solutions of the present invention are described clearly and completely below with reference to the drawings. The described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on these embodiments without creative effort fall within the protection scope of the present invention.
Embodiment one:
According to an embodiment of the present invention, an embodiment of an access anomaly detection method based on a Markov model is provided. Note that the steps shown in the flow charts of the drawings can be executed in a computer system, such as one running a set of computer-executable instructions, and although a logical order is shown in the flow charts, in some cases the steps shown or described can be executed in an order different from the one given here.
Fig. 1 is a flow chart of an access anomaly detection method based on a Markov model according to an embodiment of the present invention. As shown in Fig. 1, the method includes the following steps:
Step S102: when a user is detected accessing a destination page to be detected through a source page, draw the access route map of the destination page to be detected, where the access route map includes a target access route, and the target access route includes the pages passed through from the source page to the destination page to be detected;
Step S104: calculate the route reference value of the target access route to obtain a target access route reference value;
Step S106: detect, based on the target access route reference value, whether the target access route is an abnormal access route.
In the embodiments of the present invention, when a user is detected accessing the destination page to be detected through a source page, the access route map of the destination page to be detected is first drawn; then the route reference value of the target access route is calculated; finally, whether the target access route is an abnormal access route is detected based on the target access route reference value. As the above description shows, this embodiment uses an access anomaly detection method based on a Markov model, which alleviates the technical problem that existing network security technology has low detection efficiency when performing access anomaly detection, thereby achieving the technical effect of improving access anomaly detection efficiency.
In this embodiment, with reference to Fig. 2, the method further includes the following steps:
Step S201: obtain multiple pages to be protected;
Step S202: calculate the route reference value range corresponding to each page to be protected when it serves as a destination page.
In this embodiment, the route reference value range of each destination page needs to be determined in advance. Optionally, step S202, calculating the route reference value range corresponding to each page to be protected when it serves as a destination page, includes the following steps:
Step S2021: obtain the log information of the pages to be protected, and determine, based on the log information, the entry page set of destination page Q_f among the pages to be protected, where the log information includes records of source pages entering destination pages, the entry page set is the set of source pages that enter destination page Q_f, f takes the values 1 to F in turn, and F is the number of destination pages among the pages to be protected;
Step S2022: draw the route map set of destination page Q_f, where the route map set includes X routes;
Step S2023: calculate the route reference value of route A_x in the route map set to obtain X route reference values, where x takes the values 1 to X in turn, and X is the number of routes included in the route map set of destination page Q_f;
Step S2024: take the value interval formed by the largest and the smallest of the X route reference values as the route reference value range of destination page Q_f.
The process of determining the route reference value range of each destination page is described in detail below:
First, multiple pages to be protected are obtained and their number S is counted, giving the set of pages to be protected: {URL_1, URL_2, URL_3, ..., URL_S}. Then the pages in this set that serve as destination pages are collected into the destination page set: {Q_1, Q_2, …, Q_f, …, Q_(F-1), Q_F}, where f takes the values 1 to F in turn, and F is greater than or equal to 1 and less than or equal to S. The entry page set of each destination page in the destination page set is then determined, as follows:
First, the log information of the pages to be protected is collected, where the log information includes source page information and destination page information. Then the source pages corresponding to each destination page are extracted from the log information. For page Q_f in the set of pages to be protected, the entry page set PIN_f corresponding to Q_f when it serves as a destination page is obtained, where 1 < f ≤ S. For ease of description, each element of PIN_f is assigned a key, so the keys of PIN_f can be written as: Key_f = {key_1, key_2, …, key_(k-1), key_k}, where 1 ≤ k ≤ S.
Based on the collected log information, the route map set of destination page Q_f is drawn. The route map set includes X routes. The route reference value of route A_x in the route map set is calculated to obtain X route reference values, where x takes the values 1 to X in turn.
In an optional implementation of this embodiment, calculating the route reference value of route A_x in the route map set includes the following steps:
Step S301: calculate the probability between every two adjacent nodes in route A_x to obtain multiple probabilities, where each probability is the probability of the first node of the two adjacent nodes reaching the second node, and the page represented by the first node is an entry page of the page represented by the second node;
Step S302: calculate the route reference value of route A_x from the multiple probabilities.
The route map set can be the one shown in Fig. 3, and route A_x can be one of the routes shown in Fig. 3: page A → page B → page C → page D. For page A → page B, page A is the first node and page B is the second node, and the page represented by page A is an entry page of the page represented by page B. For page B → page C, page B is the first node and page C is the second node, and the page represented by page B is an entry page of the page represented by page C. For page C → page D, page C is the first node and page D is the second node, and the page represented by page C is an entry page of the page represented by page D.
As shown in Fig. 3, for route A_x in the route map set, the probability between every two adjacent nodes in route A_x can be calculated to obtain multiple probabilities. Once the multiple probabilities are obtained, the route reference value of route A_x can be calculated from them.
Optionally, step S301, calculating the probability between any two adjacent nodes in route A_x, includes the following steps:
First, determine the entry page set corresponding to the destination page represented by the second node on route A_x, and count the number of times the entry page represented by the first node in that entry page set accesses the destination page;
Then, calculate the in-degree of all destination pages in the set formed by the pages to be protected;
Finally, calculate, based on the in-degree and the count, the probability that the entry page represented by the first node accesses the destination page.
Assume the route map set is the one shown in Fig. 3 and route A_x is one of the routes shown in Fig. 3: page A → page B → page C → page D. The probability between every two adjacent nodes in page A → page B → page C → page D is then calculated, that is, the probability between page A → page B, the probability between page B → page C, and the probability between page C → page D.
When calculating the probability between page A → page B, the node of page A is the first node and the node of page B is the second node. Here page B is the destination page, and page A is an entry page of that destination page. On this basis, in this embodiment, the entry page set corresponding to page B, which contains page A, is determined first. Then the number of times page A accesses page B is counted. Next, the in-degree of all destination pages in the set formed by the pages to be protected is calculated. Finally, the probability of page A accessing page B is calculated from this in-degree and the number of times page A accesses page B.
In this embodiment, the probability of page B accessing page C and the probability of page C accessing page D can be calculated in the same way and are not described in detail here.
In an optional embodiment, calculating, based on the in-degree and the count, the probability that the entry page represented by the first node accesses the destination page includes:
According to the formula, the probability that the entry page represented by the first node accesses the destination page is calculated, where 1 ≤ j ≤ k, count_j is the count, the formula's other term is the in-degree, and k is the number of entry pages in the entry page set corresponding to the destination page.
The following takes calculating the probability of page A accessing page B in page A → page B → page C → page D as an example. In this embodiment, the probability of page A accessing page B can be calculated according to the formula, where count_j is the number of times page A accesses page B, the formula's other term is the in-degree of all destination pages in the set formed by the pages to be protected, and F is the number of destination pages among the pages to be protected.
Note that in this embodiment, j denotes the j-th entry page in the entry page set corresponding to the destination page. This j-th entry page is the page corresponding to the node adjacent to the destination page in route A_x, and it is an entry page of the destination page.
In this embodiment, the probability between every two adjacent nodes in route A_x of the route map set shown in Fig. 3 can be calculated in this way and is not described in detail here. All calculated probabilities are stored to generate the probability database.
After the probability values P_j are calculated in the manner described above, the route reference value of route A_x in the route map set can be calculated from the multiple probabilities, with the following steps:
First, calculate the product of the multiple probabilities to obtain a product result;
Then, take the logarithm of the product result and use the result as the route reference value of route A_x.
Take the route page A → page B → page C → page D in Fig. 3 as an example. Route A_x in the route map set is page A → page B → page C → page D, so the route probability of route A_x is P = a_1 * b_1 * c_1, where, as shown in Fig. 3, a_1 is the probability of page A accessing page B, b_1 is the probability of page B accessing page C, and c_1 is the probability of page C accessing page D.
To obtain a more stable route reference value, after the product result is calculated, the logarithm of the product result is taken, and the result is used as the route reference value of route A_x.
With this processing, the route reference value of each route corresponding to destination page Q_f is obtained, giving X route reference values.
Optionally, taking the value interval formed by the largest and the smallest of the X route reference values as the route reference value range of destination page Q_f includes:
First, sort the X route reference values; then, take the value interval formed by the largest route reference value and the smallest route reference value as the route reference value range of destination page Q_f.
Optionally, step S104, calculating the route reference value of the target access route, includes:
Step S1041: determine the pages passed through from the source page to the destination page to be detected in the target access route;
Step S1042: read from the probability database the probability between every two adjacent nodes in the target access route to obtain multiple probabilities, where the probability database contains the precomputed probability of each source page accessing a destination page;
Step S1043: calculate the product of the multiple probabilities to obtain a product result;
Step S1044: take the logarithm of the product result and use the result as the target access route reference value of the target access route.
In this embodiment, to calculate the route reference value of the target access route, the pages passed through from the source page to the destination page to be detected in the target access route are determined first. The probability between every two adjacent nodes in the target access route is then read from the probability database to obtain multiple probabilities, where the probability database contains the precomputed probability of each source page accessing a destination page. If the probability between two adjacent nodes in the target access route cannot be read from the probability database, the probability between those two adjacent nodes is recorded as 0. Then the product of the multiple probabilities is calculated to obtain a product result. Finally, the logarithm of the product result is taken, and the result is used as the target access route reference value of the target access route.
Take the route page E → page F → page M → page K in Fig. 4 as an example. The target access route is page E → page F → page M → page K. To calculate its route reference value, the probability e_1 of page E accessing page F, the probability f_2 of page F accessing page M, and the probability m_1 of page M accessing page K are read from the probability database. The product of the probabilities read is then calculated, so the route probability of the target access route is P = e_1 * f_2 * m_1, where, as shown in Fig. 4, e_1 is the probability of page E accessing page F, f_2 is the probability of page F accessing page M, and m_1 is the probability of page M accessing page K. Finally, the logarithm of the product result is taken to obtain the value value1, and value1 is used as the target access route reference value of the target access route.
After the route reference value of the target access route (that is, the target access route reference value) is calculated in this way, whether the target access route is an abnormal access route can be detected based on the target access route reference value.
In an optional implementation of this embodiment, with reference to Fig. 5, step S106, detecting, based on the target access route reference value, whether the target access route is an abnormal access route, includes the following steps:
Step S1061: obtain the route reference value range of the destination page to be detected;
Step S1062: compare the target access route reference value with the route reference value range;
Step S1063: if the comparison shows that the target access route reference value is within the route reference value range, determine that the target access route is a normal access route;
Step S1064: if the comparison shows that the target access route reference value is not within the route reference value range, determine that the target access route is an abnormal access route.
In this embodiment, when detecting whether the target access route is an abnormal access route based on the target access route reference value, the route reference value range of the destination page to be detected is obtained; this range is precomputed. The target access route reference value is then compared with the route reference value range. If the comparison shows that the target access route reference value is within the route reference value range, the target access route is determined to be a normal access route; if the comparison shows that the target access route reference value is not within the route reference value range, the target access route is determined to be an abnormal access route.
For example, as shown in Fig. 4, the destination page to be detected is page K, and the target access route reference value of page E → page F → page M → page K is value1. value1 is compared with the route reference value range of page K. If value1 is within the route reference value range, the target access route is determined to be a normal access route; if value1 is not within the route reference value range, the target access route is determined to be an abnormal access route.
Embodiment two:
An embodiment of the present invention further provides an access anomaly detection system based on a Markov model. The system is mainly used to execute the access anomaly detection method based on a Markov model provided in the foregoing content of the embodiments of the present invention. The system is described in detail below.
Fig. 6 is a schematic diagram of an access anomaly detection system based on a Markov model according to an embodiment of the present invention. As shown in Fig. 6, the system mainly includes a drawing unit 10, a computing unit 20 and a detection unit 30, where:
The drawing unit is configured to draw an access route map of the destination page to be detected when it is detected that a user accesses the destination page to be detected from a source page, where the access route map includes a target access route, and the target access route includes the pages traversed from the source page to the destination page to be detected;
The computing unit is configured to calculate the route reference value of the target access route to obtain the target access route reference value;
The detection unit is configured to detect, based on the target access route reference value, whether the target access route is an abnormal access route.
In the embodiments of the present invention, when it is detected that a user accesses the destination page to be detected from a source page, the access route map of the destination page to be detected is drawn first; the route reference value of the target access route is then calculated; finally, whether the target access route is an abnormal access route is detected based on the target access route reference value. As can be seen from the above description, this embodiment uses an access anomaly detection method based on a Markov model, which alleviates the technical problem of low detection efficiency when existing network security technology performs access anomaly detection, and thereby achieves the technical effect of improving access anomaly detection efficiency.
Optionally, the system is further configured to: obtain multiple pages to be protected; and calculate, for each page among the pages to be protected, the route reference range corresponding to that page when it serves as the destination page.
Optionally, the system is further configured to: obtain log information of the pages to be protected, and determine, based on the log information, the in-page set of destination page Qf among the pages to be protected, where the log information includes records of source pages entering destination pages, the in-page set is the set of source pages that enter destination page Qf, f takes the values 1 to F in turn, and F is the number of destination pages among the pages to be protected; draw the route map set of destination page Qf, where the route map set contains X routes; calculate the route reference value of route Ax in the route map set to obtain X route reference values, where x takes the values 1 to X in turn, and X is the number of routes contained in the route map set of destination page Qf; and take the interval formed by the largest and the smallest of the X route reference values as the route reference range of destination page Qf.
Optionally, the computing unit includes: a first computing module, configured to calculate the probability between any two adjacent nodes in route Ax of the route map set to obtain multiple probabilities, where each probability is the probability of going from the first node of the two adjacent nodes to the second node of the two adjacent nodes, and the page represented by the first node is an in-page of the page represented by the second node; and a second computing module, configured to calculate the route reference value of route Ax in the route map set from the multiple probabilities.
Optionally, the first computing module is configured to: determine the in-page set corresponding to the destination page represented by the second node on route Ax, and count the number of times the in-page represented by the first node in that in-page set accesses the destination page; calculate the in-degree of all destination pages in the set formed by the pages to be protected; and calculate, based on the in-degree and the number of times, the probability that the in-page represented by the first node accesses the destination page.
Optionally, the first computing module is further configured to: calculate, according to the formula, the probability that the in-page represented by the first node accesses the destination page, where 1 ≤ j ≤ k, countj is the number of times, k is the number of in-pages in the in-page set corresponding to the destination page, and the remaining term of the formula is the in-degree.
Optionally, the second computing module is configured to: calculate the product of the multiple probabilities to obtain a product result; and take the logarithm of the product result, using the calculated result as the route reference value of route Ax in the route map set.
Optionally, the computing unit is further configured to: determine the pages traversed from the source page to the destination page to be detected in the target access route; read from a probability database the probability between any two adjacent nodes in the target access route to obtain multiple probabilities, where the probability database contains the precomputed probability of each source page accessing a destination page; calculate the product of the multiple probabilities to obtain a product result; and take the logarithm of the product result, using the calculated result as the target access route reference value of the target access route.
Optionally, the detection unit is further configured to: obtain the route reference range of the destination page to be detected; compare the target access route reference value with the route reference range; if the comparison shows that the target access route reference value is within the route reference range, determine that the target access route is a normal access route; and if the comparison shows that the target access route reference value is not within the route reference range, determine that the target access route is an abnormal access route.
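The training, scoring and range check performed by the computing and detection units, as an added Python example (not code from the patent). The probability formula is not reproduced in this text, so the example assumes P(src → dst) = count / in-degree of dst; the constructed session data, the natural logarithm, taking a destination's route set to be the sessions that end on it, and scoring unseen transitions as -inf are likewise assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample: each list is one user's page sequence taken from access logs.
TRAINING_SESSIONS = [
    ["E", "F", "M", "K"],
    ["E", "F", "M", "K"],
    ["E", "F", "K"],
    ["A", "M", "K"],
    ["E", "F", "M"],
]


def transition_probabilities(sessions):
    """Estimate P(src -> dst) for every adjacent page pair seen in the logs.

    Assumption: probability = count_j / in-degree, where count_j is how often
    in-page src led to dst and in-degree is the total number of entries into dst.
    """
    counts, in_degree = Counter(), Counter()
    for pages in sessions:
        for src, dst in zip(pages, pages[1:]):
            counts[(src, dst)] += 1
            in_degree[dst] += 1
    return {(src, dst): n / in_degree[dst] for (src, dst), n in counts.items()}


def route_reference_value(route, probs):
    """Log of the product of transition probabilities along the route.

    Summing logs equals the log of the product but avoids underflow on long
    routes. A transition never seen in training has probability 0; its log is
    undefined, so the route scores -inf (assumption).
    """
    total = 0.0
    for edge in zip(route, route[1:]):
        p = probs.get(edge, 0.0)
        if p == 0.0:
            return float("-inf")
        total += math.log(p)
    return total


def reference_ranges(sessions, probs):
    """Map each destination page to (min, max) over its observed routes.

    Assumption: the route set of a destination is every training session
    that ends on it.
    """
    values = defaultdict(list)
    for pages in sessions:
        if len(pages) >= 2:
            values[pages[-1]].append(route_reference_value(pages, probs))
    return {dst: (min(v), max(v)) for dst, v in values.items()}


def is_abnormal(route, probs, ranges):
    """True when the route's reference value falls outside the destination's range."""
    dst = route[-1]
    if dst not in ranges:  # no baseline for this page: flag for review (assumption)
        return True
    low, high = ranges[dst]
    return not (low <= route_reference_value(route, probs) <= high)


if __name__ == "__main__":
    probs = transition_probabilities(TRAINING_SESSIONS)
    ranges = reference_ranges(TRAINING_SESSIONS, probs)
    for route in (["E", "F", "M", "K"], ["A", "K"], ["M", "K"]):
        value = route_reference_value(route, probs)
        verdict = "abnormal" if is_abnormal(route, probs, ranges) else "normal"
        print(" -> ".join(route), round(value, 4), verdict)
```

The range check is two-sided: in the sample data the short route M → K scores above the maximum observed for page K, so it is flagged just like the unseen jump A → K.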
The system provided by this embodiment of the present invention has the same implementation principle and technical effect as the foregoing method embodiment. For brevity, where the system embodiment does not mention something, refer to the corresponding content in the foregoing method embodiment.
In addition, in the description of the embodiments of the present invention, unless otherwise expressly specified and limited, the terms "install", "connected" and "connect" are to be understood broadly. For example, a connection may be fixed, detachable or integral; it may be mechanical or electrical; it may be direct, indirect through an intermediary, or an internal connection between two elements. A person of ordinary skill in the art can understand the specific meaning of these terms in the present invention according to the specific circumstances.
In the description of the present invention, it should be noted that orientations or positional relationships indicated by terms such as "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner" and "outer" are based on the orientations or positional relationships shown in the drawings. They are used only to facilitate and simplify the description of the present invention, and do not indicate or imply that the device or element referred to must have a particular orientation or be constructed and operated in a particular orientation; they are therefore not to be construed as limiting the present invention. In addition, the terms "first", "second" and "third" are used for descriptive purposes only and are not to be understood as indicating or implying relative importance.
A person skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above can be found in the corresponding processes of the foregoing method embodiment, and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, devices and methods may be implemented in other ways. The device embodiments described above are merely illustrative. For example, the division into units is only a division by logical function, and other divisions are possible in an actual implementation; as another example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some communication interfaces, devices or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit.
If the functions are implemented in the form of software functional units and sold or used as an independent product, they may be stored in a non-volatile computer-readable storage medium executable by a processor. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute all or some of the steps of the methods described in the embodiments of the present invention. The aforementioned storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), a magnetic disk or an optical disc.
Finally, it should be noted that the embodiments described above are only specific implementations of the present invention, intended to illustrate its technical solution rather than to limit it, and the scope of protection of the present invention is not limited to them. Although the present invention has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that anyone familiar with the technical field can, within the technical scope disclosed by the present invention, still modify the technical solutions recorded in the foregoing embodiments, readily conceive of variations, or make equivalent replacements of some of the technical features. Such modifications, variations or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention, and shall all be covered by the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be subject to the scope of protection of the claims.
Claims (10)
1. An access anomaly detection method based on a Markov model, characterized by comprising:
when it is detected that a user accesses a destination page to be detected from a source page, drawing an access route map of the destination page to be detected, wherein the access route map includes a target access route, and the target access route includes the pages traversed from the source page to the destination page to be detected;
calculating the route reference value of the target access route to obtain a target access route reference value;
detecting, based on the target access route reference value, whether the target access route is an abnormal access route.
2. The method according to claim 1, characterized in that the method further comprises:
obtaining multiple pages to be protected;
calculating, for each page among the pages to be protected, the route reference range corresponding to that page when it serves as the destination page.
3. The method according to claim 2, characterized in that calculating, for each page among the pages to be protected, the route reference range corresponding to that page when it serves as the destination page comprises:
obtaining log information of the pages to be protected, and determining, based on the log information, the in-page set of destination page Qf among the pages to be protected, wherein the log information includes records of source pages entering destination pages, the in-page set is the set of source pages that enter the destination page Qf, f takes the values 1 to F in turn, and F is the number of destination pages among the pages to be protected;
drawing the route map set of the destination page Qf, wherein the route map set contains X routes;
calculating the route reference value of route Ax in the route map set to obtain X route reference values, wherein x takes the values 1 to X in turn, and X is the number of routes contained in the route map set of the destination page Qf;
taking the interval formed by the largest and the smallest of the X route reference values as the route reference range of the destination page Qf.
4. The method according to claim 3, characterized in that calculating the route reference value of route Ax in the route map set comprises:
calculating the probability between any two adjacent nodes in route Ax of the route map set to obtain multiple probabilities, wherein each probability is the probability of going from the first node of the two adjacent nodes to the second node of the two adjacent nodes, and the page represented by the first node is an in-page of the page represented by the second node;
calculating the route reference value of route Ax in the route map set from the multiple probabilities.
5. The method according to claim 4, characterized in that calculating the probability between any two adjacent nodes in route Ax of the route map set comprises:
determining the in-page set corresponding to the destination page represented by the second node on the route Ax, and counting the number of times the in-page represented by the first node in the in-page set accesses the destination page;
calculating the in-degree of all destination pages in the set formed by the pages to be protected;
calculating, based on the in-degree and the number of times, the probability that the in-page represented by the first node accesses the destination page.
6. The method according to claim 5, characterized in that calculating, based on the in-degree and the number of times, the probability that the in-page represented by the first node accesses the destination page comprises:
calculating, according to the formula, the probability that the in-page represented by the first node accesses the destination page, wherein 1 ≤ j ≤ k, countj is the number of times, k is the number of in-pages in the in-page set corresponding to the destination page, and the remaining term of the formula is the in-degree.
7. The method according to claim 4, characterized in that calculating the route reference value of route Ax in the route map set from the multiple probabilities comprises:
calculating the product of the multiple probabilities to obtain a product result;
taking the logarithm of the product result, and using the calculated result as the route reference value of route Ax in the route map set.
8. The method according to claim 1, characterized in that calculating the route reference value of the target access route comprises:
determining the pages traversed from the source page to the destination page to be detected in the target access route;
reading from a probability database the probability between any two adjacent nodes in the target access route to obtain multiple probabilities, wherein the probability database contains the precomputed probability of each source page accessing a destination page;
calculating the product of the multiple probabilities to obtain a product result;
taking the logarithm of the product result, and using the calculated result as the target access route reference value of the target access route.
9. The method according to claim 1, characterized in that detecting, based on the target access route reference value, whether the target access route is an abnormal access route comprises:
obtaining the route reference range of the destination page to be detected;
comparing the target access route reference value with the route reference range;
if the comparison shows that the target access route reference value is within the route reference range, determining that the target access route is a normal access route;
if the comparison shows that the target access route reference value is not within the route reference range, determining that the target access route is an abnormal access route.
10. An access anomaly detection system based on a Markov model, characterized by comprising:
a drawing unit, configured to draw an access route map of a destination page to be detected when it is detected that a user accesses the destination page to be detected from a source page, wherein the access route map includes a target access route, and the target access route includes the pages traversed from the source page to the destination page to be detected;
a computing unit, configured to calculate the route reference value of the target access route to obtain a target access route reference value;
a detection unit, configured to detect, based on the target access route reference value, whether the target access route is an abnormal access route.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810960598.7A CN109167773B (en) | 2018-08-22 | 2018-08-22 | Access anomaly detection method and system based on Markov model |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109167773A (en) | 2019-01-08 |
CN109167773B (en) | 2021-01-26 |
Family
ID=64896529
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810960598.7A Active CN109167773B (en) | 2018-08-22 | 2018-08-22 | Access anomaly detection method and system based on Markov model |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109167773B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN109167773B (en) | 2021-01-26 |
Legal Events
Code | Title | Description |
---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
CB02 | Change of applicant information | Address after: No. 188, Lianhui street, Xixing street, Binjiang District, Hangzhou, Zhejiang Province, 310000. Applicant after: Hangzhou Anheng Information Technology Co.,Ltd. Address before: 310000 15-storey Zhejiang Zhongcai Building, No. 68 Tonghe Road, Binjiang District, Hangzhou City, Zhejiang Province. Applicant before: Hangzhou Anheng Information Technology Co.,Ltd. |
GR01 | Patent grant | |