CN109729069B - Abnormal IP address detection method and device and electronic equipment - Google Patents

Info

Publication number: CN109729069B
Application number: CN201811418960.4A
Authority: CN (China)
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN109729069A
Inventors: 苏涛, 陈国庆
Current assignee: Wuhan Jiyi Network Technology Co ltd
Original assignee: Wuhan Jiyi Network Technology Co ltd
Prior art keywords: address, abnormal, data, scoring, risk
Landscape: Data Exchanges In Wide-Area Networks
Abstract

The embodiment of the invention provides a method and a device for detecting an abnormal IP address and electronic equipment, wherein the method comprises the following steps: if any piece of data of any IP address is detected to touch a given rule, giving a basic score to a plurality of pieces of data of a plurality of website platforms under the IP address based on the risk level of the given rule; based on the basic scoring under the IP address, performing overall risk scoring on the IP address; and detecting whether the IP address is an abnormal IP address or not based on the total risk score and the type of the IP address, and adding the IP address into an abnormal IP address library when the IP address is detected to be abnormal. The embodiment of the invention can more finely depict the IP address, thereby more comprehensively and more accurately detecting and processing the abnormal IP address.

Description

Abnormal IP address detection method and device and electronic equipment
Technical Field
The embodiment of the invention relates to the technical field of Internet IP (Internet protocol) portrayal, in particular to a method and a device for detecting an abnormal IP address and electronic equipment.
Background
An IP address (Internet Protocol address) is a numerical label assigned to each device that uses the Internet Protocol (IP) to communicate on a network.
The existing IP portrait technology uses some inherent attribute indexes of an IP address, such as its network location, geographic location and the like, to depict the IP address in a basic way, or evaluates IP risk through the analysis of IP risk events. Although these can produce a basic portrait of an IP address, they still have many disadvantages and shortcomings:
(1) the data come from a single platform and are not comprehensive enough;
(2) the IP address is not depicted accurately or finely enough.
Disclosure of Invention
In order to overcome the above problems or at least partially solve the above problems, embodiments of the present invention provide a method, an apparatus, and an electronic device for detecting an abnormal IP address, so as to detect and process the abnormal IP address more comprehensively and more accurately.
In a first aspect, an embodiment of the present invention provides a method for detecting an abnormal IP address, including:
if any piece of data of any IP address is detected to touch a given rule, giving a basic score to a plurality of pieces of data of a plurality of website platforms under the IP address based on the risk level of the given rule;
based on the basic scoring under the IP address, performing overall risk scoring on the IP address;
and detecting whether the IP address is an abnormal IP address or not based on the total risk score and the type of the IP address, and adding the IP address into an abnormal IP address library when the IP address is detected to be abnormal.
In a second aspect, an embodiment of the present invention provides an apparatus for detecting an abnormal IP address, including:
the apparatus comprises a first scoring module, a second scoring module and a detection output module, wherein the first scoring module is used for giving a basic score to a plurality of pieces of data of a plurality of website platforms under any IP address based on the risk level of a given rule if any piece of data of that IP address touches the given rule;
the second scoring module is used for scoring the total risk of the IP address based on the basic scoring under the IP address;
and the detection output module is used for detecting whether the IP address is an abnormal IP address or not based on the total risk score and the type of the IP address, and adding the IP address into an abnormal IP address library when the IP address is detected to be the abnormal IP address.
In a third aspect, an embodiment of the present invention provides an electronic device, including: at least one memory, at least one processor, a communication interface, and a bus; the memory, the processor and the communication interface complete mutual communication through the bus, and the communication interface is used for information transmission between the electronic equipment and the multi-website platform equipment; the memory stores a computer program operable on the processor, and the processor executes the computer program to implement the method for detecting an abnormal IP address according to the first aspect.
In a fourth aspect, an embodiment of the present invention provides a non-transitory computer-readable storage medium storing computer instructions for causing the computer to execute the method for detecting an abnormal IP address according to the first aspect.
According to the method, the device and the electronic equipment for detecting the abnormal IP address, provided by the embodiment of the invention, the IP address can be more finely described by adopting the man-machine interaction data of the multi-website platform and introducing the new IP address attribute, namely the type attribute of the IP address, so that the abnormal IP address can be more comprehensively and more accurately detected and processed.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
Fig. 1 is a schematic flowchart of a method for detecting an abnormal IP address according to an embodiment of the present invention;
fig. 2 is a schematic flowchart of a method for detecting an abnormal IP address according to another embodiment of the present invention;
fig. 3 is a schematic structural diagram of an apparatus for detecting an abnormal IP address according to an embodiment of the present invention;
fig. 4 is a schematic physical structure diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments obtained by persons of ordinary skill in the art based on the embodiments of the present invention without any creative efforts belong to the protection scope of the embodiments of the present invention.
In the prior art, when an IP address is described, the inherent attribute indexes of the IP address, such as an IP network location, a geographic location, and the like, are generally used, so that the IP address is not described finely. In addition, when the abnormality detection of the IP address is performed, the event behavior for judging the risk is usually the spontaneous behavior of the user, so that the judgment basis is not comprehensive enough.
Aiming at the problems, the embodiment of the invention adopts the man-machine interaction data of the multi-website platform, introduces the new IP address attribute, namely the type attribute of the IP address, and can more finely depict the IP address, thereby more comprehensively and more accurately detecting and processing the abnormal IP address. Embodiments of the present invention will be described and illustrated with reference to various embodiments.
Fig. 1 is a schematic flow chart of a method for detecting an abnormal IP address according to an embodiment of the present invention, as shown in fig. 1, the method includes the following processing flows:
s101, if any piece of data of any IP address is detected to touch a given rule, giving basic scoring to a plurality of pieces of data of a plurality of website platforms under the IP address based on the risk level of the given rule.
In the embodiment of the invention, the data of the website platforms under the same IP address are respectively detected, and whether the given rule is touched or not is detected. For example, if the attribute of a piece of data at an IP address reaches the data amount of a risk level of a given rule, the piece of data at the IP address is considered to touch the given rule, otherwise, the piece of data is considered not to touch the given rule.
If any piece of data under the IP address is detected to touch a given rule, the basic score of the data of the multi-website platform under the IP address is given by the risk level of the given rule touched by that data. For example, if a piece of data touches only a rule with a risk level of 9, then the basic score for that data is 9.
And S102, based on the basic scoring under the IP address, carrying out overall risk scoring on the IP address.
And on the basis of obtaining the basic scores of all the data of the multi-website platform under the IP address, calculating the total risk score of the IP address by using the basic scores of the data. For example, abnormal IP addresses with different risk levels can be obtained according to historical data analysis, a scoring model is trained by using the risk levels of the abnormal IP addresses, and then all basic scores of the IP addresses are comprehensively calculated by using the scoring model to obtain the total risk score of the IP address.
S103, detecting whether the IP address is an abnormal IP address or not based on the overall risk score and the type of the IP address, and adding the IP address into an abnormal IP address library when the IP address is detected to be abnormal.
On the basis of obtaining the total risk score of the IP address, the embodiment of the invention further judges the type of the IP address, that is, which of several types it belongs to, including a data platform, a base station, a public network IP, a household broadband and the like. Then, whether the IP address is an abnormal IP address is judged by combining the total risk score of the IP address with the type of the IP address. For example, if a certain IP address is determined to be a base station IP or a public network IP, it is not judged to be an abnormal IP address. Finally, for unified management, after a certain IP address is judged to be an abnormal IP address, it is added to an abnormal IP address library.
According to the method for detecting the abnormal IP address provided by the embodiment of the invention, by adopting the man-machine interaction data of the multi-website platform and analyzing the network attribute of the IP address, the IP address is divided into a plurality of types such as a data platform, a base station, a public network IP and a household broadband, and the different types are treated differently, so that the IP address can be described more finely and the abnormal IP address can be detected and processed more comprehensively and accurately.
In the foregoing embodiment, before the step of detecting that any piece of data of any IP address touches a given rule, the method in the embodiment of the present invention further includes: analyzing abnormal character strings appearing in the distributions or field values of the human-computer interaction data of the "extreme verification" (verification-code) product, refining the given rule based on the abnormal character strings, and giving the risk level of the given rule.
Specifically, the given rule in the embodiment of the invention is extracted based on cross-platform human-computer interaction data. Firstly, when daily data analysis or a verification client's feedback indicates that a website is being attacked, the verification data of the attack time period is extracted. Then, this part of the verification data is analyzed to find points (abnormal character strings occurring in the distributions or field values) that are unlikely to occur in normal data, and the given rule is summarized from the analysis of these abnormal character strings.
For example, the frequency of an IP address or UA (user agent) can be checked according to the abnormal character strings; if the frequency of a certain IP address is very high in a short time, this indicates that a hacker may be using the IP address to carry out a malicious attack. Comparing with the frequency of the IP address in normal data, a threshold value is defined for the IP address frequency, and if the frequency of the IP address per minute exceeds the threshold value, the IP address is determined to be an abnormal IP address. As another example, an IP address may also be considered abnormal when a field in the UA that explicitly represents a crawler, such as "python 3.6", appears.
Once the given rule has been refined by the analysis described above, its risk level is assigned empirically. For example, the case mentioned above where "python 3.6" appears in the UA may be given a higher risk level.
The method for detecting the abnormal IP address provided by the embodiment of the invention uses the man-machine interaction data of the "extreme verification" product, and benefits from the fact that this product covers many fields across many industries, so that the scheme has wide and diversified data sources, and more credible, cross-platform rules can be formulated conveniently.
Optionally, according to the foregoing embodiments, the step of giving a basic score to the pieces of data of the multiple website platforms under the IP address based on the risk level of the given rule specifically includes: detecting which of the given rules each piece of data of the IP address touches, and giving a basic score to the data based on the risk level corresponding to each touched rule.
After it is detected according to the above embodiments that data of an IP address touches a given rule, each piece of data under the IP address is given a basic score determined by the risk level of the given rule(s) it touches. Firstly, among the given rules, it is detected which rules are touched by the data of the IP address, and the data touching a rule is given a basic score according to the risk level corresponding to that rule. It is to be understood that the risk level to which a rule corresponds here is the risk level of the given rule determined according to the embodiments described above.
For example, if a piece of data touches only a rule with a risk level of 9 among the given rules (assuming a maximum risk level of 10), then the basic score for that data may be determined to be 9. If a piece of data touches two of the given rules and the risk levels of the two rules are 3 and 9, respectively, then the basic score for that data may be 3 + 9 = 12.
According to the method for detecting the abnormal IP address, provided by the embodiment of the invention, all rules in the given rule touched by the IP address are synthesized to carry out basic scoring on the data of the IP address, so that the scoring result is more accurate.
Optionally, according to the foregoing embodiments, the step of performing overall risk scoring on the IP address based on the basic scoring under the IP address specifically includes: and calculating the total risk score of the IP address by using a scoring model based on the basic score. Wherein, the scoring model is obtained as follows:
based on user side feedback or data analysis, obtaining abnormal IP addresses with different risk degrees as training samples, extracting features from the training samples based on the access data volume of the abnormal IP addresses and the condition of touching given rules, training a regression model, and obtaining a scoring model.
After the basic scores of the data under the IP address are given according to the embodiments, the basic scores can be comprehensively calculated by using a scoring model, so that the total risk score of the IP address is obtained. Before the calculation is performed by using the scoring model, the scoring model needs to be established.
First, a basic scoring model, such as a regression model, is established based on the scoring requirements. And then, according to the attacked feedback uploaded by the user side or the data analysis result of the method, obtaining the abnormal IP addresses with different risk degrees empirically to serve as training samples. And then, extracting features for model calculation from the training samples according to the access data volume of the abnormal IP addresses of the training samples and the condition of touching a given rule, and training the regression model by using the extracted features to obtain a final scoring model. Finally, the scoring model can be utilized to score the total risk of the IP addresses to be scored.
On the basis of the above embodiments, after the step of detecting that the IP address is an abnormal IP address, the method of an embodiment of the present invention further includes: inquiring whether the IP address already exists in the abnormal IP address library, and if so, scoring the current overall risk of the IP address and updating the overall risk score of the IP address in the abnormal IP address library.
After the abnormal IP address is added into the abnormal IP address base according to the embodiments of the invention, the updating of the total risk score of the abnormal IP address in the abnormal IP address base can be further realized. By updating the total risk score of the abnormal IP address, the latest information of the abnormal IP address can be known, so that the abnormal IP address can be managed more reasonably. Specifically, for a certain abnormal IP address in the abnormal IP address library, when the IP address appears in the data again, it is continuously determined whether the certain abnormal IP address touches a given rule, and if the certain abnormal IP address touches the given rule, the certain abnormal IP address is subjected to overall risk scoring according to the scoring method of the above embodiments, that is, the current overall risk scoring is performed. The total risk score for the same IP address in the base of abnormal IP addresses is then updated with the current total risk score.
That is, when an abnormal IP address existing in the abnormal IP address library appears again and touches a given rule, the same scoring algorithm is used to perform risk assessment on the IP address, and the risk score may be different from the risk score of the IP address in the abnormal IP address library, so that the total risk score of the IP address in the abnormal IP address library is updated to the newly obtained total risk score.
On the basis of the above embodiments, after the step of adding the IP address to the abnormal IP address library, the method of the embodiment of the present invention further includes: if any IP address in the abnormal IP address base is detected to reappear, whether each piece of data of the IP address touches a given rule or not is detected, and if not, the IP address is removed from the abnormal IP address base.
The embodiment of the invention monitors the state of the abnormal IP addresses in the abnormal IP address library by setting a dynamic risk evaluation mechanism for IP addresses. Specifically, for a certain abnormal IP address in the abnormal IP address library, when the IP address appears in the data again, it is again determined whether the IP address touches a given rule, and if it does not touch the given rule, the IP address is removed from the abnormal IP address library, so that the IP address is cleared. That is, after the IP address is added to the abnormal IP address library, the rules continue to monitor the condition of each IP (touching a rule / not touching a rule), and when an IP is found to appear without touching any rule while it is still in the abnormal IP address library, that IP is removed from the library.
The method for detecting the abnormal IP address provided by the embodiment of the invention can remove an IP address that has returned to normal from the abnormal IP address library in time through this flexible reaction mechanism, and can effectively avoid misjudgment caused by an IP address that has become normal remaining in the library.
On the basis of the above embodiments, after the step of adding the IP address to the abnormal IP address library, the method of the embodiment of the present invention further includes: and setting basic aging for the IP address, and removing the IP address from the abnormal IP address library when the existence duration of the IP address in the abnormal IP address library reaches the basic aging.
According to the embodiment of the invention, after the IP address judged to be abnormal is added into the abnormal IP address base according to the embodiments, a basic time limit is set for the abnormal IP address, the actual existing time length of the IP address in the abnormal IP address base is monitored in real time, and if the actual existing time length reaches the set basic time limit, the IP address is removed from the abnormal IP address base in time.
It will be appreciated that the basic age of an abnormal IP may also be reset in synchronization when the overall risk score for the abnormal IP address in the abnormal IP address repository is updated according to the embodiments described above.
According to the detection method of the abnormal IP address provided by the embodiment of the invention, by setting a validity period on the risk score and treating the corresponding IP address as normal once the period is exceeded, misjudgment caused by an IP address that has become normal remaining in the abnormal IP address library can be effectively avoided.
In addition, on the basis of the above embodiments, the embodiment of the present invention further optimizes the basic aging length of the risk score. For example, the data of the current date is selected as a test set, and the normal and abnormal IP addresses among that day's IP addresses are found out using the given rules. Meanwhile, the IP addresses are predicted according to the abnormal IP address library (assumed to contain all abnormal IP addresses within 50 days), the prediction accuracy and classification error rate are calculated, and the two indexes are weighed against each other to choose a suitable aging length.
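The aging-length evaluation described above, as an added example that is not the patent's own code: the library is replayed against one day's rule-labelled IP addresses for several candidate aging lengths, and prediction precision and classification error rate are computed for each. The history, the day's labels and the way the two metrics are weighed (precision minus error rate) are constructed assumptions.

```python
"""Added example, not code from the patent: choosing the basic aging length by
replaying the abnormal IP library against one day's rule-labelled IPs, as the
page describes (prediction accuracy versus classification error rate). The
history, the day's labels and the way the two metrics are weighed are assumed."""
from typing import Dict, List, Tuple

DAY = 86400


def library_at(history: Dict[str, int], aging_days: int, today: int) -> set:
    """IPs whose last abnormal judgement still lies inside the aging window on `today`."""
    return {ip for ip, last_judged in history.items()
            if today - last_judged < aging_days * DAY}


def evaluate_aging(history: Dict[str, int], labels: Dict[str, bool],
                   today: int, aging_days: int) -> Tuple[float, float]:
    """Predict 'abnormal' for each of today's IPs that is still in the library and
    compare with the day's rule-based labels.
    Returns (precision of the abnormal predictions, overall classification error rate)."""
    predicted = library_at(history, aging_days, today)
    tp = fp = fn = 0
    for ip, is_abnormal in labels.items():
        if ip in predicted:
            if is_abnormal:
                tp += 1
            else:
                fp += 1      # recovered IP still kept in the library (aging too long)
        elif is_abnormal:
            fn += 1          # abnormal today but already aged out, or never in the library
    precision = tp / (tp + fp) if tp + fp else 0.0
    error_rate = (fp + fn) / len(labels)
    return precision, error_rate


def choose_aging(history: Dict[str, int], labels: Dict[str, bool],
                 today: int, candidates: List[int]) -> int:
    """Pick the candidate aging length with the best precision minus error rate
    (this particular weighing of the two indexes is an assumption)."""
    def merit(days: int) -> float:
        precision, error_rate = evaluate_aging(history, labels, today, days)
        return precision - error_rate
    return max(candidates, key=merit)


# Constructed sample: seconds-since-epoch of each IP's last abnormal judgement, and the
# rule-derived label (True = abnormal) for the test day, taken to be day 100.
TODAY = 100 * DAY
HISTORY = {"203.0.113.1": 95 * DAY, "203.0.113.2": 80 * DAY,
           "203.0.113.3": 60 * DAY, "203.0.113.4": 45 * DAY}
LABELS = {"203.0.113.1": True, "203.0.113.2": True, "203.0.113.3": False,
          "203.0.113.4": False, "203.0.113.5": True, "203.0.113.6": False}
CANDIDATES = [10, 30, 50, 60]

if __name__ == "__main__":
    for days in CANDIDATES:
        print(days, evaluate_aging(HISTORY, LABELS, TODAY, days))
    print("chosen aging (days):", choose_aging(HISTORY, LABELS, TODAY, CANDIDATES))
```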
To further illustrate the technical solutions of the embodiments of the present invention, the embodiments of the present invention provide the following processing flows of the embodiments according to the above embodiments, but do not limit the scope of the embodiments of the present invention.
The embodiment of the invention aims to seek an interactive data source to realize platform diversification, mine more IP attributes to more finely depict the IP, pay attention to timeliness, set an IP dynamic risk assessment mechanism and monitor the state of the IP.
Fig. 2 is a schematic flow chart of a method for detecting an abnormal IP address according to another embodiment of the present invention, and as shown in fig. 2, the method according to the embodiment of the present invention includes processing logic for finding an abnormal IP, risk assessment, warehousing, updating, and whitening. The whole process comprises the following processing steps:
first, a given rule used by the system is determined. The given rules used by the whole process are extracted based on cross-platform human-computer interaction data. The process of refining a given rule is as follows:
(1) according to daily analysis data, or when the verification client side feeds back that the website is attacked, an analyst can extract verification data in an attack period.
(2) The abnormal data are analyzed to find points (abnormal character strings occurring in the distributions or field values) that are unlikely to occur in normal data. For example, if the frequency of an IP or a UA is very high in a short time, this indicates that a hacker may be using the IP to make malicious attacks. Comparing with the frequency of one IP in normal data, a threshold value is defined for the IP frequency, and if the frequency of one IP per minute exceeds the threshold value, the IP address is considered abnormal. Alternatively, an IP address anomaly may be detected by detecting in the UA a field that explicitly represents a crawler, such as "python 3.6".
(3) Once the given rules have been refined according to the above steps, the individual risk level of each given rule is assigned empirically. For example, the case mentioned above where "python 3.6" occurs in the UA may be given a higher risk level.
Secondly, an abnormal IP address is discovered and added to the abnormal IP address library. When a certain piece of data of an IP touches a given rule, a basic score is given to each piece of data according to the rules it touches; the risk assessment system integrates the basic scores of the multiple pieces of data under the multiple website platforms of the IP and gives the IP an overall risk score; and whether to add the IP to the library is judged according to its type: if the IP is a base station IP or a public network IP, it is not added to the abnormal IP library; otherwise, it is given a basic aging and added to the library.
For the basic scoring logic, the basic score of each piece of data is given by the risk level of the rule the data touches. For example, if a piece of data touches only a rule with a risk level of 9 (assuming a maximum risk level of 10), then the basic score for that data is 9. If a piece of data touches two rules with risk levels of 3 and 9, respectively, the basic score for that data is 3 + 9 = 12.
The logic for overall risk scoring is implemented by training a scoring model, such as a regression model. Specifically, this comprises the following steps: firstly, abnormal IPs with different risk degrees are obtained empirically from client feedback or data analysis as training samples; secondly, features are extracted according to the IP access data volume, the rule-touch condition and the like, and a regression model is trained; finally, the IP is scored using the trained scoring model.
Thirdly, the risk score of an abnormal IP in the abnormal IP address library is updated. When an IP that is already in the library touches a rule, the same system is used to perform risk assessment on it; the risk score at this time may differ from the score stored in the library, so the stored risk score of the IP is updated to the newly obtained risk score and the aging duration is reset.
Finally, IP whitening (removal from the library) is performed in time after the risk assessment. The condition of each IP in the abnormal IP address library (touching a rule / not touching a rule) is monitored, and when an IP is found to appear without touching any given rule while it is in the abnormal IP address library, the IP is removed from the library. Likewise, when the basic aging of a certain IP address in the abnormal IP address library expires, that IP address is removed from the library.
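The whole flow just described (basic scoring per piece of data, overall risk score, type gating, the abnormal IP library with update, whitening and aging), as an added example that is not code from the patent or its assignee. The rule threshold, the fixed-weight stand-in for the trained regression model, the abnormality cut-off, the IP-type table and the sample records are constructed assumptions.

```python
"""Added example, not code from the patent: a compact model of the flow on this page
(base scoring per record, total risk score, IP-type gating, abnormal IP library with
update, whitening and aging). Thresholds, weights, IP types and records are assumed."""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Rule:
    name: str
    risk_level: int                    # empirically assigned, 1..10 as on the page
    matches: Callable[[dict], bool]    # does one data record touch this rule?


RPM_THRESHOLD = 30  # assumed per-minute frequency threshold, derived from normal data
RULES = [
    Rule("ip_frequency", 3, lambda r: r["req_per_min"] > RPM_THRESHOLD),
    Rule("crawler_ua", 9, lambda r: "python" in r["ua"].lower()),  # page's "python 3.6" UA case
]


def base_score(record: dict, rules: List[Rule] = RULES) -> int:
    """Sum of the risk levels of every rule the record touches (page: 3 + 9 = 12)."""
    return sum(rule.risk_level for rule in rules if rule.matches(record))


def total_risk_score(records: List[dict], rules: List[Rule] = RULES) -> float:
    """Stand-in for the trained regression scoring model (assumption): a fixed linear
    combination of the features the page names, access data volume and rule-touch
    condition, over all records of one IP. Returns 0.0 when nothing touched a rule."""
    scores = [base_score(r, rules) for r in records]
    touched = [s for s in scores if s > 0]
    if not touched:
        return 0.0
    volume = len(records)                 # access data volume
    touch_ratio = len(touched) / volume   # share of the IP's records that touched a rule
    return 0.5 * max(touched) + 4.0 * touch_ratio + 0.1 * volume


# IP types named on the page; base station and public network IPs are never judged abnormal.
BASE_STATION, PUBLIC_NETWORK, DATA_PLATFORM, HOME_BROADBAND = (
    "base_station", "public_network", "data_platform", "home_broadband")
NEVER_ABNORMAL = {BASE_STATION, PUBLIC_NETWORK}
ABNORMAL_THRESHOLD = 6.0  # assumed cut-off on the total risk score
DAY = 86400


@dataclass
class Entry:
    total_risk: float
    added_at: int
    expires_at: int   # time of adding (or of the last update) plus the basic aging


class AbnormalIPLibrary:
    def __init__(self, ip_types: Dict[str, str], base_aging: int = 50 * DAY):
        self.ip_types = ip_types
        self.base_aging = base_aging
        self.entries: Dict[str, Entry] = {}

    def is_abnormal(self, ip: str, score: float) -> bool:
        """Combine the total risk score with the IP type, as in step S103."""
        return (score >= ABNORMAL_THRESHOLD
                and self.ip_types.get(ip, "unknown") not in NEVER_ABNORMAL)

    def process(self, ip: str, records: List[dict], now: int) -> str:
        """Run one batch of an IP's records through the flow and report the action taken."""
        touched_any = any(base_score(r) > 0 for r in records)
        score = total_risk_score(records)
        if ip in self.entries:
            if not touched_any:                     # reappeared without touching any rule
                del self.entries[ip]
                return "whitened"
            entry = self.entries[ip]                # rescore with the same model, reset aging
            self.entries[ip] = Entry(score, entry.added_at, now + self.base_aging)
            return "updated"
        if self.is_abnormal(ip, score):
            self.entries[ip] = Entry(score, now, now + self.base_aging)
            return "added"
        return "ignored"

    def expire(self, now: int) -> List[str]:
        """Remove every entry whose basic aging has elapsed; return the removed IPs."""
        gone = [ip for ip, e in self.entries.items() if e.expires_at <= now]
        for ip in gone:
            del self.entries[ip]
        return gone


# Constructed sample data: a home-broadband IP behaving like a crawler, and a base station IP.
IP_TYPES = {"203.0.113.7": HOME_BROADBAND, "198.51.100.9": BASE_STATION}
BOT_RECORDS = [{"req_per_min": 120, "ua": "python-requests/2.20 (Python 3.6)"} for _ in range(5)]
QUIET_RECORDS = [{"req_per_min": 2, "ua": "Mozilla/5.0 (Windows NT 10.0)"}]


def demo() -> Dict[str, str]:
    """Walk the flow: add, update, whiten, and the type gate refusing a base station IP."""
    lib = AbnormalIPLibrary(IP_TYPES)
    return {
        "bot_first_seen": lib.process("203.0.113.7", BOT_RECORDS, now=0),
        "bot_again": lib.process("203.0.113.7", BOT_RECORDS, now=3600),
        "bot_quiet": lib.process("203.0.113.7", QUIET_RECORDS, now=7200),
        "base_station_bot": lib.process("198.51.100.9", BOT_RECORDS, now=0),
    }


if __name__ == "__main__":
    for step, action in demo().items():
        print(f"{step}: {action}")
```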
As another aspect of the embodiments of the present invention, the embodiments of the present invention provide an abnormal IP address detection apparatus according to the above embodiments, which is used to implement the detection of an abnormal IP address in the above embodiments. Therefore, the description and definition in the method for detecting an abnormal IP address in each embodiment described above may be used for understanding each execution module in the embodiments of the present invention, and reference may be specifically made to the above embodiments, which are not described herein again.
According to an embodiment of the present invention, a structure of a device for detecting an abnormal IP address is shown in fig. 3, which is a schematic structural diagram of a device for detecting an abnormal IP address provided in an embodiment of the present invention, and the device may be used to implement detection of an abnormal IP address in each of the above method embodiments, and the device includes: a first scoring module 301, a second scoring module 302, and a detection output module 303. Wherein:
the first scoring module 301 is configured to, if it is detected that any piece of data of any IP address touches a given rule, give a basic score to the pieces of data of the multiple website platforms under the IP address based on the risk level of the given rule; the second scoring module 302 is configured to score the total risk of the IP address based on the basic scores under the IP address; the detection output module 303 is configured to detect whether the IP address is an abnormal IP address based on the overall risk score and the type of the IP address, and to add the IP address to the abnormal IP address library when the IP address is detected to be an abnormal IP address.
Specifically, the first scoring module 301 detects each of the data of the multiple website platforms at the same IP address, and detects whether the given rule is touched. For example, if the attribute of a piece of data at an IP address reaches the data amount of a risk level of a given rule, the first scoring module 301 determines that the piece of data at the IP address touches the given rule, otherwise, the piece of data is considered not to touch the given rule. If the first scoring module 301 detects that any piece of data in the IP address touches a given rule, the basic score of the pieces of data of the multi-website platform under the IP address is given by the risk level of the given rule of the data touch.
The second scoring module 302 then calculates an overall risk score for the IP address using the base scores for the data. For example, the second scoring module 302 may obtain abnormal IP addresses with different risk levels according to historical data analysis, train a scoring model by using the risk levels of the abnormal IP addresses, and then perform comprehensive calculation on each basic score of the IP addresses by using the scoring model to obtain a total risk score of the IP addresses.
Then, the detection output module 303 further determines the type of the IP address, such as whether the IP address is of multiple types, such as a data platform, a base station, a public network IP, a home broadband, and the like. The detection output module 303 then determines whether the IP address is an abnormal IP address by combining the overall risk score of the IP address and the type of the IP address. For example, if a certain IP address is determined to be a base station IP or a public network IP, it is not determined to be an abnormal IP address. Finally, for unified management, after determining that a certain IP address is an abnormal IP address, the detection output module 303 adds the abnormal IP address to the abnormal IP address library.
The detection device for the abnormal IP address provided by the embodiment of the invention can be used for describing the IP address more finely by arranging the corresponding execution module, adopting the man-machine interaction data of the multi-website platform and introducing a new IP address attribute, namely the type attribute of the IP address, so that the abnormal IP address can be detected and processed more comprehensively and accurately.
It is understood that, in the embodiments of the present invention, each relevant program module in the apparatus of the above embodiments may be implemented by a hardware processor. Moreover, the apparatus for detecting an abnormal IP address according to the embodiment of the present invention implements the detection process of each method embodiment through these program modules, and when it is used to do so, the beneficial effects it produces are the same as those of the corresponding method embodiment; reference may be made to the method embodiments, which are not described again here.
As another aspect of the embodiment of the present invention, in this embodiment, an electronic device is provided according to the above embodiments, and with reference to fig. 4, an entity structure diagram of the electronic device provided in the embodiment of the present invention includes: at least one memory 401, at least one processor 402, a communication interface 403, and a bus 404.
The memory 401, the processor 402 and the communication interface 403 complete mutual communication through the bus 404, and the communication interface 403 is used for information transmission between the electronic device and the multi-website platform device; the memory 401 stores a computer program that can be executed by the processor 402, and when the processor 402 executes the computer program, the method for detecting an abnormal IP address according to the above embodiments is implemented.
It is understood that the electronic device includes at least a memory 401, a processor 402, a communication interface 403 and a bus 404, and that the memory 401, the processor 402 and the communication interface 403 are communicatively connected through the bus 404 and can communicate with each other, for example when the processor 402 reads the program instructions of the abnormal IP address detection method from the memory 401. In addition, the communication interface 403 may also establish a communication connection between the electronic device and the multi-website platform devices and carry the information exchanged between them, for example the data involved in detecting an abnormal IP address.
When the electronic device is running, the processor 402 calls the program instructions in the memory 401 to perform the methods provided by the above-mentioned method embodiments, including for example: if any piece of data of any IP address touches a given rule, giving a basic score to a plurality of pieces of data of a plurality of website platforms under the IP address based on the risk level of the given rule; based on the basic scoring under the IP address, carrying out overall risk scoring on the IP address; and detecting whether the IP address is an abnormal IP address or not based on the overall risk score and the type of the IP address, and adding the IP address into an abnormal IP address library when the IP address is detected to be abnormal, and the like.
The program instructions in the memory 401 may be implemented in the form of software functional units and stored in a computer-readable storage medium when sold or used as a stand-alone product. Alternatively, all or part of the steps for implementing the method embodiments may be implemented by hardware driven by program instructions, where the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the method embodiments; the aforementioned storage medium includes various media capable of storing program code, such as a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
Embodiments of the present invention also provide a non-transitory computer-readable storage medium according to the above embodiments, where the non-transitory computer-readable storage medium stores computer instructions that cause a computer to execute the method for detecting an abnormal IP address according to the above embodiments, for example, the method includes: if any piece of data of any IP address touches a given rule, giving a basic score to a plurality of pieces of data of a plurality of website platforms under the IP address based on the risk level of the given rule; based on the basic scoring under the IP address, carrying out overall risk scoring on the IP address; and detecting whether the IP address is an abnormal IP address or not based on the overall risk score and the type of the IP address, and adding the IP address into an abnormal IP address library when the IP address is detected to be abnormal, and the like.
By executing the method for detecting an abnormal IP address described in the embodiments of the present invention, the electronic device and the non-transitory computer-readable storage medium provided in the embodiments of the present invention can use human-computer interaction data of a multi-website platform and introduce a new IP address attribute, that is, a type attribute of an IP address, and can describe the IP address more precisely, so that the abnormal IP address can be detected and processed more comprehensively and more accurately.
It is to be understood that the above-described embodiments of the apparatus, the electronic device and the storage medium are merely illustrative, and that elements described as separate components may or may not be physically separate, may be located in one place, or may be distributed on different network elements. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. Based on such understanding, the technical solutions mentioned above may be embodied in the form of a software product, which may be stored in a computer-readable storage medium, such as a USB disk, a removable hard disk, a ROM, a RAM, a magnetic or optical disk, etc., and includes several instructions for causing a computer device (such as a personal computer, a server, or a network device, etc.) to execute the methods described in the method embodiments or some parts of the method embodiments.
In addition, it should be understood by those skilled in the art that in the specification of the embodiments of the present invention, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. An element defined by the phrase "comprising a ..." does not, without further limitation, exclude the presence of additional identical elements in the process, method, article, or apparatus that comprises the element.
In the description of the embodiments of the invention, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description. Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the embodiments of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects.
This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed embodiments of the invention require more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solutions of the embodiments of the present invention, and not to limit the same; although embodiments of the present invention have been described in detail with reference to the foregoing embodiments, it should be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (7)

1. A method for detecting an abnormal IP address is characterized by comprising the following steps:
analyzing abnormal character strings appearing in field values based on human-computer interaction data of the extreme verification codes, refining given rules based on the abnormal character strings, and giving the risk level of the given rules;
if any piece of data of any IP address touches the given rule, giving basic scores to a plurality of pieces of data of a plurality of website platforms under the IP address based on the risk level of the given rule;
based on the basic scoring under the IP address, performing overall risk scoring on the IP address;
the step of performing overall risk scoring on the IP address based on the basic scoring under the IP address specifically includes:
based on the basic scoring, calculating the total risk scoring of the IP address by using a scoring model, wherein the scoring model is obtained according to the following mode:
obtaining abnormal IP addresses with different risk degrees as training samples based on user side feedback or data analysis, extracting features from the training samples based on the access data volume of the abnormal IP addresses and the condition of touching the given rule, training a regression model, and obtaining the scoring model;
detecting whether the IP address is an abnormal IP address or not based on the total risk score and the type of the IP address, and adding the IP address into an abnormal IP address library when the IP address is detected to be abnormal;
on the basis of obtaining the total risk score of the IP address, judging whether the type of the IP address is a data platform, a base station, a public network IP and a household broadband;
after the detection result is yes, the method further comprises:
inquiring whether the IP address exists in the abnormal IP address library, and if so, scoring the current total risk of the IP address and updating the total risk score of the IP address in the abnormal IP address library.
2. The method according to claim 1, wherein the step of providing a base score for the pieces of data of the plurality of website platforms at the IP address based on the risk level of the given rule specifically comprises:
and detecting each rule touched by the data of the IP address in the given rule, and giving the basic score to the data based on the risk level corresponding to each touched rule.
3. The method according to any of claims 1-2, further comprising, after the step of adding the IP address to a repository of abnormal IP addresses:
if any IP address in the abnormal IP address library is detected to reappear, detecting whether each piece of data of the IP address touches the given rule, and if not, removing the IP address from the abnormal IP address library.
4. The method of claim 1, further comprising, after the step of adding the IP address to a repository of abnormal IP addresses: setting a basic time limit for the IP address, and removing the IP address from the abnormal IP address library when the existence duration of the IP address in the abnormal IP address library reaches the basic time limit.
5. An apparatus for detecting an abnormal IP address, comprising:
analyzing abnormal character strings appearing in field values based on human-computer interaction data of the extreme verification codes, refining given rules based on the abnormal character strings, and giving the risk level of the given rules;
the first scoring module is used for giving basic scoring to a plurality of pieces of data of a plurality of website platforms under any IP address based on the risk level of the given rule if any piece of data of any IP address touches the given rule;
the second scoring module is used for scoring the total risk of the IP address based on the basic scoring under the IP address;
the second scoring module is further configured to calculate a total risk score for the IP address based on the basic score using a scoring model, wherein the scoring model is obtained as follows:
obtaining abnormal IP addresses with different risk degrees as training samples based on user side feedback or data analysis, extracting features from the training samples based on the access data volume of the abnormal IP addresses and the condition of touching the given rule, training a regression model, and obtaining the scoring model;
the detection output module is used for detecting whether the IP address is an abnormal IP address or not based on the total risk score and the type of the IP address, and adding the IP address into an abnormal IP address library when the IP address is detected to be the abnormal IP address;
on the basis of obtaining the total risk score of the IP address, judging whether the type of the IP address is a data platform, a base station, a public network IP and a household broadband;
the detection output module is further configured to: after the detection result is yes, inquire whether the IP address exists in the abnormal IP address library, and if so, score the current total risk of the IP address and update the total risk score of the IP address in the abnormal IP address library.
6. An electronic device, comprising: at least one memory, at least one processor, a communication interface, and a bus;
the memory, the processor and the communication interface complete mutual communication through the bus, and the communication interface is also used for information transmission between the electronic equipment and the multi-website platform equipment;
the memory has stored therein a computer program operable on the processor, which when executed by the processor, implements the method of any of claims 1 to 4.
7. A non-transitory computer-readable storage medium storing computer instructions which, when executed on a computer, cause the computer to perform the method of any one of claims 1 to 4.
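The module pipeline described for the apparatus (first scoring module, second scoring module, detection output module) and the procedure of method claims 1 to 4 are the same algorithm; the following Python sketch is an added example and is not the patent's own code. The rule patterns and their risk levels, the decision threshold, the basic time limit, the fixed linear formula standing in for the trained regression scoring model, and the sample records are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed given rules: an abnormal-string pattern on a field value and its risk
# level. The patterns and levels are assumptions, not the patent's real rule set.
RULES = {
    "script_tag": (re.compile(r"<script", re.I), 3),
    "sql_comment": (re.compile(r"(--|/\*)"), 2),
}
NEVER_ABNORMAL_TYPES = {"base_station", "public_network"}  # never flagged, per the description
ABNORMAL_THRESHOLD = 5.0       # assumed cut-off on the total risk score
BASIC_TIME_LIMIT = 7 * 86400   # assumed basic time limit (seconds) for a library entry

@dataclass
class Record:                  # one piece of human-computer interaction data
    ip: str
    platform: str              # which website platform it came from
    field_value: str
    access_volume: int

def touched_rules(rec):
    """Names of the given rules whose abnormal string appears in this record's field."""
    return [name for name, (pat, _) in RULES.items() if pat.search(rec.field_value)]

def basic_scores(records):
    """Step 1: once any record under the IP touches a rule, every record under that IP
    gets a basic score = sum of risk levels of the rules it touched (0 if none)."""
    if not any(touched_rules(r) for r in records):
        return None            # nothing under this IP touched a rule: no basic scoring
    return [sum(RULES[n][1] for n in touched_rules(r)) for r in records]

def total_risk_score(records, scores):
    """Step 2: stand-in for the trained regression model. A fixed linear model over the
    features the claims name (access data volume, rule-touch condition); weights assumed."""
    volume = sum(r.access_volume for r in records)
    touched = sum(1 for s in scores if s > 0)
    return 0.01 * volume + 1.0 * sum(scores) + 0.5 * touched

def detect(records, ip_type, library, now):
    """Steps 3 and 4: combine total score and IP type, then maintain the abnormal IP
    library (add, rescore an existing entry, or remove on a rule-free reappearance)."""
    ip = records[0].ip
    scores = basic_scores(records)
    if scores is None:
        library.pop(ip, None)  # claim 3: reappeared without touching any rule
        return False
    total = total_risk_score(records, scores)
    if ip_type in NEVER_ABNORMAL_TYPES or total < ABNORMAL_THRESHOLD:
        return False
    if ip in library:          # already known: refresh its total risk score
        library[ip]["score"] = total
    else:
        library[ip] = {"score": total, "added_at": now, "type": ip_type}
    return True

def expire(library, now):
    """Claim 4: drop entries whose time in the library reached the basic time limit."""
    for ip in [ip for ip, e in library.items() if now - e["added_at"] >= BASIC_TIME_LIMIT]:
        del library[ip]
    return library

def run_pipeline(records, ip_types, library=None, now=0):
    """Group records by IP, run detection for each IP, then apply the time limit."""
    library = {} if library is None else library
    by_ip = {}
    for r in records:
        by_ip.setdefault(r.ip, []).append(r)
    for ip, recs in by_ip.items():
        detect(recs, ip_types.get(ip, "unknown"), library, now)
    return expire(library, now)

# Constructed sample records from three website platforms (RFC 5737 documentation IPs).
SAMPLE = [
    Record("203.0.113.7", "shop", "<script>alert(1)</script>", 400),
    Record("203.0.113.7", "forum", "hello", 120),
    Record("203.0.113.7", "bank", "x' -- ", 90),
    Record("198.51.100.9", "shop", "<SCRIPT>", 300),
    Record("192.0.2.44", "forum", "ordinary comment", 30),
]
SAMPLE_TYPES = {"203.0.113.7": "home_broadband", "198.51.100.9": "public_network",
                "192.0.2.44": "home_broadband"}
```

Running `run_pipeline(SAMPLE, SAMPLE_TYPES)` flags only 203.0.113.7; 198.51.100.9 scores above the threshold but is excluded by its public network type, and 192.0.2.44 touches no rule.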
CN201811418960.4A 2018-11-26 2018-11-26 Abnormal IP address detection method and device and electronic equipment Active CN109729069B (en)
Publications (2)

Publication Number Publication Date
CN109729069A CN109729069A (en) 2019-05-07
CN109729069B true CN109729069B (en) 2021-12-28
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant