CN109450879A - User access activity monitoring method, electronic device and computer readable storage medium - Google Patents
- Publication number
- CN109450879A (CN201811252655.2A)
- Authority
- CN
- China
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
Abstract
The invention discloses a user access activity monitoring method, an electronic device and a computer-readable storage medium. A target HTTP log is read from a real-time log queue using a specified time window, a current access behavior file of the target source IP is generated based on the target HTTP log, and the target source IP's history access behavior file for the target website is obtained. According to the current access behavior file and the history access behavior file, it can be analyzed whether the user's current access behavior toward the target website differs from the history access behavior toward the target website. With this scheme, the application uses the user's historical usage habits on the target website as the basis for analyzing whether the user's current access to the target website is abnormal. This approach does not need strategies preset from the website framework and site structure, is more practical and adaptable, and fully considers the individuality and habits of the user, which helps improve the accuracy of identifying abnormal user access behavior.
Description
Technical field
This application relates to the field of Internet technology, and in particular to a user access activity monitoring method, an electronic device and a computer-readable storage medium.
Background
User identity authentication is the process of confirming an operator's identity in computers and computer network systems, and is a basic security mechanism.
Traditional user identity authentication schemes authenticate by username and password, and the latest research results support authenticating users through biometric features such as fingerprints, face recognition and iris. These are all momentary "snapshot" authentications: a "snapshot" authentication verifies whether the user's identity is legitimate from the user's input (including biometric input) at a single point in time.
Under certain conditions, these authentication methods based on a fixed password or "snapshot" biometrics can be bypassed or forged.
To solve the problem that authentication based on a fixed login password or "snapshot" biometrics can be bypassed or forged, the user's behavioral characteristics need to be monitored continuously throughout the user's visit to a website, and an alert raised immediately when the user's behavioral characteristics are found to be abnormal. At present, the ways of monitoring a user's website access behavior and detecting whether it is abnormal mainly include the following:
1. Corresponding strategies are established in an audit system to distinguish normal access from abnormal access. When a URL requested by the user matches an abnormal-access identification strategy (for example a domain name hit or a URL hit), the URL request that hit the strategy is treated as an abnormal URL request and is blocked or alerted on. The problem with this method is that security experts must preset the security strategies in advance, and if the website the user accesses is not within the preset strategy scope, or the access is to a page newly added to the website, the abnormal access cannot be identified and therefore cannot be blocked or alerted on.
2. A website crawler actively crawls site page content and builds a relation graph between each URL and the URLs inside its page. That is, the common URL access path is assumed to be a jump from a URL to a link contained in that URL's page, and any URL access path that does not follow this logic is treated as an abnormal path. The problem with this method is that it must assume that every jump relationship present in the site structure is normal, i.e. the website's given structure serves as the detection rule, so this is also a preset-strategy detection method. In addition, it does not consider the differences in identity and usage habits between different users.
Summary of the invention
The embodiments of the present application provide a user access activity monitoring method, an electronic device and a computer-readable storage medium, which can monitor each user's access behavior based on that user's historical website usage habits, without preset strategies.
A first aspect of the embodiments of the present application provides a user access activity monitoring method, the method comprising:
Reading a target HTTP log from a real-time log queue using a specified time window, the target HTTP log being the HTTP log generated when a target source IP accesses a target website;
Generating a current access behavior file of the target source IP based on the target HTTP log, the current access behavior file reflecting the behavioral habits of the target source IP in accessing the target website within the time window;
Obtaining the target source IP's history access behavior file for the target website, wherein the history access behavior file reflects the historical behavioral habits of the target source IP in accessing the target website;
Analyzing, according to the current access behavior file and the history access behavior file, whether the user's access behavior toward the target website within the time window differs from the history access behavior toward the target website.
Optionally, the history access behavior file is obtained based on the target source IP's history URL access sequence for the target website;
Generating the current access behavior file of the target source IP based on the target HTTP log comprises:
Obtaining, based on the target HTTP log, the target source IP's current URL access sequence for the target website within the time window, and obtaining the current access behavior file of the target source IP based on the current URL access sequence.
Optionally, the history access behavior file comprises a history access behavior map and/or a history access time sequence map, and before obtaining the target source IP's history access behavior file for the target website, the method further comprises:
Obtaining the HTTP log of the target source IP accessing the target website during a period of historical time, and obtaining, based on the HTTP log, the target source IP's history URL access sequence for the target website;
Taking each URL in the history URL access sequence as a node, and the jump relationship from one URL node to another URL node as a directed edge between the two nodes, to generate the target source IP's history access behavior map for the target website; and/or obtaining the user's dwell time on each URL in the history URL access sequence, taking each URL in the history URL access sequence as a node and the jump relationship from one URL node to another URL node as a directed edge between the two nodes, determining, based on the user's dwell time on each URL, the access time interval between adjacent nodes that have a jump relationship, and generating the target source IP's history access time sequence map for the target website from the nodes, directed edges and access time intervals.
Optionally, if the history access behavior file comprises a history access behavior map, analyzing, according to the current access behavior file and the history access behavior file, whether the user's access behavior toward the target website within the time window differs from the history access behavior toward the target website comprises:
Extracting URL access subsequences according to the order in which URLs are accessed in the current URL access sequence, wherein each URL access subsequence contains two URLs that have a direct jump relationship;
Comparing each URL access subsequence with the history access behavior map. If a URL access subsequence contains a node that does not exist in the history access behavior map, and/or if the jump relationship within a URL access subsequence does not exist in the history access behavior map, then the user's access behavior toward the target website within the time window differs from the history access behavior toward the target website;
If the history access behavior file comprises a history access time sequence map, analyzing, according to the current access behavior file and the history access behavior file, whether the user's current access behavior toward the target website differs from the history access behavior toward the target website comprises:
Extracting URL access subsequences according to the order in which URLs are accessed in the current URL access sequence, wherein each URL access subsequence contains two URLs that have a direct jump relationship;
Obtaining the access time interval between the two URLs of each URL access subsequence;
Comparing each URL access subsequence with the history access time sequence map. If one of the following situations exists, then the user's access behavior toward the target website within the time window differs from the history access behavior toward the target website;
Situation one: a URL access subsequence contains a node that does not exist in the history access time sequence map;
Situation two: the jump relationship within a URL access subsequence does not exist in the history access time sequence map;
Situation three: the difference between the access time interval between the two URLs in a URL access subsequence and the access time interval between these two URLs in the history access time sequence map does not meet the preset time-difference requirement.
Optionally, obtaining, based on the HTTP log, the target source IP's history URL access sequence for the target website comprises:
Obtaining, based on the HTTP log, the sequence of URLs through which the target source IP accessed the target website;
For each URL in the URL sequence, removing the content of the parameter part, then filtering out, according to the suffix of each URL, the URLs that are requests for static page resources, and obtaining the history URL access sequence from the remaining URLs in the URL sequence;
Obtaining, based on the target HTTP log, the target source IP's current URL access sequence for the target website within the time window comprises:
Obtaining, based on the target HTTP log, the sequence of URLs through which the target source IP accessed the target website within the time window;
For each URL in the URL sequence, removing the content of the parameter part, then filtering out, according to the suffix of each URL, the URLs that are requests for static page resources, and obtaining the current URL access sequence from the remaining URLs in the URL sequence.
Optionally, the history access behavior file carries an identifier, the identifier comprising the source IP that accessed the website and the destination IP and destination port of the website accessed by that source IP. Obtaining the target source IP's history access behavior file for the target website comprises:
Obtaining, based on the target HTTP log, the target source IP and the destination IP and destination port of the target website accessed by the target source IP;
Querying the identifiers of the history access behavior files using the obtained target source IP, destination IP and destination port, to obtain the target source IP's history access behavior file for the target website.
Optionally, after analyzing, according to the current access behavior file and the history access behavior file, whether the user's access behavior toward the target website within the time window differs from the history access behavior toward the target website, the method further comprises:
If the user's access behavior toward the target website within the time window differs from the history access behavior toward the target website, outputting an abnormal-access alarm for the target source IP and/or blocking the current access of the target source IP.
A second aspect of the embodiments of the present application provides an electronic device, the electronic device comprising:
A reading module, for reading a target HTTP log from a real-time log queue using a specified time window, the target HTTP log being the HTTP log generated when a target source IP accesses a target website;
A generation module, for generating a current access behavior file of the target source IP based on the target HTTP log, the current access behavior file reflecting the behavioral habits of the target source IP in accessing the target website within the time window;
An obtaining module, for obtaining the target source IP's history access behavior file for the target website, wherein the history access behavior file reflects the historical behavioral habits of the target source IP in accessing the target website;
A processing module, for analyzing, according to the current access behavior file and the history access behavior file, whether the user's access behavior toward the target website within the time window differs from the history access behavior toward the target website.
A third aspect of the embodiments of the present application provides an electronic device, the electronic device comprising a memory, a processor and a computer program stored on the memory and runnable on the processor, characterized in that when the processor executes the computer program, the steps of the user access activity monitoring method provided by the first aspect above are implemented.
A fourth aspect of the embodiments of the present application provides a computer-readable storage medium on which a computer program is stored, characterized in that when the computer program is executed by a processor, the steps of the user access activity monitoring method provided by the first aspect above are implemented.
The embodiments of the present application provide a user access activity monitoring method, an electronic device and a computer-readable storage medium. A target HTTP log is read from a real-time log queue using a specified time window, a current access behavior file of the target source IP is generated based on the target HTTP log, and the target source IP's history access behavior file for the target website is obtained. According to the current access behavior file and the history access behavior file, it can be analyzed whether the user's current access behavior toward the target website differs from the history access behavior toward the target website. From the above scheme it can be seen that the application uses the user's historical usage habits on the target website as the basis for analyzing whether the user's current access to the target website is abnormal. This approach does not need strategies preset from the website framework and site structure, is more practical and adaptable, and fully considers the individuality and habits of the user, which helps improve the accuracy of identifying abnormal user access behavior.
Brief description of the drawings
Fig. 1 is a flow diagram of one embodiment of the user access activity monitoring method provided by the present application;
Fig. 2 is a schematic diagram of the history access behavior map provided by the present application;
Fig. 3 is a schematic diagram of the history access time sequence map provided by the present application;
Fig. 4 is a schematic diagram of a method provided by the present application for obtaining multiple history access behavior files in parallel;
Fig. 5 is a structural diagram of one embodiment of the electronic device provided by the present application;
Fig. 6 is a structural diagram of another embodiment of the electronic device provided by the present application.
Detailed description
To make the purpose, features and advantages of the present invention more obvious and understandable, the technical solutions in the embodiments of the present application are described clearly and completely below with reference to the accompanying drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the present application, not all of them. All other embodiments obtained by those skilled in the art based on the embodiments in this application without creative work fall within the protection scope of this application.
In the prior art, strategy-based audit systems need experts to preset strategies, and detection based on the website framework needs strategies preset from the site structure. Both are preset-strategy approaches and do not consider user identity and usage habits. The embodiments of the present application provide a user access activity monitoring method that can analyze whether a user's current access behavior is normal based on the user's history access behavior, improving the security of network access. Referring to Fig. 1, the user access activity monitoring method in this embodiment comprises the following steps:
Step 101: read a target HTTP log from a real-time log queue using a specified time window, the target HTTP log being the HTTP log generated when a target source IP accesses a target website;
Optionally, the length of the time window in this embodiment can be set arbitrarily, for example a time window of 5 minutes or a time window of 4 minutes; this embodiment places no limit on it. The target website in this embodiment can be a website of any type, such as a gaming or shopping website.
In this embodiment, the HTTP log includes, but is not limited to, fields such as access time, source IP and destination IP, referrer URL and accessed URL. Based on these fields, the target HTTP log generated when the target source IP accesses the target website can be obtained quickly and accurately.
The terminal corresponding to the target source IP in this embodiment can be a mobile terminal such as a mobile phone, tablet or smart bracelet, or a fixed terminal such as a desktop computer or smart television; this embodiment places no limit on it.
The user access activity monitoring method of this embodiment can be carried out on an electronic device such as a server, or in a (for example distributed) system made up of multiple electronic devices; this embodiment places no limit on it. To reduce the time needed to obtain the target HTTP log of the target source IP, a protected site list can be set, containing the names of the protected websites. Before the target HTTP log is read from the real-time log queue using the specified time window, the HTTP logs whose destination IP is in the protected site list can first be selected from the HTTP logs, with the destination IP plus destination port used as the identifier of a website.
In this embodiment, the analysis of different target websites can be carried out separately and independently; the target HTTP log here is the HTTP log generated when the target source IP accesses one and the same target website.
Step 102: generate a current access behavior file of the target source IP based on the target HTTP log, wherein the current access behavior file reflects the behavioral habits of the target source IP in accessing the target website within the time window;
Optionally, the current access behavior file of this embodiment may include information about the URLs of the website that the target source IP accessed within the time window, for example the URLs of the website accessed, the access time and leave time of each URL, and the jump relationships between URLs.
Step 103: obtain the target source IP's history access behavior file for the target website, wherein the history access behavior file reflects the historical behavioral habits of the target source IP in accessing the target website;
Optionally, the history access behavior file of this embodiment may include information about the URLs of the website that the target source IP accessed within the time window, for example the URLs of the website accessed, the access time and leave time of each URL, and the jump relationships between URLs.
Step 104: analyze, according to the current access behavior file and the history access behavior file, whether the user's access behavior toward the target website within the time window differs from the history access behavior toward the target website.
When analyzing whether the user's access behavior toward the target website within the time window differs from the history access behavior toward the target website, whether the user's access behavior within the time window is abnormal can be analyzed from the target source IP's URL access pattern in the current access behavior file and the target source IP's URL access pattern in the history access behavior file.
Optionally, in this embodiment, the history access behavior file is obtained based on the target source IP's history URL access sequence for the target website. The history access behavior file comprises a history access behavior map and/or a history access time sequence map, and before the target source IP's history access behavior file for the target website is obtained, the method further includes the step of generating the history access behavior map and/or the history access time sequence map.
For the history access behavior map, the generation method includes:
Obtaining the HTTP log of the target source IP accessing the target website during a period of historical time, and obtaining, based on the HTTP log, the target source IP's history URL access sequence for the target website; taking each URL in the history URL access sequence as a node and the jump relationship from one URL node to another URL node as a directed edge between the two nodes, to generate the target source IP's history access behavior map for the target website.
In this embodiment, before the HTTP log of the target source IP accessing the target website during a period of historical time is obtained, the HTTP logs whose destination IP is in the protected site list can first be selected from the HTTP logs, and the target HTTP log is then obtained from the selected logs. This helps reduce the time needed to obtain the target HTTP log.
In this embodiment, the generated history access behavior map is shown in Fig. 2. The user has accessed multiple services under the website's first-, second- and third-level services, and the jump relationships between the services are as shown in Fig. 2. In the uppermost user access path in the figure, the user enters the website from the service entrance node, then jumps to the node of service 1, from the node of service 1 to the node of service 1-1, and from the node of service 1-1 to the node of service 1-1-1.
For the history access time sequence map, the generation method includes: obtaining the HTTP log of the target source IP accessing the target website during a period of historical time, and obtaining, based on the HTTP log, the target source IP's history URL access sequence for the target website; obtaining the user's dwell time on each URL in the history URL access sequence, taking each URL in the history URL access sequence as a node and the jump relationship from one URL node to another URL node as a directed edge between the two nodes, determining, based on the user's dwell time on each URL, the access time interval between adjacent nodes that have a jump relationship, and generating the target source IP's history access time sequence map for the target website from the nodes, directed edges and access time intervals.
Optionally, the history access time sequence map can be obtained by annotating the history access behavior map with the dwell time of the target source IP (i.e. the user) on each node. For example, the user access time sequence map in Fig. 3 can be obtained from the user access behavior map in Fig. 2. As shown in Fig. 3, the user enters the website from the service entrance node and stays on the service entrance node for 2 seconds, then jumps to the node of service 2 and stays there for 4 seconds, then jumps from the node of service 2 to the node of service 2-2 and stays there for 2 seconds, then jumps from the node of service 2-2 to the node of service 2-2-1, stays there for x seconds, and then jumps to node XXX.
Optionally, in this embodiment, generating the current access behavior file of the target source IP based on the target HTTP log includes: obtaining, based on the target HTTP log, the target source IP's current URL access sequence for the target website within the time window, and obtaining the current access behavior file of the target source IP based on the current URL access sequence.
The current URL access sequence contains information such as the order in which the target source IP accessed the website's URLs within the current time window.
On the basis of the history access behavior map and history access time sequence map above, this embodiment can analyze more accurately whether the user's access behavior toward the target website within the time window differs from the history access behavior toward the target website.
Optionally, based on the history access behavior map, analyzing, according to the current access behavior file and the history access behavior file, whether the user's access behavior toward the target website within the time window differs from the history access behavior toward the target website includes:
Extracting URL access subsequences according to the order in which URLs are accessed in the current URL access sequence, wherein each URL access subsequence contains two URLs that have a direct jump relationship;
Comparing each URL access subsequence with the history access behavior map. If a URL access subsequence contains a node that does not exist in the history access behavior map, and/or if the jump relationship within a URL access subsequence does not exist in the history access behavior map, then the user's access behavior toward the target website within the time window differs from the history access behavior toward the target website. If the nodes in all URL access subsequences exist in the history access behavior map, and the jump relationships within all URL access subsequences also exist in the history access behavior map, then the user's access behavior toward the target website within the time window does not differ from the history access behavior toward the target website.
When extracting URL access subsequences according to the order in which URLs are accessed in the current URL access sequence, extraction can start from the URL with the earliest access time, taking two URLs that have a direct jump relationship as one subsequence; different URL subsequences may share one URL. For example, from the sequence URL1-URL2-URL3-URL4, the URL access subsequences URL1-URL2, URL2-URL3 and URL3-URL4 are extracted. As another example, from the URL set of a current URL access sequence with N elements, N-1 subsequences are extracted according to the order in which the URLs are accessed: for the URL set $\{u_1, u_2, u_3, \ldots, u_n\}$, the subsequences obtained are $\{u_1 \to u_2, u_2 \to u_3, \ldots, u_{n-1} \to u_n\}$.
After the above maps are obtained, they can be serialized into binary objects, and the serialized data stored in HDFS (Hadoop Distributed File System) for later use. Of course, this embodiment is not limited to storing the serialized data on HDFS; it can also be stored in other ways, for example on one specific server.
Optionally, it is based on history access time sequence map, behavior is accessed according to current accessed behavior file and history
File, analyzing user, this includes: to whether the access behavior of targeted sites accesses behavior different from the history to targeted sites
According to the successive access relation of URL in current URL access sequence, extracts URL and access subsequence, wherein each URL
Access sub-series of packets is containing in the presence of two URL for directly jumping relationship;
Obtain the access time interval between two URL of each URL access subsequence;
Each URL access subsequence is compared with history access time sequence map, if it exists following scenario described
One of, then user accesses behavior different from the history to targeted sites to the access behavior of targeted sites in time window, if institute
With the presence of URL access subsequence in node all in history access time sequence map, each URL accesses the jump between subsequence
Transfer the registration of Party membership, etc. from one unit to another and also all exist in history access time sequence map, and when access in each URL access subsequence between two URL
Between be spaced and history access time sequence map in the difference at access time interval between the two URL meet the preset time difference and want
It asks, then user does not access behavior different from the history to targeted sites to the access behavior of targeted sites in time window;
Situation one: URL, which accesses in subsequence, contains the node being not present in history access time sequence map;
The relationship that jumps that situation two: URL accesses between subsequence is not present in history access time sequence map;
Situation three: URL accesses the access time interval and history access time sequence map in subsequence between two URL
In the difference at access time interval between the two URL be unsatisfactory for the preset time difference and require.
In the scheme based on the history access time sequence map, URL access subsequences are extracted as described above, and the details are not repeated here. The preset time difference requirement includes, but is not limited to: the difference between the access time interval between the two URLs in a URL access subsequence and the access time interval between those two URLs in the history access behavior map does not exceed a certain standard. For example, the access time interval between the two URLs in the URL access subsequence is no more than three times the access time interval between those two URLs in the history access behavior map.
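The comparison against the history access time sequence map, as an added example that is not code from the patent: it builds the map from history sequences and checks a time window for situations one to three, using the "no more than three times" requirement given above. The function names, the sample paths and the choice to store the mean interval when a jump occurs several times in history are assumptions of this example.

```python
from collections import defaultdict

MAX_RATIO = 3.0  # the page's example requirement: current interval <= 3x the historical one


def jumps(sequence):
    """Yield (url_a, url_b, interval_s) for every direct jump in [(timestamp, url), ...]."""
    for (t0, a), (t1, b) in zip(sequence, sequence[1:]):
        yield a, b, t1 - t0


def build_time_sequence_map(history_sequences):
    """Return (nodes, edges): URLs as nodes, jumps as directed edges with an interval.

    Assumption of this example: a jump seen several times stores the mean interval.
    """
    nodes, totals = set(), defaultdict(lambda: [0.0, 0])
    for seq in history_sequences:
        nodes.update(url for _, url in seq)
        for a, b, dt in jumps(seq):
            totals[(a, b)][0] += dt
            totals[(a, b)][1] += 1
    edges = {edge: total / count for edge, (total, count) in totals.items()}
    return nodes, edges


def analyze_window(nodes, edges, window, max_ratio=MAX_RATIO):
    """Return [(situation, detail), ...]; an empty list means no deviation from history."""
    findings = []
    # Situation one is checked per URL so that a one-request window is still covered.
    for url in dict.fromkeys(url for _, url in window):
        if url not in nodes:
            findings.append((1, url))
    for a, b, dt in jumps(window):
        if a not in nodes or b not in nodes:
            continue  # already reported under situation one
        if (a, b) not in edges:
            findings.append((2, (a, b)))  # situation two: jump never seen in history
        elif dt > max_ratio * edges[(a, b)]:
            findings.append((3, (a, b, dt, edges[(a, b)])))  # situation three
    return findings


# Constructed sample data for one source IP-website pair (timestamps in seconds).
HISTORY = [
    [(0, "/login"), (5, "/home"), (20, "/orders"), (30, "/orders/detail")],
    [(0, "/login"), (7, "/home"), (27, "/orders"), (37, "/orders/detail")],
]
WINDOW = [
    (100, "/login"), (104, "/home"), (106, "/orders/detail"),
    (110, "/admin/export"), (115, "/orders"), (160, "/orders/detail"),
]

if __name__ == "__main__":
    nodes, edges = build_time_sequence_map(HISTORY)
    for situation, detail in analyze_window(nodes, edges, WINDOW):
        print("situation", situation, detail)
```

Leaving the interval check out of `analyze_window` gives the comparison against the history access behavior map, which has nodes and directed edges only.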
It can be understood that, in the above analysis based on the history access behavior map and the history access time sequence map, the serialized history access behavior map and history access time sequence map must first be deserialized to obtain map objects before the above analysis is carried out.
In one example, to avoid interference from static resources mixed into the URLs, the URLs need to be denoised while generating the history access behavior file and the current access behavior file. Optionally, while generating the history access behavior file, after the HTTP logs of the target source IP accessing the target website within a period of historical time are obtained, the URLs in the HTTP logs need to be denoised. Optionally, obtaining the history URL access sequence of the target source IP to the target website based on the HTTP log includes:
Based on the HTTP log, obtain the URL sequence of the target source IP accessing the target website;
For each URL in the URL sequence, remove the content of the parameter part, then filter out, according to the suffix of each URL, the URLs that are static resource requests of a page, and obtain the history URL access sequence from the remaining URLs in the URL sequence.
Optionally, the URLs also need to be denoised while generating the current access behavior file. Obtaining the current URL access sequence of the target source IP to the target website in the time window based on the target HTTP log includes:
Based on the target HTTP log, obtain the URL sequence of the target source IP accessing the target website in the time window;
For each URL in the URL sequence, remove the content of the parameter part, then filter out, according to the suffix of each URL, the URLs that are static resource requests of a page, and obtain the current URL access sequence from the remaining URLs in the URL sequence.
In the above scheme, removing the content of the parameter part of a URL can mean removing everything after the question mark in the URL. When filtering out the URLs that are static resource requests of a page according to the suffix of each URL, if the suffix of a URL belongs to the preset suffixes, for example js (JavaScript script), css (style file) or png/jpg/gif/jpeg (picture files), the URL is considered a static resource request of a page and is outside the scope of the URL path analysis in the embodiments of the present application. These URLs are filtered out, and the remaining URLs, which are dynamic resource requests of a page, go on to subsequent analysis; that is, the URLs in the history URL access sequence and the current URL access sequence are the URLs of the target source IP's dynamic resource requests to the target website.
To make it quick and accurate to retrieve the history access behavior file, and so to reach a conclusion on whether the user's access behavior in the time window is abnormal, in this embodiment the history access behavior file carries an identifier. The identifier includes the source IP accessing the website and the destination IP and destination port of the website accessed by the source IP.
Optionally, after generating the history access behavior map and/or the history access time sequence map, the method further includes: identifying the history access behavior file with the target source IP and the destination IP and destination port of the target website accessed by the target source IP.
Optionally, the step of obtaining the history access behavior file of the target source IP for the target website includes:
Based on the target HTTP log, obtain the target source IP and the destination IP and destination port of the target website accessed by the target source IP;
Based on the obtained target source IP, destination IP and destination port, query the identifiers of the history access behavior files to obtain the history access behavior file of the target source IP for the target website.
Optionally, in this embodiment, after analyzing, according to the current access behavior file and the history access behavior file, whether the user's access behavior toward the target website in the time window differs from the history access behavior toward the target website, the method further includes: if the user's access behavior toward the target website in the time window differs from the history access behavior toward the target website, outputting an access anomaly alarm for the target source IP and/or blocking the current access of the target source IP (that is, blocking the target source IP's current access to the target website).
Because the history HTTP logs contain a very large number of source IP-website pairs, to improve the performance of generating the above maps, this embodiment can use a distributed operator such as Spark to generate the history access behavior file (the two maps above) of the target source IP accessing the target website in parallel; that is, in the present application, distributed operators are used to obtain the history access behavior files of multiple source IP-website pairs in parallel. It can be understood that the multiple history access behavior files obtained in parallel may include the history access behavior files of one source IP for multiple different websites, and may also include the history access behavior files of different source IPs for the same website.
In this embodiment, steps 101-104 above can also be executed in parallel using a distributed operator such as Spark, to analyze the current user access behavior of multiple target source IPs.
As shown in Fig. 4, the server or system can first read N days of HTTP logs and extract fields such as time, source IP, destination IP, source URL and access URL from them. Based on these fields, it filters the log down to the traffic of internal websites, keeping the HTTP logs whose destination IP is in the protected-site list, then denoises the URLs in the HTTP logs (for the denoising process, see the embodiments above), aggregates the URLs in the HTTP logs by source IP + destination IP + destination port to obtain the URL access sequences of the different source IP-website pairs, and then enters the distributed processes. In Fig. 4, three parallel distributed processes obtain the history access behavior files of different source IP-website pairs. As shown in Fig. 4, the serialized map objects obtained in the parallel distributed processes can be stored in HDFS.
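The denoising step and the Fig. 4 aggregation by source IP + destination IP + destination port, as an added example that is not code from the patent. The five-field log line layout, the function names and the case-insensitive suffix match are assumptions of this example; the suffix list is the one named above, and the log lines are constructed.

```python
import posixpath
from collections import defaultdict

# Preset static-resource suffixes named on the page.
STATIC_SUFFIXES = {".js", ".css", ".png", ".jpg", ".gif", ".jpeg"}


def denoise(url):
    """Drop everything after '?'; return None for a static resource request."""
    path = url.split("?", 1)[0]
    # Take the suffix of the last path segment only, so "/v1.2/report" has none.
    suffix = posixpath.splitext(path.rsplit("/", 1)[-1])[1]
    # Assumption: suffixes are matched case-insensitively (".PNG" counts as png).
    return None if suffix.lower() in STATIC_SUFFIXES else path


def url_sequences(log_lines, protected_ips):
    """Group denoised URLs by (source IP, destination IP, destination port).

    Assumed line layout: "<epoch> <src_ip> <dst_ip> <dst_port> <url>".
    Returns {(src, dst, port): [(timestamp, path), ...]} ordered by time.
    """
    sequences = defaultdict(list)
    for line in log_lines:
        fields = line.split()
        if len(fields) != 5:
            continue  # malformed line
        ts, src, dst, port, url = fields
        if dst not in protected_ips:
            continue  # keep only traffic to sites in the protected-site list
        path = denoise(url)
        if path is None:
            continue  # static resource request, outside the URL path analysis
        try:
            sequences[(src, dst, int(port))].append((float(ts), path))
        except ValueError:
            continue  # non-numeric timestamp or port
    for seq in sequences.values():
        seq.sort(key=lambda entry: entry[0])
    return dict(sequences)


# Constructed sample input (documentation address ranges), deliberately out of order.
PROTECTED_IPS = {"192.0.2.10"}
SAMPLE_LOG = [
    "1540425600 198.51.100.7 192.0.2.10 443 /login?next=%2Fhome",
    "1540425601 198.51.100.7 192.0.2.10 443 /static/app.min.js?v=12",
    "1540425601 198.51.100.7 192.0.2.10 443 /static/logo.PNG",
    "1540425620 198.51.100.7 192.0.2.10 443 /v1.2/report?id=7",
    "1540425606 198.51.100.7 192.0.2.10 443 /home",
    "1540425610 198.51.100.9 192.0.2.10 443 /home",
    "1540425611 198.51.100.7 203.0.113.5 80 /index",
    "malformed line",
]

if __name__ == "__main__":
    for key, seq in url_sequences(SAMPLE_LOG, PROTECTED_IPS).items():
        print(key, seq)
```

The key of each sequence is the same triple the page uses as the identifier of a history access behavior file, so the same key can be used to look up the stored file when a new time window is analyzed.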
To solve the problems in the prior art, an embodiment of the present application also proposes an electronic device. Referring to Fig. 5, the electronic device includes:
A reading module 501, for reading a target HTTP log from a real-time log queue with a specified time window, the target HTTP log being the HTTP log generated by a target source IP accessing a target website;
A generation module 502, for generating the current access behavior file of the target source IP based on the target HTTP log, the current access behavior file reflecting the behavior habits of the target source IP accessing the target website within the time window;
An acquisition module 503, for obtaining the history access behavior file of the target source IP for the target website, wherein the history access behavior file reflects the historical behavior habits of the target source IP accessing the target website;
A processing module 504, for analyzing, according to the current access behavior file and the history access behavior file, whether the user's access behavior toward the target website in the time window differs from the history access behavior toward the target website.
Optionally, the history access behavior file is obtained based on the history URL access sequence of the target source IP to the target website. The acquisition module 503 is used to obtain, based on the target HTTP log, the current URL access sequence of the target source IP to the target website in the time window, and to obtain the current access behavior file of the target source IP based on the current URL access sequence.
Optionally, in this embodiment, the history access behavior file includes a history access behavior map and/or a history access time sequence map, and the electronic device further includes a second generation module. Before the history access behavior file of the target source IP for the target website is obtained, the second generation module is used to obtain the HTTP logs of the target source IP accessing the target website within a period of historical time, obtain the history URL access sequence of the target source IP to the target website based on the HTTP logs, and, taking each URL in the history URL access sequence as a node and the jump relationship from one URL node to another URL node as a directed edge between the two nodes, generate the history access behavior map of the target source IP for the target website. And/or, before the history access behavior file of the target source IP for the target website is obtained, the second generation module is used to obtain the HTTP logs of the target source IP accessing the target website within a period of historical time, obtain the history URL access sequence of the target source IP to the target website based on the HTTP logs, obtain the user's dwell time on each URL in the history URL access sequence, take each URL in the history URL access sequence as a node and the jump relationship from one URL node to another URL node as a directed edge between the two nodes, determine the access time interval between adjacent nodes that have a jump relationship based on the user's dwell time on each URL, and generate the history access time sequence map of the target source IP for the target website from the nodes, directed edges and access time intervals.
Optionally, if the history access behavior file includes the history access behavior map, the processing module 504 is used to extract URL access subsequences according to the successive access relationship of the URLs in the current URL access sequence, wherein each URL access subsequence contains two URLs that have a direct jump relationship, and to compare each URL access subsequence with the history access behavior map. If a URL access subsequence contains a node that is not present in the history access behavior map, and/or if the jump relationship of a URL access subsequence is not present in the history access behavior map, the user's access behavior toward the target website in the time window differs from the history access behavior toward the target website. If the nodes in all URL access subsequences exist in the history access behavior map, and the jump relationships of the URL access subsequences all exist in the history access behavior map, the user's access behavior toward the target website in the time window does not differ from the history access behavior toward the target website.
If the history access behavior file includes the history access time sequence map, the processing module 504 is used to extract URL access subsequences according to the successive access relationship of the URLs in the current URL access sequence, wherein each URL access subsequence contains two URLs that have a direct jump relationship; to obtain the access time interval between the two URLs of each URL access subsequence; and to compare each URL access subsequence with the history access time sequence map. If any one of the following situations exists, the user's access behavior toward the target website in the time window differs from the history access behavior toward the target website. If the nodes in all URL access subsequences exist in the history access time sequence map, the jump relationships of the URL access subsequences also all exist in the history access time sequence map, and, for each URL access subsequence, the difference between the access time interval between its two URLs and the access time interval between those two URLs in the history access time sequence map meets the preset time difference requirement, then the user's access behavior toward the target website in the time window does not differ from the history access behavior toward the target website;
Situation one: a URL access subsequence contains a node that is not present in the history access time sequence map;
Situation two: the jump relationship of a URL access subsequence is not present in the history access time sequence map;
Situation three: the difference between the access time interval between the two URLs in a URL access subsequence and the access time interval between those two URLs in the history access time sequence map does not meet the preset time difference requirement.
Optionally, the second generation module is used to obtain, based on the HTTP logs of the target source IP accessing the target website within a period of historical time, the URL sequence of the target source IP accessing the target website; for each URL in the URL sequence, to remove the content of the parameter part and then filter out, according to the suffix of each URL, the URLs that are static resource requests of a page; and to obtain the history URL access sequence from the remaining URLs in the URL sequence.
Optionally, the generation module 502 is used to obtain, based on the target HTTP log, the URL sequence of the target source IP accessing the target website in the time window; for each URL in the URL sequence, to remove the content of the parameter part and then filter out, according to the suffix of each URL, the URLs that are static resource requests of a page; and to obtain the current URL access sequence from the remaining URLs in the URL sequence.
Optionally, the history access behavior file carries an identifier, which includes the source IP accessing the website and the destination IP and destination port of the website accessed by the source IP. The acquisition module 503 is used to obtain, based on the target HTTP log, the target source IP and the destination IP and destination port of the target website accessed by the target source IP, and, based on the obtained target source IP, destination IP and destination port, to query the identifiers of the history access behavior files and obtain the history access behavior file of the target source IP for the target website.
Optionally, the electronic device of this embodiment further includes an anomaly response module, for receiving the analysis result of the processing module and, if the user's access behavior toward the target website in the time window differs from the history access behavior toward the target website, outputting an access anomaly alarm for the target source IP and/or blocking the current access of the target source IP.
Fig. 6 shows an electronic device provided by an embodiment of the present application. The electronic device can be used to implement the user access activity monitoring method in the embodiment shown in Fig. 1. As shown in Fig. 6, the electronic device mainly includes:
A memory 601, a processor 602, and a computer program stored on the memory 601 and runnable on the processor 602. When the processor 602 executes the computer program, the user access activity monitoring method in the embodiment shown in Fig. 1 is implemented.
Further, the electronic device also includes a communication bus 603; the memory 601 and the processor 602 are connected through the bus 603.
The memory 601 can be a high-speed random access memory (RAM, Random Access Memory) or a non-volatile memory, such as a magnetic disk memory. The memory 601 is used to store a set of executable program code, and the processor 602 is coupled to the memory 601.
With the embodiments of the present application, a target HTTP log can be read from the real-time log queue with a specified time window, the current access behavior file of the target source IP is generated based on the target HTTP log, and the history access behavior file of the target source IP for the target website is obtained. According to the current access behavior file and the history access behavior file, it can be analyzed whether the user's access behavior toward the target website this time differs from the history access behavior toward the target website. As the above scheme shows, the present application uses the user's historical usage habits on the target website as the basis for analyzing whether the user's current access to the target website is abnormal. This approach does not need strategies preset from the website framework and site structure, is more practical and adaptable, and fully considers the user's individuality and habits, which helps improve the accuracy of identifying abnormal user access behavior.
Further, an embodiment of the present application also provides a computer-readable storage medium. The computer-readable storage medium can be set in the electronic device of the embodiments above, and can be the memory in the embodiment shown in Fig. 6. A computer program is stored on the computer-readable storage medium, and when the program is executed by a processor, the user access activity monitoring method in the embodiment shown in Fig. 1 is implemented. Further, the computer-readable storage medium can also be any of various media that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM, Read-Only Memory), RAM, a magnetic disk or an optical disc.
In the several embodiments provided in the present application, it should be understood that the disclosed device and method can be implemented in other ways. For example, the device embodiments described above are merely illustrative; the division into modules is only a division by logical function, and other divisions are possible in an actual implementation: multiple modules or components can be combined or integrated into another system, or some features can be ignored or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed can be an indirect coupling or communication connection through some interfaces, devices or modules, and can be electrical, mechanical or in other forms.
The modules described as separate components may or may not be physically separate, and the components shown as modules may or may not be physical modules; that is, they can be located in one place or distributed over multiple network modules. Some or all of the modules can be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional modules in the embodiments of the present application can be integrated into one processing module, each module can exist physically on its own, or two or more modules can be integrated into one module. The integrated module can be implemented in the form of hardware or in the form of a software functional module.
If the integrated module is implemented in the form of a software functional module and sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application in essence, or the part that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product. The computer software product is stored in a readable storage medium and includes several instructions that cause a computer device (which can be a personal computer, a server, a network device or the like) to execute all or part of the steps of the methods of the embodiments of the present application. The aforementioned readable storage medium includes various media that can store program code, such as a USB flash drive, a removable hard disk, ROM, RAM, a magnetic disk or an optical disc.
It should be noted that, for simplicity of description, the method embodiments above are each expressed as a series of combined actions, but those skilled in the art should understand that the present application is not limited by the described order of actions, because according to the present application certain steps can be performed in other orders or simultaneously. Those skilled in the art should also understand that the embodiments described in the specification are all preferred embodiments, and the actions and modules involved are not necessarily required by the present application.
In the above embodiments, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, refer to the related descriptions of the other embodiments.
The above is a description of the user access activity monitoring method, electronic device and computer-readable storage medium provided by the present application. For those skilled in the art, based on the ideas of the embodiments of the present application, there will be changes in the specific implementations and the scope of application. In summary, the contents of this specification should not be construed as limiting the present application.
Claims (10)
1. A user access activity monitoring method, characterized by comprising:
Reading a target HTTP log from a real-time log queue with a specified time window, the target HTTP log being the HTTP log generated by a target source IP accessing a target website;
Generating a current access behavior file of the target source IP based on the target HTTP log, the current access behavior file reflecting the behavior habits of the target source IP accessing the target website within the time window;
Obtaining a history access behavior file of the target source IP for the target website, wherein the history access behavior file reflects the historical behavior habits of the target source IP accessing the target website;
Analyzing, according to the current access behavior file and the history access behavior file, whether the user's access behavior toward the target website in the time window differs from the history access behavior toward the target website.
2. The user access activity monitoring method according to claim 1, characterized in that the history access behavior file is obtained based on a history URL access sequence of the target source IP to the target website;
Generating the current access behavior file of the target source IP based on the target HTTP log includes:
Based on the target HTTP log, obtaining the current URL access sequence of the target source IP to the target website in the time window, and obtaining the current access behavior file of the target source IP based on the current URL access sequence.
3. The user access activity monitoring method according to claim 2, characterized in that the history access behavior file includes a history access behavior map and/or a history access time sequence map, and before obtaining the history access behavior file of the target source IP for the target website, the method further includes:
Obtaining the HTTP logs of the target source IP accessing the target website within a period of historical time, and obtaining the history URL access sequence of the target source IP to the target website based on the HTTP logs;
Taking each URL in the history URL access sequence as a node and the jump relationship from one URL node to another URL node as a directed edge between the two nodes, generating the history access behavior map of the target source IP for the target website; and/or obtaining the user's dwell time on each URL in the history URL access sequence, taking each URL in the history URL access sequence as a node and the jump relationship from one URL node to another URL node as a directed edge between the two nodes, determining the access time interval between adjacent nodes that have a jump relationship based on the user's dwell time on each URL, and generating the history access time sequence map of the target source IP for the target website from the nodes, directed edges and access time intervals.
4. The user access activity monitoring method according to claim 3, characterized in that, if the history access behavior file includes the history access behavior map, analyzing, according to the current access behavior file and the history access behavior file, whether the user's access behavior toward the target website in the time window differs from the history access behavior toward the target website includes:
Extracting URL access subsequences according to the successive access relationship of the URLs in the current URL access sequence, wherein each URL access subsequence contains two URLs that have a direct jump relationship;
Comparing each URL access subsequence with the history access behavior map; if a URL access subsequence contains a node that is not present in the history access behavior map, and/or if the jump relationship of a URL access subsequence is not present in the history access behavior map, the user's access behavior toward the target website in the time window differs from the history access behavior toward the target website;
If the history access behavior file includes the history access time sequence map, analyzing, according to the current access behavior file and the history access behavior file, whether the user's access behavior toward the target website this time differs from the history access behavior toward the target website includes:
Extracting URL access subsequences according to the successive access relationship of the URLs in the current URL access sequence, wherein each URL access subsequence contains two URLs that have a direct jump relationship;
Obtaining the access time interval between the two URLs of each URL access subsequence;
Comparing each URL access subsequence with the history access time sequence map; if any one of the following situations exists, the user's access behavior toward the target website in the time window differs from the history access behavior toward the target website;
Situation one: a URL access subsequence contains a node that is not present in the history access time sequence map;
Situation two: the jump relationship of a URL access subsequence is not present in the history access time sequence map;
Situation three: the difference between the access time interval between the two URLs in a URL access subsequence and the access time interval between those two URLs in the history access time sequence map does not meet the preset time difference requirement.
5. The user access activity monitoring method according to claim 3, characterized in that obtaining the history URL access sequence of the target source IP to the target website based on the HTTP logs includes:
Based on the HTTP logs, obtaining the URL sequence of the target source IP accessing the target website;
For each URL in the URL sequence, removing the content of the parameter part, then filtering out, according to the suffix of each URL, the URLs that are static resource requests of a page, and obtaining the history URL access sequence from the remaining URLs in the URL sequence;
Obtaining the current URL access sequence of the target source IP to the target website in the time window based on the target HTTP log includes:
Based on the target HTTP log, obtaining the URL sequence of the target source IP accessing the target website in the time window;
For each URL in the URL sequence, removing the content of the parameter part, then filtering out, according to the suffix of each URL, the URLs that are static resource requests of a page, and obtaining the current URL access sequence from the remaining URLs in the URL sequence.
6. The user access activity monitoring method according to any one of claims 1-5, characterized in that the history access behavior file carries an identifier, the identifier including the source IP accessing the website and the destination IP and destination port of the website accessed by the source IP, and obtaining the history access behavior file of the target source IP for the target website includes:
Based on the target HTTP log, obtaining the target source IP and the destination IP and destination port of the target website accessed by the target source IP;
Based on the obtained target source IP, destination IP and destination port, querying the identifiers of the history access behavior files to obtain the history access behavior file of the target source IP for the target website.
7. The user access activity monitoring method according to any one of claims 1-5, characterized in that, after analyzing, according to the current access behavior file and the history access behavior file, whether the user's access behavior toward the target website in the time window differs from the history access behavior toward the target website, the method further includes:
If the user's access behavior toward the target website in the time window differs from the history access behavior toward the target website, outputting an access anomaly alarm for the target source IP and/or blocking the current access of the target source IP.
8. An electronic device, characterized by comprising:
A reading module, for reading a target HTTP log from a real-time log queue with a specified time window, the target HTTP log being the HTTP log generated by a target source IP accessing a target website;
A generation module, for generating a current access behavior file of the target source IP based on the target HTTP log, the current access behavior file reflecting the behavior habits of the target source IP accessing the target website within the time window;
An acquisition module, for obtaining a history access behavior file of the target source IP for the target website, wherein the history access behavior file reflects the historical behavior habits of the target source IP accessing the target website;
A processing module, for analyzing, according to the current access behavior file and the history access behavior file, whether the user's access behavior toward the target website in the time window differs from the history access behavior toward the target website.
9. An electronic device, comprising: a memory, a processor, and a computer program stored on the memory and runnable on the processor, characterized in that, when the processor executes the computer program, the steps of the method of any one of claims 1 to 7 are implemented.
10. A computer-readable storage medium on which a computer program is stored, characterized in that, when the computer program is executed by a processor, the steps of the method of any one of claims 1 to 7 are implemented.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811252655.2A CN109450879A (en) | 2018-10-25 | 2018-10-25 | User access activity monitoring method, electronic device and computer readable storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811252655.2A CN109450879A (en) | 2018-10-25 | 2018-10-25 | User access activity monitoring method, electronic device and computer readable storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109450879A true CN109450879A (en) | 2019-03-08 |
Family
ID=65548543
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811252655.2A Pending CN109450879A (en) | 2018-10-25 | 2018-10-25 | User access activity monitoring method, electronic device and computer readable storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109450879A (en) |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111079138A (en) * | 2019-12-19 | 2020-04-28 | 北京天融信网络安全技术有限公司 | Abnormal access detection method and device, electronic equipment and readable storage medium |
CN111221722A (en) * | 2019-09-23 | 2020-06-02 | 平安科技(深圳)有限公司 | Behavior detection method and device, electronic equipment and storage medium |
CN112152873A (en) * | 2020-09-02 | 2020-12-29 | 杭州安恒信息技术股份有限公司 | User identification method and device, computer equipment and storage medium |
CN112667991A (en) * | 2020-12-31 | 2021-04-16 | 北京市首都公路发展集团有限公司 | User identity continuous authentication method and system based on behavior map |
CN112906752A (en) * | 2021-01-26 | 2021-06-04 | 山西三友和智慧信息技术股份有限公司 | User identity authentication method based on browsing history sequence |
CN113660296A (en) * | 2021-10-21 | 2021-11-16 | 中国核电工程有限公司 | Method and device for detecting anti-attack performance of industrial control system and computer equipment |
CN113726786A (en) * | 2021-08-31 | 2021-11-30 | 上海观安信息技术股份有限公司 | Method and device for detecting abnormal access behavior, storage medium and electronic equipment |
CN114547423A (en) * | 2022-04-27 | 2022-05-27 | 彭州市教育人才管理服务中心 | Occupational competence big data knowledge graph data access management method and system |
CN114650187A (en) * | 2022-04-29 | 2022-06-21 | 深信服科技股份有限公司 | Abnormal access detection method and device, electronic equipment and storage medium |
CN115065539A (en) * | 2022-06-17 | 2022-09-16 | 国家电网有限公司信息通信分公司 | Data security monitoring method, device, equipment and storage medium |
CN117874842A (en) * | 2024-01-23 | 2024-04-12 | 广州感应科技有限公司 | Security control method and system for data storage device |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2014166371A1 (en) * | 2013-04-12 | 2014-10-16 | 中兴通讯股份有限公司 | Data information processing system and method |
CN106789352A (en) * | 2017-01-25 | 2017-05-31 | 北京兰云科技有限公司 | A kind of exception flow of network detection method and device |
CN106789885A (en) * | 2016-11-17 | 2017-05-31 | 国家电网公司 | User's unusual checking analysis method under a kind of big data environment |
CN106936781A (en) * | 2015-12-29 | 2017-07-07 | 亿阳安全技术有限公司 | A kind of decision method and device of user's operation behavior |
CN107306259A (en) * | 2016-04-22 | 2017-10-31 | 腾讯科技(深圳)有限公司 | Attack detection method and device in Webpage access |
CN108665297A (en) * | 2017-03-31 | 2018-10-16 | 北京京东尚科信息技术有限公司 | Detection method, device, electronic equipment and the storage medium of abnormal access behavior |
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2014166371A1 (en) * | 2013-04-12 | 2014-10-16 | 中兴通讯股份有限公司 | Data information processing system and method |
CN106936781A (en) * | 2015-12-29 | 2017-07-07 | 亿阳安全技术有限公司 | A kind of decision method and device of user's operation behavior |
CN107306259A (en) * | 2016-04-22 | 2017-10-31 | 腾讯科技(深圳)有限公司 | Attack detection method and device in Webpage access |
CN106789885A (en) * | 2016-11-17 | 2017-05-31 | 国家电网公司 | User's unusual checking analysis method under a kind of big data environment |
CN106789352A (en) * | 2017-01-25 | 2017-05-31 | 北京兰云科技有限公司 | A kind of exception flow of network detection method and device |
CN108665297A (en) * | 2017-03-31 | 2018-10-16 | 北京京东尚科信息技术有限公司 | Detection method, device, electronic equipment and the storage medium of abnormal access behavior |
Cited By (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111221722A (en) * | 2019-09-23 | 2020-06-02 | 平安科技(深圳)有限公司 | Behavior detection method and device, electronic equipment and storage medium |
CN111221722B (en) * | 2019-09-23 | 2024-01-30 | 平安科技(深圳)有限公司 | Behavior detection method, behavior detection device, electronic equipment and storage medium |
CN111079138A (en) * | 2019-12-19 | 2020-04-28 | 北京天融信网络安全技术有限公司 | Abnormal access detection method and device, electronic equipment and readable storage medium |
CN112152873B (en) * | 2020-09-02 | 2022-10-21 | 杭州安恒信息技术股份有限公司 | User identification method and device, computer equipment and storage medium |
CN112152873A (en) * | 2020-09-02 | 2020-12-29 | 杭州安恒信息技术股份有限公司 | User identification method and device, computer equipment and storage medium |
CN112667991A (en) * | 2020-12-31 | 2021-04-16 | 北京市首都公路发展集团有限公司 | User identity continuous authentication method and system based on behavior map |
CN112906752A (en) * | 2021-01-26 | 2021-06-04 | 山西三友和智慧信息技术股份有限公司 | User identity authentication method based on browsing history sequence |
CN113726786B (en) * | 2021-08-31 | 2023-05-05 | 上海观安信息技术股份有限公司 | Abnormal access behavior detection method and device, storage medium and electronic equipment |
CN113726786A (en) * | 2021-08-31 | 2021-11-30 | 上海观安信息技术股份有限公司 | Method and device for detecting abnormal access behavior, storage medium and electronic equipment |
CN113660296A (en) * | 2021-10-21 | 2021-11-16 | 中国核电工程有限公司 | Method and device for detecting anti-attack performance of industrial control system and computer equipment |
CN114547423B (en) * | 2022-04-27 | 2022-08-09 | 杜江波 | Occupational competence big data knowledge graph data access management method and system |
CN114547423A (en) * | 2022-04-27 | 2022-05-27 | 彭州市教育人才管理服务中心 | Occupational competence big data knowledge graph data access management method and system |
CN114650187A (en) * | 2022-04-29 | 2022-06-21 | 深信服科技股份有限公司 | Abnormal access detection method and device, electronic equipment and storage medium |
CN114650187B (en) * | 2022-04-29 | 2024-02-23 | 深信服科技股份有限公司 | Abnormal access detection method and device, electronic equipment and storage medium |
CN115065539A (en) * | 2022-06-17 | 2022-09-16 | 国家电网有限公司信息通信分公司 | Data security monitoring method, device, equipment and storage medium |
CN115065539B (en) * | 2022-06-17 | 2024-02-27 | 国家电网有限公司信息通信分公司 | Data security monitoring method, device, equipment and storage medium |
CN117874842A (en) * | 2024-01-23 | 2024-04-12 | 广州感应科技有限公司 | Security control method and system for data storage device |
CN117874842B (en) * | 2024-01-23 | 2024-05-31 | 广州感应科技有限公司 | Security control method and system for data storage device |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109450879A (en) | User access activity monitoring method, electronic device and computer readable storage medium | |
CN111401416B (en) | Abnormal website identification method and device and abnormal countermeasure identification method | |
CN104144142B (en) | A kind of Web bug excavation methods and system | |
CN103166917A (en) | Method and system for network equipment identity recognition | |
CN110677384B (en) | Phishing website detection method and device, storage medium and electronic device | |
CN103384888A (en) | Systems and methods for malware detection and scanning | |
CN108763274B (en) | Access request identification method and device, electronic equipment and storage medium | |
WO2015103122A2 (en) | A method and system for tracking and gathering multivariate testing data | |
CN102436564A (en) | Method and device for identifying falsified webpage | |
CN108573146A (en) | A kind of malice URL detection method and device | |
US10255371B2 (en) | Methods and systems for identifying multiple devices belonging to a single user by merging deterministic and probabilistic data to generate a cross device data structure | |
CN114528457B (en) | Web fingerprint detection method and related equipment | |
CN103618696A (en) | Method and server for processing cookie information | |
CN107508809A (en) | Identify the method and device of website type | |
CN107800686A (en) | A kind of fishing website recognition methods and device | |
CN111209325B (en) | Service system interface identification method, device and storage medium | |
US10560473B2 (en) | Method of network monitoring and device | |
US20240236133A1 (en) | Detecting Data Exfiltration and Compromised User Accounts in a Computing Network | |
CN112347457A (en) | Abnormal account detection method and device, computer equipment and storage medium | |
US8364776B1 (en) | Method and system for employing user input for website classification | |
CN112989158A (en) | Method, device and storage medium for identifying webpage crawler behavior | |
EP3789890A1 (en) | Fully qualified domain name (fqdn) determination | |
CN109446807A (en) | The method, apparatus and electronic equipment of malicious robot are intercepted for identification | |
Rizothanasis et al. | Identifying user actions from HTTP (S) traffic | |
US9723017B1 (en) | Method, apparatus and computer program product for detecting risky communications |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20190308 |