CN109167773B - Access anomaly detection method and system based on Markov model - Google Patents


Info

Publication number: CN109167773B
Application number: CN201810960598.7A
Authority: CN (China)
Prior art keywords: page, route, target, reference value, access
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN109167773A (en)
Inventors: 刘博�, 范渊
Current assignee: Hangzhou Dbappsecurity Technology Co Ltd
Original assignee: Hangzhou Dbappsecurity Technology Co Ltd
Events: application filed by Hangzhou Dbappsecurity Technology Co Ltd; priority to CN201810960598.7A; publication of CN109167773A; application granted; publication of CN109167773B


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection


Abstract

The invention provides an access anomaly detection method and system based on a Markov model, which relate to the technical field of network security and comprise the following steps: when detecting that a user accesses a target page to be detected through a source page, drawing an access route map of the target page to be detected, wherein the access route map comprises a target access route; the route reference value of the target access route is calculated to obtain the target access route reference value, and whether the target access route is an abnormal access route is detected based on the target access route reference value.

Description

Access anomaly detection method and system based on Markov model
Technical Field
The invention relates to the technical field of network security, in particular to an access anomaly detection method and system based on a Markov model.
Background
The Internet touches every aspect of people's lives, brings great convenience and has become an indispensable part of daily life. At the same time, however, security incidents caused by hackers exploiting the Internet are frequently exposed, posing a concrete threat to the application and development of the Internet. As intrusion techniques become more multi-terminal and more concealed, they spread faster, affect a wider range and cause greater harm, so that security has become a problem that urgently needs to be solved in Internet development. Existing Internet access anomaly detection methods are numerous and can be roughly divided into the following: methods based on access traffic, methods based on access characteristics and methods based on access speed.
The drawback of the access-traffic-based method is that existing attack techniques are increasingly concealed at the traffic level and rarely show obvious characteristics, so the method yields inaccurate analysis results and false alarms.
As for the access-characteristic-based method, with the development of technology the client environment has become multi-terminal, and the login location, device and browser of a client may change at any time, so this method also yields inaccurate analysis results and false alarms.
The access-speed-based method can, in specific scenarios, only detect hackers who log in from a region different from that of the monitored user; hackers who log in from the same region as the monitored user are difficult to identify, so the method is easy to bypass and prone to missed detections.
Disclosure of Invention
In view of this, the present invention provides an access anomaly detection method and system based on a Markov model, so as to alleviate the technical problem of low detection efficiency when performing access anomaly detection with existing network security technology.
In a first aspect, an embodiment of the present invention provides an access anomaly detection method based on a Markov model, including: when a user is detected to access a target page to be detected through a source page, drawing an access route map of the target page to be detected, wherein the access route map comprises a target access route, and the target access route comprises the pages from the source page to the target page to be detected; calculating a route reference value of the target access route to obtain a target access route reference value; and detecting whether the target access route is an abnormal access route based on the target access route reference value.
Further, the method further comprises: acquiring a plurality of pages to be protected; and calculating a route reference value range corresponding to each page to be protected in the pages to be protected as a target page.
Further, calculating the route reference value range corresponding to each page to be protected, among the pages to be protected, as a destination page includes: obtaining log information of the pages to be protected, and determining, based on the log information, a destination page Q_f among the pages to be protected and the incoming page set of Q_f, wherein the log information comprises log information of source pages entering the destination page, the incoming page set is the set of source pages of Q_f in the log information, f is 1 to F in sequence, and F is the number of destination pages among the pages to be protected; drawing the route map set of the destination page Q_f, wherein the route map set comprises X routes; calculating route reference values of the routes Ax in the route map set to obtain X route reference values, wherein x is 1 to X in sequence, and X is the number of routes contained in the route map set of the destination page Q_f; and taking the value interval formed by the maximum route reference value and the minimum route reference value among the X route reference values as the route reference value range of the destination page Q_f.
Further, calculating the route reference value for the route Ax in the route pattern set includes: calculating the probability between any two adjacent nodes in the route Ax in the route map set to obtain a plurality of probabilities, wherein the probability represents the probability from a first node in any two adjacent nodes to a second node in any two adjacent nodes, and a page represented by the first node is an incoming page of a page represented by the second node; and calculating a route reference value of the route Ax in the route map set by using the plurality of probabilities to obtain the route reference value of the route Ax in the route map set.
Further, calculating the probability between any two adjacent nodes in the route Ax in the route set comprises: counting a page entering set corresponding to a destination page represented by a second node on the route Ax, and counting the number of times that the destination page is accessed by the page entering represented by the first node in the page entering set; calculating the in-degree number of all target pages in the set consisting of the pages to be protected; and calculating the probability of the incoming page represented by the first node accessing the destination page based on the incoming number and the times.
Further, calculating the probability that the incoming page represented by the first node accesses the destination page based on the in-degree number and the count comprises: calculating, according to the formula shown in Figure BDA0001773757120000031, the probability that the incoming page represented by the first node accesses the destination page, wherein 1 ≤ j ≤ k, count_j is the count, the quantity shown in Figure BDA0001773757120000032 is the in-degree number described above, and k is the number of incoming pages in the incoming page set corresponding to the destination page.
Further, the calculation of the route reference value for the route Ax in the roadmap set using the plurality of probabilities includes: calculating the product of the probabilities to obtain a product result; and carrying out logarithm calculation on the product result, and using the calculation result as a route reference value of the route Ax in the route map set.
Further, calculating the route reference value of the target access route includes: counting pages from a source page to the target page to be detected in a target access route; reading the probability between any two adjacent nodes in the target access route from a probability database to obtain a plurality of probabilities, wherein the probability database comprises the probability of each pre-calculated source page accessing the target page; calculating the product of the probabilities to obtain a product result; and carrying out logarithm calculation on the multiplication result, and taking the calculation result as a target access route reference value of the target access route.
Further, detecting whether the target access route is an abnormal access route based on the target access route reference value includes: acquiring a route reference value range of the target page to be detected; comparing the target access route reference value to the route reference value range; if the comparison result is that the target access route reference value is within the route reference value range, determining that the target access route is a normal access route; and if the comparison result is that the target access route reference value is not within the route reference value range, determining that the target access route is an abnormal access route.
In a second aspect, an embodiment of the present invention further provides an access anomaly detection system based on a Markov model, including a drawing unit, a calculation unit and a detection unit, wherein the drawing unit is used for drawing an access route map of a target page to be detected when a user is detected to access the target page to be detected through a source page, the access route map comprises a target access route, and the target access route comprises the pages from the source page to the target page to be detected; the calculation unit is used for calculating a route reference value of the target access route to obtain a target access route reference value; and the detection unit is used for detecting whether the target access route is an abnormal access route based on the target access route reference value.
In the embodiment of the invention, firstly, when a user is detected to access a target page to be detected through a source page, an access route map of the target page to be detected is drawn; then, a route reference value of the target access route is calculated; and finally, whether the target access route is an abnormal access route is detected based on the target access route reference value. As can be seen from the above description, this embodiment, by using the access anomaly detection method based on the Markov model, alleviates the technical problem of low detection efficiency when access anomalies are detected by existing network security technology, thereby improving the efficiency of access anomaly detection.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
In order to make the aforementioned and other objects, features and advantages of the present invention comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a flowchart of an access anomaly detection method based on a Markov model according to an embodiment of the present invention;
FIG. 2 is a flow chart of an alternative Markov model based access anomaly detection method in accordance with embodiments of the present invention;
FIG. 3 is a diagram illustrating a set of route maps of an optional destination page to be protected, according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of an access route of an optional target to be detected according to an embodiment of the present invention;
FIG. 5 is a flow chart of another alternative Markov model-based access anomaly detection method in accordance with embodiments of the present invention;
fig. 6 is a functional block diagram of an access anomaly detection system based on a Markov model according to an embodiment of the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is apparent that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The first embodiment is as follows:
According to an embodiment of the present invention, an embodiment of an access anomaly detection method based on a Markov model is provided. It should be noted that the steps illustrated in the flowchart of the accompanying drawings may be performed in a computer system such as a set of computer-executable instructions, and that although a logical order is shown in the flowchart, in some cases the steps illustrated or described may be performed in an order different from the one given here.
Fig. 1 is a flowchart of an access anomaly detection method based on a Markov model according to an embodiment of the present invention. As shown in fig. 1, the method includes the following steps:
step S102, when it is detected that a user accesses a target page to be detected through a source page, drawing an access route map of the target page to be detected, wherein the access route map comprises a target access route, and the target access route comprises a page from the source page to the target page to be detected;
step S104, calculating a route reference value of the target access route to obtain a target access route reference value;
and step S106, detecting whether the target access route is an abnormal access route or not based on the target access route reference value.
In the embodiment of the invention, firstly, when a user is detected to access a target page to be detected through a source page, an access route map of the target page to be detected is drawn; then, a route reference value of the target access route is calculated; and finally, whether the target access route is an abnormal access route is detected based on the target access route reference value. As can be seen from the above description, this embodiment, by using the access anomaly detection method based on the Markov model, alleviates the technical problem of low detection efficiency when access anomalies are detected by existing network security technology, thereby improving the efficiency of access anomaly detection.
In this embodiment, referring to fig. 2, the access abnormality detection method further includes the following steps:
step S201, acquiring a plurality of pages to be protected;
step S202, calculating a route reference value range corresponding to each page to be protected in the pages to be protected as a target page.
In this embodiment, the route reference value range of each destination page needs to be predetermined, and optionally, the step S202 of calculating the route reference value range corresponding to each page to be protected in the pages to be protected as the destination page includes the following steps:
step S2021, obtaining the log information of the pages to be protected, and determining, based on the log information, the destination page Q_f among the pages to be protected and the incoming page set of Q_f, wherein the log information comprises log information of source pages entering the destination page, the incoming page set is the set of source pages of Q_f in the log information, f is 1 to F in sequence, and F is the number of destination pages among the pages to be protected;
step S2022, drawing the route map set of the destination page Q_f, wherein the route map set comprises X routes;
step S2023, calculating the route reference value of the route Ax in the route map set to obtain X route reference values, wherein x is 1 to X in sequence, and X is the number of routes contained in the route map set of the destination page Q_f;
step S2024, taking the value interval formed by the maximum route reference value and the minimum route reference value among the X route reference values as the route reference value range of the destination page Q_f.
The above-described process of determining the route reference value range of each destination page is described in detail below, and is described as follows:
Firstly, obtaining a plurality of pages to be protected, and counting the number S of the pages to be protected to obtain the page set to be protected {URL_1, URL_2, URL_3, ..., URL_S}. Then, counting the destination page set formed by the pages in the page set to be protected that serve as destination pages: {Q_1, Q_2, ..., Q_f, ..., Q_{F-1}, Q_F}, where f is 1 to F in sequence and 1 ≤ F ≤ S. The incoming page set of each destination page in the destination page set is counted, and the specific process is described as follows:
Firstly, collecting log information of the pages to be protected, wherein the log information comprises source page information and destination page information; then, extracting from the log information the source pages corresponding to each destination page. For a page Q_f in the page set to be protected, the incoming page set PIN_f of Q_f when it serves as a destination page is obtained, wherein 1 ≤ f ≤ S. For ease of description, a key value is set up for the set PIN_f, so that PIN_f can be represented by key values as follows: Key_f = {key_1, key_2, ..., key_{k-1}, key_k}, where 1 ≤ k ≤ S.
Drawing the route map set of the destination page Q_f according to the collected log information. The route map set comprises X routes; the route reference value of each route Ax in the route map set is calculated, and X route reference values are obtained, where x is 1 to X in sequence.
In an alternative implementation of this embodiment, the calculation of the route reference value for the route Ax in the roadmap set comprises the following steps:
step S301, calculating the probability between any two adjacent nodes in the route Ax in the route map set to obtain a plurality of probabilities, wherein the probability represents the probability from a first node to a second node in any two adjacent nodes, and a page represented by the first node is an incoming page of a page represented by the second node;
step S302, calculating a route reference value of the route Ax in the route map set by using a plurality of probabilities to obtain the route reference value of the route Ax in the route map set.
The route map set may be the route map set shown in fig. 3, and the route Ax in the route map set may be the route shown in fig. 3: page A → page B → page C → page D. For page A → page B, page A represents the first node, page B represents the second node, and the page represented by page A is the incoming page of the page represented by page B. For page B → page C, page B represents the first node, page C represents the second node, and the page represented by page B is the incoming page of the page represented by page C. For page C → page D, page C represents the first node, page D represents the second node, and the page represented by page C is the incoming page of the page represented by page D.
As shown in fig. 3, for a route Ax in the route set, a probability between any two adjacent nodes in the route Ax in the route set can be calculated, and then, a plurality of probabilities can be obtained. After the plurality of probabilities is obtained, a route reference value for the route Ax in the roadmap set can be calculated based on the plurality of probabilities.
Optionally, in step S301, calculating the probability between any two adjacent nodes in the route Ax in the route set includes the following steps:
firstly, counting a page entering set corresponding to a target page represented by a second node on a route Ax, and counting the number of times that the page entering represented by a first node in the page entering set accesses the target page;
then, calculating the in-degree number of all target pages in a set consisting of pages to be protected;
and finally, calculating the probability of the page access destination page represented by the first node based on the number of the entries and the number of times.
Assuming that the route map set is the route map set shown in fig. 3, the route Ax in the route map set may be one route shown in fig. 3: page A → page B → page C → page D. At this time, the probability between any two adjacent nodes in page A → page B → page C → page D is calculated, that is, the probability of page A → page B, the probability of page B → page C, and the probability of page C → page D.
When calculating the probability of page A → page B, the node where page A is located is the first node and the node where page B is located is the second node; at this time, page B is the above-mentioned destination page and page A is an incoming page of the destination page. Based on this, in this embodiment, first the incoming page set corresponding to page B is counted, where the incoming page set includes page A. Then the number of times page A accesses page B is counted, then the in-degree number of all destination pages in the set consisting of the pages to be protected is calculated, and finally the probability of page A accessing page B is calculated based on the in-degree number and the number of times page A accesses page B.
In this embodiment, the probability that the page B accesses the page C and the probability that the page C accesses the page D may be calculated in the above manner, which is not described in detail herein.
In an alternative embodiment, calculating the probability that the incoming page represented by the first node accesses the destination page based on the in-degree number and the count comprises: calculating, according to the formula shown in Figure BDA0001773757120000101, the probability that the incoming page represented by the first node accesses the destination page, wherein 1 ≤ j ≤ k, count_j is the count, the quantity shown in Figure BDA0001773757120000102 is the in-degree number described above, and k is the number of incoming pages in the incoming page set corresponding to the destination page.
The description will be given by taking the calculation of the probability that page A accesses page B in page A → page B → page C → page D as an example. In this embodiment, the probability that page A accesses page B can be calculated according to the formula shown in Figure BDA0001773757120000103; at this time, count_j is the number of times page A accesses page B, the quantity shown in Figure BDA0001773757120000104 is the in-degree number of all the destination pages in the set formed by the pages to be protected, and F is the number of destination pages among the pages to be protected.
It should be noted that, in this embodiment, j represents a jth inbound page in the inbound page set corresponding to the destination page, and the jth inbound page is a page corresponding to a node adjacent to the destination page in the route Ax in the route map set and is an inbound page of the destination page.
In this embodiment, the probability between any two adjacent nodes in the route Ax of the route map set shown in fig. 3 may be calculated in this manner, which is not described in detail herein, and all calculated probabilities are stored to generate a probability database.
After the probability values P_j are calculated in the above manner, the route reference value of the route Ax in the route map set can be calculated using the plurality of probabilities, which specifically comprises the following steps:
firstly, calculating the product of a plurality of probabilities to obtain a product result;
then, the product result is subjected to logarithm calculation, and the calculation result is used as a route reference value of the route Ax in the route map set.
Taking the route represented by page A → page B → page C → page D in fig. 3 as an example, where the route Ax in the route map set is page A → page B → page C → page D, the route probability P of the route Ax in the route map set is a_1 * b_1 * c_1, wherein, as shown in FIG. 3, a_1 is the probability of page A accessing page B, b_1 is the probability of page B accessing page C, and c_1 is the probability of page C accessing page D.
In order to obtain a more stable route reference value, after the calculation of the multiplication result, the logarithm calculation is carried out on the multiplication result, and the calculation result is used as the route reference value of the route Ax in the route map set.
According to the above processing method, the route reference value of each route in the route map set of the destination page Q_f can be obtained, yielding X route reference values.
Optionally, taking the value interval formed by the maximum route reference value and the minimum route reference value among the X route reference values as the route reference value range of the destination page Q_f includes:
firstly, sorting the X route reference values, and then taking the value interval formed by the maximum route reference value and the minimum route reference value as the route reference value range of the destination page Q_f.
Optionally, in step S104, calculating the route reference value of the target access route includes:
step S1041, counting pages from a source page to a target page to be detected in a target access route;
step S1042, reading the probability between any two adjacent nodes in the target access route from a probability database to obtain a plurality of probabilities, wherein the probability database comprises the probability of each pre-calculated source page to access the target page;
step S1043, calculating a product of the probabilities to obtain a product result;
and step S1044, carrying out logarithm calculation on the multiplication result, and taking the calculation result as a target access route reference value of the target access route.
In this embodiment, to calculate the route reference value of a target access route, first the pages from the source page to the target page to be detected in the target access route are counted, and the probability between any two adjacent nodes in the target access route is read from the probability database to obtain a plurality of probabilities, where the probability database comprises the pre-calculated probability of each source page accessing the destination page. If the probability between two adjacent nodes in the target access route cannot be read from the probability database, the probability between those two nodes is recorded as 0. Then the product of the plurality of probabilities is calculated to obtain the product result, and finally the logarithm of the product result is calculated and the result is taken as the target access route reference value of the target access route.
Taking the route represented by page E → page F → page M → page K in FIG. 4 as an example, the target access route is page E → page F → page M → page K. To calculate the route reference value of the target access route, the probability e_1 of page E accessing page F, the probability f_2 of page F accessing page M and the probability m_1 of page M accessing page K are read from the probability database; then the product of the read probabilities is calculated, and the route probability P of the target access route is e_1 * f_2 * m_1, wherein, as shown in FIG. 4, e_1 is the probability of page E accessing page F, f_2 is the probability of page F accessing page M, and m_1 is the probability of page M accessing page K. Finally, the logarithm of the product result is calculated to obtain the target access route reference value value1, and value1 is taken as the target access route reference value of the target access route.
After the route reference value of the target access route (i.e., the target access route reference value) is calculated in the above-described processing manner, it is possible to detect whether the target access route is an abnormal access route based on the target access route reference value.
In an optional implementation manner of this embodiment, referring to fig. 5, the step S106 of detecting whether the target access route is an abnormal access route based on the target access route reference value includes the following steps:
step S1061, acquiring the route reference value range of the target page to be detected;
step S1062, comparing the target access route reference value with the route reference value range;
step S1063, if the comparison result is that the target access route reference value is within the route reference value range, determining that the target access route is a normal access route;
step S1064, if the comparison result is that the target access route reference value is not within the route reference value range, determining that the target access route is an abnormal access route.
In this embodiment, when detecting whether the target access route is an abnormal access route based on the target access route reference value, the route reference value range of the target page to be detected is first obtained; this range is calculated in advance. The target access route reference value is then compared with the route reference value range. If the target access route reference value is within the route reference value range, the target access route is determined to be a normal access route; if it is not within the route reference value range, the target access route is determined to be an abnormal access route.
For example, as shown in fig. 4, the target page to be detected is page K, and the target access route reference value of page E → page F → page M → page K is value1, the value1 is compared with the route reference value range of page K, if the value1 is within the route reference value range, the target access route is determined to be a normal access route, and if the value1 is not within the route reference value range, the target access route is determined to be an abnormal access route.
Example two:
The embodiment of the invention also provides an access anomaly detection system based on the Markov model, which is mainly used for executing the access anomaly detection method based on the Markov model provided by the embodiment of the invention.
Fig. 6 is a schematic diagram of an access anomaly detection system based on a markov model according to an embodiment of the present invention, and as shown in fig. 6, the access anomaly detection system based on the markov model mainly includes a drawing unit 10, a calculation unit 20 and a detection unit 30, where:
the system comprises a drawing unit, a processing unit and a display unit, wherein the drawing unit is used for drawing an access route map of a target page to be detected when detecting that a user accesses the target page to be detected through a source page, the access route map comprises a target access route, and the target access route comprises a page from the source page to the target page to be detected;
the calculating unit is used for calculating a route reference value of the target access route to obtain a target access route reference value;
a detection unit for detecting whether the target access route is an abnormal access route based on the target access route reference value.
In the embodiment of the invention, when a user is detected accessing a target page to be detected through a source page, an access route map of the target page to be detected is first drawn; then the route reference value of the target access route is calculated; and finally whether the target access route is an abnormal access route is detected based on the target access route reference value. As can be seen from the above description, the access anomaly detection method based on the Markov model used in this embodiment alleviates the technical problem that detection efficiency is low when access anomalies are detected by existing network security technology, and thereby improves access anomaly detection efficiency.
Optionally, the system is further configured to obtain a plurality of pages to be protected; and calculating a route reference value range corresponding to each page to be protected in the pages to be protected as a target page.
Optionally, the system is further configured to obtain log information of the pages to be protected and to determine, based on the log information, the page-entering set of each destination page Q_f in the pages to be protected, where the log information includes log information of source pages entering the destination page, the page-entering set is the set of source pages of Q_f, f runs from 1 to F, and F is the number of destination pages in the pages to be protected; to draw the route map set of destination page Q_f, where the route map set includes X routes; to calculate the route reference value of each route Ax in the route map set to obtain X route reference values, where x runs from 1 to X and X is the number of routes contained in the route map set of destination page Q_f; and to take the value interval bounded by the maximum route reference value and the minimum route reference value among the X route reference values as the route reference value range of destination page Q_f.
Optionally, the calculation unit comprises: the first calculation module is used for calculating the probability between any two adjacent nodes in the route Ax in the route map set to obtain a plurality of probabilities, wherein the probability represents the probability from a first node to a second node in any two adjacent nodes, and a page represented by the first node is an incoming page of a page represented by the second node; and the second calculating module is used for calculating the route reference value of the route Ax in the route map set by utilizing the plurality of probabilities to obtain the route reference value of the route Ax in the route map set.
Optionally, the first calculation module is configured to: counting a page entering set corresponding to a target page represented by a second node on the route Ax, and counting the number of times that the page entering represented by a first node in the page entering set accesses the target page; calculating the in-degree number of all target pages in a set consisting of pages to be protected; and calculating the probability of the page access destination page represented by the first node based on the number of the entries and the number of times.
Optionally, the first calculation module is further configured to: according to the formula
Figure BDA0001773757120000151
Calculating the probability of the page access destination page represented by the first node, wherein j is more than or equal to 1 and less than or equal to k, and countjIn order to count the number of times,
Figure BDA0001773757120000152
and k is the number of pages in the page set corresponding to the destination page.
Optionally, the second calculation module is configured to: calculating the product of a plurality of probabilities to obtain a product result; and carrying out logarithm calculation on the multiplication result, and using the calculation result as a route reference value of the route Ax in the route map set.
Optionally, the calculating unit is further configured to count the pages from the source page to the target page to be detected in the target access route; to read the probability between each pair of adjacent nodes in the target access route from a probability database to obtain a plurality of probabilities, where the probability database includes the pre-calculated probability of each source page accessing each target page; to calculate the product of the probabilities to obtain a product result; and to take the logarithm of the product result and use the result as the target access route reference value of the target access route.
Optionally, the detection unit is further configured to acquire the route reference value range of the target page to be detected; to compare the target access route reference value with the route reference value range; to determine that the target access route is a normal access route if the target access route reference value is within the route reference value range; and to determine that the target access route is an abnormal access route if the target access route reference value is not within the route reference value range.
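The following Python script is an added example, not code from the patent, that runs the procedure described in the method embodiment above (route reference value, then comparison with the route reference value range) together with the optional units just described (building the probability database from log information and deriving the route reference value range of a destination page) end to end. Page names E, F, M and K follow FIG. 4 of the patent; pages G, H and N and the access log itself are constructed for this example. Two points are this example's own reading of the text and are marked as assumptions in the code: the denominator of each probability is the destination page's total in-degree count over its k entering pages, and the route map of a destination page is taken to be every simple path to it from an entry page (a page that never appears as the requested page in the log).

```python
import math
from collections import defaultdict

# Constructed sample access log for this example (not data from the patent):
# one (referrer page, requested page) pair per request. E, F, M, K are the
# pages of FIG. 4; G, H, N are added so that several routes lead to page K.
SAMPLE_LOG = [
    ("E", "F"), ("E", "F"), ("E", "F"), ("H", "F"), ("H", "F"),
    ("E", "G"),
    ("F", "M"), ("F", "M"), ("F", "N"),
    ("M", "K"), ("M", "K"), ("M", "K"), ("N", "K"), ("G", "K"),
]


def build_probability_database(log):
    """Pre-compute the probability of each source page entering each destination page.

    count_j is the number of requests from the j-th entering page of a destination;
    the denominator is that destination's total in-degree count over all of its k
    entering pages (assumption: this example's reading of the description).
    """
    counts = defaultdict(int)
    indegree = defaultdict(int)
    for src, dst in log:
        counts[(src, dst)] += 1
        indegree[dst] += 1
    return {(src, dst): n / indegree[dst] for (src, dst), n in counts.items()}


def route_reference_value(route, prob_db):
    """log(p_1 * p_2 * ... * p_n) over the adjacent-page transitions of a route.

    Summing logarithms equals the logarithm of the product but does not underflow
    on long routes. A transition missing from the database is recorded as
    probability 0, as the text specifies; its logarithm is -inf, so such a route
    can never land inside a finite reference range.
    """
    value = 0.0
    for src, dst in zip(route, route[1:]):
        p = prob_db.get((src, dst), 0.0)
        if p == 0.0:
            return float("-inf")
        value += math.log(p)
    return value


def enumerate_routes(log, dst):
    """Draw the route map of destination page dst: every simple path that starts at
    an entry page (assumption: a page never requested in the log) and ends at dst."""
    successors = defaultdict(set)
    requested = set()
    pages = set()
    for s, d in log:
        successors[s].add(d)
        requested.add(d)
        pages.update((s, d))
    routes = []

    def walk(page, path):
        if page == dst:
            routes.append(tuple(path))
            return
        for nxt in sorted(successors[page]):
            if nxt not in path:  # simple paths only: never revisit a page
                walk(nxt, path + [nxt])

    for entry in sorted(p for p in pages if p not in requested):
        walk(entry, [entry])
    return routes


def route_reference_range(log, prob_db, dst):
    """[minimum, maximum] of the reference values of all routes in dst's route map."""
    values = [route_reference_value(r, prob_db) for r in enumerate_routes(log, dst)]
    if not values:
        raise ValueError(f"no route to page {dst} in the log")
    return min(values), max(values)


def is_abnormal_route(route, prob_db, value_range):
    """Normal only if the route's reference value lies inside the pre-computed range."""
    low, high = value_range
    value = route_reference_value(route, prob_db)
    return not (low <= value <= high)


if __name__ == "__main__":
    db = build_probability_database(SAMPLE_LOG)
    value_range = route_reference_range(SAMPLE_LOG, db, "K")
    print("route reference value range of page K:", value_range)
    for route in (("E", "F", "M", "K"), ("E", "K"), ("F", "M", "K")):
        verdict = "abnormal" if is_abnormal_route(route, db, value_range) else "normal"
        print(" -> ".join(route), verdict)
```

Because the route map is built from the same log and enumerates every simple path from an entry page, a test route that consists only of logged transitions and starts at an entry page is itself one of the X routes and therefore always falls inside the range. What the range comparison actually flags is a route containing a transition never seen in the log (probability 0, reference value -inf, as with E → K), a route that starts mid-site and so scores above the maximum (F → M → K), or a route that revisits a page; a practitioner should keep that in mind before treating the upper bound as a separate signal.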
The system provided by the embodiment of the present invention has the same implementation principle and technical effect as the foregoing method embodiment, and for the sake of brief description, no mention is made in the system embodiment, and reference may be made to the corresponding contents in the foregoing method embodiment.
In addition, in the description of the embodiments of the present invention, unless otherwise explicitly specified or limited, the terms "mounted," "connected," and "connected" are to be construed broadly, e.g., as meaning either a fixed connection, a removable connection, or an integral connection; can be mechanically or electrically connected; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. The specific meanings of the above terms in the present invention can be understood in specific cases to those skilled in the art.
In the description of the present invention, it should be noted that the terms "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner", "outer", etc., indicate orientations or positional relationships based on the orientations or positional relationships shown in the drawings, and are only for convenience of description and simplicity of description, but do not indicate or imply that the device or element being referred to must have a particular orientation, be constructed and operated in a particular orientation, and thus, should not be construed as limiting the present invention. Furthermore, the terms "first," "second," and "third" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a non-volatile computer-readable storage medium executable by a processor. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
Finally, it should be noted that: the above-mentioned embodiments are only specific embodiments of the present invention, which are used for illustrating the technical solutions of the present invention and not for limiting the same, and the protection scope of the present invention is not limited thereto, although the present invention is described in detail with reference to the foregoing embodiments, those skilled in the art should understand that: any person skilled in the art can modify or easily conceive the technical solutions described in the foregoing embodiments or equivalent substitutes for some technical features within the technical scope of the present disclosure; such modifications, changes or substitutions do not depart from the spirit and scope of the embodiments of the present invention, and they should be construed as being included therein. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (9)

1. An access anomaly detection method based on a Markov model is characterized by comprising the following steps:
when a user is detected to access a target page to be detected through a source page, drawing an access route map of the target page to be detected, wherein the access route map comprises a target access route, and the target access route comprises a page from the source page to the target page to be detected;
calculating a route reference value of the target access route to obtain a target access route reference value;
detecting whether the target access route is an abnormal access route based on the target access route reference value;
wherein calculating the route reference value of the target access route comprises:
counting pages from a source page to the target page to be detected in a target access route;
reading the probability between any two adjacent nodes in the target access route from a probability database to obtain a plurality of probabilities, wherein the probability database comprises the probability of each pre-calculated source page accessing the target page;
calculating the product of the probabilities to obtain a product result;
and carrying out logarithm calculation on the multiplication result, and taking the calculation result as a target access route reference value of the target access route.
2. The method of claim 1, further comprising:
acquiring a plurality of pages to be protected;
and calculating a route reference value range corresponding to each page to be protected in the pages to be protected as a target page.
3. The method according to claim 2, wherein calculating the route reference value range corresponding to each of the pages to be protected as a destination page comprises:
obtaining log information of the pages to be protected, and determining, based on the log information, the page-entering set of each destination page Q_f in the pages to be protected, wherein the log information comprises log information of source pages entering the destination page, the page-entering set is the set of source pages of Q_f, f runs from 1 to F, and F is the number of destination pages in the pages to be protected;
drawing the destination page QfWherein, the route map set comprises X routes;
calculating route reference values of the routes Ax in the route map set to obtain X route reference values, wherein X is 1 to X in sequence, and X is the target page QfThe number of routes contained in the roadmap set;
taking the value interval composed of the maximum route reference value and the minimum route reference value among the X route reference values as the route reference value range of the destination page Q_f.
4. The method according to claim 3, wherein calculating the route reference value for the route Ax in the roadmap set comprises:
calculating the probability between any two adjacent nodes in the route Ax in the route map set to obtain a plurality of probabilities, wherein the probability represents the probability from a first node in any two adjacent nodes to a second node in any two adjacent nodes, and a page represented by the first node is an incoming page of a page represented by the second node;
and calculating a route reference value of the route Ax in the route map set by using the plurality of probabilities to obtain the route reference value of the route Ax in the route map set.
5. The method of claim 4, wherein calculating the probability between any two adjacent nodes in the route Ax in the roadmap set comprises:
counting a page entering set corresponding to a destination page represented by a second node on the route Ax, and counting the number of times that the destination page is accessed by the page entering represented by the first node in the page entering set;
calculating the in-degree number of all target pages in the set consisting of the pages to be protected;
and calculating the probability of the incoming page represented by the first node accessing the destination page based on the incoming number and the times.
6. The method of claim 5, wherein calculating the probability that the incoming page represented by the first node will access the destination page based on the number of entries and the number of times comprises:
according to the formula
[formula image: Figure FDA0002717382130000031]
calculating the probability that the entering page represented by the first node accesses the destination page, wherein 1 ≤ j ≤ k, count_j is the number of times,
[formula image: Figure FDA0002717382130000032]
and k is the number of entering pages in the page-entering set corresponding to the destination page.
7. The method according to claim 4, wherein calculating the route reference value for the route Ax in the roadmap set using the plurality of probabilities comprises:
calculating the product of the probabilities to obtain a product result;
and carrying out logarithm calculation on the product result, and using the calculation result as a route reference value of the route Ax in the route map set.
8. The method of claim 1, wherein detecting whether the target access route is an abnormal access route based on the target access route reference value comprises:
acquiring a route reference value range of the target page to be detected;
comparing the target access route reference value to the route reference value range;
if the comparison result is that the target access route reference value is within the route reference value range, determining that the target access route is a normal access route;
and if the comparison result is that the target access route reference value is not within the route reference value range, determining that the target access route is an abnormal access route.
9. An access anomaly detection system based on a Markov model, comprising:
a drawing unit, configured to draw an access route map of a target page to be detected when it is detected that a user accesses the target page to be detected through a source page, wherein the access route map comprises a target access route and the target access route comprises the pages from the source page to the target page to be detected;
the calculation unit is used for calculating a route reference value of the target access route to obtain a target access route reference value;
a detection unit configured to detect whether the target access route is an abnormal access route based on the target access route reference value;
wherein the computing unit is to:
counting pages from a source page to the target page to be detected in a target access route;
reading the probability between any two adjacent nodes in the target access route from a probability database to obtain a plurality of probabilities, wherein the probability database comprises the probability of each pre-calculated source page accessing the target page;
calculating the product of the probabilities to obtain a product result;
and carrying out logarithm calculation on the multiplication result, and taking the calculation result as a target access route reference value of the target access route.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810960598.7A CN109167773B (en) 2018-08-22 2018-08-22 Access anomaly detection method and system based on Markov model

Publications (2)

Publication Number Publication Date
CN109167773A CN109167773A (en) 2019-01-08
CN109167773B true CN109167773B (en) 2021-01-26

Family

ID=64896529

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810960598.7A Active CN109167773B (en) 2018-08-22 2018-08-22 Access anomaly detection method and system based on Markov model

Country Status (1)

Country Link
CN (1) CN109167773B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110675228B (en) * 2019-09-27 2021-05-28 支付宝(杭州)信息技术有限公司 User ticket buying behavior detection method and device
CN112153033B (en) * 2020-09-16 2023-04-07 杭州安恒信息技术股份有限公司 Method and device for detecting webshell

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2011065524A (en) * 2009-09-18 2011-03-31 Hitachi Information Systems Ltd Web access log confirmation system, method and program
CN104135474A (en) * 2014-07-18 2014-11-05 国家计算机网络与信息安全管理中心 Network anomaly behavior detection method based on out-degree and in-degree of host
CN106961410A (en) * 2016-01-08 2017-07-18 阿里巴巴集团控股有限公司 A kind of abnormal access detection method and device
CN107426136A (en) * 2016-05-23 2017-12-01 腾讯科技(深圳)有限公司 A kind of recognition methods of network attack and device
CN107438079A (en) * 2017-08-18 2017-12-05 杭州安恒信息技术有限公司 A kind of detection method of the unknown abnormal behaviour in website
CN108304410A (en) * 2017-01-13 2018-07-20 阿里巴巴集团控股有限公司 A kind of detection method, device and the data analysing method of the abnormal access page

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: No. 188, Lianhui street, Xixing street, Binjiang District, Hangzhou, Zhejiang Province, 310000

Applicant after: Hangzhou Anheng Information Technology Co.,Ltd.

Address before: 310000 15-storey Zhejiang Zhongcai Building, No. 68 Tonghe Road, Binjiang District, Hangzhou City, Zhejiang Province

Applicant before: Hangzhou Anheng Information Technology Co.,Ltd.

GR01 Patent grant