CN110401639A - Abnormality determination method, device, server and its storage medium of network access - Google Patents
- Publication number: CN110401639A (application CN201910578452.0A)
- Authority: CN (China)
- Prior art keywords: network access, feature, missing, access request, combined feature
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L63/12: Network architectures or network communication protocols for network security; applying verification of the received information
- H04L63/1416: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic; event detection, e.g. attack signature detection
Abstract
The invention belongs to the field of security detection technology and provides a method, device, server and storage medium for determining abnormal network access. The method includes: collecting, at a preset time interval, the relevant features that a terminal device produces through its network access requests, and forming a combined feature set for the terminal device from those features; comparing the features of the combined feature set with a configured feature list to obtain the missing items of the corresponding combined feature set; forming missing data from the missing items and obtaining the validity of the corresponding network access request; and using the validity to determine whether the network access request is an abnormal access. The method helps improve the ability to determine whether a terminal device's current network access is abnormal.
Description
Technical field
The present invention relates to the field of security detection technology, and in particular to a method, device, server and storage medium for determining abnormal network access.
Background
As more and more services are delivered over the Internet, network security has drawn increasingly wide attention. Web crawlers are currently one of the main threats to the security of network services: a web crawler simulates a real user accessing a website. Under interference from web crawlers, a website's server cannot easily tell crawlers from normal users, is prone to misclassifying them, and therefore reacts incorrectly. To address this problem, existing methods collect the mouse click-and-drag data of users as they log in to a website in order to identify the type of user. However, the rate at which this approach misclassifies the user type is still high, so its results still cannot accurately distinguish normal users from web crawlers.
Summary of the invention
To overcome the above technical problems, in particular the problem that prior-art approaches based on the usage-trace data a user leaves when logging in to a network through a terminal device tend to classify real users as abnormal users, the following technical solutions are proposed:
In a first aspect, the present invention provides a method for determining abnormal network access, comprising the following steps:
Collecting, at a preset time interval, the relevant features that a terminal device produces through its network access requests, and forming a combined feature set for the terminal device from the features;
Comparing the features of the combined feature set with a configured feature list to obtain the missing items of the corresponding combined feature set;
Forming missing data from the missing items to obtain the validity of the corresponding network access request;
Using the validity to determine whether the network access request is an abnormal access;
Wherein the feature list includes the essential features produced when the terminal device initiates a network access request.
In one embodiment, comparing the features of the combined feature set with the configured feature list to obtain the missing items of the corresponding combined feature set comprises:
Comparing the features of the feature set with the configured feature list to obtain the types and quantity of the missing items of the corresponding combined feature set.
In one embodiment, forming missing data from the missing items to obtain the validity of the corresponding network access request comprises:
Tiering the missing-data combinations of the combined feature set according to the missing data formed from the types and quantity of the missing items;
Using the data tiering to obtain the validity of the corresponding network access request.
In one embodiment, tiering the missing-data combinations of the combined feature set according to the missing data formed from the types and quantity of the missing items comprises:
Combining the missing data formed from the types and quantity of the missing items;
Tiering the data of the combined feature set according to the combined missing data.
In one embodiment, the step of using the data tiering to obtain the validity of the corresponding network access request comprises:
Training and obtaining a lightgbm model from the data tiering performed on the combined missing data of the combined feature set;
Inputting the combined feature set of a sample to be determined into the lightgbm model, obtaining the abnormal probability of the combined feature set of the sample to be determined, and thereby obtaining the validity of the corresponding network access request.
In one embodiment, after the step of training and obtaining the lightgbm model from the data tiering performed on the combined missing data of the combined feature set, the method further comprises:
Using GridSearchCV grid search to tune the parameters num_leaves, min_data_in_leaf and max_depth of the lightgbm model automatically, thereby optimizing the lightgbm model.
In one embodiment, the step of using the validity to determine whether the network access request is an abnormal access comprises:
When the abnormal probability based on the validity is greater than a preset threshold, determining that the network access is an abnormal access.
In a second aspect, the present invention also provides a device for determining abnormal network access, comprising:
A feature acquisition module, configured to collect, at a preset time interval, the relevant features that a terminal device produces through its network access requests, and to form a combined feature set for the terminal device from the features;
A comparison module, configured to compare the features of the combined feature set with a configured feature list to obtain the missing items of the corresponding combined feature set;
A validity acquisition module, configured to form missing data from the missing items and obtain the validity of the corresponding network access request;
A determination module, configured to use the validity to determine whether the network access request is an abnormal access.
In a third aspect, the present invention also provides a server, comprising:
One or more processors;
A memory;
One or more computer programs, wherein the one or more computer programs are stored in the memory and configured to be executed by the one or more processors, and the one or more computer programs are configured to carry out the method for determining abnormal network access described in the embodiments of the first aspect.
In a fourth aspect, the present invention also provides a computer-readable storage medium on which a computer program is stored; when executed by a processor, the program implements the method for determining abnormal network access described in the embodiments of the first aspect.
The method and device for determining abnormal network access provided by the invention compare the features of the combined feature set of a network access request sent by a terminal device with a configured feature list that includes the essential features, obtain the missing items of the combined feature set from the result of the comparison, judge the validity of the network access request from them, and finally obtain a determination of whether the corresponding network access request is abnormal.
On this basis, another technical solution is also provided: a lightgbm model is trained and obtained from the data tiering performed on combinations of the different missing categories of the combined feature set, and the lightgbm model is used as the decision model to judge whether the network access is an abnormal access. This solution can identify diverse abnormal scenarios and, as the number of samples grows, can cover more and more complex situations.
The technical solution provided by the invention compares the features actually obtained from a network access request with a feature list containing the essential features, and uses the essential features that can reveal abnormal access as the basis for the determination, so as to obtain the best determination result with as little data processing as possible.
Additional aspects and advantages of the invention will be set forth in part in the description that follows; they will become apparent from that description or be learned through practice of the invention.
Brief description of the drawings
The above and/or additional aspects and advantages of the invention will become apparent and readily understood from the following description of the embodiments taken together with the accompanying drawings, in which:
Fig. 1 is a diagram of the application environment in which an embodiment of the invention carries out the scheme for determining abnormal network access;
Fig. 2 is a flow chart of the method for determining abnormal network access according to one embodiment of the invention;
Fig. 3 is a schematic diagram of the device for determining abnormal network access according to one embodiment of the invention;
Fig. 4 is a structural diagram of the server according to one embodiment of the invention.
Detailed description of the embodiments
Embodiments of the present invention are described in detail below, and examples of the embodiments are shown in the accompanying drawings, in which the same or similar reference numerals throughout denote the same or similar elements or elements with the same or similar functions. The embodiments described below with reference to the drawings are exemplary, serve only to explain the invention, and are not to be construed as limiting the claims.
Those skilled in the art will understand that, unless expressly stated otherwise, the singular forms "a", "an", "said" and "the" used herein may also include the plural. It should further be understood that the word "comprising" used in this specification means that the stated features, integers, steps, operations, elements and/or components are present, but does not exclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or groups thereof. It should be understood that when an element is referred to as being "connected" or "coupled" to another element, it can be directly connected or coupled to the other element, or intervening elements may be present. In addition, "connected" or "coupled" as used herein may include wireless connection or wireless coupling. The term "and/or" as used herein includes all or any unit and all combinations of one or more of the associated listed items.
Those skilled in the art will understand that, unless otherwise defined, all terms used herein (including technical and scientific terms) have the same meaning as commonly understood by those of ordinary skill in the art to which the invention belongs. It should also be understood that terms such as those defined in general dictionaries should be interpreted as having a meaning consistent with their meaning in the context of the prior art and, unless specifically defined as here, will not be interpreted in an idealized or overly formal sense.
Those skilled in the art will understand that "terminal" and "terminal device" as used herein include both devices with only a wireless signal receiver, which have no transmit capability, and devices with receive and transmit hardware, which are capable of two-way communication over a two-way communication link. Such devices may include: cellular or other communication devices, with a single-line display or a multi-line display, or without a multi-line display; PCS (Personal Communications Service) devices, which may combine voice, data processing, fax and/or data communication capabilities; PDAs (Personal Digital Assistant), which may include a radio frequency receiver, pager, Internet/intranet access, web browser, notepad, calendar and/or GPS (Global Positioning System) receiver; and conventional laptop and/or palmtop computers or other devices that have and/or include a radio frequency receiver. A "terminal" or "terminal device" as used herein may be portable, transportable, installed in a vehicle (air, sea and/or land), or suited and/or configured to run locally and/or, in distributed form, at any other location on Earth and/or in space. A "terminal" or "terminal device" as used herein may also be a communication terminal, an Internet access terminal or a music/video playback terminal, for example a PDA, a MID (Mobile Internet Device) and/or a mobile phone with music/video playback functions, or a device such as a smart TV or set-top box.
Those skilled in the art will understand that the remote network device used herein includes, but is not limited to, a computer, a network host, a single network server, a set of multiple network servers, or a cloud formed by multiple servers. Here, the cloud consists of a large number of computers or network servers based on cloud computing (Cloud Computing), where cloud computing is a form of distributed computing: a super virtual computer consisting of a loosely coupled set of computers. In embodiments of the invention, the remote network device, the terminal device and the WNS server may communicate by any means of communication, including but not limited to mobile communication based on 3GPP, LTE or WIMAX, computer network communication based on the TCP/IP or UDP protocols, and short-range wireless transmission based on Bluetooth or infrared transmission standards.
Referring to Fig. 1, which is a diagram of the application environment of an embodiment of the invention: in this embodiment, the technical solution of the invention can be implemented on a server. As shown in Fig. 1, terminal devices 110 and 120 can access server 130 over the Internet; terminal device 110 and/or 120 sends network requests to server 130, and server 130 exchanges data according to the network requests. During the data exchange, server 130 obtains the access data and attribute data of terminal device 110 and/or 120 from the request information of terminal device 110 and/or 120, and makes an abnormality determination for the terminal device based on that data.
To solve the problem that current abnormal-data determination tends to classify real users as abnormal users, the present invention provides a method for determining abnormal network access. Referring to Fig. 2, which is a flow chart of the method for determining abnormal network access according to one embodiment, the method includes the following steps:
S210: Collect, at a preset time interval, the relevant features that a terminal device produces through its network access requests, and form a combined feature set for the terminal device from the features.
When the server exchanges data with the terminal device, it collects the relevant features of the terminal device at intervals. That is, within each preset time interval, the relevant features are collected according to the terminal device's network requests and formed into a combined feature set.
From the network request issued by the terminal device, the relevant parameters of the terminal device are obtained. In this step, when the user sends a registration or verification request, the front end uses a JavaScript script to obtain the relevant features of the terminal device, including multiple characteristic values such as device type (iPhone, Mac, Android), system information (OS type, version, resolution) and IP. A combined feature set for the terminal device is formed from these characteristic values; the characteristic values in the set may be non-linearly related to one another.
In this embodiment, the features may specifically include the following device features obtained by the front end: browser language, pixel ratio, color depth, whether an audio stack fingerprint is provided, the parameter information of the audio stack fingerprint, the total number of logical processors the system makes available to the user agent, whether the CPU class is unknown, whether browser plug-ins are missing, whether the font list determined using JS/CSS is missing, whether the operating system is unknown, and whether the WebGL vendor is missing. By parsing the string information in user_agent, the type, brand, model and operating system version number of the device are obtained; the parsed brand and model of the terminal device currently sending the network access request are matched against the same device brand and model in a base library to obtain the characteristic information corresponding to the above items. The base library holds the real characteristic information of all device models, obtained from authoritative websites.
Further, to eliminate the effect of differing scales between variables so that the data are comparable, the characteristic values in each feature set are standardized before the features are labeled. For example, the feature set obtained for each access record may contain variables on a 100-point scale and variables on a 5-point scale; only after all the data are normalized can they be compared on the same standard.
S220: Compare the features of the combined feature set with the configured feature list to obtain the missing items of the corresponding combined feature set.
In this step, the features of network access requests initiated by the terminal device are collected from the historical feature information of such requests, and a corresponding feature list is formed. The feature list includes at least the essential features produced when the terminal device initiates a network access request. An essential feature is one for which the corresponding real information can be found in the base library, so that it can serve as a reference later; examples are browser language, pixel ratio, the total number of logical processors the system makes available to the user agent, CPU type, operating system and WebGL vendor.
The corresponding features are extracted from the combined feature set formed when the terminal device initiates a network access request, and are compared with the characteristic information in the feature list. The features enumerated in the feature list are essential features. Therefore, if the network access request initiated by the terminal device is a normal network access request, the characteristic information of the feature list will normally be contained in the combined feature set.
Thus, with the feature list set up in this way, the comparison yields the missing items of the corresponding combined feature set.
S230: Form missing data from the missing items and obtain the validity of the corresponding network access request.
Once step S220 has produced the missing items, the missing items form the missing data for the corresponding combined feature set, and the missing data corresponds to the network access request that was initiated. The validity of the corresponding network access request is obtained from the missing data. If the missing data is 0, the server was able to obtain all the essential characteristic information from the terminal device that initiated the network access request, and the corresponding validity is the highest. As the missing data increases, the validity of the corresponding network access request is directly affected.
In this embodiment, the validity expresses the likelihood that the network access request initiated by the terminal device was issued through normal use by a user, and is used to determine whether the network access request was initiated by a web crawler.
S240: Use the validity to determine whether the network access request is an abnormal access.
The validity obtained in the steps above can be used directly to determine whether the network access request was issued by a web crawler or another abnormal user, and thus whether the network access request is an abnormal access.
The method for determining abnormal network access provided by the invention obtains a combined feature set for the terminal device from its network access requests, compares the combined feature set with a preset feature list containing the essential features of initiating a network access request, obtains the missing items of the corresponding combined feature set, derives the validity of the network access request from the missing items, and from the validity determines whether the request is an abnormal access. The prior art can only identify the type of user from the surface phenomenon of the click-and-drag data generated when the user initiates a network access request. By contrast, the technical solution of the invention, which determines whether a network access request is an abnormal access from the missing items obtained by comparison with the configured feature list, starts from the underlying phenomena that abnormal access produces, processes the characteristic data arising from those phenomena, and makes the determination from the result of that processing. It can reach a high-quality determination with as little data comparison and processing as possible, which improves accuracy.
Step S220 may further comprise:
Comparing the features of the feature set with the configured feature list to obtain the types and quantity of the missing items of the corresponding combined feature set.
In this step, the features in the feature set are compared with the configured feature list. The comparison enumerates and summarizes the types of the features in the combined feature set, and matches them by type, one to one, against the features in the feature list. If, after matching, some features in the feature list still have no corresponding feature in the combined feature set, the items for those features are the missing items of the combined feature set, which gives the types and quantity of the missing items.
For example, if the comparison shows that two features in the feature list, operating system type and WebGL vendor, have no corresponding feature in the combined feature set, then the types of the missing items for that combined feature set are operating system type and WebGL vendor, and the quantity is 2.
With step S220 further limited as described above, step S230 may comprise the following steps:
A1: Tier the missing-data combinations of the combined feature set according to the missing data formed from the types and quantity of the missing items;
A2: Use the data tiering to obtain the validity of the corresponding network access request.
For steps A1-A2, the missing data may, specifically, be concentrated in one category of data: for example, the types of the missing items are CPU class, display pixel ratio and hard disk type, so the missing data is mainly hardware data of the terminal device. Because hardware data plays a fundamental role in the operation of the terminal device when a network access request is initiated, and the number of missing hardware items reaches 3, the corresponding degree of missingness can be rated high and the validity of the corresponding network access request is low.
If the types of the missing items are instead scattered across information such as browser language, browser plug-ins and audio stack fingerprint, the number of missing items likewise reaches 3, but these items are less essential than hardware data for a terminal device initiating a network access request. Although there are also 3 missing items, the corresponding degree of missingness does not reach the high level, so the validity of the corresponding network access request is medium.
Among the feature items of the feature list, the features can be graded by how essential they are to a terminal device initiating a network access request. In addition, corresponding grading rules can be set based on the grades of the essential features contained in the missing data and their quantities. Different combinations of missing data are then tiered according to these rules.
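The comparison of step S220 and the rule-based grading of steps A1-A2 can be sketched as follows. This is an added example, not code from the patent: the feature names, the type labels and the exact grading rule in `validity` are assumptions chosen to reproduce the three cases the description walks through.

```python
from collections import Counter

# Configured feature list (step S220): essential feature -> type.
# Names and type labels are assumptions drawn from the features the
# description mentions; a real list is built from historical request data.
FEATURE_LIST = {
    "cpu_class": "hardware",
    "pixel_ratio": "hardware",
    "disk_type": "hardware",
    "os": "system",
    "webgl_vendor": "system",
    "browser_language": "browser",
    "browser_plugins": "browser",
    "audio_fingerprint": "browser",
}


def is_missing(value):
    """A feature counts as missing if absent, blank or reported as unknown."""
    if value is None:
        return True
    if isinstance(value, str):
        return value.strip().lower() in ("", "unknown", "undefined")
    return False


def missing_data(feature_set):
    """Compare a combined feature set with FEATURE_LIST.

    Returns the missing items, their count per type and the total quantity.
    """
    items = [name for name in FEATURE_LIST if is_missing(feature_set.get(name))]
    by_type = Counter(FEATURE_LIST[name] for name in items)
    return {"items": items, "by_type": dict(by_type), "quantity": len(items)}


def validity(md):
    """Grade missing data into a validity level (assumed grading rule).

    Nothing missing -> highest; three or more hardware items missing -> low;
    three or more items of other types -> medium; anything else -> high.
    """
    if md["quantity"] == 0:
        return "highest"
    if md["by_type"].get("hardware", 0) >= 3:
        return "low"
    if md["quantity"] >= 3:
        return "medium"
    return "high"


def is_abnormal(feature_set):
    """Step S240 without a model: treat low validity as abnormal (assumption)."""
    return validity(missing_data(feature_set)) == "low"


# Constructed sample: a complete feature set as a front-end script might report it.
COMPLETE = {
    "cpu_class": "x86", "pixel_ratio": 2, "disk_type": "ssd",
    "os": "Android 9", "webgl_vendor": "ExampleVendor",
    "browser_language": "zh-CN", "browser_plugins": "pdf-viewer",
    "audio_fingerprint": "124.04",
}


def without(*names):
    """Return a copy of COMPLETE with the named features removed."""
    return {k: v for k, v in COMPLETE.items() if k not in names}


if __name__ == "__main__":
    cases = {
        "complete": COMPLETE,
        "os + WebGL vendor missing": without("os", "webgl_vendor"),
        "hardware missing": without("cpu_class", "pixel_ratio", "disk_type"),
        "browser missing": without("browser_language", "browser_plugins",
                                   "audio_fingerprint"),
    }
    for label, fs in cases.items():
        md = missing_data(fs)
        print(f"{label}: {md['by_type']} quantity={md['quantity']} "
              f"validity={validity(md)}")
```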
Step A1 above may further comprise the following steps:
A11: Combine the missing data formed from the types and quantity of the missing items;
A12: Tier the data of the combined feature set according to the combined missing data.
In steps A11-A12, the types and quantity of the missing items of the corresponding combined feature set are combined. According to the combined missing data, data tierings with different arrangements are applied to the combined feature set.
Specifically, the missing items of the combined feature set can be classified in a tree structure. In the tree structure, different root nodes represent different categories; each root node is subdivided into two child nodes, and each child node is a sub-category of the category of its root node.
For a given combined feature set, each category can be placed at root nodes in different positions, forming different data tierings.
This is again illustrated with the embodiment in which the types of the missing items of the missing data are scattered across browser language, browser plug-ins and audio stack fingerprint:
In this embodiment, the categories for the missing items may include at least whether browser information is missing and whether the number of missing items exceeds 2. If the first level is set to whether browser information is missing and the second level to whether the number of missing items exceeds 2, versus the first level set to whether the number of missing items exceeds 2 and the second level to whether browser information is missing, the two resulting data tierings of the combined feature set are different, that is, the resulting tree structures are different.
On the basis of step A11-A12, corresponding step A2 may further include following steps:
A21, data hierarchy is carried out according to the missing data after the combination of the assemblage characteristic collection, training simultaneously obtains
Lightgbm model;
A22, the assemblage characteristic collection input lightgbm model of sample to be examined is determined, is obtained described to be determined
The abnormal probability of the assemblage characteristic collection of sample, obtains the validity of corresponding network access request.
In step A21-A22, lightgbm mould is substituted into according to the different data hierarchies obtained from above-mentioned steps A12
Type, and being trained to the lightgbm model, obtains the parameter in the lightgbm model, as num_leaves,
min_data_in_leaf,max_depth.Specific process can first pass through and carry out default settings, generation to above-mentioned parameter
Thus the different data hierarchies for entering the example above obtain trained lightgbm to readjusting in above-mentioned parameter progress
Model.
The meaning of the parameters of the lightgbm model is as follows:
num_leaves represents the maximum number of leaves of a tree and is used to adjust the complexity of the tree; its value is usually ≤ 2^(max_depth). min_data_in_leaf: its value depends on the number of samples in the training data and on num_leaves; setting it larger can avoid generating a tree that is too deep. max_depth represents the maximum depth of a tree.
After the trained lightgbm model is obtained according to step A21, the feature set data of the sample to be determined is input into the lightgbm model, and abnormality determination is carried out on the network access request initiated by the corresponding terminal device. According to the lightgbm model, the abnormal probability of the combined feature set of the sample to be determined is obtained. The abnormal probability characterizes the probability that the network access request initiated by the sample to be determined is an access by an abnormal user, and it directly reflects the validity of normal user network access. The higher the abnormal probability, the lower the validity of the corresponding network access request. The sample to be determined is the network access request initiated by the terminal device to be determined.
The technical solution that uses the lightgbm model as the decision model to judge whether the network access is an abnormal access can identify diverse abnormal scenarios and, as the sample size increases, can cover more, and more complex, situations.
After step A21, the parameters of the lightgbm model are tuned automatically using GridSearchCV grid search; the parameters involved include the lightgbm model parameters num_leaves, min_data_in_leaf and max_depth mentioned above. Once these parameters have been tuned, the lightgbm model has been adjusted and optimized, which improves the accuracy of the abnormality determination for the network access request initiated by the corresponding terminal device.
Step S240 may include:
When the abnormal probability based on the validity is greater than a preset threshold, determining that the network access is an abnormal access.
In this step, the abnormal probability of the network access request initiated by the corresponding terminal device is obtained using the lightgbm model according to step A22. The judgment threshold is the critical point of the probability that the terminal device is initiating a normal network access request. When the abnormal probability exceeds the range limited by the preset threshold, it is determined that the network access is more likely to be an abnormal access, which gives the determination result that the network access initiated by the corresponding terminal device is an abnormal access.
If the network request currently initiated by the terminal device is judged to be an abnormal access request, the server directly rejects the request or requires the terminal device to perform access verification again; if the network request currently initiated by the terminal device is judged to be a normal access request, the server responds to the request directly.
In addition, the combined feature set may also include:
Effective derived feature information for identifying outliers, calculated by measuring the dispersion of the data over the values of the features of the combined feature set.
From the data dispersion calculation, effective derived features that identify outliers can be obtained. Correspondingly, the feature list also adds the corresponding effective derived features, so that they can be compared with the effective derived features of the combined feature set to obtain the missing items of the effective derived features.
The data dispersion calculation includes calculating, for the corresponding feature data, the range, the quartiles, the interquartile range and the five-number summary; the five-number summary is, in order, the minimum value, upper quartile, median, lower quartile and maximum value.
By increasing the features compared in the feature list, the combined feature set of the sample to be determined can be compared more comprehensively, which further improves the decision-making ability of the abnormality determination method for network access.
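The comparison against the feature list and the dispersion-based derived features can be computed as in the following added example, which is not code from the patent. The feature names, the sample request, the interval history and the use of Tukey's fences to flag outliers are assumptions; the patent does not name the essential features or the outlier rule.

```python
import statistics

# Hypothetical essential features; the patent does not enumerate the list.
REQUIRED_FEATURES = ("browser_info", "screen_resolution", "audio_fingerprint",
                     "mouse_track", "timezone")
_EMPTY = (None, "", [], {})


def missing_items(feature_set, required=REQUIRED_FEATURES):
    """Return (types, quantity) of required features absent or empty."""
    types = [name for name in required if feature_set.get(name) in _EMPTY]
    return types, len(types)


def missing_vector(feature_set, required=REQUIRED_FEATURES):
    """Missing data as one 0/1 flag per required feature, then the count."""
    types, quantity = missing_items(feature_set, required)
    return [int(name in types) for name in required] + [quantity]


def dispersion_features(values):
    """Range, quartiles, interquartile range and five-number summary."""
    ordered = sorted(values)
    q1, median, q3 = statistics.quantiles(ordered, n=4, method="inclusive")
    return {
        "min": ordered[0], "q1": q1, "median": median, "q3": q3,
        "max": ordered[-1],
        "range": ordered[-1] - ordered[0],
        "iqr": q3 - q1,
    }


def outlier_flags(values, k=1.5):
    """Derived feature: 1 where a value lies outside Tukey's fences (assumed rule)."""
    d = dispersion_features(values)
    low, high = d["q1"] - k * d["iqr"], d["q3"] + k * d["iqr"]
    return [int(v < low or v > high) for v in values]


# Constructed sample: the client sent empty browser info and no mouse track.
SAMPLE_REQUEST = {"browser_info": "", "screen_resolution": "1920x1080",
                  "audio_fingerprint": "constructed-value", "timezone": "UTC+8"}
# Constructed history: intervals between one device's requests, in milliseconds.
SAMPLE_INTERVALS_MS = [120, 130, 125, 135, 128, 122, 131, 5]

if __name__ == "__main__":
    print(missing_items(SAMPLE_REQUEST))
    print(missing_vector(SAMPLE_REQUEST))
    print(dispersion_features(SAMPLE_INTERVALS_MS))
    print(outlier_flags(SAMPLE_INTERVALS_MS))
```
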
Based on the same inventive concept as the above abnormality determination method for network access, an embodiment of the present invention also provides an abnormality determination device for network access, as shown in Fig. 3, comprising:
A feature acquisition module 310, configured to collect, at a preset time interval, each relevant feature generated by a terminal device according to a network access request, and to form a combined feature set for the terminal device according to the features;
A comparison module 320, configured to compare the features of the combined feature set with a set feature list to obtain the missing items of the corresponding combined feature set;
A validity acquisition module 330, configured to form missing data according to each missing item and obtain the validity of the corresponding network access request;
A determination module 340, configured to use the validity to determine whether the network access request is an abnormal access.
Please refer to Fig. 4, which is a schematic diagram of the internal structure of a server in one embodiment. As shown in Fig. 4, the server includes a processor 410, a storage medium 420, a memory 430 and a network interface 440 connected through a system bus. The storage medium 420 of the server stores an operating system, a database and computer-readable instructions; the database may store control information sequences. When the computer-readable instructions are executed by the processor 410, they cause the processor 410 to implement an abnormality determination method for network access, and the processor 410 can implement the functions of the feature acquisition module 310, the comparison module 320, the validity acquisition module 330 and the determination module 340 in the abnormality determination device for network access of the embodiment shown in Fig. 3. The processor 410 of the server provides computing and control capability and supports the operation of the entire server. The memory 430 of the server may store computer-readable instructions which, when executed by the processor 410, cause the processor 410 to execute an abnormality determination method for network access. The network interface 440 of the server is used to connect to and communicate with terminals. Those skilled in the art will understand that the structure shown in Fig. 4 is only a block diagram of the part of the structure relevant to the solution of the present application and does not limit the server to which the solution is applied; a specific server may include more or fewer components than shown in the figure, combine certain components, or have a different arrangement of components.
In one embodiment, the present invention also provides a storage medium storing computer-readable instructions which, when executed by one or more processors, cause the one or more processors to perform the following steps: collecting, at a preset time interval, each relevant feature generated by a terminal device according to a network access request, and forming a combined feature set for the terminal device according to the features; comparing the features of the combined feature set with a set feature list to obtain the missing items of the corresponding combined feature set; forming missing data according to each missing item and obtaining the validity of the corresponding network access request; and using the validity to determine whether the network access request is an abnormal access.
From the above embodiments, the main beneficial effects of the present invention are as follows:
In the abnormality determination method, device, server and storage medium for network access provided by the present invention, the features of the combined feature set of the network access request sent by a terminal device are compared with a set feature list that includes the essential features, the missing items of the combined feature set are obtained from the result of the comparison, and the validity of the network access request is judged on that basis, finally giving the determination result of whether the corresponding network access request is abnormal.
On this basis, a further technical solution is provided: a lightgbm model is trained and obtained according to the data hierarchy carried out on the combined missing data of the combined feature set, and the lightgbm model is used as the decision model to judge whether the network access is an abnormal access. This solution can identify diverse abnormal scenarios and, as the sample size increases, can cover more, and more complex, situations.
The technical solution provided by the present invention compares the existing features obtained from the network access request with a feature list containing the essential features, and uses the essential features that can reveal abnormal access as the basis for the determination, so that the best determination effect is obtained with as little data processing as possible.
In summary, the abnormality determination method, device, server and storage medium for network access of the present invention readily obtain the determination result for abnormal access after comparison with a feature list that can verify normal network access. This solves the technical problem in the prior art that abnormal access can only be determined from the click and drag data produced when the user initiates the network access request, with a high error rate, and it improves the ability to determine abnormal access by terminal devices.
Those of ordinary skill in the art will understand that all or part of the processes in the methods of the above embodiments can be completed by a computer program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, may include the processes of the embodiments of the above methods. The aforementioned storage medium may be a magnetic disk, an optical disc, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM) or the like.
The technical features of the embodiments described above can be combined arbitrarily. For brevity, not all possible combinations of the technical features in the above embodiments are described; however, as long as a combination of these technical features contains no contradiction, it should be considered to be within the scope of this specification.
The embodiments described above express only several implementations of the present invention, and their description is relatively specific and detailed, but they cannot therefore be interpreted as limiting the scope of the patent. It should be pointed out that those of ordinary skill in the art can make various modifications and improvements without departing from the inventive concept, and these all fall within the protection scope of the present invention. Therefore, the protection scope of the patent of the present invention shall be subject to the appended claims.
Claims (10)
1. An abnormality determination method for network access, characterized by comprising the following steps:
collecting, at a preset time interval, each relevant feature generated by a terminal device according to a network access request, and forming a combined feature set for the terminal device according to the features;
comparing the features of the combined feature set with a set feature list to obtain the missing items of the corresponding combined feature set;
forming missing data according to each missing item, and obtaining the validity of the corresponding network access request;
using the validity to determine whether the network access request is an abnormal access;
wherein the feature list includes the essential features generated when the terminal device initiates a network access request.
2. The method according to claim 1, characterized in that
the comparing of the features of the combined feature set with the set feature list to obtain the missing items of the corresponding combined feature set comprises:
comparing the features of the feature set with the set feature list to obtain the type and quantity of the missing items of the corresponding combined feature set.
3. The method according to claim 2, characterized in that
the forming of missing data according to each missing item and obtaining of the validity of the corresponding network access request comprises:
forming missing data according to the type and quantity of the missing items, and carrying out data hierarchy on the combination of the missing data of the combined feature set;
using the data hierarchy to obtain the validity of the corresponding network access request.
4. The method according to claim 3, characterized in that
the forming of missing data according to the type and quantity of the missing items and carrying out of data hierarchy on the combination of the missing data of the combined feature set comprises:
combining the missing data formed from the type and quantity of the missing items;
carrying out data hierarchy on the combined feature set according to the combined missing data.
5. The method according to claim 3, characterized in that
the step of using the data hierarchy to obtain the validity of the corresponding network access request comprises:
training and obtaining a lightgbm model according to the data hierarchy carried out on the combined missing data of the combined feature set;
inputting the combined feature set of the sample to be determined into the lightgbm model for determination, obtaining the abnormal probability of the combined feature set of the sample to be determined, and obtaining the validity of the corresponding network access request.
6. The method according to claim 5, characterized in that
after the step of training and obtaining a lightgbm model according to the data hierarchy carried out on the combined missing data of the combined feature set, the method further comprises:
automatically tuning the parameters num_leaves, min_data_in_leaf and max_depth of the lightgbm model by GridSearchCV grid search, so as to adjust and optimize the lightgbm model.
7. The method according to claim 5, characterized in that
the step of using the validity to determine whether the network access request is an abnormal access comprises:
when the abnormal probability based on the validity is greater than a preset threshold, determining that the network access is an abnormal access.
8. An abnormality determination device for network access, characterized by comprising:
a feature acquisition module, configured to collect, at a preset time interval, each relevant feature generated by a terminal device according to a network access request, and to form a combined feature set for the terminal device according to the features;
a comparison module, configured to compare the features of the combined feature set with a set feature list to obtain the missing items of the corresponding combined feature set;
a validity acquisition module, configured to form missing data according to each missing item and obtain the validity of the corresponding network access request;
a determination module, configured to use the validity to determine whether the network access request is an abnormal access.
9. A server, characterized by comprising:
one or more processors;
a memory;
one or more computer programs, wherein the one or more computer programs are stored in the memory and configured to be executed by the one or more processors, and the one or more computer programs are configured to carry out the abnormality determination method for network access according to any one of claims 1 to 7.
10. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the abnormality determination method for network access according to any one of claims 1 to 7 is implemented.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910578452.0A CN110401639B (en) | 2019-06-28 | 2019-06-28 | Method and device for judging abnormality of network access, server and storage medium thereof |
PCT/CN2019/118551 WO2020258673A1 (en) | 2019-06-28 | 2019-11-14 | Network access abnormality determination method and apparatus, server and storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910578452.0A CN110401639B (en) | 2019-06-28 | 2019-06-28 | Method and device for judging abnormality of network access, server and storage medium thereof |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110401639A (en) | 2019-11-01 |
CN110401639B (en) | 2021-12-24 |
Family
ID=68323571
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910578452.0A Active CN110401639B (en) | 2019-06-28 | 2019-06-28 | Method and device for judging abnormality of network access, server and storage medium thereof |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN110401639B (en) |
WO (1) | WO2020258673A1 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2020258673A1 (en) * | 2019-06-28 | 2020-12-30 | 平安科技(深圳)有限公司 | Network access abnormality determination method and apparatus, server and storage medium |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20070046684A1 (en) * | 2005-08-23 | 2007-03-01 | Eric Jeffrey | Methods and Apparatus for Efficiently Accessing Reduced Color-Resolution Image Data |
US9727723B1 (en) * | 2014-06-18 | 2017-08-08 | EMC IP Holding Co. LLC | Recommendation system based approach in reducing false positives in anomaly detection |
CN108156166A (en) * | 2017-12-29 | 2018-06-12 | 百度在线网络技术(北京)有限公司 | Abnormal access identification and connection control method and device |
CN108259482A (en) * | 2018-01-04 | 2018-07-06 | 平安科技(深圳)有限公司 | Network Abnormal data detection method, device, computer equipment and storage medium |
CN108763274A (en) * | 2018-04-09 | 2018-11-06 | 北京三快在线科技有限公司 | Recognition methods, device, electronic equipment and the storage medium of access request |
CN109150875A (en) * | 2018-08-20 | 2019-01-04 | 广东优世联合控股集团股份有限公司 | Anti-crawler method, anti-crawler device, electronic equipment and computer readable storage medium |
Family Cites Families (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR101148002B1 (en) * | 2010-04-06 | 2012-05-24 | 국방과학연구소 | Web robot detection system and method |
US8549645B2 (en) * | 2011-10-21 | 2013-10-01 | Mcafee, Inc. | System and method for detection of denial of service attacks |
CN104391979B (en) * | 2014-12-05 | 2017-12-19 | 北京国双科技有限公司 | Network malice reptile recognition methods and device |
CN108985048B (en) * | 2017-05-31 | 2022-11-18 | 腾讯科技(深圳)有限公司 | Simulator identification method and related device |
CN109766104B (en) * | 2018-12-07 | 2020-10-30 | 北京数字联盟网络科技有限公司 | Download system of application program, installation type determining method and storage medium |
CN109886290B (en) * | 2019-01-08 | 2024-05-28 | 平安科技(深圳)有限公司 | User request detection method and device, computer equipment and storage medium |
CN110401639B (en) * | 2019-06-28 | 2021-12-24 | 平安科技(深圳)有限公司 | Method and device for judging abnormality of network access, server and storage medium thereof |
2019
- 2019-06-28 CN CN201910578452.0A patent/CN110401639B/en active Active
- 2019-11-14 WO PCT/CN2019/118551 patent/WO2020258673A1/en active Application Filing
Also Published As
Publication number | Publication date |
---|---|
CN110401639B (en) | 2021-12-24 |
WO2020258673A1 (en) | 2020-12-30 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11138095B2 (en) | Identity propagation through application layers using contextual mapping and planted values | |
EP4203349A1 (en) | Training method for detection model, system, device, and storage medium | |
IL275042A (en) | Self-adaptive application programming interface level security monitoring | |
CN108334758B (en) | Method, device and equipment for detecting user unauthorized behavior | |
CN112231570B (en) | Recommendation system support attack detection method, device, equipment and storage medium | |
CN111371778B (en) | Attack group identification method, device, computing equipment and medium | |
CN110392046B (en) | Method and device for detecting abnormity of network access | |
CN112866281B (en) | Distributed real-time DDoS attack protection system and method | |
US20230195812A1 (en) | Optimizing scraping requests through browsing profiles | |
Brissaud et al. | Passive monitoring of https service use | |
Elekar | Combination of data mining techniques for intrusion detection system | |
CN108768934A (en) | Rogue program issues detection method, device and medium | |
CN110008462A (en) | A kind of command sequence detection method and command sequence processing method | |
CN110225009A (en) | It is a kind of that user's detection method is acted on behalf of based on communication behavior portrait | |
He et al. | Mobile app identification for encrypted network flows by traffic correlation | |
CN109688099A (en) | Server end hits library recognition methods, device, equipment and readable storage medium storing program for executing | |
CN110401639A (en) | Abnormality determination method, device, server and its storage medium of network access | |
WO2020258509A1 (en) | Method and device for isolating abnormal access of terminal device | |
CN110460620A (en) | Website defence method, device, equipment and storage medium | |
Doran | Detection, classification, and workload analysis of web robots | |
CN114726876B (en) | Data detection method, device, equipment and storage medium | |
Su et al. | A network traffic-aware mobile application recommendation system based on network traffic cost consideration | |
CN110311909A (en) | The abnormality determination method and device of terminal device network access | |
CN114780398A (en) | Cisco IOS-XE-oriented Web command injection vulnerability detection method | |
CN110417744A (en) | The safe determination method and device of network access |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||