CN109450879A - User access activity monitoring method, electronic device and computer readable storage medium - Google Patents


Publication number
CN109450879A
Authority
CN
China
Prior art keywords
access
url
history
behavior
targeted sites
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201811252655.2A
Other languages
Chinese (zh)
Inventor
王瑶
李映壮
刘松涛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Group Hainan Co Ltd
Original Assignee
China Mobile Group Hainan Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Mobile Group Hainan Co Ltd
Priority to CN201811252655.2A
Publication of CN109450879A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention discloses a user access activity monitoring method, an electronic device and a computer-readable storage medium. Target HTTP logs are read from a real-time log queue using a specified time window, a current access behavior file of a target source IP is generated from the target HTTP logs, and the target source IP's history access behavior file for the target website is obtained. Based on the current access behavior file and the history access behavior file, it can be analyzed whether the user's current access behavior toward the target website differs from the historical access behavior toward that website. With this scheme, the user's historical usage habits on the target website serve as the basis for judging whether the user's current access to the target website is abnormal. This approach does not need preset policies based on the website framework or site structure, is more practical and adaptable, and fully takes the user's individuality and habits into account, which helps improve the accuracy of identifying abnormal user access behavior.

Description

User access activity monitoring method, electronic device and computer readable storage medium
Technical field
This application relates to the field of Internet technology, and in particular to a user access activity monitoring method, an electronic device and a computer-readable storage medium.
Background
User identity authentication is the process of confirming an operator's identity in computers and computer network systems, and is a basic security mechanism.
Traditional user identity authentication schemes authenticate with a username and password, and the latest research results allow users to authenticate with biometric features such as fingerprints, face recognition and iris. These are instantaneous "snapshot" authentications: a "snapshot" authentication verifies whether a user's identity is legitimate from the user's input (including biometric input) at a single point in time.
Under certain conditions, these authentication modes based on a fixed password or "snapshot" biometrics can be bypassed or forged.
To address the problem that authentication based on a fixed login password or "snapshot" biometrics can be bypassed or forged, the user's behavioral characteristics need to be monitored continuously throughout the user's visit to a website, and an alert raised immediately when the behavioral characteristics are found to be abnormal. At present, the ways of monitoring users' website access behavior and detecting whether it is abnormal mainly include the following:
1. A corresponding policy is established in an audit system to distinguish normal access from abnormal access. When the URL requested by a user matches the abnormal-access identification policy (for example a domain name hit or a URL hit), the URL request that hits the policy is treated as an abnormal URL request and is blocked or alerted on. The problem with this method is that experts in the relevant security field must preset the security policy in advance, and if the website the user visits is outside the scope of the preset policy, or the user visits a feature page newly added to the website, the abnormal access cannot be identified, blocked or alerted on.
2. Based on a website crawler, the content of site pages is actively crawled and a relationship graph between each URL and the URLs inside its page is established; that is, jumping from a URL to a link contained in that URL's page is regarded as a normal URL access path, and a URL access path that does not follow this logic is regarded as an abnormal path. The problem with this method is that every jump relationship present in the site structure must be assumed to be normal, i.e. the given structure of the website serves as the detection rule, so this is also a preset-policy detection mode; in addition, it does not take into account the differences in identity and usage habits between different users.
Summary of the invention
The embodiments of the present application provide a user access activity monitoring method, an electronic device and a computer-readable storage medium, which can monitor each user's access behavior based on that user's historical website usage habits, without preset policies.
A first aspect of the embodiments of the present application provides a user access activity monitoring method, the method comprising:
Reading target HTTP logs from a real-time log queue using a specified time window, the target HTTP logs being the HTTP logs generated when a target source IP accesses a target website;
Generating a current access behavior file of the target source IP based on the target HTTP logs, the current access behavior file reflecting the behavioral habits of the target source IP in accessing the target website within the time window;
Obtaining the target source IP's history access behavior file for the target website, wherein the history access behavior file reflects the historical behavioral habits of the target source IP in accessing the target website;
Analyzing, according to the current access behavior file and the history access behavior file, whether the user's access behavior toward the target website within the time window differs from the history access behavior toward the target website.
Optionally, the history access behavior file is obtained based on the target source IP's history URL access sequence for the target website;
Generating the current access behavior file of the target source IP based on the target HTTP logs includes:
Obtaining, based on the target HTTP logs, the target source IP's current URL access sequence for the target website within the time window, and obtaining the current access behavior file of the target source IP based on the current URL access sequence.
Optionally, the history access behavior file includes a history access behavior map and/or a history access time sequence map, and before obtaining the target source IP's history access behavior file for the target website, the method further includes:
Obtaining the HTTP logs of the target source IP accessing the target website over a period of history, and obtaining, based on the HTTP logs, the target source IP's history URL access sequence for the target website;
Taking each URL in the history URL access sequence as a node and the jump relationship from one URL node to another URL node as a directed edge between the two nodes, and generating the target source IP's history access behavior map for the target website; and/or obtaining the user's dwell time on each URL in the history URL access sequence, taking each URL in the history URL access sequence as a node and the jump relationship from one URL node to another URL node as a directed edge between the two nodes, determining the access time interval between adjacent nodes that have a jump relationship based on the user's dwell time on each URL, and generating the target source IP's history access time sequence map for the target website from the nodes, directed edges and access time intervals.
Optionally, if the history access behavior file includes a history access behavior map, analyzing, according to the current access behavior file and the history access behavior file, whether the user's access behavior toward the target website within the time window differs from the history access behavior toward the target website includes:
Extracting URL access subsequences according to the order in which URLs are accessed in the current URL access sequence, wherein each URL access subsequence contains two URLs that have a direct jump relationship;
Comparing each URL access subsequence with the history access behavior map; if a URL access subsequence contains a node that does not exist in the history access behavior map, and/or if the jump relationship within a URL access subsequence does not exist in the history access behavior map, the user's access behavior toward the target website within the time window differs from the history access behavior toward the target website;
If the history access behavior file includes a history access time sequence map, analyzing, according to the current access behavior file and the history access behavior file, whether the user's current access behavior toward the target website differs from the history access behavior toward the target website includes:
Extracting URL access subsequences according to the order in which URLs are accessed in the current URL access sequence, wherein each URL access subsequence contains two URLs that have a direct jump relationship;
Obtaining the access time interval between the two URLs of each URL access subsequence;
Comparing each URL access subsequence with the history access time sequence map; if one of the following situations exists, the user's access behavior toward the target website within the time window differs from the history access behavior toward the target website;
Situation one: a URL access subsequence contains a node that does not exist in the history access time sequence map;
Situation two: the jump relationship within a URL access subsequence does not exist in the history access time sequence map;
Situation three: the difference between the access time interval between the two URLs in a URL access subsequence and the access time interval between the same two URLs in the history access time sequence map does not meet a preset time difference requirement.
Optionally, obtaining, based on the HTTP logs, the target source IP's history URL access sequence for the target website includes:
Obtaining, based on the HTTP logs, the sequence of URLs with which the target source IP accessed the target website;
For each URL in the URL sequence, removing the content of the parameter part, then filtering out, according to the suffix of each URL, the URLs that are requests for static page resources, and obtaining the history URL access sequence from the remaining URLs in the URL sequence;
Obtaining, based on the target HTTP logs, the target source IP's current URL access sequence for the target website within the time window includes:
Obtaining, based on the target HTTP logs, the sequence of URLs with which the target source IP accessed the target website within the time window;
For each URL in the URL sequence, removing the content of the parameter part, then filtering out, according to the suffix of each URL, the URLs that are requests for static page resources, and obtaining the current URL access sequence from the remaining URLs in the URL sequence.
Optionally, the history access behavior file carries an identifier, the identifier including the source IP accessing the website and the destination IP and destination port of the website accessed by the source IP, and obtaining the target source IP's history access behavior file for the target website includes:
Obtaining, based on the target HTTP logs, the target source IP and the destination IP and destination port of the target website accessed by the target source IP;
Querying the identifiers of the history access behavior files based on the obtained target source IP, destination IP and destination port, and obtaining the target source IP's history access behavior file for the target website.
Optionally, after analyzing, according to the current access behavior file and the history access behavior file, whether the user's access behavior toward the target website within the time window differs from the history access behavior toward the target website, the method further includes:
If the user's access behavior toward the target website within the time window differs from the history access behavior toward the target website, outputting an access anomaly alert for the target source IP and/or blocking the current access of the target source IP.
A second aspect of the embodiments of the present application provides an electronic device, the electronic device comprising:
A reading module, configured to read target HTTP logs from a real-time log queue using a specified time window, the target HTTP logs being the HTTP logs generated when a target source IP accesses a target website;
A generation module, configured to generate a current access behavior file of the target source IP based on the target HTTP logs, the current access behavior file reflecting the behavioral habits of the target source IP in accessing the target website within the time window;
An obtaining module, configured to obtain the target source IP's history access behavior file for the target website, wherein the history access behavior file reflects the historical behavioral habits of the target source IP in accessing the target website;
A processing module, configured to analyze, according to the current access behavior file and the history access behavior file, whether the user's access behavior toward the target website within the time window differs from the history access behavior toward the target website.
A third aspect of the embodiments of the present application provides an electronic device, the electronic device comprising a memory, a processor and a computer program stored in the memory and runnable on the processor, characterized in that when the processor executes the computer program, the steps of the user access activity monitoring method provided by the first aspect of the above embodiments are implemented.
A fourth aspect of the embodiments of the present application provides a computer-readable storage medium on which a computer program is stored, characterized in that when the computer program is executed by a processor, the steps of the user access activity monitoring method provided by the first aspect of the above embodiments are implemented.
The embodiments of the present application provide a user access activity monitoring method, an electronic device and a computer-readable storage medium. Target HTTP logs are read from a real-time log queue using a specified time window, a current access behavior file of the target source IP is generated from the target HTTP logs, and the target source IP's history access behavior file for the target website is obtained; based on the current access behavior file and the history access behavior file, it can be analyzed whether the user's current access behavior toward the target website differs from the history access behavior toward the target website. As the above scheme shows, the application uses the user's historical usage habits on the target website as the basis for judging whether the user's current access to the target website is abnormal. This approach does not need preset policies based on the website framework or site structure, is more practical and adaptable, and fully takes the user's individuality and habits into account, which helps improve the accuracy of identifying abnormal user access behavior.
Brief description of the drawings
Fig. 1 is a flow diagram of one embodiment of the user access activity monitoring method provided by the present application;
Fig. 2 is a schematic diagram of the history access behavior map provided by the present application;
Fig. 3 is a schematic diagram of the history access time sequence map provided by the present application;
Fig. 4 is a schematic diagram of a method provided by the present application for obtaining multiple history access behavior files in parallel;
Fig. 5 is a structural diagram of one embodiment of the electronic device provided by the present application;
Fig. 6 is a structural diagram of another embodiment of the electronic device provided by the present application.
Specific embodiments
To make the purpose, features and advantages of the present invention more obvious and understandable, the technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings in the embodiments of the present application. Obviously, the described embodiments are only some of the embodiments of the present application, not all of them. All other embodiments obtained by those skilled in the art based on the embodiments in the present application without creative work fall within the protection scope of the present application.
In the prior art, policy-based audit systems need experts to preset policies, and detection based on the website framework needs policies preset from the site structure; both are preset-policy modes and do not take user identity and usage habits into account. The embodiments of the present application provide a user access activity monitoring method that can analyze whether a user's current access behavior is normal based on the user's history access behavior, improving the security of network access. Referring to Fig. 1, the user access activity monitoring method in this embodiment comprises the following steps:
Step 101: read target HTTP logs from a real-time log queue using a specified time window, the target HTTP logs being the HTTP logs generated when the target source IP accesses the target website;
Optionally, the length of the time window in this embodiment can be set arbitrarily, for example a time window of 5 minutes or a time window of 4 minutes; this embodiment places no limit on it. The target website in this embodiment can be a website of any type, for example a gaming site or a shopping site.
In this embodiment, an HTTP log includes, but is not limited to, fields such as the access time, the source IP and destination IP, the referring URL and the accessed URL. Based on these contents, the target HTTP logs generated when the target source IP accesses the target website can be obtained quickly and accurately.
The terminal corresponding to the target source IP in this embodiment can be a mobile terminal such as a mobile phone, a tablet or a smart band, or a fixed terminal such as a desktop computer or a smart television; this embodiment places no limit on it.
The user access activity monitoring method of this embodiment can be carried out on an electronic device such as a server, or in a (for example distributed) system made up of multiple electronic devices; this embodiment places no limit on it. To reduce the time needed to obtain the target HTTP logs of the target source IP, a protected site list can be set up that contains the names of the protected websites. Before the target HTTP logs are read from the real-time log queue using the specified time window, the HTTP logs whose destination IP is in the protected site list can first be filtered out of the HTTP logs, with the destination IP plus the destination port used as the identifier of a website.
In this embodiment, the analysis of different target websites can be carried out separately and independently; here the target HTTP logs are the HTTP logs generated when the target source IP accesses one and the same target website.
Step 102: generate the current access behavior file of the target source IP based on the target HTTP logs, wherein the current access behavior file reflects the behavioral habits of the target source IP in accessing the target website within the time window;
Optionally, the current access behavior file of this embodiment may include information about the URLs of the website that the target source IP accessed within the time window, for example the URLs of the website accessed, the access time and leave time of each URL, and the jump relationships between URLs.
Step 103: obtain the target source IP's history access behavior file for the target website, wherein the history access behavior file reflects the historical behavioral habits of the target source IP in accessing the target website;
Optionally, the history access behavior file of this embodiment may include information about the URLs of the website that the target source IP accessed within the time window, for example the URLs of the website accessed, the access time and leave time of each URL, and the jump relationships between URLs.
Step 104: according to the current access behavior file and the history access behavior file, analyze whether the user's access behavior toward the target website within the time window differs from the history access behavior toward the target website.
When analyzing whether the user's access behavior toward the target website within the time window differs from the history access behavior toward the target website, the target source IP's URL access pattern in the current access behavior file can be compared with the target source IP's URL access pattern in the history access behavior file to determine whether the user's access behavior within the time window is abnormal.
Optionally, in this embodiment, the history access behavior file is obtained based on the target source IP's history URL access sequence for the target website. The history access behavior file includes a history access behavior map and/or a history access time sequence map, and before the target source IP's history access behavior file for the target website is obtained, the method further includes a step of generating the history access behavior map and/or the history access time sequence map.
For the history access behavior map, the generation method includes:
Obtaining the HTTP logs of the target source IP accessing the target website over a period of history, and obtaining, based on the HTTP logs, the target source IP's history URL access sequence for the target website; taking each URL in the history URL access sequence as a node and the jump relationship from one URL node to another URL node as a directed edge between the two nodes, and generating the target source IP's history access behavior map for the target website.
In this embodiment, before the HTTP logs of the target source IP accessing the target website over a period of history are obtained, the HTTP logs whose destination IP is in the protected site list can first be filtered out of the HTTP logs, and the target HTTP logs then obtained from the filtered logs; this helps reduce the time needed to obtain the target HTTP logs.
In this embodiment, the generated history access behavior map is shown in Fig. 2. The user has accessed multiple services under services one, two and three of the website, and the jump relationships between the services are as shown in Fig. 2. In the uppermost user access path, the user enters the website from the service-entry node, then jumps to the node of service 1, jumps from the node of service 1 to the node of service 1-1, and jumps from the node of service 1-1 to the node of service 1-1-1.
For the history access time sequence map, the generation method includes: obtaining the HTTP logs of the target source IP accessing the target website over a period of history, and obtaining, based on the HTTP logs, the target source IP's history URL access sequence for the target website; obtaining the user's dwell time on each URL in the history URL access sequence, taking each URL in the history URL access sequence as a node and the jump relationship from one URL node to another URL node as a directed edge between the two nodes, determining the access time interval between adjacent nodes that have a jump relationship based on the user's dwell time on each URL, and generating the target source IP's history access time sequence map for the target website from the nodes, directed edges and access time intervals.
Optionally, the history access time sequence map can be obtained by adding, on top of the history access behavior map, the dwell time of the target source IP (i.e. the user) on each node; for example, the user access time sequence map in Fig. 3 can be obtained from the user access behavior map in Fig. 2. As shown in Fig. 3, the user enters the website from the service-entry node and stays on the service-entry node for 2 seconds, then jumps to the node of service 2 and stays on it for 4 seconds, then jumps from the node of service 2 to the node of service 2-2 and stays on it for 2 seconds, then jumps from the node of service 2-2 to the node of service 2-2-1, stays on it for x seconds, and then jumps to node XXX.
Optionally, in this embodiment, generating the current access behavior file of the target source IP based on the target HTTP logs includes: obtaining, based on the target HTTP logs, the target source IP's current URL access sequence for the target website within the time window, and obtaining the current access behavior file of the target source IP based on the current URL access sequence.
The current URL access sequence contains information such as the order in which the target source IP accessed the URLs of the website within the current time window.
On the basis of the above history access behavior map and history access time sequence map, this embodiment can analyze more accurately whether the user's access behavior toward the target website within the time window differs from the history access behavior toward the target website.
Optionally, based on the history access behavior map, analyzing, according to the current access behavior file and the history access behavior file, whether the user's access behavior toward the target website within the time window differs from the history access behavior toward the target website includes:
Extracting URL access subsequences according to the order in which URLs are accessed in the current URL access sequence, wherein each URL access subsequence contains two URLs that have a direct jump relationship;
Comparing each URL access subsequence with the history access behavior map. If a URL access subsequence contains a node that does not exist in the history access behavior map, and/or if the jump relationship within a URL access subsequence does not exist in the history access behavior map, the user's access behavior toward the target website within the time window differs from the history access behavior toward the target website. If the nodes in all URL access subsequences exist in the history access behavior map, and the jump relationship within each URL access subsequence also exists in the history access behavior map, the user's access behavior toward the target website within the time window does not differ from the history access behavior toward the target website.
When URL access subsequences are extracted according to the order in which URLs are accessed in the current URL access sequence, extraction can start from the URL with the earliest access time, with each pair of URLs that have a direct jump relationship taken as one subsequence; different URL subsequences may share one URL. For example, from the sequence URL1-URL2-URL3-URL4, the URL access subsequences URL1-URL2, URL2-URL3 and URL3-URL4 are extracted. As another example, according to the order in which URLs are accessed, N-1 subsequences are extracted from the URL set of a current URL access sequence with N elements: for the URL set {u1, u2, u3, ..., un}, the subsequences obtained are {u1->u2, u2->u3, ..., u(n-1)->un}.
After the above maps are obtained, each map can be serialized into a binary object and the serialized data stored in HDFS (Hadoop Distributed File System) for later use. Of course, this embodiment is not limited to storing the serialized data on HDFS; it can also be stored in other ways, for example on a specific server.
Optionally, based on the history access time sequence map, analyzing, according to the current access behavior file and the history access behavior file, whether the user's current access behavior toward the target website differs from the history access behavior toward the target website includes:
Extracting URL access subsequences according to the order in which URLs are accessed in the current URL access sequence, wherein each URL access subsequence contains two URLs that have a direct jump relationship;
Obtaining the access time interval between the two URLs of each URL access subsequence;
Comparing each URL access subsequence with the history access time sequence map. If one of the following situations exists, the user's access behavior toward the target website within the time window differs from the history access behavior toward the target website. If the nodes in all URL access subsequences exist in the history access time sequence map, the jump relationship within each URL access subsequence also exists in the history access time sequence map, and the difference between the access time interval between the two URLs in each URL access subsequence and the access time interval between the same two URLs in the history access time sequence map meets the preset time difference requirement, the user's access behavior toward the target website within the time window does not differ from the history access behavior toward the target website;
Situation one: a URL access subsequence contains a node that does not exist in the history access time sequence map;
Situation two: the jump relationship within a URL access subsequence does not exist in the history access time sequence map;
Situation three: the difference between the access time interval between the two URLs in a URL access subsequence and the access time interval between the same two URLs in the history access time sequence map does not meet the preset time difference requirement.
In the scheme based on the history access time sequence map, URL access subsequences are extracted as described above, which is not repeated here. The preset time difference requirement includes, but is not limited to, the difference between the access time interval between the two URLs in a URL access subsequence and the access time interval between the same two URLs in the history access behavior map not exceeding a certain standard; for example, the access time interval between the two URLs in a URL access subsequence is no more than three times the access time interval between the same two URLs in the history access behavior map.
It is understood that, in the above analysis based on the history access behavior map and the history access time sequence map, the serialized history access behavior map and history access time sequence map must first be deserialized to obtain the map objects before the above analysis is carried out.
In one example, to avoid interference from static resources mixed in among the URLs, the URLs need to be denoised while the history access behavior file and the current access behavior file are generated. Optionally, in generating the history access behavior file, after the HTTP logs of the target source IP accessing the target site during a historical period are obtained, the URLs in the HTTP logs need to be denoised. Optionally, obtaining, based on the HTTP logs, the history URL access sequence of the target source IP toward the target site includes:
obtaining, based on the HTTP logs, the URL sequence of the target source IP accessing the target site;
for each URL in the URL sequence, removing the content of the parameter part, then filtering out, according to the suffix of each URL, the URLs that are requests for static resources of a page, and obtaining the history URL access sequence from the URLs remaining in the URL sequence.
Optionally, the URLs also need to be denoised while the current access behavior file is generated. Obtaining, based on the target HTTP logs, the current URL access sequence of the target source IP toward the target site in the time window includes:
obtaining, based on the target HTTP logs, the URL sequence of the target source IP accessing the target site in the time window;
for each URL in the URL sequence, removing the content of the parameter part, then filtering out, according to the suffix of each URL, the URLs that are requests for static resources of a page, and obtaining the current URL access sequence from the URLs remaining in the URL sequence.
In the above scheme, removing the content of the parameter part of a URL can mean removing everything after the question mark in the URL. When URLs that are requests for static page resources are filtered out by suffix, if the suffix of a URL belongs to a preset suffix list, for example js (JavaScript script), css (style file) or png/jpg/gif/jpeg (image files), the URL is considered a request for a static resource of the page and falls outside the scope of the URL path analysis in the embodiments of this application. Such URLs are filtered out, and the remaining URLs, which are requests for dynamic resources of the page, go on to subsequent analysis; that is, the URLs in the history URL access sequence and the current URL access sequence are the URLs of the target source IP's dynamic resource requests to the target site.
To obtain the history access behavior file quickly and accurately, and thus to conclude quickly and accurately whether the user's access behavior in the time window is abnormal, in this embodiment the history access behavior file carries an identifier, and the identifier includes the source IP that accesses the website and the destination IP and destination port of the website that the source IP accesses.
Optionally, after the history access behavior map and/or the history access time sequence map is generated, the method further includes: identifying the history access behavior file with the target source IP and the destination IP and destination port of the target site that the target source IP accesses.
Optionally, the step of obtaining the history access behavior file of the target source IP toward the target site includes:
obtaining, based on the target HTTP logs, the target source IP and the destination IP and destination port of the target site that the target source IP accesses;
querying the identifiers of the history access behavior files with the obtained target source IP, destination IP and destination port, to obtain the history access behavior file of the target source IP toward the target site.
Optionally, in this embodiment, after analyzing, according to the current access behavior file and the history access behavior file, whether the user's access behavior toward the target site in the time window differs from the history access behavior toward the target site, the method further includes: if the user's access behavior toward the target site in the time window differs from the history access behavior toward the target site, outputting an access anomaly alarm for the target source IP and/or blocking the current access of the target source IP (that is, blocking the target source IP's current access to the target site).
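The following added example, which is not code from the patent, walks the steps described above in Python: URL denoising, keying by source IP, destination IP and destination port, building a history access time sequence map, and checking one time window against situations one to three. The record layout, function names, sample records and the averaging of repeated intervals are assumptions made for the illustration.

```python
from collections import defaultdict

STATIC_SUFFIXES = {"js", "css", "png", "jpg", "gif", "jpeg"}  # suffixes named in the text
MAX_INTERVAL_RATIO = 3.0  # the text's example: at most three times the historical interval


def denoise(url):
    """Drop everything after '?'; return None for a static-resource request."""
    path = url.split("?", 1)[0]
    name = path.rsplit("/", 1)[-1]
    suffix = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return None if suffix in STATIC_SUFFIXES else path


def aggregate(records):
    """Group denoised requests by (source IP, destination IP, destination port)."""
    sequences = defaultdict(list)
    for ts, src_ip, dst_ip, dst_port, url in sorted(records):
        clean = denoise(url)
        if clean is not None:
            sequences[(src_ip, dst_ip, dst_port)].append((ts, clean))
    return dict(sequences)


def subsequences(sequence):
    """N time-ordered URLs -> N-1 direct jumps as (from_url, to_url, interval)."""
    return [(a[1], b[1], b[0] - a[0]) for a, b in zip(sequence, sequence[1:])]


def build_time_map(sequence):
    """Nodes are URLs; each directed edge carries an access time interval.
    Assumption: repeated observations of the same edge are averaged."""
    samples = defaultdict(list)
    for src, dst, interval in subsequences(sequence):
        samples[(src, dst)].append(interval)
    return {"nodes": {url for _, url in sequence},
            "edges": {edge: sum(v) / len(v) for edge, v in samples.items()}}


def build_profiles(history_records):
    """One history map per identifier (source IP, destination IP, destination port)."""
    return {key: build_time_map(seq) for key, seq in aggregate(history_records).items()}


def check_window(sequence, time_map, ratio=MAX_INTERVAL_RATIO):
    """Return one finding per subsequence that matches situation one, two or three."""
    findings = []
    for src, dst, interval in subsequences(sequence):
        if src not in time_map["nodes"] or dst not in time_map["nodes"]:
            findings.append(("unknown_node", src, dst))   # situation one
        elif (src, dst) not in time_map["edges"]:
            findings.append(("unknown_jump", src, dst))   # situation two
        elif interval > ratio * time_map["edges"][(src, dst)]:
            findings.append(("interval", src, dst))       # situation three
    return findings


def monitor(window_records, profiles):
    """Look up each identifier's history map and check the window against it.
    Assumption: an identifier with no stored history is reported as None."""
    results = {}
    for key, seq in aggregate(window_records).items():
        results[key] = check_window(seq, profiles[key]) if key in profiles else None
    return results


# Constructed sample records: (timestamp in seconds, source IP, destination IP, port, URL)
SRC, DST = "192.0.2.10", "198.51.100.5"
HISTORY = [
    (0, SRC, DST, 80, "/login.jsp?user=a"), (1, SRC, DST, 80, "/static/app.js"),
    (2, SRC, DST, 80, "/static/logo.png"), (10, SRC, DST, 80, "/home.jsp"),
    (30, SRC, DST, 80, "/order/list.jsp?page=1"), (40, SRC, DST, 80, "/order/detail.jsp?id=7"),
]
NORMAL_WINDOW = [
    (1000, SRC, DST, 80, "/login.jsp?user=a"), (1001, SRC, DST, 80, "/static/app.js?v=3"),
    (1012, SRC, DST, 80, "/home.jsp"), (1040, SRC, DST, 80, "/order/list.jsp?page=2"),
]
ODD_WINDOW = [
    (2000, SRC, DST, 80, "/login.jsp?user=a"), (2005, SRC, DST, 80, "/order/detail.jsp?id=9"),
    (2010, SRC, DST, 80, "/admin/export.jsp?all=1"), (2020, SRC, DST, 80, "/order/list.jsp"),
    (2021, SRC, DST, 80, "/static/style.css"), (2120, SRC, DST, 80, "/order/detail.jsp?id=9"),
]

if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    for name, window in (("normal", NORMAL_WINDOW), ("odd", ODD_WINDOW)):
        print(name, monitor(window, profiles))
```

As worded on the page, the example requirement bounds the interval only from above; whether unusually short intervals should also count as a difference depends on the preset time difference requirement that is chosen.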
Because the history HTTP logs contain a very large number of source IP-website pairs, to improve the performance of generating the above maps, distributed operators such as those of Spark can be used in this embodiment to generate in parallel the history access behavior files (the two maps above) of target source IPs accessing target sites; that is, in this application, the history access behavior files of multiple source IP-website pairs are obtained in parallel with distributed operators. It can be understood that the history access behavior files obtained in parallel may include files of one source IP toward several different websites, and files of different source IPs toward the same website.
In this embodiment, the above steps 101-104 can also be executed in parallel with distributed operators such as those of Spark, to analyze the current user access behavior of multiple target source IPs.
As shown in Fig. 4, the server or system can first read N days of HTTP logs and extract from them fields such as the time, source IP, destination IP, origin URL and accessed URL. Based on these fields, it selects the traffic of internal websites in the logs, keeping the HTTP logs whose destination IP is in the protected site list, and then denoises the URLs in the HTTP logs (for the denoising process, see the embodiments above). The URLs in the HTTP logs are aggregated by source IP + destination IP + destination port to obtain the URL access sequences of the different source IP-website pairs, which then enter distributed processing. In Fig. 4, the history access behavior files of different source IP-website pairs are obtained in three parallel distributed processes. As shown in Fig. 4, the serialized map objects obtained in the parallel distributed processes can be stored in HDFS.
To solve the problems in the prior art, an embodiment of this application also proposes an electronic device. Referring to Fig. 5, the electronic device includes:
a reading module 501, configured to read target HTTP logs from a real-time log queue with a specified time window, the target HTTP logs being the HTTP logs generated when the target source IP accesses the target site;
a generation module 502, configured to generate the current access behavior file of the target source IP based on the target HTTP logs, the current access behavior file reflecting the behavior habits of the target source IP in accessing the target site within the time window;
an acquisition module 503, configured to obtain the history access behavior file of the target source IP toward the target site, wherein the history access behavior file reflects the historical behavior habits of the target source IP in accessing the target site;
a processing module 504, configured to analyze, according to the current access behavior file and the history access behavior file, whether the user's access behavior toward the target site in the time window differs from the history access behavior toward the target site.
Optionally, the history access behavior file is obtained based on the history URL access sequence of the target source IP toward the target site. The acquisition module 503 is configured to obtain, based on the target HTTP logs, the current URL access sequence of the target source IP toward the target site in the time window, and to obtain the current access behavior file of the target source IP based on the current URL access sequence.
Optionally, in this embodiment, the history access behavior file includes a history access behavior map and/or a history access time sequence map, and the electronic device further includes a second generation module. The second generation module is configured to, before the history access behavior file of the target source IP toward the target site is obtained, obtain the HTTP logs of the target source IP accessing the target site during a historical period, and obtain from the HTTP logs the history URL access sequence of the target source IP toward the target site; and to take each URL in the history URL access sequence as a node and the jump relationship from one URL node to another URL node as a directed edge between the two nodes, generating the history access behavior map of the target source IP for the target site. And/or, the second generation module is configured to, before the history access behavior file of the target source IP toward the target site is obtained, obtain the HTTP logs of the target source IP accessing the target site during a historical period, obtain from the HTTP logs the history URL access sequence of the target source IP toward the target site, obtain the user's dwell time on each URL in the history URL access sequence, take each URL in the history URL access sequence as a node and the jump relationship from one URL node to another URL node as a directed edge between the two nodes, determine, based on the user's dwell time on each URL, the access time interval between adjacent nodes that have a jump relationship, and generate, from the nodes, directed edges and access time intervals, the history access time sequence map of the target source IP for the target site.
Optionally, if the history access behavior file includes the history access behavior map, the processing module 504 is configured to: extract URL access subsequences according to the order in which URLs are accessed in the current URL access sequence, wherein each URL access subsequence contains two URLs that have a direct jump relationship; and compare each URL access subsequence with the history access behavior map. If a URL access subsequence contains a node that does not exist in the history access behavior map, and/or the jump relationship between the URLs of a URL access subsequence does not exist in the history access behavior map, the user's access behavior toward the target site in the time window differs from the history access behavior toward the target site. If the nodes of all URL access subsequences exist in the history access behavior map and the jump relationships of all URL access subsequences exist in the history access behavior map, the user's access behavior toward the target site in the time window does not differ from the history access behavior toward the target site.
If the history access behavior file includes the history access time sequence map, the processing module 504 is configured to: extract URL access subsequences according to the order in which URLs are accessed in the current URL access sequence, wherein each URL access subsequence contains two URLs that have a direct jump relationship; obtain the access time interval between the two URLs of each URL access subsequence; and compare each URL access subsequence with the history access time sequence map. If one of the following situations exists, the user's access behavior toward the target site in the time window differs from the history access behavior toward the target site. If the nodes of all URL access subsequences exist in the history access time sequence map, the jump relationships of all URL access subsequences also exist in the history access time sequence map, and for each URL access subsequence the difference between the access time interval between its two URLs and the access time interval between the same two URLs in the history access time sequence map meets the preset time difference requirement, the user's access behavior toward the target site in the time window does not differ from the history access behavior toward the target site;
Situation one: a URL access subsequence contains a node that does not exist in the history access time sequence map;
Situation two: the jump relationship between the URLs of a URL access subsequence does not exist in the history access time sequence map;
Situation three: the difference between the access time interval between the two URLs of a URL access subsequence and the access time interval between the same two URLs in the history access time sequence map does not meet the preset time difference requirement.
Optionally, the second generation module is configured to: obtain, based on the HTTP logs of the target source IP accessing the target site during a historical period, the URL sequence of the target source IP accessing the target site; for each URL in the URL sequence, remove the content of the parameter part, then filter out, according to the suffix of each URL, the URLs that are requests for static resources of a page; and obtain the history URL access sequence from the URLs remaining in the URL sequence.
Optionally, the generation module 502 is configured to: obtain, based on the target HTTP logs, the URL sequence of the target source IP accessing the target site in the time window; for each URL in the URL sequence, remove the content of the parameter part, then filter out, according to the suffix of each URL, the URLs that are requests for static resources of a page; and obtain the current URL access sequence from the URLs remaining in the URL sequence.
Optionally, the history access behavior file carries an identifier, and the identifier includes the source IP that accesses the website and the destination IP and destination port of the website that the source IP accesses. The acquisition module 503 is configured to: obtain, based on the target HTTP logs, the target source IP and the destination IP and destination port of the target site that the target source IP accesses; and query the identifiers of the history access behavior files with the obtained target source IP, destination IP and destination port, to obtain the history access behavior file of the target source IP toward the target site.
Optionally, the electronic device of this embodiment further includes an anomaly response module, configured to receive the analysis result of the processing module and, if the user's access behavior toward the target site in the time window differs from the history access behavior toward the target site, to output an access anomaly alarm for the target source IP and/or block the current access of the target source IP.
Fig. 6 shows an electronic device provided by an embodiment of this application. The electronic device can be used to implement the user access activity monitoring method of the embodiment shown in Fig. 1. As shown in Fig. 6, the electronic device mainly includes:
a memory 601, a processor 602, and a computer program stored on the memory 601 and runnable on the processor 602; when the processor 602 executes the computer program, the user access activity monitoring method of the embodiment shown in Fig. 1 is implemented.
Further, the electronic device also includes a communication bus 603; the memory 601 and the processor 602 are connected through the bus 603.
The memory 601 can be a high-speed random access memory (RAM, Random Access Memory) or a non-volatile memory, such as a disk memory. The memory 601 is used to store a set of executable program code, and the processor 602 is coupled to the memory 601.
With the embodiments of this application, target HTTP logs can be read from a real-time log queue with a specified time window, the current access behavior file of the target source IP can be generated based on the target HTTP logs, the history access behavior file of the target source IP toward the target site can be obtained, and whether the user's access behavior toward the target site this time differs from the history access behavior toward the target site can be analyzed according to the current access behavior file and the history access behavior file. As the above scheme shows, this application uses the user's historical usage habits on the target site as the basis for analyzing whether the user's current access to the target site is abnormal. This approach does not need strategies preset from the website framework and site structure, is more practical and more adaptable, and takes full account of the user's individual characteristics and habits, which helps to improve the accuracy of recognizing abnormal user access behavior.
Further, an embodiment of this application also provides a computer-readable storage medium. The computer-readable storage medium can be the one provided in the electronic device of the above embodiments, and can be the memory in the embodiment shown in Fig. 6. A computer program is stored on the computer-readable storage medium, and when the program is executed by a processor, the user access activity monitoring method of the embodiment shown in Fig. 1 is implemented. Further, the computer-readable storage medium can also be a USB flash drive, a removable hard disk, a read-only memory (ROM, Read-Only Memory), a RAM, a magnetic disk, an optical disc, or any other medium that can store program code.
In the several embodiments provided in this application, it should be understood that the disclosed device and method can be implemented in other ways. For example, the device embodiments described above are merely illustrative: the division into modules is only a division by logical function, and other divisions are possible in an actual implementation; for instance, multiple modules or components can be combined or integrated into another system, or some features can be ignored or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed can be an indirect coupling or communication connection through some interfaces, devices or modules, and can be electrical, mechanical or of another form.
The modules described as separate components may or may not be physically separate, and the components shown as modules may or may not be physical modules; that is, they can be located in one place or distributed over multiple network modules. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of this embodiment.
In addition, the functional modules in the embodiments of this application can be integrated into one processing module, each module can exist physically on its own, or two or more modules can be integrated into one module. The integrated module can be implemented in the form of hardware or in the form of a software functional module.
If the integrated module is implemented in the form of a software functional module and sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application in essence, or the part that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product. The computer software product is stored in a readable storage medium and includes several instructions that cause a computer device (which can be a personal computer, a server, a network device or the like) to execute all or part of the steps of the methods of the embodiments of this application. The aforementioned readable storage medium includes USB flash drives, removable hard disks, ROM, RAM, magnetic disks, optical discs and other media that can store program code.
It should be noted that, for simplicity of description, the above method embodiments are each stated as a series of combined actions, but those skilled in the art should understand that this application is not limited by the described order of actions, because according to this application certain steps can be performed in other orders or simultaneously. Those skilled in the art should also understand that the embodiments described in the specification are all preferred embodiments, and the actions and modules involved are not necessarily all required by this application.
In the above embodiments, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, refer to the related descriptions of the other embodiments.
The above is a description of the user access activity monitoring method, electronic device and computer-readable storage medium provided by this application. For those skilled in the art, the specific implementation and the scope of application may change according to the ideas of the embodiments of this application. In summary, the contents of this specification should not be construed as limiting this application.

Claims (10)

1. A user access activity monitoring method, characterized by comprising:
reading target HTTP logs from a real-time log queue with a specified time window, the target HTTP logs being the HTTP logs generated when a target source IP accesses a target site;
generating the current access behavior file of the target source IP based on the target HTTP logs, the current access behavior file reflecting the behavior habits of the target source IP in accessing the target site within the time window;
obtaining the history access behavior file of the target source IP toward the target site, wherein the history access behavior file reflects the historical behavior habits of the target source IP in accessing the target site;
analyzing, according to the current access behavior file and the history access behavior file, whether the user's access behavior toward the target site in the time window differs from the history access behavior toward the target site.
2. The user access activity monitoring method according to claim 1, characterized in that the history access behavior file is obtained based on the history URL access sequence of the target source IP toward the target site;
generating the current access behavior file of the target source IP based on the target HTTP logs comprises:
obtaining, based on the target HTTP logs, the current URL access sequence of the target source IP toward the target site in the time window, and obtaining the current access behavior file of the target source IP based on the current URL access sequence.
3. The user access activity monitoring method according to claim 2, characterized in that the history access behavior file comprises a history access behavior map and/or a history access time sequence map, and before obtaining the history access behavior file of the target source IP toward the target site, the method further comprises:
obtaining the HTTP logs of the target source IP accessing the target site during a historical period, and obtaining from the HTTP logs the history URL access sequence of the target source IP toward the target site;
taking each URL in the history URL access sequence as a node and the jump relationship from one URL node to another URL node as a directed edge between the two nodes, and generating the history access behavior map of the target source IP for the target site; and/or obtaining the user's dwell time on each URL in the history URL access sequence, taking each URL in the history URL access sequence as a node and the jump relationship from one URL node to another URL node as a directed edge between the two nodes, determining, based on the user's dwell time on each URL, the access time interval between adjacent nodes that have a jump relationship, and generating, from the nodes, directed edges and access time intervals, the history access time sequence map of the target source IP for the target site.
4. The user access activity monitoring method according to claim 3, characterized in that, if the history access behavior file comprises the history access behavior map, analyzing, according to the current access behavior file and the history access behavior file, whether the user's access behavior toward the target site in the time window differs from the history access behavior toward the target site comprises:
extracting URL access subsequences according to the order in which URLs are accessed in the current URL access sequence, wherein each URL access subsequence contains two URLs that have a direct jump relationship;
comparing each URL access subsequence with the history access behavior map; if a URL access subsequence contains a node that does not exist in the history access behavior map, and/or the jump relationship between the URLs of a URL access subsequence does not exist in the history access behavior map, the user's access behavior toward the target site in the time window differs from the history access behavior toward the target site;
if the history access behavior file comprises the history access time sequence map, analyzing, according to the current access behavior file and the history access behavior file, whether the user's access behavior toward the target site this time differs from the history access behavior toward the target site comprises:
extracting URL access subsequences according to the order in which URLs are accessed in the current URL access sequence, wherein each URL access subsequence contains two URLs that have a direct jump relationship;
obtaining the access time interval between the two URLs of each URL access subsequence;
comparing each URL access subsequence with the history access time sequence map; if one of the following situations exists, the user's access behavior toward the target site in the time window differs from the history access behavior toward the target site;
Situation one: a URL access subsequence contains a node that does not exist in the history access time sequence map;
Situation two: the jump relationship between the URLs of a URL access subsequence does not exist in the history access time sequence map;
Situation three: the difference between the access time interval between the two URLs of a URL access subsequence and the access time interval between the same two URLs in the history access time sequence map does not meet the preset time difference requirement.
5. The user access activity monitoring method according to claim 3, characterized in that obtaining from the HTTP logs the history URL access sequence of the target source IP toward the target site comprises:
obtaining, based on the HTTP logs, the URL sequence of the target source IP accessing the target site;
for each URL in the URL sequence, removing the content of the parameter part, then filtering out, according to the suffix of each URL, the URLs that are requests for static resources of a page, and obtaining the history URL access sequence from the URLs remaining in the URL sequence;
obtaining, based on the target HTTP logs, the current URL access sequence of the target source IP toward the target site in the time window comprises:
obtaining, based on the target HTTP logs, the URL sequence of the target source IP accessing the target site in the time window;
for each URL in the URL sequence, removing the content of the parameter part, then filtering out, according to the suffix of each URL, the URLs that are requests for static resources of a page, and obtaining the current URL access sequence from the URLs remaining in the URL sequence.
6. The user access activity monitoring method according to any one of claims 1-5, characterized in that the history access behavior file carries an identifier, the identifier comprises the source IP that accesses the website and the destination IP and destination port of the website that the source IP accesses, and obtaining the history access behavior file of the target source IP toward the target site comprises:
obtaining, based on the target HTTP logs, the target source IP and the destination IP and destination port of the target site that the target source IP accesses;
querying the identifiers of the history access behavior files with the obtained target source IP, destination IP and destination port, to obtain the history access behavior file of the target source IP toward the target site.
7. The user access activity monitoring method according to any one of claims 1-5, characterized in that, after analyzing, according to the current access behavior file and the history access behavior file, whether the user's access behavior toward the target site in the time window differs from the history access behavior toward the target site, the method further comprises:
if the user's access behavior toward the target site in the time window differs from the history access behavior toward the target site, outputting an access anomaly alarm for the target source IP and/or blocking the current access of the target source IP.
8. An electronic device, characterized by comprising:
a reading module, configured to read target HTTP logs from a real-time log queue with a specified time window, the target HTTP logs being the HTTP logs generated when a target source IP accesses a target site;
a generation module, configured to generate the current access behavior file of the target source IP based on the target HTTP logs, the current access behavior file reflecting the behavior habits of the target source IP in accessing the target site within the time window;
an acquisition module, configured to obtain the history access behavior file of the target source IP toward the target site, wherein the history access behavior file reflects the historical behavior habits of the target source IP in accessing the target site;
a processing module, configured to analyze, according to the current access behavior file and the history access behavior file, whether the user's access behavior toward the target site in the time window differs from the history access behavior toward the target site.
9. An electronic device, comprising a memory, a processor, and a computer program stored on the memory and runnable on the processor, characterized in that, when the processor executes the computer program, the steps of the method of any one of claims 1 to 7 are implemented.
10. A computer-readable storage medium on which a computer program is stored, characterized in that, when the computer program is executed by a processor, the steps of the method of any one of claims 1 to 7 are implemented.
CN201811252655.2A 2018-10-25 2018-10-25 User access activity monitoring method, electronic device and computer readable storage medium Pending CN109450879A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811252655.2A CN109450879A (en) 2018-10-25 2018-10-25 User access activity monitoring method, electronic device and computer readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811252655.2A CN109450879A (en) 2018-10-25 2018-10-25 User access activity monitoring method, electronic device and computer readable storage medium

Publications (1)

Publication Number Publication Date
CN109450879A true CN109450879A (en) 2019-03-08

Family

ID=65548543

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811252655.2A Pending CN109450879A (en) 2018-10-25 2018-10-25 User access activity monitoring method, electronic device and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN109450879A (en)

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111079138A (en) * 2019-12-19 2020-04-28 北京天融信网络安全技术有限公司 Abnormal access detection method and device, electronic equipment and readable storage medium
CN111221722A (en) * 2019-09-23 2020-06-02 平安科技(深圳)有限公司 Behavior detection method and device, electronic equipment and storage medium
CN112152873A (en) * 2020-09-02 2020-12-29 杭州安恒信息技术股份有限公司 User identification method and device, computer equipment and storage medium
CN112667991A (en) * 2020-12-31 2021-04-16 北京市首都公路发展集团有限公司 User identity continuous authentication method and system based on behavior map
CN112906752A (en) * 2021-01-26 2021-06-04 山西三友和智慧信息技术股份有限公司 User identity authentication method based on browsing history sequence
CN113660296A (en) * 2021-10-21 2021-11-16 中国核电工程有限公司 Method and device for detecting anti-attack performance of industrial control system and computer equipment
CN113726786A (en) * 2021-08-31 2021-11-30 上海观安信息技术股份有限公司 Method and device for detecting abnormal access behavior, storage medium and electronic equipment
CN114547423A (en) * 2022-04-27 2022-05-27 彭州市教育人才管理服务中心 Occupational competence big data knowledge graph data access management method and system
CN114650187A (en) * 2022-04-29 2022-06-21 深信服科技股份有限公司 Abnormal access detection method and device, electronic equipment and storage medium
CN115065539A (en) * 2022-06-17 2022-09-16 国家电网有限公司信息通信分公司 Data security monitoring method, device, equipment and storage medium
CN117874842A (en) * 2024-01-23 2024-04-12 广州感应科技有限公司 Security control method and system for data storage device

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014166371A1 (en) * 2013-04-12 2014-10-16 中兴通讯股份有限公司 Data information processing system and method
CN106936781A (en) * 2015-12-29 2017-07-07 亿阳安全技术有限公司 A kind of decision method and device of user's operation behavior
CN107306259A (en) * 2016-04-22 2017-10-31 腾讯科技(深圳)有限公司 Attack detection method and device in Webpage access
CN106789885A (en) * 2016-11-17 2017-05-31 国家电网公司 User's unusual checking analysis method under a kind of big data environment
CN106789352A (en) * 2017-01-25 2017-05-31 北京兰云科技有限公司 A kind of exception flow of network detection method and device
CN108665297A (en) * 2017-03-31 2018-10-16 北京京东尚科信息技术有限公司 Detection method, device, electronic equipment and the storage medium of abnormal access behavior

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111221722A (en) * 2019-09-23 2020-06-02 平安科技(深圳)有限公司 Behavior detection method and device, electronic equipment and storage medium
CN111221722B (en) * 2019-09-23 2024-01-30 平安科技(深圳)有限公司 Behavior detection method, behavior detection device, electronic equipment and storage medium
CN111079138A (en) * 2019-12-19 2020-04-28 北京天融信网络安全技术有限公司 Abnormal access detection method and device, electronic equipment and readable storage medium
CN112152873B (en) * 2020-09-02 2022-10-21 杭州安恒信息技术股份有限公司 User identification method and device, computer equipment and storage medium
CN112152873A (en) * 2020-09-02 2020-12-29 杭州安恒信息技术股份有限公司 User identification method and device, computer equipment and storage medium
CN112667991A (en) * 2020-12-31 2021-04-16 北京市首都公路发展集团有限公司 User identity continuous authentication method and system based on behavior map
CN112906752A (en) * 2021-01-26 2021-06-04 山西三友和智慧信息技术股份有限公司 User identity authentication method based on browsing history sequence
CN113726786B (en) * 2021-08-31 2023-05-05 上海观安信息技术股份有限公司 Abnormal access behavior detection method and device, storage medium and electronic equipment
CN113726786A (en) * 2021-08-31 2021-11-30 上海观安信息技术股份有限公司 Method and device for detecting abnormal access behavior, storage medium and electronic equipment
CN113660296A (en) * 2021-10-21 2021-11-16 中国核电工程有限公司 Method and device for detecting anti-attack performance of industrial control system and computer equipment
CN114547423B (en) * 2022-04-27 2022-08-09 杜江波 Occupational competence big data knowledge graph data access management method and system
CN114547423A (en) * 2022-04-27 2022-05-27 彭州市教育人才管理服务中心 Occupational competence big data knowledge graph data access management method and system
CN114650187A (en) * 2022-04-29 2022-06-21 深信服科技股份有限公司 Abnormal access detection method and device, electronic equipment and storage medium
CN114650187B (en) * 2022-04-29 2024-02-23 深信服科技股份有限公司 Abnormal access detection method and device, electronic equipment and storage medium
CN115065539A (en) * 2022-06-17 2022-09-16 国家电网有限公司信息通信分公司 Data security monitoring method, device, equipment and storage medium
CN115065539B (en) * 2022-06-17 2024-02-27 国家电网有限公司信息通信分公司 Data security monitoring method, device, equipment and storage medium
CN117874842A (en) * 2024-01-23 2024-04-12 广州感应科技有限公司 Security control method and system for data storage device
CN117874842B (en) * 2024-01-23 2024-05-31 广州感应科技有限公司 Security control method and system for data storage device

Similar Documents

Publication Publication Date Title
CN109450879A (en) User access activity monitoring method, electronic device and computer readable storage medium
CN111401416B (en) Abnormal website identification method and device and abnormal countermeasure identification method
CN104144142B (en) A kind of Web bug excavation methods and system
CN103166917A (en) Method and system for network equipment identity recognition
CN110677384B (en) Phishing website detection method and device, storage medium and electronic device
CN103384888A (en) Systems and methods for malware detection and scanning
CN108763274B (en) Access request identification method and device, electronic equipment and storage medium
WO2015103122A2 (en) A method and system for tracking and gathering multivariate testing data
CN102436564A (en) Method and device for identifying falsified webpage
CN108573146A (en) A kind of malice URL detection method and device
US10255371B2 (en) Methods and systems for identifying multiple devices belonging to a single user by merging deterministic and probabilistic data to generate a cross device data structure
CN114528457B (en) Web fingerprint detection method and related equipment
CN103618696A (en) Method and server for processing cookie information
CN107508809A (en) Identify the method and device of website type
CN107800686A (en) A kind of fishing website recognition methods and device
CN111209325B (en) Service system interface identification method, device and storage medium
US10560473B2 (en) Method of network monitoring and device
US20240236133A1 (en) Detecting Data Exfiltration and Compromised User Accounts in a Computing Network
CN112347457A (en) Abnormal account detection method and device, computer equipment and storage medium
US8364776B1 (en) Method and system for employing user input for website classification
CN112989158A (en) Method, device and storage medium for identifying webpage crawler behavior
EP3789890A1 (en) Fully qualified domain name (fqdn) determination
CN109446807A (en) The method, apparatus and electronic equipment of malicious robot are intercepted for identification
Rizothanasis et al. Identifying user actions from HTTP (S) traffic
US9723017B1 (en) Method, apparatus and computer program product for detecting risky communications

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20190308