CN110401639A - Abnormality determination method, device, server and its storage medium of network access - Google Patents

Publication number
CN110401639A
Authority
CN
China
Prior art keywords
network access
feature
missing
access request
assemblage characteristic
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201910578452.0A
Other languages
Chinese (zh)
Other versions
CN110401639B (en)
Inventor
黎立桂
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ping An Technology Shenzhen Co Ltd
Original Assignee
Ping An Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ping An Technology Shenzhen Co Ltd filed Critical Ping An Technology Shenzhen Co Ltd
Priority to CN201910578452.0A priority Critical patent/CN110401639B/en
Publication of CN110401639A publication Critical patent/CN110401639A/en
Priority to PCT/CN2019/118551 priority patent/WO2020258673A1/en
Application granted granted Critical
Publication of CN110401639B publication Critical patent/CN110401639B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/12: Applying verification of the received information
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention belongs to the field of security detection and provides an abnormality determination method, device, server and storage medium for network access. The method includes: collecting, at preset time intervals, the relevant features that a terminal device produces through its network access requests, and forming a combined feature set for the terminal device from those features; comparing the features of the combined feature set with a configured feature list to obtain the missing items of the combined feature set; forming missing data from the missing items and obtaining the validity of the corresponding network access request; and using the validity to determine whether the network access request is abnormal access. The method helps improve the ability to determine whether a terminal device's current network access is abnormal.

Description

Abnormality determination method, device, server and its storage medium of network access
Technical field
The present invention relates to the field of security detection technology, and in particular to an abnormality determination method, device, server and storage medium for network access.
Background art
As more and more services are delivered over the Internet, network security has drawn increasingly wide attention. Web crawlers are currently one of the main threats to the security of network services: a crawler simulates a real user to access a website. Under interference from crawlers, a website's server cannot easily tell crawlers from normal users, is prone to misjudge, and therefore responds incorrectly. To address this problem, the existing method uses data about the user's mouse clicks and drags when logging in to a website to determine the type of user. However, the rate of wrong determinations of user type with this method is still relatively high, so its results still cannot accurately distinguish normal users from web crawlers.
Summary of the invention
To overcome the above technical problem, in particular the problem in the prior art that relying on the trace data a user leaves when logging in to a network through a terminal device easily leads to a real user being judged an abnormal user, the following technical solutions are proposed:
In a first aspect, the present invention provides an abnormality determination method for network access, comprising the following steps:
collecting, at preset time intervals, the relevant features that a terminal device produces through its network access requests, and forming a combined feature set for the terminal device from those features;
comparing the features of the combined feature set with a configured feature list to obtain the missing items of the combined feature set;
forming missing data from the missing items, and obtaining the validity of the corresponding network access request;
using the validity to determine whether the network access request is abnormal access;
wherein the feature list includes the essential features produced when the terminal device initiates a network access request.
In one embodiment, comparing the features of the combined feature set with the configured feature list to obtain the missing items of the combined feature set comprises:
comparing the features of the feature set with the configured feature list to obtain the type and quantity of the missing items of the combined feature set.
In one embodiment, forming missing data from the missing items and obtaining the validity of the corresponding network access request comprises:
arranging the missing-data combinations of the combined feature set into a data hierarchy according to the missing data formed from the type and quantity of the missing items;
using the data hierarchy to obtain the validity of the corresponding network access request.
In one embodiment, arranging the missing-data combinations of the combined feature set into a data hierarchy according to the missing data formed from the type and quantity of the missing items comprises:
combining the missing data formed from the type and quantity of the missing items;
arranging the combined feature set into a data hierarchy according to the combined missing data.
In one embodiment, the step of using the data hierarchy to obtain the validity of the corresponding network access request comprises:
training a lightgbm model on the data hierarchy built from the combined missing data of the combined feature set;
inputting the combined feature set of a sample to be determined into the lightgbm model to obtain the abnormality probability of that combined feature set, and thereby the validity of the corresponding network access request.
In one embodiment, after the step of training a lightgbm model on the data hierarchy built from the combined missing data of the combined feature set, the method further comprises:
automatically tuning the parameters num_leaves, min_data_in_leaf and max_depth of the lightgbm model by grid search with GridSearchCV, so as to optimize the lightgbm model.
In one embodiment, the step of using the validity to determine whether the network access request is abnormal access comprises:
when the abnormality probability based on the validity is greater than a preset threshold, determining that the network access is abnormal access.
In a second aspect, the present invention also provides an abnormality determination device for network access, comprising:
a feature acquisition module, for collecting, at preset time intervals, the relevant features that a terminal device produces through its network access requests, and forming a combined feature set for the terminal device from those features;
a comparison module, for comparing the features of the combined feature set with a configured feature list to obtain the missing items of the combined feature set;
a validity acquisition module, for forming missing data from the missing items and obtaining the validity of the corresponding network access request;
a determination module, for using the validity to determine whether the network access request is abnormal access.
In a third aspect, the present invention also provides a server, comprising:
one or more processors;
a memory;
one or more computer programs, wherein the one or more computer programs are stored in the memory and configured to be executed by the one or more processors, the one or more computer programs being configured to perform the abnormality determination method for network access described in the embodiments of the first aspect.
In a fourth aspect, the present invention also provides a computer-readable storage medium on which a computer program is stored; when the program is executed by a processor, it implements the abnormality determination method for network access described in the embodiments of the first aspect.
The abnormality determination method and device for network access provided by the invention compare the features of the combined feature set of a network access request sent by a terminal device with a configured feature list that includes the essential features, obtain the missing items of the combined feature set from the result of the comparison, use them to judge the validity of the network access request, and finally obtain a determination of whether the corresponding network access request is abnormal.
On this basis, a further technical solution is provided: a lightgbm model is trained on the data hierarchy built from the combinations of the different missing categories of the combined feature set, and the lightgbm model is used as the decision model to judge whether the network access is abnormal access. This solution can identify diverse abnormal scenarios and, as the number of samples increases, can cover more numerous and more complex situations.
The technical solution provided by the present invention compares the features actually obtained from a network access request with a feature list containing the essential features, and uses the essential features that can reveal abnormal access as the basis of the determination, so as to obtain the best determination with as little data processing as possible.
Additional aspects and advantages of the invention will be set forth in part in the description that follows; they will become apparent from that description or be learned through practice of the invention.
Brief description of the drawings
The above and/or additional aspects and advantages of the invention will become apparent and easy to understand from the following description of the embodiments with reference to the accompanying drawings, in which:
Fig. 1 is an application environment diagram in which an embodiment of the invention executes the abnormality determination scheme for network access;
Fig. 2 is a flow chart of the abnormality determination method for network access according to one embodiment of the invention;
Fig. 3 is a schematic diagram of the abnormality determination device for network access according to one embodiment of the invention;
Fig. 4 is a structural schematic diagram of the server according to one embodiment of the invention.
Detailed description of the embodiments
Embodiments of the invention are described in detail below, and examples of the embodiments are shown in the accompanying drawings, in which the same or similar reference numbers throughout denote the same or similar elements, or elements with the same or similar functions. The embodiments described below with reference to the drawings are exemplary; they serve only to explain the invention and are not to be construed as limiting the claims.
Those skilled in the art will understand that, unless expressly stated otherwise, the singular forms "a", "an", "said" and "the" used herein may also include the plural. It should be further understood that the word "comprising" used in the specification of the invention means that the stated features, integers, steps, operations, elements and/or components are present, but does not exclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or groups thereof. It should be understood that when an element is said to be "connected" or "coupled" to another element, it may be directly connected or coupled to the other element, or intermediate elements may be present. In addition, "connected" or "coupled" as used herein may include wireless connection or wireless coupling. The term "and/or" as used herein includes all or any unit of, and all combinations of, one or more of the associated listed items.
Those skilled in the art will understand that, unless otherwise defined, all terms used herein (including technical and scientific terms) have the same meaning as commonly understood by a person of ordinary skill in the field to which the invention belongs. It should also be understood that terms such as those defined in general dictionaries should be understood to have a meaning consistent with their meaning in the context of the prior art and, unless specifically defined as here, will not be interpreted in an idealized or overly formal sense.
Those skilled in the art will understand that "terminal" and "terminal device" as used herein include both devices with a wireless signal receiver only, which have no transmitting capability, and devices with receiving and transmitting hardware, which can perform two-way communication over a two-way communication link. Such devices may include: cellular or other communication devices, with a single-line display or a multi-line display, or without a multi-line display; PCS (Personal Communications Service) devices, which may combine voice, data processing, fax and/or data communication capabilities; PDAs (Personal Digital Assistants), which may include a radio frequency receiver, pager, Internet/intranet access, web browser, notepad, calendar and/or GPS (Global Positioning System) receiver; and conventional laptop and/or palmtop computers or other devices that have and/or include a radio frequency receiver. A "terminal" or "terminal device" as used herein may be portable, transportable, installed in a vehicle (air, sea and/or land), or adapted and/or configured to run locally and/or, in distributed form, at any other location on Earth and/or in space. A "terminal" or "terminal device" as used herein may also be a communication terminal, an Internet access terminal or a music/video playback terminal, for example a PDA, a MID (Mobile Internet Device) and/or a mobile phone with music/video playback, or a device such as a smart TV or set-top box.
Those skilled in the art will understand that remote network devices as used herein include, but are not limited to, a computer, a network host, a single network server, a set of multiple network servers, or a cloud made up of multiple servers. Here, the cloud consists of a large number of computers or network servers based on cloud computing, where cloud computing is a form of distributed computing: a super virtual computer made up of a set of loosely coupled computers. In the embodiments of the invention, the remote network device, the terminal device and the WNS server may communicate by any means, including but not limited to mobile communication based on 3GPP, LTE or WIMAX, computer network communication based on the TCP/IP or UDP protocols, and short-range wireless transmission based on Bluetooth or infrared transmission standards.
Referring to Fig. 1, Fig. 1 is an application environment diagram of an embodiment of the invention. In this embodiment, the technical solution of the invention can be implemented on a server. As shown in Fig. 1, terminal devices 110 and 120 can access server 130 over the Internet; terminal device 110 and/or 120 sends a network request to server 130, and server 130 exchanges data according to the network request. During the data exchange, server 130 obtains the access data and attribute data of terminal device 110 and/or 120 from the request information of terminal device 110 and/or 120, and performs abnormality determination on the terminal device according to those data.
To solve the problem that current abnormal-data determination easily judges a real user to be an abnormal user, the present invention provides an abnormality determination method for network access. Referring to Fig. 2, which is a flow chart of the abnormality determination method for network access according to one embodiment, the method includes the following steps:
S210: collect, at preset time intervals, the relevant features that a terminal device produces through its network access requests, and form a combined feature set for the terminal device from those features.
When the server and the terminal device exchange data, the server collects the relevant features of the terminal device at intervals. "At intervals" means that, within a preset time interval, the relevant features are collected according to the terminal device's network requests and formed into one combined feature set.
The relevant parameters of the terminal device are obtained from the network request it sends. In this step, the user sends a registration or verification request, and the front end uses a JavaScript script to obtain the relevant features of the terminal device, including multiple feature values such as device type (iPhone, Mac, Android), system information (OS type, version, resolution) and IP. The combined feature set for the terminal device is formed from these feature values; the feature values in the set may have non-linear relationships with one another.
In this embodiment, the features may specifically include device features obtained by the front end: browser language, pixel ratio, color depth, whether an audio stack fingerprint is provided, the parameter information of the audio stack fingerprint, the total number of logical processors the system makes available to the user agent, whether the CPU class is unknown, whether browser plug-ins are missing, whether the font list determined using JS/CSS is missing, whether the operating system is unknown, and whether the WebGL vendor is missing. By parsing the string in user_agent, the type, brand, model and operating system version of the device are obtained; the parsed brand and model of the terminal device that sent the current network access request are matched against the same brand and model in the base library to obtain the corresponding feature information. The base library holds the real feature information for all device models, obtained from authoritative websites.
Further, to eliminate the effect of differing dimensions between variables and make the data comparable, the feature information values in each feature set are standardized before the feature values are labeled. For example, the feature set obtained for each access record may contain variables on a 100-point scale and variables on a 5-point scale; only after all data are standardized can they be compared on the same scale.
S220: compare the features of the combined feature set with the configured feature list to obtain the missing items of the combined feature set.
In this step, based on the historical feature information of network access requests initiated by terminal devices, the features relating to a terminal device initiating a network access request are collected to form the corresponding feature list. The feature list includes at least the essential features produced when the terminal device initiates a network access request. Essential features are those for which the corresponding real information can be found in the base library, for later reference; examples are browser language, pixel ratio, the total number of logical processors the system makes available to the user agent, CPU type, operating system and WebGL vendor.
The corresponding features are extracted from the combined feature set formed when the terminal device initiates a network access request, and are compared with the feature information of the feature list. The feature list enumerates essential features. Therefore, if the network access request initiated by the terminal device is a normal network access request, the feature information of the feature list will normally be contained in the combined feature set.
Because the feature list is set up in this way, the comparison yields the missing items of the combined feature set.
S230: form missing data from the missing items, and obtain the validity of the corresponding network access request.
Once step S220 has produced the missing items, the missing items form the missing data of the combined feature set, and the missing data correspond to the network access request that was initiated. The validity of the corresponding network access request is obtained from the missing data. If the missing data is 0, the server was able to obtain all the necessary feature information from the terminal device that initiated the network access request, and the validity is at its highest. As the missing data increases, the validity of the corresponding network access request is directly affected.
In this embodiment, the validity expresses how likely it is that the network access request initiated by the terminal device was issued through a user's normal use, and is used to determine whether the network access request was initiated by a web crawler.
S240: use the validity to determine whether the network access request is abnormal access.
The validity obtained in the steps above can be used directly to determine whether the network access request was issued by a web crawler or another abnormal user, and thus whether the network access request is abnormal access.
The abnormality determination method for network access provided by the invention obtains a combined feature set for the terminal device from its network access requests, compares the combined feature set with a preset feature list that includes the essential features of initiating a network access request, obtains the missing items of the combined feature set, obtains the validity of the network access request from the missing items, and determines from the validity whether the request is abnormal access. The prior art can only determine the type of user from a surface phenomenon, namely the click-and-drag data generated when the user initiates a network access request. In contrast, the technical solution of the invention determines whether a network access request is abnormal access from the missing items of the combined feature set, found by comparison with the configured feature list. It starts from the underlying phenomenon that abnormal access produces, processes the feature data that this phenomenon generates, and bases the determination on the result, so it can reach a highly reliable determination with as little data comparison and processing as possible, which improves accuracy.
Step S220 may further comprise:
comparing the features of the feature set with the configured feature list to obtain the type and quantity of the missing items of the combined feature set.
In this step, the features in the feature set are compared with the configured feature list. The comparison enumerates and summarizes the types of the features in the combined feature set and matches them, type by type, one-to-one with the features in the feature list. If, after matching, some features in the feature list still have no corresponding feature in the combined feature set, the items for those features are the missing items of the combined feature set; this gives the type and quantity of the missing items.
For example, if the comparison shows that two features in the feature list, the type of operating system and the WebGL vendor, have no corresponding feature in the combined feature set, then the types of the missing items of the combined feature set are the type of operating system and the WebGL vendor, and the quantity is 2.
With step S220 further limited in this way, step S230 may comprise the following steps:
A1: arrange the missing-data combinations of the combined feature set into a data hierarchy according to the missing data formed from the type and quantity of the missing items;
A2: use the data hierarchy to obtain the validity of the corresponding network access request.
For steps A1-A2, one specific case is that the missing data are concentrated in one category: the missing items are the CPU class, the display pixel ratio and the hard disk type, so the missing data are mainly hardware data of the terminal device. Because hardware data play a fundamental role in the operation of a terminal device when it initiates a network access request, and 3 hardware items are missing, the missing degree can be rated high and the validity of the corresponding network access request is low.
If instead the missing items are scattered across information such as browser language, browser plug-ins and audio stack fingerprint, the number of missing items is again 3, but these items are less necessary than hardware data for a terminal device initiating a network access request. Although there are also 3 missing items, the missing degree does not reach the high level, so the validity of the corresponding network access request is medium.
The feature items of the feature list can be graded by how necessary they are for a terminal device to initiate a network access request. Likewise, grading rules can be set for the missing data according to the grades of the essential features it contains and their quantities. The different missing-data combinations are arranged into a data hierarchy according to these rules.
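The comparison and grading described in S220, S230 and steps A1-A2, as an added Python example that is not part of the patent text: it finds the missing items of a collected feature set, reports their type and quantity, and grades the missing data. The feature names, the category weights and the score thresholds are assumptions, chosen so that the two cases above (three hardware items missing, three browser items missing) grade the way the text describes.

```python
from collections import Counter

# Assumed feature list: each essential feature is tagged with a category.
# Names, categories, weights and thresholds are illustrative, not from the patent.
FEATURE_LIST = {
    "cpu_class": "hardware",
    "pixel_ratio": "hardware",
    "disk_type": "hardware",
    "os_type": "system",
    "webgl_vendor": "system",
    "browser_language": "browser",
    "browser_plugins": "browser",
    "audio_fingerprint": "browser",
}
CATEGORY_WEIGHT = {"hardware": 3, "system": 2, "browser": 1}
HIGH_SCORE = 7  # assumed cut-off for a "high" missing degree

# Values that count as "not obtained" (the text treats "unknown" as missing).
EMPTY_VALUES = (None, "", "unknown", [], {})


def missing_items(collected):
    """S220: return [(feature, category)] for list entries absent from the set."""
    missing = []
    for name, category in FEATURE_LIST.items():
        value = collected.get(name)
        if isinstance(value, str):
            value = value.strip().lower()
        if value in EMPTY_VALUES:
            missing.append((name, category))
    return missing


def missing_data(collected):
    """Type and quantity of the missing items, plus a per-category count."""
    items = missing_items(collected)
    return {
        "types": sorted(name for name, _ in items),
        "count": len(items),
        "by_category": dict(Counter(category for _, category in items)),
    }


def grade(collected):
    """A1-A2: map missing data to (missing degree, validity of the request)."""
    items = missing_items(collected)
    if not items:
        return ("none", "highest")
    score = sum(CATEGORY_WEIGHT[category] for _, category in items)
    if score >= HIGH_SCORE:
        return ("high", "low")
    return ("medium", "medium")


def without(record, *names):
    """Copy of a record with the named features dropped (test helper)."""
    return {k: v for k, v in record.items() if k not in names}


# Constructed sample of a fully populated combined feature set.
COMPLETE = {
    "cpu_class": "x86", "pixel_ratio": 2.0, "disk_type": "ssd",
    "os_type": "macOS", "webgl_vendor": "Example GPU Vendor",
    "browser_language": "zh-CN", "browser_plugins": ["pdf-viewer"],
    "audio_fingerprint": "124.04",
}

if __name__ == "__main__":
    cases = {
        "complete": COMPLETE,
        "os + webgl missing": {**without(COMPLETE, "webgl_vendor"), "os_type": "unknown"},
        "3 hardware missing": without(COMPLETE, "cpu_class", "pixel_ratio", "disk_type"),
        "3 browser missing": without(COMPLETE, "browser_language", "browser_plugins",
                                     "audio_fingerprint"),
    }
    for label, record in cases.items():
        print(label, missing_data(record), grade(record))
```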
Step A1 may further comprise the following steps:
A11: combine the missing data formed from the type and quantity of the missing items;
A12: arrange the combined feature set into a data hierarchy according to the combined missing data.
In steps A11-A12, the missing items of the combined feature set are combined according to their type and quantity. According to the combined missing data, the combined feature set is arranged into data hierarchies with different orderings.
Specifically, a tree-structured classification can be set up for the missing items of the combined feature set. In the tree structure, different root nodes represent different categories, two child nodes are split off under each root node, and each child node is a subcategory of its root node's category.
For one combined feature set, each category can be placed at root nodes in different positions, forming different data hierarchies.
This is illustrated again with the embodiment in which the missing items of the missing data are scattered across browser language, browser plug-ins and audio stack fingerprint:
In this embodiment, the classification of the missing items may include at least whether browser information is missing and whether the number of missing items exceeds 2. If the first level is set to whether browser information is missing and the second level to whether the number of missing items exceeds 2, or if instead the first level is set to whether the number of missing items exceeds 2 and the second level to whether browser information is missing, the two resulting data hierarchies of the combined feature set are different; that is, the resulting tree structures are different.
On the basis of steps A11-A12, the corresponding step A2 may further include the following steps:
A21: train a lightgbm model on the data layering performed according to the combined missing data of the combined feature set;
A22: input the combined feature set of the sample to be judged into the lightgbm model to obtain the abnormal probability of that combined feature set, and from it the validity of the corresponding network access request.
In steps A21-A22, the different data layerings obtained in step A12 are fed into the lightgbm model and the model is trained to obtain its parameters, such as num_leaves, min_data_in_leaf and max_depth. Specifically, the parameters can first be given default settings, the different data layerings from the example above are substituted in, and the parameters are then readjusted, yielding the trained lightgbm model.
The parameters of the lightgbm model have the following meanings:
num_leaves is the maximum number of leaves of a tree and is used to adjust the complexity of the tree; its value is usually ≤ 2^(max_depth). min_data_in_leaf: its value depends on the number of training samples and on num_leaves; setting it larger avoids growing a tree that is too deep. max_depth is the maximum depth of a tree.
After the trained lightgbm model is obtained in step A21, the feature-set data of the sample to be judged is input into the lightgbm model to perform abnormality determination on the network access request initiated by the corresponding terminal device. The lightgbm model outputs the abnormal probability of the combined feature set of the sample to be judged. The abnormal probability characterizes the probability that the network access request initiated by the sample to be judged comes from an abnormal user, and it directly reflects the validity of the access as normal user access: the higher the abnormal probability, the lower the validity of the corresponding network access request.
The sample to be judged is the network access request initiated by the terminal device to be judged.
Using the lightgbm model as the decision model for judging whether a network access is an abnormal access makes it possible to identify diverse abnormal scenarios, and as the sample size increases, more and more complex situations can be covered.
After step A21, the parameters of the lightgbm model are tuned automatically with GridSearchCV grid search; the parameters involved include the lightgbm parameters mentioned above, num_leaves, min_data_in_leaf and max_depth. Adjusting these parameters optimizes the lightgbm model and improves the accuracy of abnormality determination for the network access request initiated by the corresponding terminal device.
Step S240 may include:
When the abnormal probability on which the validity is based is greater than a preset threshold, determining that the network access is an abnormal access.
In this step, the abnormal probability of the network access request initiated by the corresponding terminal device is obtained from the lightgbm model as in step A22. The judgment threshold is the critical point of the probability that the terminal device is initiating a normal network access request. When the abnormal probability exceeds the range limited by the preset threshold, the network access is considered likely to be an abnormal access, which gives the result that the network access initiated by the corresponding terminal device is an abnormal access.
If the network request currently initiated by the terminal device is judged to be an abnormal access request, the server directly refuses the request or requires the terminal device to perform access verification again; if it is judged to be a normal access request, the server responds to the request directly.
In addition, the combined feature set may also include:
Effective derived feature information for identifying outliers, obtained by performing a data-dispersion measure calculation on the values of the features of the combined feature set.
The data-dispersion measure calculation yields effective derived features that identify outliers. Accordingly, the corresponding effective derived features are also added to the feature list, so that they can be compared with the effective derived features of the combined feature set to obtain the missing items among the effective derived features.
The data-dispersion measure calculation includes computing, for the corresponding feature data, the range, the quartiles, the interquartile range and the five-number summary; the five-number summary is, in order, the minimum, upper quartile, median, lower quartile and maximum.
Adding features for comparison to the feature list lets the combined feature set of the sample to be judged be compared more comprehensively, further improving the decision-making capability of the abnormality determination method for network access.
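The dispersion measures above can be turned into derived features as in the following added example, which is not code from the patent. The numeric feature name plugin_count, its reference values, the derived-feature suffixes and the 1.5 × IQR fence used to flag outliers are constructed assumptions.

```python
import statistics

# Constructed reference values of one numeric feature (hypothetical name:
# plugin_count) taken from requests treated as normal.
REFERENCE = {"plugin_count": [2, 4, 4, 5, 6, 7, 8, 9, 10]}


def spread_summary(values):
    """Range, quartiles, interquartile range and five-number summary of a feature."""
    data = sorted(values)
    q1, median, q3 = statistics.quantiles(data, n=4, method="inclusive")
    return {
        "min": data[0], "q1": q1, "median": median, "q3": q3, "max": data[-1],
        "range": data[-1] - data[0],
        "iqr": q3 - q1,
    }


def derived_feature_names(summaries):
    """Entries to append to the feature list so derived features are compared too."""
    return [name + suffix
            for name in summaries
            for suffix in ("__iqr_distance", "__is_outlier")]


def add_derived(feature_set, summaries, k=1.5):
    """Copy of feature_set extended with the derived outlier features."""
    out = dict(feature_set)
    for name, s in summaries.items():
        value = feature_set.get(name)
        if value is None:
            # Raw feature missing: its derived features stay missing as well
            # and show up as missing items in the comparison.
            continue
        iqr = s["iqr"] or 1.0  # constant feature: avoid division by zero
        low, high = s["q1"] - k * s["iqr"], s["q3"] + k * s["iqr"]
        out[name + "__iqr_distance"] = (value - s["median"]) / iqr
        out[name + "__is_outlier"] = not (low <= value <= high)
    return out


SUMMARIES = {name: spread_summary(v) for name, v in REFERENCE.items()}

if __name__ == "__main__":
    print(SUMMARIES["plugin_count"])
    for fs in ({"plugin_count": 5}, {"plugin_count": 40}, {}):
        extended = add_derived(fs, SUMMARIES)
        missing = [n for n in derived_feature_names(SUMMARIES) if n not in extended]
        print(fs, "->", extended, "missing derived:", missing)
```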
Based on the same inventive concept as the above abnormality determination method for network access, an embodiment of the present invention also provides an abnormality determination device for network access which, as shown in Fig. 3, comprises:
a feature acquisition module 310, configured to collect, at a preset time interval, the relevant features generated by a terminal device according to a network access request, and to form a combined feature set for the terminal device from the features;
a comparison module 320, configured to compare the features of the combined feature set with a set feature list to obtain the missing items of the corresponding combined feature set;
a validity acquisition module 330, configured to form missing data from the missing items and obtain the validity of the corresponding network access request;
a determination module 340, configured to use the validity to determine whether the network access request is an abnormal access.
Referring to Fig. 4, Fig. 4 is a schematic diagram of the internal structure of a server in one embodiment. As shown in Fig. 4, the server includes a processor 410, a storage medium 420, a memory 430 and a network interface 440 connected by a system bus. The storage medium 420 of the server stores an operating system, a database and computer-readable instructions; the database can store control information sequences. When the computer-readable instructions are executed by the processor 410, they cause the processor 410 to implement an abnormality determination method for network access, and the processor 410 can implement the functions of the feature acquisition module 310, comparison module 320, validity acquisition module 330 and determination module 340 of the abnormality determination device for network access in the embodiment shown in Fig. 3. The processor 410 of the server provides computing and control capability and supports the operation of the entire server. The memory 430 of the server can store computer-readable instructions which, when executed by the processor 410, cause the processor 410 to execute an abnormality determination method for network access. The network interface 440 of the server is used to connect to and communicate with terminals. Those skilled in the art will understand that the structure shown in Fig. 4 is only a block diagram of the part of the structure relevant to the solution of this application and does not limit the server to which the solution is applied; a specific server may include more or fewer components than shown in the figure, combine certain components, or have a different arrangement of components.
In one embodiment, the invention also provides a storage medium storing computer-readable instructions which, when executed by one or more processors, cause the one or more processors to perform the following steps: collecting, at a preset time interval, the relevant features generated by a terminal device according to a network access request, and forming a combined feature set for the terminal device from the features; comparing the features of the combined feature set with a set feature list to obtain the missing items of the corresponding combined feature set; forming missing data from the missing items to obtain the validity of the corresponding network access request; and using the validity to determine whether the network access request is an abnormal access.
From the above embodiments it can be seen that the main beneficial effects of the present invention are:
The abnormality determination method, device, server and storage medium for network access provided by the present invention compare the features of the combined feature set of a network access request sent by a terminal device with a set feature list that includes the essential features, obtain the missing items of the combined feature set from the result of the comparison, and thereby judge the validity of the network access request, finally obtaining the result of whether the corresponding network access request is abnormal.
On this basis, a further technical solution is provided: a lightgbm model is trained on the data layering performed according to the combined missing data of the combined feature set, and the lightgbm model is used as the decision model for judging whether the network access is an abnormal access. This solution can identify diverse abnormal scenarios, and as the sample size increases, more and more complex situations can be covered.
The technical solution provided by the present invention compares the features actually obtained from a network access request with a feature list containing the essential features, and uses the essential features that can reveal abnormal access as the basis of the judgment, so that the best judgment effect is obtained with as little data processing as possible.
In summary, with the abnormality determination method, device, server and storage medium for network access of the present invention, the judgment of abnormal access is easily obtained after comparison with a feature list that reflects verified normal network access. This solves the technical problem that, in the prior art, abnormal access can only be judged from the click-and-drag data produced when the user initiates the network access request, which has a high error rate, and it improves the ability to decide whether a terminal device's access is abnormal.
Those of ordinary skill in the art will understand that all or part of the processes of the above embodiment methods can be implemented by a computer program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, may include the processes of the embodiments of the above methods. The storage medium may be a magnetic disk, an optical disc, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM), or the like.
The technical features of the above embodiments can be combined arbitrarily. For brevity, not all possible combinations of the technical features in the above embodiments are described; however, as long as a combination of these technical features contains no contradiction, it should be considered within the scope of this specification.
The above embodiments express only several implementations of the present invention, and their description is relatively specific and detailed, but they should not therefore be construed as limiting the scope of the patent. It should be noted that those of ordinary skill in the art can make various modifications and improvements without departing from the inventive concept, and these all fall within the protection scope of the present invention. Therefore, the protection scope of this patent shall be subject to the appended claims.

Claims (10)

1. An abnormality determination method for network access, characterized by comprising the following steps:
collecting, at a preset time interval, the relevant features generated by a terminal device according to a network access request, and forming a combined feature set for the terminal device from the features;
comparing the features of the combined feature set with a set feature list to obtain the missing items of the corresponding combined feature set;
forming missing data from the missing items to obtain the validity of the corresponding network access request;
using the validity to determine whether the network access request is an abnormal access;
wherein the feature list includes the essential features generated when the terminal device initiates a network access request.
2. The method according to claim 1, characterized in that
comparing the features of the combined feature set with the set feature list to obtain the missing items of the corresponding combined feature set comprises:
comparing the features of the feature set with the set feature list to obtain the type and quantity of the missing items of the corresponding combined feature set.
3. The method according to claim 2, characterized in that
forming missing data from the missing items to obtain the validity of the corresponding network access request comprises:
performing data layering on combinations of the missing data of the combined feature set, the missing data being formed from the type and quantity of the missing items;
using the data layering to obtain the validity of the corresponding network access request.
4. The method according to claim 3, characterized in that
performing data layering on combinations of the missing data of the combined feature set, the missing data being formed from the type and quantity of the missing items, comprises:
combining the missing data formed from the type and quantity of the missing items;
performing data layering on the combined feature set according to the combined missing data.
5. The method according to claim 3, characterized in that
the step of using the data layering to obtain the validity of the corresponding network access request comprises:
training a lightgbm model on the data layering performed according to the combined missing data of the combined feature set;
inputting the combined feature set of the sample to be judged into the lightgbm model to obtain the abnormal probability of the combined feature set of the sample to be judged, and obtaining the validity of the corresponding network access request.
6. The method according to claim 5, characterized in that
after the step of training a lightgbm model on the data layering performed according to the combined missing data of the combined feature set, the method further comprises:
automatically tuning the parameters num_leaves, min_data_in_leaf and max_depth of the lightgbm model by GridSearchCV grid search, thereby adjusting and optimizing the lightgbm model.
7. The method according to claim 5, characterized in that
the step of using the validity to determine whether the network access request is an abnormal access comprises:
when the abnormal probability on which the validity is based is greater than a preset threshold, determining that the network access is an abnormal access.
8. An abnormality determination device for network access, characterized by comprising:
a feature acquisition module, configured to collect, at a preset time interval, the relevant features generated by a terminal device according to a network access request, and to form a combined feature set for the terminal device from the features;
a comparison module, configured to compare the features of the combined feature set with a set feature list to obtain the missing items of the corresponding combined feature set;
a validity acquisition module, configured to form missing data from the missing items and obtain the validity of the corresponding network access request;
a determination module, configured to use the validity to determine whether the network access request is an abnormal access.
9. A server, characterized by comprising:
one or more processors;
a memory;
one or more computer programs, wherein the one or more computer programs are stored in the memory and configured to be executed by the one or more processors, and the one or more computer programs are configured to carry out the abnormality determination method for network access according to any one of claims 1 to 7.
10. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, and the computer program, when executed by a processor, implements the abnormality determination method for network access according to any one of claims 1 to 7.
CN201910578452.0A 2019-06-28 2019-06-28 Method and device for judging abnormality of network access, server and storage medium thereof Active CN110401639B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201910578452.0A CN110401639B (en) 2019-06-28 2019-06-28 Method and device for judging abnormality of network access, server and storage medium thereof
PCT/CN2019/118551 WO2020258673A1 (en) 2019-06-28 2019-11-14 Network access abnormality determination method and apparatus, server and storage medium

Publications (2)

Publication Number Publication Date
CN110401639A true CN110401639A (en) 2019-11-01
CN110401639B CN110401639B (en) 2021-12-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant