CN110311888A - A kind of Web anomalous traffic detection method, device, equipment and medium - Google Patents
A kind of Web anomalous traffic detection method, device, equipment and medium Download PDFInfo
- Publication number
- CN110311888A CN110311888A CN201910385680.6A CN201910385680A CN110311888A CN 110311888 A CN110311888 A CN 110311888A CN 201910385680 A CN201910385680 A CN 201910385680A CN 110311888 A CN110311888 A CN 110311888A
- Authority
- CN
- China
- Prior art keywords
- agreement request
- sample
- web
- measured
- frequency
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
Abstract
The invention discloses a kind of Web anomalous traffic detection method, device, equipment and media.The step of this method includes: acquisition characteristic model;The feature deviation between agreement request to be measured and the agreement request of Web normal discharge is calculated using characteristic model;When feature deviation is greater than preset threshold, the corresponding web traffic of agreement request to be measured is labeled as Web abnormal flow.This method can request judgement of the feature having to agreement request to be measured progress similitude according to normal protocol, with this judge agreement request to be measured level off to normal protocol request degree, without specifically being limited the specific format of abnormal agreement request in advance, it can be consequently used for detecting unknown abnormal agreement request, it is opposite to improve the flexibility for detecting abnormal agreement request, and then really ensure that accuracy when detecting Web abnormal flow.In addition, also to provide a kind of Web abnormal traffic detection device, equipment and medium, beneficial effect same as above by the application.
Description
Technical field
This application involves network safety filed, more particularly to a kind of Web anomalous traffic detection method, device, equipment and
Medium.
Background technique
Web abnormal flow be for Web normal discharge, Web normal discharge refer to user by browser or
Other Web clients flow according to caused by the process that normal requirements for access accesses Web server;And Web abnormal flow is
Refer to and flow caused by the process of abnormal access is carried out to Web server, and abnormal flow is often caused by Web server
Abnormal agreement request is received, and provides corresponding response data according to abnormal agreement request and generates.
Agreement request may be due to by the frequent data access for a certain domain name in the presence of exception, it is also possible to by
In being previously implanted the reasons such as anomaly parameter code or content of parameter, the generation of Web abnormal flow generally means that Web server
By abnormal access, such as website crawls, password is enumerated, vulnerability exploit, steal information etc., can cause website service
Device collapse, database data leakage, the results such as user sensitive information is revealed or even server is completely controlled.Therefore it needs
Abnormal flow is detected in web traffic, avoids abnormal flow to the work safety of Web server with this.
A kind of currently employed Web anomalous traffic detection method is that matching web traffic is included according to regular expressions
Agreement request series of features, regular expression characterizes correlated characteristic possessed by abnormal agreement request, works as agreement request
Match with regular expression, then illustrates that the web traffic of the agreement request is abnormal.Using current method, need in every discovery
It is a kind of exception agreement request characteristic pattern when, write the regular expressions to match with the format of the exception agreement request
Formula, but since the format of abnormal agreement request is varied, and regular expression can only match known abnormal agreement and ask
The format asked, therefore be difficult to completely cover whole abnormal agreement requests by way of regular expression, and then be difficult to ensure
Detect accuracy when Web abnormal flow.
It can be seen that providing a kind of Web anomalous traffic detection method, standard when Web abnormal flow is detected with opposite raising
True property is those skilled in the art's problem to be solved.
Summary of the invention
The object of the present invention is to provide a kind of Web anomalous traffic detection method, device, equipment and media, with opposite raising
Detect accuracy when Web abnormal flow.
In order to solve the above technical problems, the present invention provides a kind of Web anomalous traffic detection method, comprising:
Obtain characteristic model;
The feature deviation between agreement request to be measured and the agreement request of Web normal discharge is calculated using characteristic model;
When feature deviation is greater than preset threshold, the corresponding web traffic of agreement request to be measured is labeled as Web exception stream
Amount.
Preferably, obtaining characteristic model includes:
Obtain the sample characteristics of the agreement request sample of Web normal discharge;
Sample characteristics are extracted, characteristic model is generated.
Preferably, the sample characteristics of agreement request sample include at least the parameter value character length of agreement request sample, association
All kinds of character occurrence frequencies, the parameter integrality of agreement request sample, agreement request sample in the parameter value of view request sample
In at least one in frequency that relative positional relationship and agreement request sample between each sample parameter are initiated by single IP address
The feature of type.
Preferably, when the parameter value character length that the sample characteristics of agreement request sample include agreement request sample, and/or
The frequency that all kinds of character occurrence frequencies and/or agreement request sample are initiated by single IP address in the parameter value of agreement request sample
When rate, sample characteristics are extracted, generate characteristic model, comprising:
It is extracted by parameter value character length of the model formation to agreement request sample, generates characteristic model, and/or
All kinds of character occurrence frequencies in the parameter value of agreement request sample are extracted by model formation, generation characteristic model, and/
Or extracted by the frequency that model formation is initiated agreement request sample by single IP address, generate characteristic model.
Preferably, when the sample characteristics of agreement request sample are specially the parameter value character length of agreement request sample,
It is extracted by parameter value character length of the model formation to agreement request sample, generating characteristic model includes:
Calculate the sample length mean value of the parameter value character length of agreement request sample and the parameter of agreement request sample
It is worth the sample length variance of character length;
Sample length mean value and sample length variance are substituted into Chebyshev's formula, generate characteristic model;
Correspondingly, calculating the feature between agreement request to be measured and the agreement request of Web normal discharge using characteristic model
Deviation, comprising:
Calculate the length mean value to be measured of the parameter value character length of agreement request to be measured and the parameter of agreement request to be measured
It is worth the length variance to be measured of character length;
Length mean value to be measured and length variance to be measured are substituted into characteristic model and calculate feature deviation.
Preferably, when characters all kinds of in the parameter value that the sample characteristics of agreement request sample are specially agreement request sample go out
When existing frequency, all kinds of character occurrence frequencies in the parameter value of agreement request sample are extracted by model formation, are generated special
Levying model includes:
Calculate the sample expected frequency of all kinds of character occurrence frequencies in the parameter value of agreement request sample;
Sample expected frequency is substituted into Chi-square Test formula, generates characteristic model;
Correspondingly, calculating the feature between agreement request to be measured and the agreement request of Web normal discharge using characteristic model
Deviation, comprising:
Calculate the expected frequency to be measured of all kinds of character occurrence frequencies in the parameter value of agreement request to be measured;
Expected frequency to be measured is substituted into characteristic model and calculates feature deviation.
Preferably, when the sample characteristics of agreement request sample are specially the frequency that agreement request sample is initiated by single IP address
It when rate, is extracted by the frequency that model formation is initiated agreement request sample by single IP address, generates characteristic model packet
It includes:
Calculate the sample frequency mean value and agreement request sample of the frequency that agreement request sample is initiated by single IP address
By the sample frequency variance for the frequency that single IP address is initiated;
Sample frequency mean value and sample frequency variance are substituted into Chebyshev's formula, generate characteristic model;
Correspondingly, calculating the feature between agreement request to be measured and the agreement request of Web normal discharge using characteristic model
Deviation, comprising:
Calculate the frequency that agreement request to be measured is initiated by single IP address mean frequency value to be measured and agreement request to be measured
By the frequency variance to be measured for the frequency that single IP address is initiated;
Mean frequency value to be measured and frequency variance to be measured are substituted into characteristic model and calculate feature deviation.
Preferably, when the sample characteristics of agreement request sample include multiple types, when feature deviation is greater than default threshold
When value, include: labeled as Web abnormal flow by the corresponding web traffic of agreement request to be measured
When the fusion results of feature deviation are greater than preset threshold, the corresponding web traffic of agreement request to be measured is marked
For Web abnormal flow.
In addition, the present invention also provides a kind of Web abnormal traffic detection devices, comprising:
Model obtains module, for obtaining characteristic model;
Deviation statistics module, for calculating the agreement request of agreement request to be measured Yu Web normal discharge using characteristic model
Between feature deviation;
Abnormal determination module, for when feature deviation is greater than preset threshold, the corresponding Web of agreement request to be measured to be flowed
Amount is labeled as Web abnormal flow.
In addition, the present invention also provides a kind of Web abnormal traffic detection equipment, comprising:
Memory, for storing computer program;
Processor is realized when for executing computer program such as the step of above-mentioned Web anomalous traffic detection method.
In addition, being stored with meter on computer readable storage medium the present invention also provides a kind of computer readable storage medium
Calculation machine program is realized when computer program is executed by processor such as the step of above-mentioned Web anomalous traffic detection method.
Web anomalous traffic detection method provided by the present invention, first acquisition characteristic model, and then utilize characteristic model meter
The feature deviation in agreement request to be measured and normal web traffic between agreement request is calculated, when feature deviation is greater than default threshold
When value, the corresponding web traffic of agreement request to be measured is labeled as Web abnormal flow.This method compared with the prior art for, this
Method can request the feature having to carry out the judgement of similitude to agreement request to be measured according to normal protocol, be judged with this to be measured
Agreement request level off to normal protocol request degree, without specifically being limited the specific format of abnormal agreement request in advance
It is fixed, it can be consequently used for detecting unknown abnormal agreement request, it is opposite to improve the flexibility for detecting abnormal agreement request, in turn
It really ensure that accuracy when detection Web abnormal flow.In addition, the application also provides a kind of Web abnormal traffic detection device, sets
Standby and medium, beneficial effect are same as above.
Detailed description of the invention
In order to illustrate the embodiments of the present invention more clearly, attached drawing needed in the embodiment will be done simply below
It introduces, it should be apparent that, drawings in the following description are only some embodiments of the invention, for ordinary skill people
For member, without creative efforts, it is also possible to obtain other drawings based on these drawings.
Fig. 1 is a kind of flow chart of Web anomalous traffic detection method disclosed in the present application;
Fig. 2 is a kind of flow chart of specific Web anomalous traffic detection method disclosed in the present application;
Fig. 3 is a kind of flow chart of specific Web anomalous traffic detection method disclosed in the present application;
Fig. 4 is a kind of structural schematic diagram of specific Web abnormal traffic detection device disclosed in the present application;
Fig. 5 is a kind of structure chart of specific Web abnormal traffic detection equipment disclosed in the present application.
Specific embodiment
Following will be combined with the drawings in the embodiments of the present invention, and technical solution in the embodiment of the present invention carries out clear, complete
Site preparation description, it is clear that described embodiments are only a part of the embodiments of the present invention, rather than whole embodiments.Based on this
Embodiment in invention, those of ordinary skill in the art are without making creative work, obtained every other
Embodiment belongs to the scope of the present invention.
A kind of currently employed Web anomalous traffic detection method is that matching web traffic is included according to regular expressions
Agreement request series of features, regular expression characterizes correlated characteristic possessed by abnormal agreement request, works as agreement request
Match with regular expression, then illustrates that the web traffic of the agreement request is abnormal.Using current method, need in every discovery
It is a kind of exception agreement request characteristic pattern when, write the regular expressions to match with the format of the exception agreement request
Formula, but since the format of abnormal agreement request is varied, and regular expression can only match known abnormal agreement and ask
The format asked, therefore be difficult to completely cover whole abnormal agreement requests by way of regular expression, and then be difficult to ensure
Detect accuracy when Web abnormal flow.
For this purpose, detection Web abnormal flow opposite can be improved this application provides a kind of Web anomalous traffic detection method
When accuracy.
In order to enable those skilled in the art to better understand the solution of the present invention, with reference to the accompanying drawings and detailed description
The present invention is described in further detail.
Shown in Figure 1, the embodiment of the present application discloses a kind of Web anomalous traffic detection method, comprising:
Step S10: characteristic model is obtained.
Characteristic model in this step is with the difference journey calculated between agreement request to be measured and normal agreement request
Degree, the i.e. operational model of feature deviation function.
Step S11: the feature between agreement request to be measured and the agreement request of Web normal discharge is calculated using characteristic model
Deviation.
It should be noted that the main purpose of this step is the feature and agreement to be measured that will be covered in characteristic model
Deviation between request is calculated, in order to learn the difference between agreement request to be measured and normal agreement request
Degree, i.e. feature deviation.
Step S12: when feature deviation is greater than preset threshold, the corresponding web traffic of agreement request to be measured is labeled as
Web abnormal flow.
This step is when feature deviation is greater than preset threshold, i.e., feature deviation has been more than some set range
The corresponding web traffic of agreement request to be measured is labeled as Web abnormal flow, it is therefore an objective to by the difference with normal agreement request by value
Different more agreement request to be measured is determined as abnormal agreement request, and then the web traffic that will be generated by the agreement request
Labeled as Web abnormal flow.After the corresponding web traffic of agreement request to be measured is labeled as Web abnormal flow, this method may be used also
It, can also be to be measured by this further to record the agreement request to be measured to log so that operation maintenance personnel does further verification processing
Communication session corresponding to agreement request blocks, to avoid the security risk of Web server.
The specific setting of preset threshold should be depending on the detection Stringency of actually detected scene, herein not in this step
It is specifically limited.
Web anomalous traffic detection method provided by the present invention, first acquisition characteristic model, and then utilize characteristic model meter
The feature deviation in agreement request to be measured and normal web traffic between agreement request is calculated, when feature deviation is greater than default threshold
When value, the corresponding web traffic of agreement request to be measured is labeled as Web abnormal flow.This method compared with the prior art for, this
Method can request the feature having to carry out the judgement of similitude to agreement request to be measured according to normal protocol, be judged with this to be measured
Agreement request level off to normal protocol request degree, without specifically being limited the specific format of abnormal agreement request in advance
It is fixed, it can be consequently used for detecting unknown abnormal agreement request, it is opposite to improve the flexibility for detecting abnormal agreement request, in turn
It really ensure that accuracy when detection Web abnormal flow.
Shown in Figure 2, the embodiment of the present application discloses a kind of Web anomalous traffic detection method, comprising:
Step S20: the sample characteristics of the agreement request sample of Web normal discharge are obtained.
Step S21: extracting sample characteristics, generates characteristic model.
In the present embodiment, characteristic model is to carry out feature extraction generation by the agreement request sample to Web normal discharge.
It should be noted that the Web normal discharge in above-mentioned steps is the web traffic for corresponding Web abnormal flow,
Web traffic often results from the data exchange process between Web server and client, and client to Web server by sending out
Agreement request is sent to inform that Web server is provided correspondingly, the agreement request to web server response client provides accordingly
Data content, web traffic is generated with this, therefore web traffic is usually in client to after Web server initiation protocol request
It generates.
Web normal discharge refers to the data traffic generated after the reasonable agreement request of web server response, and Web is abnormal
Flow refers to that web server response initiation frequency is higher or carries the data traffic generated after the unconventional agreement request of parameter.
In addition, the agreement request in this method typically refers to the common Http agreement request in Web service.
Pre-generated characteristic model is equivalent to and whether normally differentiates mark for agreement request sample as agreement request
Standard includes the characteristic model of series of features in agreement request sample according to agreement request sample training, and then by be measured
Aspect ratio between agreement request and characteristic model is to determining whether agreement request to be measured levels off to agreement request sample, i.e., to be measured
Whether agreement request is normal.
It carries out feature extraction for agreement request sample and can be to carry out respectively based on many aspects, such as agreement request
Number of parameters, parameter position, parameter value etc..
In addition, it is necessary to explanation, the quantity of agreement request sample can be it is multiple, in the base of multiple agreement request samples
When carrying out feature extraction on plinth, need to carry out each agreement request sample standard deviation the feature extraction of same characteristic aspect, in turn
Again using the average value of extracted feature as the feature in terms of this feature of multiple agreement requests.
Step S22: the feature between agreement request to be measured and the agreement request of Web normal discharge is calculated using characteristic model
Deviation.
Step S23: when feature deviation is greater than preset threshold, the corresponding web traffic of agreement request to be measured is labeled as
Web abnormal flow.
On the basis of the above embodiments, as a preferred embodiment, the sample characteristics of agreement request sample extremely
All kinds of character occurrence frequencies, association in the parameter value of parameter value character length including agreement request sample, agreement request sample less
Relative positional relationship and agreement request sample between the parameter integrality of view request sample, each sample parameter of agreement request sample
Originally the feature of type at least one in frequency initiated by single IP address.
It should be noted that due to consideration that the ginseng of the parameter value character length of agreement request sample, agreement request sample
In numerical value between each sample parameter of all kinds of character occurrence frequencies, the parameter integrality of agreement request sample, agreement request sample
Whether the frequency that relative positional relationship and agreement request sample are initiated by single IP address, can different as judgement web traffic
Normal foundation, that is to say, that above-mentioned series of features is the content being relatively easily tampered in current agreement request, therefore is
It is whether abnormal that agreement request targetedly and then is accurately analyzed relatively, and then concludes whether web traffic is Web exception stream
It measures, the sample characteristics in present embodiment include at least above-mentioned a type of feature.
As a preferred embodiment, when the sample characteristics of agreement request sample include the parameter of agreement request sample
All kinds of character occurrence frequencies and/or agreement request sample are by list in the parameter value of value character length and/or agreement request sample
When the frequency that one IP address is initiated, sample characteristics are extracted, generate characteristic model, comprising:
It is extracted by parameter value character length of the model formation to agreement request sample, generates characteristic model, and/or
All kinds of character occurrence frequencies in the parameter value of agreement request sample are extracted by model formation, generation characteristic model, and/
Or extracted by the frequency that model formation is initiated agreement request sample by single IP address, generate characteristic model.
It should be noted that the model formation in the present embodiment refers to the algebraic expression with known property, with mathematic sign table
Show, the formula of certain relationship (such as law or theorem) between each amount can be widely used in the methods of things of the like description.Tool
There are known property and correctness, the present embodiment is extracted by parameter value character length of the model formation to agreement request sample
To generate characteristic model, it opposite can ensure the accuracy and reliability of characteristic model.
When the sample characteristics of agreement request sample are specially the parameter value character length of agreement request sample, pass through model
Formula extracts the parameter value character length of agreement request sample, generates characteristic model and includes:
Calculate the sample length mean value of the parameter value character length of agreement request sample and the parameter of agreement request sample
It is worth the sample length variance of character length;
Sample length mean value and sample length variance are substituted into Chebyshev's formula, generate characteristic model;
Correspondingly, calculating the feature between agreement request to be measured and the agreement request of Web normal discharge using characteristic model
Deviation, comprising:
Calculate the length mean value to be measured of the parameter value character length of agreement request to be measured and the parameter of agreement request to be measured
It is worth the length variance to be measured of character length;
Length mean value to be measured and length variance to be measured are substituted into characteristic model and calculate feature deviation.
It should be noted that extracting generation by parameter value character length of the model formation to agreement request sample
Characteristic model can be extracted using following Chebyshev's formula:
It should be noted that present embodiment is in view of in practical applications, it is understood that there may be the client of malice pass through to
Web server initiates a large amount of agreement request, and the available resources of Web server are occupied with this, reaches and leads to Web server
The purpose for believing attack, due to being to recycle agreement request to initiate the access without practical significance to Web server, agreement is asked
The parameter value for seeking middle parameter is often the content generated at random, on this basis, in order to avoid the ginseng in numerous agreement requests
Numerical value repetitive rate is higher, and the character length of the parameter value generated at random in current exception agreement request is often longer, therefore this reality
Mode is applied using the parameter value character length in agreement request as the judgement whether normal feature of agreement request, and then extracts agreement
The sample parameter value character length of sample is requested, and is based on Chebyshev inequality construction feature model, is i.e. calculating sample parameter
It is worth the mean value of character length and the variance of sample parameter value character length, and substitutes into Chebyshev inequality, generates character modules
Type:
Wherein,μFor the mean value of sample parameter value character length, σ is the variance of sample parameter value character length, in character modules
In type,μAnd σ is known value, and then calculates the spy between agreement request and agreement request sample to be measured using characteristic model
Deviation is levied, is substantially first to calculate the mean value of the parameter value character length to be measured in agreement request to be measured, and then by ginseng to be measured
The mean value of numeric character length substitutes into characteristic model as l, calculates feature deviationp。
Present embodiment is based on the thought of Chebyshev inequality to parameter value character length in agreement request as judgement
Whether Yi Chang feature extracts agreement request, generates corresponding characteristic model, and calculating agreement request to be measured with this, there are different
Normal probability and as feature deviation, present embodiment generates characteristic model using statistical thought, opposite to improve spy
The reliability and accuracy of model are levied, and then further ensures the overall accuracy of Web abnormal traffic detection.
When the sample characteristics of agreement request sample are specially the frequency that agreement request sample is initiated by single IP address, lead to
It crosses the frequency that model formation is initiated agreement request sample by single IP address to extract, generating characteristic model includes:
Calculate the sample frequency mean value and agreement request sample of the frequency that agreement request sample is initiated by single IP address
By the sample frequency variance for the frequency that single IP address is initiated;
Sample frequency mean value and sample frequency variance are substituted into Chebyshev's formula, generate characteristic model;
Correspondingly, calculating the feature between agreement request to be measured and the agreement request of Web normal discharge using characteristic model
Deviation, comprising:
Calculate the frequency that agreement request to be measured is initiated by single IP address mean frequency value to be measured and agreement request to be measured
By the frequency variance to be measured for the frequency that single IP address is initiated;
Mean frequency value to be measured and frequency variance to be measured are substituted into characteristic model and calculate feature deviation.
It should be noted that being mentioned by the frequency that model formation is initiated agreement request sample by single IP address
It takes, can specifically be extracted using following Chebyshev's formula:
It should be noted that present embodiment is in view of in practical applications, it is understood that there may be the client of malice utilizes certainly
The case where single IP address of body frequently initiates a large amount of agreement request to Web server occupies the available of Web server with this
Resource achievees the purpose that carry out Web server communication attack.For example, the client of malice frequently uses 192.168.1.1
IP address a certain agreement request is initiated to Web server, it is therefore an objective to so that Web server is frequently responded the agreement of malicious client
Request, to cause the occupancy to Web server vast resources, therefore present embodiment by agreement request sample by single IP
The sample that location is initiated initiates frequency as the judgement whether normal feature of agreement request, and then extracts agreement request in predetermined period
The sample that sample is initiated by single IP address initiates frequency, and is based on Chebyshev inequality construction feature model, i.e. calculating sample
The mean value and sample of this initiation frequency initiate the variance of frequency, and substitute into Chebyshev inequality, generate characteristic model:
Wherein,μThe mean value of frequency is initiated for sample, σ is the variance that sample initiates frequency, in characteristic model,μAnd σ is equal
For known value, and then the feature deviation between agreement request and agreement request sample to be measured is calculated using characteristic model, essence
On be first obtain by single IP address initiate agreement request to be measured initiation frequency to be measured, and calculate it is to be measured initiate frequency it is equal
Value, and then characteristic model is substituted into using the mean value to be measured for initiating frequency as l, calculate feature deviationp。
Present embodiment is based on the thought of Chebyshev inequality to the agreement request to be measured initiated by single IP address
As judgement agreement request, whether Yi Chang feature extracts initiation frequency to be measured, corresponding characteristic model is generated, in terms of this
Agreement request to be measured is calculated in the presence of abnormal probability and as feature deviation, present embodiment generates special using statistical thought
Model is levied, it is opposite to improve the reliability and accuracy of characteristic model, and then further ensure Web abnormal traffic detection
Overall accuracy.
When character occurrence frequencies all kinds of in the parameter value that the sample characteristics of agreement request sample are specially agreement request sample
When, all kinds of character occurrence frequencies in the parameter value of agreement request sample are extracted by model formation, generate characteristic model
Include:
Calculate the sample expected frequency of all kinds of character occurrence frequencies in the parameter value of agreement request sample;
Sample expected frequency is substituted into Chi-square Test formula, generates characteristic model;
Correspondingly, calculating the feature between agreement request to be measured and the agreement request of Web normal discharge using characteristic model
Deviation, comprising:
Calculate the expected frequency to be measured of all kinds of character occurrence frequencies in the parameter value of agreement request to be measured;
Expected frequency to be measured is substituted into characteristic model and calculates feature deviation.
It should be noted that being carried out by model formation to character occurrence frequencies all kinds of in the parameter value of agreement request sample
The characteristic model generated is extracted, can be indicated by following Chi-square Test formula:
It should be noted that due to consideration that in actual scene, the client of malice is often through to Web server
A large amount of agreement request is initiated, the available resources of Web server are occupied with this, reaches and communication attack is carried out to Web server
Purpose, due to being to recycle agreement request to initiate the access without practical significance to Web server, the ginseng in agreement request
Numerical value is often the Char Disorder without physical meaning, and there is biggish character repetitions, and then present embodiment asks agreement
The frequency of occurrences of all kinds of characters is extracted agreement first and is asked as the whether normal feature of agreement request is determined in the parameter value asked
The frequency of occurrences of all kinds of characters in the sample parameter value of sample is sought, and then calculates the expectation frequency of all kinds of characters according to the frequency of occurrences
Rate, and Chi-square Test formula is substituted into, generate characteristic model:
Wherein, i is the class number of all kinds of characters, and n is positive integer, EiFor the expected frequency of all kinds of characters, in characteristic model,
I, n and EiIt is known value, and then calculates the feature between agreement request and agreement request sample to be measured using characteristic model
Deviation is substantially the frequency of occurrences of all kinds of characters in the parameter value to be measured for first extract agreement request to be measured, and according to be measured
The frequency of occurrences of all kinds of characters calculates the expected frequency of all kinds of characters in parameter value to be measured in parameter value, and then by parameter value to be measured
In all kinds of characters expected frequency as OiCharacteristic model is substituted into, feature deviation χ is calculated2。
Present embodiment is made based on the frequency of occurrences of the thought of Chi-square Test to all kinds of characters in parameter value in agreement request
To determine that whether Yi Chang feature extracts agreement request, generates corresponding characteristic model, calculates agreement request to be measured with this
In in parameter value to be measured all kinds of character occurrence frequencies chi-square value, characterized with this all kinds of between parameter value and parameter value sample to be measured
The difference of character occurrence frequency, present embodiment generates characteristic model using statistical thought, opposite to improve characteristic model
Reliability and accuracy, and then further ensure the overall accuracy of Web abnormal traffic detection.
Shown in Figure 3, the embodiment of the present application discloses a kind of Web anomalous traffic detection method, when agreement request sample
Sample characteristics include multiple types when, method includes:
Step S30: the sample characteristics of the agreement request sample of Web normal discharge are obtained.
Step S31: extracting sample characteristics, generates characteristic model.
Step S32: the feature between agreement request to be measured and the agreement request of Web normal discharge is calculated using characteristic model
Deviation.
Step S33: when the fusion results of feature deviation are greater than preset threshold, by the corresponding Web of agreement request to be measured
Flow is labeled as Web abnormal flow.
Fusion results are as follows:
Wherein, pjFor j-th of feature deviation, wjFor the weight of j-th of feature deviation, m is positive integer.
Present embodiment is fundamentally based on various features model between agreement request to be measured and agreement request sample
Various aspects difference is calculated, and then generates corresponding feature deviation, and then each feature deviation is fused to whole
Deviation, i.e. fusion results in present embodimentWherein pjFor j-th of feature deviation, wjFor jth
The weight of a feature deviation, m are positive integer, have corresponding weight, the power of each deviation for each deviation
It is again artificial preset value, with this influence journey according to the feature deviation of weight limit various aspects to fusion results
Degree.
Various features model in present embodiment includes corresponding characteristic model in a series of above-mentioned embodiments.This reality
It is whole fusion results according to corresponding weight fusion that mode, which is applied, by various features deviation, is determined by fusion results to be measured
Whether agreement request is abnormal, improves the comprehensive of detection, being capable of the opposite accuracy improved to Web abnormal traffic detection.
It, can also be further by association to be measured after the corresponding web traffic of agreement request to be measured is labeled as Web abnormal flow
View requests corresponding communication session to block, and the corresponding web traffic of agreement request to be measured is recorded to log.By the agreement to be measured
The purpose of request record to log is that further verification processing is done for operation maintenance personnel, by communication corresponding to the agreement request to be measured
Session blocking can reach the hidden danger for avoiding Web server from stability occur.
Shown in Figure 4, the embodiment of the present application discloses a kind of Web abnormal traffic detection device, comprising:
Model obtains module 10, for obtaining characteristic model;
Deviation statistics module 11, for calculating agreement request to be measured using characteristic model and the agreement of Web normal discharge is asked
Feature deviation between asking;
Abnormal determination module 12 is used for when feature deviation is greater than preset threshold, by the corresponding Web of agreement request to be measured
Flow is labeled as Web abnormal flow.
Web abnormal traffic detection device provided by the present invention, first acquisition characteristic model, and then utilize characteristic model meter
The feature deviation in agreement request to be measured and normal web traffic between agreement request is calculated, when feature deviation is greater than default threshold
When value, the corresponding web traffic of agreement request to be measured is labeled as Web abnormal flow.The present apparatus compared with the prior art for, this
Device can request the feature having to carry out the judgement of similitude to agreement request to be measured according to normal protocol, be judged with this to be measured
Agreement request level off to normal protocol request degree, without specifically being limited the specific format of abnormal agreement request in advance
It is fixed, it can be consequently used for detecting unknown abnormal agreement request, it is opposite to improve the flexibility for detecting abnormal agreement request, in turn
It really ensure that accuracy when detection Web abnormal flow.
On the basis of previous embodiment, the embodiment of the present application carries out further Web abnormal traffic detection device
Bright and optimization.It is specific:
In a specific embodiment, the model obtains module further include:
Feature obtains module, the sample characteristics of the agreement request sample for obtaining Web normal discharge;
Model generation module generates the characteristic model for extracting to the sample characteristics.
In another embodiment specific implementation mode, the sample characteristics of agreement request sample include at least the agreement request sample
Parameter value character length, the agreement request sample parameter value in all kinds of character occurrence frequencies, the agreement request sample
Parameter integrality, the agreement request sample each sample parameter between relative positional relationship and the agreement request sample
The feature of type at least one in frequency initiated by single IP address.
In another embodiment specific implementation mode, when the parameter that the sample characteristics of agreement request sample include agreement request sample
All kinds of character occurrence frequencies and/or agreement request sample are by list in the parameter value of value character length and/or agreement request sample
When the frequency that one IP address is initiated, the model generation module includes:
Formula model generation module, for being mentioned by parameter value character length of the model formation to agreement request sample
It takes, generates characteristic model, and/or carry out to character occurrence frequencies all kinds of in the parameter value of agreement request sample by model formation
It extracts, generates characteristic model, and/or mention by the frequency that model formation is initiated agreement request sample by single IP address
It takes, generates characteristic model.
In another embodiment specific implementation mode, when the ginseng that the sample characteristics of agreement request sample are specially agreement request sample
When numeric character length, the formula model generation module includes:
Length operation module, for calculating sample length mean value and the association of the parameter value character length of agreement request sample
The sample length variance of the parameter value character length of view request sample;
Length substitutes into module, for sample length mean value and sample length variance to be substituted into Chebyshev's formula, generates
Characteristic model;
Correspondingly, the deviation statistics module, comprising:
Length variance computing module, for calculate agreement request to be measured parameter value character length length mean value to be measured with
And the length variance to be measured of the parameter value character length of agreement request to be measured;
Length variation computing module, for length mean value to be measured and length variance to be measured to be substituted into characteristic model and calculated
Feature deviation.
In another embodiment specific implementation mode, when the ginseng that the sample characteristics of agreement request sample are specially agreement request sample
In numerical value when all kinds of character occurrence frequencies, the formula model generation module includes:
Frequency calculation module, the sample expectation of all kinds of character occurrence frequencies in the parameter value for calculating agreement request sample
Frequency;
Frequency substitutes into module, for sample expected frequency to be substituted into Chi-square Test formula, generates characteristic model;
Correspondingly, the deviation statistics module, comprising:
Expected frequency computing module, all kinds of character occurrence frequencies is to be measured in the parameter value for calculating agreement request to be measured
Expected frequency;
Frequency departure calculates module, for expected frequency to be measured to be substituted into characteristic model and calculates feature deviation.
In another embodiment specific implementation mode, when the sample characteristics of agreement request sample are specially agreement request sample by list
When the frequency that one IP address is initiated, the formula model generation module includes:
The sample frequency of IP computing module, the frequency initiated by single IP address for calculating the agreement request sample is equal
The sample frequency variance for the frequency that value and the agreement request sample are initiated by single IP address;
IP substitutes into module, public for the sample frequency mean value and the sample frequency variance to be substituted into Chebyshev
Formula generates the characteristic model;
Correspondingly, the deviation statistics module, comprising:
IP variance computing module, the frequency initiated by single IP address for calculating the agreement request to be measured to frequency measurement
The frequency variance to be measured for the frequency that rate mean value and the agreement request to be measured are initiated by single IP address;
IP deviation computing module, for the mean frequency value to be measured and the frequency variance to be measured to be substituted into the feature
Model simultaneously calculates the feature deviation.
In another embodiment specific implementation mode, when the sample characteristics of the agreement request sample include multiple types, institute
Stating abnormal determination module includes:
Determination module is merged, it, will be described for when the fusion results of the feature deviation are greater than the preset threshold
The corresponding web traffic of agreement request to be measured is labeled as Web abnormal flow.
Shown in Figure 5, the embodiment of the present application discloses a kind of Web abnormal traffic detection equipment, comprising:
Memory 20, for storing computer program;
Processor 21 is realized when for executing computer program such as the step of above-mentioned Web anomalous traffic detection method.
Web abnormal traffic detection equipment provided by the present invention, first acquisition characteristic model, and then utilize characteristic model meter
The feature deviation in agreement request to be measured and normal web traffic between agreement request is calculated, when feature deviation is greater than default threshold
When value, the corresponding web traffic of agreement request to be measured is labeled as Web abnormal flow.This equipment compared with the prior art for, this
Equipment can request the feature having to carry out the judgement of similitude to agreement request to be measured according to normal protocol, be judged with this to be measured
Agreement request level off to normal protocol request degree, without specifically being limited the specific format of abnormal agreement request in advance
It is fixed, it can be consequently used for detecting unknown abnormal agreement request, it is opposite to improve the flexibility for detecting abnormal agreement request, in turn
It really ensure that accuracy when detection Web abnormal flow.
On the basis of previous embodiment, the embodiment of the present application carries out further Web abnormal traffic detection equipment
Bright and optimization.It is specific:
In the present embodiment, when the processor 21 executes the computer subprogram saved in the memory 20, can have
Body performs the steps of the sample characteristics for obtaining the agreement request sample of Web normal discharge.Sample characteristics are extracted, it is raw
At characteristic model.The feature deviation between agreement request to be measured and the agreement request of Web normal discharge is calculated using characteristic model
Value.When feature deviation is greater than preset threshold, the corresponding web traffic of agreement request to be measured is labeled as Web abnormal flow.
In the present embodiment, when the processor 21 executes the computer subprogram saved in the memory 20, can have
Body performs the steps of the sample characteristics for obtaining the agreement request sample of Web normal discharge.Sample characteristics are extracted, it is raw
At characteristic model.The feature deviation between agreement request to be measured and the agreement request of Web normal discharge is calculated using characteristic model
Value.When the fusion results of feature deviation are greater than preset threshold, the corresponding web traffic of agreement request to be measured is labeled as Web
Abnormal flow.
Further, the application also provides a kind of computer readable storage medium, stores on computer readable storage medium
There is computer program, realizes when computer program is executed by processor such as the step of above-mentioned Web anomalous traffic detection method.It closes
It can be with reference to Web anomalous traffic detection method disclosed in previous embodiment in the specific steps of this method.Tool about this method
Body step can no longer be repeated herein with reference to corresponding contents disclosed in previous embodiment.
Computer readable storage medium provided by the present invention, first acquisition characteristic model, and then utilize characteristic model meter
The feature deviation in agreement request to be measured and normal web traffic between agreement request is calculated, when feature deviation is greater than default threshold
When value, the corresponding web traffic of agreement request to be measured is labeled as Web abnormal flow.This computer readable storage medium compared to
For the prior art, this computer readable storage medium can request the feature having to agreement request to be measured according to normal protocol
The judgement of similitude is carried out, judges that agreement request to be measured levels off to the degree of normal protocol request with this, without in advance to exception
The specific format of agreement request is specifically limited, and can be consequently used for detecting unknown abnormal agreement request, opposite to improve
The flexibility of abnormal agreement request is detected, and then really ensure that accuracy when detecting Web abnormal flow.
A kind of Web anomalous traffic detection method provided by the present invention, device, equipment and medium have been carried out in detail above
It introduces.Each embodiment is described in a progressive manner in specification, and the highlights of each of the examples are implement with other
The difference of example, the same or similar parts in each embodiment may refer to each other.For the device disclosed in the embodiment,
Since it is corresponded to the methods disclosed in the examples, so being described relatively simple, related place is referring to method part illustration
It can.It should be pointed out that for those skilled in the art, without departing from the principle of the present invention, may be used also
With several improvements and modifications are made to the present invention, these improvements and modifications also fall within the scope of protection of the claims of the present invention.
It should also be noted that, in the present specification, relational terms such as first and second and the like be used merely to by
One entity or operation are distinguished with another entity or operation, without necessarily requiring or implying these entities or operation
Between there are any actual relationship or orders.Moreover, the terms "include", "comprise" or its any other variant meaning
Covering non-exclusive inclusion, so that the process, method, article or equipment for including a series of elements not only includes that
A little elements, but also including other elements that are not explicitly listed, or further include for this process, method, article or
The intrinsic element of equipment.In the absence of more restrictions, the element limited by sentence "including a ...", is not arranged
Except there is also other identical elements in the process, method, article or apparatus that includes the element.
Claims (11)
1. a kind of Web anomalous traffic detection method characterized by comprising
Obtain characteristic model;
The feature deviation between agreement request to be measured and the agreement request of Web normal discharge is calculated using the characteristic model;
When the feature deviation is greater than preset threshold, will the corresponding web traffic of the agreement request to be measured to be labeled as Web different
Normal flow.
2. Web anomalous traffic detection method according to claim 1, which is characterized in that the acquisition characteristic model includes:
Obtain the sample characteristics of the agreement request sample of Web normal discharge;
The sample characteristics are extracted, the characteristic model is generated.
3. Web anomalous traffic detection method according to claim 2, which is characterized in that the sample of the agreement request sample
Eigen includes at least all kinds of in the parameter value of the parameter value character length of the agreement request sample, the agreement request sample
Character occurrence frequency, the parameter integrality of the agreement request sample, the agreement request sample each sample parameter between phase
The feature of type at least one in frequency initiated by single IP address positional relationship and the agreement request sample.
4. Web anomalous traffic detection method according to claim 3, which is characterized in that when the agreement request sample
Sample characteristics include in the parameter value character length of the agreement request sample and/or the parameter value of the agreement request sample
It is described to the sample when frequency that all kinds of character occurrence frequencies and/or the agreement request sample are initiated by single IP address
Feature extracts, and generates the characteristic model, comprising:
It is extracted by parameter value character length of the model formation to the agreement request sample, generates the characteristic model,
And/or all kinds of character occurrence frequencies in the parameter value of the agreement request sample are extracted by model formation, generate institute
Characteristic model is stated, and/or is extracted by the frequency that model formation is initiated the agreement request sample by single IP address,
Generate the characteristic model.
5. Web anomalous traffic detection method according to claim 4, which is characterized in that when the agreement request sample
It is described that the agreement is asked by model formation when sample characteristics are specially the parameter value character length of the agreement request sample
The parameter value character length of sample is asked to extract, generating the characteristic model includes:
Calculate the parameter value character length of the agreement request sample sample length mean value and the agreement request sample
The sample length variance of parameter value character length;
The sample length mean value and the sample length variance are substituted into Chebyshev's formula, generate the characteristic model;
Correspondingly, described calculated between agreement request to be measured and the agreement request of Web normal discharge using the characteristic model
Feature deviation, comprising:
Calculate the length mean value to be measured and the agreement request to be measured of the parameter value character length of the agreement request to be measured
The length variance to be measured of parameter value character length;
The length mean value to be measured and the length variance to be measured are substituted into the characteristic model and calculate the feature deviation
Value.
6. Web anomalous traffic detection method according to claim 4, which is characterized in that when the agreement request sample
It is described to pass through model formation pair when sample characteristics are specially all kinds of character occurrence frequencies in the parameter value of the agreement request sample
All kinds of character occurrence frequencies extract in the parameter value of the agreement request sample, generate the characteristic model and include:
Calculate the sample expected frequency of all kinds of character occurrence frequencies in the parameter value of the agreement request sample;
The sample expected frequency is substituted into Chi-square Test formula, generates the characteristic model;
Correspondingly, described calculated between agreement request to be measured and the agreement request of Web normal discharge using the characteristic model
Feature deviation, comprising:
Calculate the expected frequency to be measured of all kinds of character occurrence frequencies in the parameter value of the agreement request to be measured;
The expected frequency to be measured is substituted into the characteristic model and calculates the feature deviation.
7. Web anomalous traffic detection method according to claim 4, which is characterized in that when the agreement request sample
When sample characteristics are specially the frequency that the agreement request sample is initiated by single IP address, it is described by model formation to described
The frequency that agreement request sample is initiated by single IP address extracts, and generates the characteristic model and includes:
Calculate the sample frequency mean value and the agreement request of the frequency that the agreement request sample is initiated by single IP address
The sample frequency variance for the frequency that sample is initiated by single IP address;
The sample frequency mean value and the sample frequency variance are substituted into Chebyshev's formula, generate the characteristic model;
Correspondingly, described calculated between agreement request to be measured and the agreement request of Web normal discharge using the characteristic model
Feature deviation, comprising:
Calculate the frequency that the agreement request to be measured is initiated by single IP address mean frequency value to be measured and the agreement to be measured
Request the frequency variance to be measured for the frequency initiated by single IP address;
The mean frequency value to be measured and the frequency variance to be measured are substituted into the characteristic model and calculate the feature deviation
Value.
8. according to Web anomalous traffic detection method described in claim 2 to 7 any one, which is characterized in that when the agreement
It is described when the feature deviation is greater than preset threshold when the sample characteristics of sample being requested to include multiple types, will it is described to
The corresponding web traffic of agreement request, which is surveyed, labeled as Web abnormal flow includes:
When the fusion results of the feature deviation are greater than the preset threshold, by the corresponding Web of the agreement request to be measured
Flow is labeled as Web abnormal flow.
9. a kind of Web abnormal traffic detection device characterized by comprising
Model obtains module, for obtaining characteristic model;
Deviation statistics module, for calculating the agreement request of agreement request to be measured Yu Web normal discharge using the characteristic model
Between feature deviation;
Abnormal determination module is used for when the feature deviation is greater than preset threshold, and the agreement request to be measured is corresponding
Web traffic is labeled as Web abnormal flow.
10. a kind of Web abnormal traffic detection equipment characterized by comprising
Memory, for storing computer program;
Processor realizes Web abnormal flow as claimed in any one of claims 1 to 8 when for executing the computer program
The step of detection method.
11. a kind of computer readable storage medium, which is characterized in that be stored with computer on the computer readable storage medium
Program, the computer program realize Web abnormal flow inspection as claimed in any one of claims 1 to 8 when being executed by processor
The step of survey method.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910385680.6A CN110311888A (en) | 2019-05-09 | 2019-05-09 | A kind of Web anomalous traffic detection method, device, equipment and medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910385680.6A CN110311888A (en) | 2019-05-09 | 2019-05-09 | A kind of Web anomalous traffic detection method, device, equipment and medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN110311888A true CN110311888A (en) | 2019-10-08 |
Family
ID=68074651
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201910385680.6A Pending CN110311888A (en) | 2019-05-09 | 2019-05-09 | A kind of Web anomalous traffic detection method, device, equipment and medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN110311888A (en) |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111064745A (en) * | 2019-12-30 | 2020-04-24 | 厦门市美亚柏科信息股份有限公司 | Self-adaptive back-climbing method and system based on abnormal behavior detection |
| CN111737702A (en) * | 2020-06-22 | 2020-10-02 | 四川长虹电器股份有限公司 | Web fingerprint identification method based on Chebyshev inequality |
| CN113569944A (en) * | 2021-07-26 | 2021-10-29 | 北京奇艺世纪科技有限公司 | Abnormal user identification method and device, electronic equipment and storage medium |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102546524A (en) * | 2010-12-09 | 2012-07-04 | 中国科学院沈阳计算技术研究所有限公司 | Detection method aiming at SIP (Session Initiation Protocol) single-source flooding attacks and SIP intrusion-detection system |
| CN105337985A (en) * | 2015-11-19 | 2016-02-17 | 北京师范大学 | Attack detection method and system |
| CN105471854A (en) * | 2015-11-18 | 2016-04-06 | 国网智能电网研究院 | Adaptive boundary abnormity detection method based on multistage strategies |
| CN107302547A (en) * | 2017-08-21 | 2017-10-27 | 深信服科技股份有限公司 | A kind of web service exceptions detection method and device |
| US10122740B1 (en) * | 2015-05-05 | 2018-11-06 | F5 Networks, Inc. | Methods for establishing anomaly detection configurations and identifying anomalous network traffic and devices thereof |
-
2019
- 2019-05-09 CN CN201910385680.6A patent/CN110311888A/en active Pending
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102546524A (en) * | 2010-12-09 | 2012-07-04 | 中国科学院沈阳计算技术研究所有限公司 | Detection method aiming at SIP (Session Initiation Protocol) single-source flooding attacks and SIP intrusion-detection system |
| US10122740B1 (en) * | 2015-05-05 | 2018-11-06 | F5 Networks, Inc. | Methods for establishing anomaly detection configurations and identifying anomalous network traffic and devices thereof |
| CN105471854A (en) * | 2015-11-18 | 2016-04-06 | 国网智能电网研究院 | Adaptive boundary abnormity detection method based on multistage strategies |
| CN105337985A (en) * | 2015-11-19 | 2016-02-17 | 北京师范大学 | Attack detection method and system |
| CN107302547A (en) * | 2017-08-21 | 2017-10-27 | 深信服科技股份有限公司 | A kind of web service exceptions detection method and device |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111064745A (en) * | 2019-12-30 | 2020-04-24 | 厦门市美亚柏科信息股份有限公司 | Self-adaptive back-climbing method and system based on abnormal behavior detection |
| CN111064745B (en) * | 2019-12-30 | 2022-06-03 | 厦门市美亚柏科信息股份有限公司 | Self-adaptive back-climbing method and system based on abnormal behavior detection |
| CN111737702A (en) * | 2020-06-22 | 2020-10-02 | 四川长虹电器股份有限公司 | Web fingerprint identification method based on Chebyshev inequality |
| CN113569944A (en) * | 2021-07-26 | 2021-10-29 | 北京奇艺世纪科技有限公司 | Abnormal user identification method and device, electronic equipment and storage medium |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN112417439B (en) | Account detection method, device, server and storage medium | |
| JP6732806B2 (en) | Account theft risk identification method, identification device, and prevention/control system | |
| CN104113519B (en) | Network attack detecting method and its device | |
| CN104144419B (en) | Identity authentication method, device and system | |
| CN110311888A (en) | A kind of Web anomalous traffic detection method, device, equipment and medium | |
| CN105930727A (en) | Web-based crawler identification algorithm | |
| CN102710770A (en) | Identification method for network access equipment and implementation system for identification method | |
| CN107302547A (en) | A kind of web service exceptions detection method and device | |
| CN111949803A (en) | Method, device and equipment for detecting network abnormal user based on knowledge graph | |
| WO2013028794A2 (en) | Multi-factor identity fingerprinting with user behavior | |
| CN107682345B (en) | IP address detection method and device and electronic equipment | |
| CN109274637A (en) | The system and method for determining distributed denial of service attack | |
| CN103378991B (en) | A kind of online service method for monitoring abnormality and its monitoring system | |
| CN106549959B (en) | Method and device for identifying proxy Internet Protocol (IP) address | |
| CN104901962B (en) | A kind of detection method and device of web page attacks data | |
| CN110175278A (en) | The detection method and device of web crawlers | |
| US20210168147A1 (en) | Monitoring resource utilization of an online system based on statistics describing browser attributes | |
| CN107992738A (en) | A kind of account logs in method for detecting abnormality, device and electronic equipment | |
| US20150249589A1 (en) | Method and apparatus for determining automatic scanning action | |
| CN107426136B (en) | Network attack identification method and device | |
| CN109547426A (en) | Service response method and server | |
| CN104901924A (en) | Internet account verifying method and device | |
| CN113987504A (en) | Vulnerability detection method for network asset management | |
| CN107819758A (en) | A kind of IP Camera leak remote detecting method and device | |
| CN106301979A (en) | The method and system of the abnormal channel of detection |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20191008 |
|
| RJ01 | Rejection of invention patent application after publication |