CN110445753A - The partition method and device of terminal device abnormal access - Google Patents
- Publication number
- CN110445753A CN201910580052.3A
- Authority
- CN
- China
- Prior art keywords
- terminal device
- euclidean distance
- nonlinear combination
- combination feature
- feature set
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer And Data Communications (AREA)
- Debugging And Monitoring (AREA)
Abstract
The present invention belongs to the field of security detection and provides an isolation method and device for abnormal access by a terminal device. The method includes: obtaining multiple first nonlinear combination feature sets from the first device parameters of historical terminal devices, and dividing the first nonlinear combination feature sets into a normal-state cluster and an abnormal-state cluster; obtaining the second device parameters of the terminal device's current access through a shell script on the terminal device, and generating a second nonlinear combination feature set; calculating the first Euclidean distance between the second nonlinear combination feature set and the centroid of the normal-state cluster, and the second Euclidean distance between it and the centroid of the abnormal-state cluster; and, when the first Euclidean distance is greater than the second Euclidean distance, determining that the terminal device is performing abnormal access and isolating the abnormal access of the corresponding terminal device. The method helps improve the ability to isolate abnormal access by terminal devices.
Description
Technical field
The present invention relates to the field of network detection technology, and specifically to an isolation method and device for abnormal access by a terminal device.
Background
When a terminal device accesses a network, the server providing the network connection can obtain the click-and-drag trajectory data of the terminal device from the access request it sends. At present, whether a terminal device is a normal terminal device is usually judged from the click-and-drag trajectory data of the terminal device that initiated the access request, which is used to detect whether it is a normal terminal device or a web crawler. However, this detection method does not easily distinguish normally accessing terminal devices from web crawlers, so the detection error rate is high: normally accessing terminal devices are easily judged to be performing abnormal access, which affects normal user access and makes it difficult to isolate web crawlers.
Summary of the invention
To overcome the above technical problem, in particular the problem in the prior art that a real user is easily judged to be an abnormal user on the basis of usage trajectory data when logging in to a network through a terminal device, the following technical solution is proposed:
In a first aspect, the present invention provides an isolation method for abnormal access by a terminal device, comprising the following steps:
Obtaining multiple first nonlinear combination feature sets from the first device parameters of historical terminal devices, and dividing the first nonlinear combination feature sets into a normal-state cluster and an abnormal-state cluster; wherein a first nonlinear combination feature set is the nonlinear feature information of a terminal device obtained historically, and this feature information includes the attribute data and access data of the terminal device;
Obtaining the second device parameters of the terminal device's current access through a shell script on the terminal device, and generating a second nonlinear combination feature set; wherein the second nonlinear combination feature set is the nonlinear feature information of the terminal device obtained currently, and this feature information includes the attribute data and access data of the terminal device;
Calculating the first Euclidean distance between the second nonlinear combination feature set and the centroid of the normal-state cluster, and the second Euclidean distance between it and the centroid of the abnormal-state cluster;
When the first Euclidean distance is greater than the second Euclidean distance, determining that the terminal device is performing abnormal access, and isolating the abnormal access of the corresponding terminal device.
In one embodiment, before the step of calculating the first Euclidean distance between the second nonlinear combination feature set and the centroid of the normal-state cluster, and the second Euclidean distance between it and the centroid of the abnormal-state cluster, the method further includes:
Presetting initial centroids for the normal-state cluster and the abnormal-state cluster of the first nonlinear combination feature sets respectively.
In one embodiment, the step of calculating the first Euclidean distance between the second nonlinear combination feature set and the centroid of the normal-state cluster, and the second Euclidean distance between it and the centroid of the abnormal-state cluster, includes:
Calculating, for each access within a set time period, the first Euclidean distance between the second nonlinear combination feature set and the centroid of the normal-state cluster, and the second Euclidean distance between it and the centroid of the abnormal-state cluster;
Obtaining, for the same terminal device within the set time period, the set of first Euclidean distances and the set of second Euclidean distances that fall within the first set number in the ordering, and obtaining the mode of the set of first Euclidean distances and the mode of the set of second Euclidean distances respectively;
And taking the mode of the set of first Euclidean distances and the mode of the set of second Euclidean distances as the first Euclidean distance and the second Euclidean distance of that terminal device within the set time period.
In one embodiment, the step of obtaining the second device parameters of the terminal device's current access through the shell script on the terminal device, and generating the second nonlinear combination feature set, includes:
Obtaining the second device parameters of the current access through the shell script on the terminal device, generating the second nonlinear combination feature set, and obtaining the user agent of the terminal device from the second nonlinear combination feature set;
Parsing the user agent to obtain the model of the terminal device.
In one embodiment, after the step of parsing the user agent to obtain the model of the terminal device, the method further includes:
Obtaining, according to the model of the terminal device, the normal range of each feature value of the second nonlinear combination feature set of the terminal device;
Comparing the feature values of the second nonlinear combination feature set with the normal range;
Taking the nonlinear combination feature set of a terminal device whose feature values fall outside the normal range as the second nonlinear combination feature set.
In one embodiment, the step of obtaining multiple first nonlinear combination feature sets from the first device parameters of historical terminal devices includes:
Obtaining the first device parameters of the terminal devices collected historically, extracting the feature information of the first device parameters, and generating multiple first nonlinear combination feature sets from the feature information.
In one embodiment, after the step of obtaining multiple first nonlinear combination feature sets from the first device parameters of historical terminal devices, the method further includes:
Obtaining network access idle periods according to the access volume of historical terminal devices;
Obtaining the idle access frequency of the same terminal device within the same network access idle period;
Comparing the idle access frequency with a preset value;
If the idle access frequency is greater than the preset value, obtaining the second nonlinear combination feature set of the corresponding terminal device.
In a second aspect, the present invention also provides an isolation device for abnormal access by a terminal device, comprising:
An obtaining module, for obtaining multiple first nonlinear combination feature sets from the first device parameters of historical terminal devices, and dividing the first nonlinear combination feature sets into a normal-state cluster and an abnormal-state cluster;
A generation module, for obtaining the second device parameters of the terminal device's current access through a shell script on the terminal device, and generating a second nonlinear combination feature set;
A computing module, for calculating the first Euclidean distance between the second nonlinear combination feature set and the centroid of the normal-state cluster, and the second Euclidean distance between it and the centroid of the abnormal-state cluster;
An isolation module, for determining, when the first Euclidean distance is greater than the second Euclidean distance, that the terminal device is performing abnormal access, and isolating the abnormal access of the corresponding terminal device.
In a third aspect, the present invention also provides a server, comprising:
One or more processors;
A memory;
One or more computer programs, wherein the one or more computer programs are stored in the memory and configured to be executed by the one or more processors, and the one or more computer programs are configured to carry out the isolation method for abnormal access by a terminal device described in the embodiments of the first aspect.
In a fourth aspect, the present invention also provides a computer-readable storage medium on which a computer program is stored; when the program is executed by a processor, it implements the isolation method for abnormal access by a terminal device described in the embodiments of the first aspect.
The isolation method and device for abnormal access by a terminal device provided by the present invention collect the historical network accesses of terminal devices and the current network access, generate multiple first nonlinear combination feature sets and the corresponding second nonlinear combination feature set respectively, divide the data points of the multiple first nonlinear combination feature sets into a normal-state cluster and an abnormal-state cluster, and calculate the first Euclidean distance between the second nonlinear combination feature set and the centroid of the normal-state cluster, and the second Euclidean distance between it and the centroid of the abnormal-state cluster. Whether the network access is abnormal access is determined from the comparison of the first Euclidean distance with the second Euclidean distance, and abnormal access is isolated.
The technical solution provided by the present invention converts the feature information generated when the terminal device initiates a network access request into corresponding data points, and obtains the determination result from the spatial relationship between the data points. In this way, the comparison of the distance parameters between the feature information of the terminal device's network accesses directly reflects whether the network access of the terminal device is abnormal access, and the abnormal access is isolated. The method distinguishes normally accessing terminal devices from web crawlers more easily, reduces the probability of web crawlers accessing and intruding on a website, and effectively isolates web crawlers.
Additional aspects and advantages of the present invention will be set forth in part in the description below; they will become apparent from the description, or be learned through practice of the invention.
Brief description of the drawings
The above and/or additional aspects and advantages of the present invention will become apparent and easy to understand from the following description of the embodiments with reference to the accompanying drawings, in which:
Fig. 1 is the application environment diagram in which an embodiment of the present invention executes the isolation scheme for abnormal access by a terminal device;
Fig. 2 is the flow chart of the isolation method for abnormal access by a terminal device in one embodiment of the present invention;
Fig. 3 is the flow chart of the isolation method for abnormal access by a terminal device in another embodiment of the present invention;
Fig. 4 is the schematic diagram of the isolation device for abnormal access by a terminal device in one embodiment of the present invention;
Fig. 5 is the structural schematic diagram of the server in one embodiment of the present invention.
Detailed description of embodiments
Embodiments of the present invention are described in detail below, and examples of the embodiments are shown in the accompanying drawings, in which the same or similar reference numerals throughout denote the same or similar elements or elements with the same or similar functions. The embodiments described below with reference to the drawings are exemplary, serve only to explain the invention, and are not to be construed as limiting the claims.
Those skilled in the art will understand that, unless expressly stated otherwise, the singular forms "a", "an", "said" and "the" used herein may also include the plural forms. It should be further understood that the word "comprising" used in the specification of the present invention refers to the presence of the stated features, integers, steps, operations, elements and/or components, but does not exclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or groups thereof. It should be understood that when an element is said to be "connected" or "coupled" to another element, it can be directly connected or coupled to the other element, or intermediate elements may be present. In addition, "connection" or "coupling" as used herein may include wireless connection or wireless coupling. The term "and/or" as used herein includes all or any unit of, and all combinations of, one or more of the associated listed items.
Those skilled in the art will understand that, unless otherwise defined, all terms used herein (including technical and scientific terms) have the same meaning as commonly understood by a person of ordinary skill in the art to which the present invention belongs. It should also be understood that terms such as those defined in general dictionaries should be understood to have a meaning consistent with their meaning in the context of the prior art and, unless specifically defined as here, will not be interpreted in an idealized or overly formal sense.
Those skilled in the art will understand that "terminal" and "terminal device" as used herein include both devices that have only a wireless signal receiver without transmitting capability, and devices that have receiving and transmitting hardware capable of two-way communication over a bidirectional communication link. Such devices may include: cellular or other communication devices, with a single-line display or a multi-line display, or cellular or other communication devices without a multi-line display; PCS (Personal Communications Service) devices, which may combine voice, data processing, fax and/or data communication capabilities; PDAs (Personal Digital Assistant), which may include a radio frequency receiver, pager, Internet/intranet access, web browser, notepad, calendar and/or GPS (Global Positioning System) receiver; and conventional laptop and/or palmtop computers or other devices that have and/or include a radio frequency receiver. A "terminal" or "terminal device" as used herein may be portable, transportable, installed in a vehicle (air, sea and/or land), or suitable for and/or configured to run locally and/or, in distributed form, at any other location on the earth and/or in space. A "terminal" or "terminal device" as used herein may also be a communication terminal, an Internet access terminal or a music/video playback terminal, for example a PDA, a MID (Mobile Internet Device) and/or a mobile phone with a music/video playback function, or a device such as a smart TV or set-top box.
Those skilled in the art will understand that the remote network devices used herein include, but are not limited to, a computer, a network host, a single network server, a set of multiple network servers, or a cloud consisting of multiple servers. Here, the cloud consists of a large number of computers or network servers based on cloud computing, where cloud computing is a kind of distributed computing: a super virtual computer consisting of a loosely coupled set of computers. In the embodiments of the present invention, the remote network devices, terminal devices and WNS server can communicate by any means of communication, including but not limited to mobile communication based on 3GPP, LTE or WIMAX, computer network communication based on the TCP/IP or UDP protocols, and short-range wireless transmission based on the Bluetooth or infrared transmission standards.
Referring to Fig. 1, Fig. 1 is the application environment diagram of an embodiment of the present invention. In this embodiment, the technical solution of the present invention can be implemented on a server. As shown in Fig. 1, terminal devices 110 and 120 can access server 130 over the Internet; terminal device 110 and/or 120 issues a network request to server 130, and server 130 carries out data interaction according to the network request. During data interaction, server 130 obtains the access data and attribute data of terminal device 110 and/or 120 from the request information of terminal device 110 and/or 120, and performs abnormality detection on the terminal device according to these data.
To solve the problem that current abnormal-data detection easily judges a real user to be an abnormal user, the present invention provides an isolation method for abnormal access by a terminal device. Referring to Fig. 2, Fig. 2 is the flow chart of the isolation method for abnormal access by a terminal device in one embodiment; the method includes the following steps:
S210: obtain multiple first nonlinear combination feature sets from the first device parameters of historical terminal devices, and divide the first nonlinear combination feature sets into a normal-state cluster and an abnormal-state cluster.
When the server and a terminal device carry out data interaction, the server obtains the relevant parameters of the terminal device from the network request the terminal device issues. In this step, the server obtains the first device parameters from the network requests issued by historical terminal devices, parses the first device parameters, and obtains multiple first nonlinear combination feature sets from the result of the parsing.
A first nonlinear combination feature set is the feature set generated from one access record of a terminal device that has carried out data interaction with the server. It is the nonlinear feature information of a terminal device obtained historically, and this feature information includes the attribute data and access data of the terminal device. For example, attribute data may include the model of the terminal device, the screen resolution x*y of the terminal device, or the available screen resolution X*Y of the browser; access data may include the frequency with which the terminal device issues requests to the server, and so on.
The first nonlinear combination feature set corresponds to feature information; in this embodiment, the feature information is specifically the corresponding feature values. A corresponding coordinate system is set up, and the feature set generated by each access record of the historical terminal devices is marked in it, or as an n-dimensional data point. The feature sets formed from the different access records form the corresponding normal-state cluster and abnormal-state cluster in the coordinate system. On the consideration that normal cases far outnumber abnormal cases, the large cluster is the normal-state cluster and the small cluster is the abnormal-state cluster.
Further, to eliminate the dimensional relationship between variables so that the data are comparable, the feature values in each feature set are standardized before they are marked. For example, the feature set obtained from each access record may contain variables on a hundred-point scale and variables on a 5-point scale; only when all data are standardized can they be compared on the same scale.
S220: obtain the second device parameters of the terminal device's current access through the shell script on the terminal device, and generate the second nonlinear combination feature set.
So that it can be detected in real time whether the network access of the terminal device is in an abnormal state, the state of each current access by the terminal device is detected as the detection requires. In this step, the server provides a shell script to the terminal device over the network connection, in order to obtain the second device parameters of each current access by the terminal device. The second device parameters are of the same nature as the first device parameters. The second nonlinear combination feature set is the nonlinear feature information of the terminal device obtained currently, and this feature information includes the attribute data and access data of the terminal device.
The server parses the second device parameters, extracts their feature information, and from this feature information generates the second nonlinear combination feature set for the terminal device currently issuing the network request to the server.
The feature information included in the second nonlinear combination feature set corresponds at least to the feature information in the first nonlinear combination feature sets, so that the two can be compared later.
S230: calculate the first Euclidean distance between the second nonlinear combination feature set and the centroid of the normal-state cluster, and the second Euclidean distance between it and the centroid of the abnormal-state cluster.
In this step, whether the network access of the terminal device currently accessing the server is in an abnormal state is found by comparison with the normal state of the network accesses of historical terminal devices.
In the coordinate system in which the feature information of the first nonlinear combination feature sets is marked, the feature information of the second nonlinear combination feature set generated in step S220 is marked after standardization, giving the corresponding data point.
Using this coordinate system, the first Euclidean distance from the data point of the second nonlinear combination feature set to the centroid of the normal-state cluster, and the second Euclidean distance from it to the centroid of the abnormal-state cluster, are calculated, giving the actual distance of the second nonlinear combination feature set from the normal-state cluster and from the abnormal-state cluster respectively.
S240: when the first Euclidean distance is greater than the second Euclidean distance, determine that the terminal device is performing abnormal access, and isolate the abnormal access of the corresponding terminal device. The first Euclidean distance and the second Euclidean distance obtained in step S230 are compared. If the first Euclidean distance is greater than the second Euclidean distance, the network access request that the current terminal device initiated to the server is closer to the abnormal state, and the network access request initiated by the current terminal device to the server is determined to be in the abnormal access state.
If the network request currently initiated by the terminal device is judged to be an abnormal access request, the server isolates the network request directly, that is, it refuses to respond to the abnormal access request and requires the terminal device to go through access verification again; if the network request currently initiated by the terminal device is judged to be a normal access request, the server responds to the request directly.
In the present invention, the first nonlinear combination feature set and the second nonlinear combination feature set are each made up of a set of multiple feature values. The multiple feature values of the nonlinear combination feature set formed by each access make up a corresponding dimension vector. Therefore, in this application, the first nonlinear feature set produced by each access, and the first nonlinear feature set, are measured by their dimension vectors. The normal-state cluster and the abnormal-state cluster of the first nonlinear feature sets are the state clusters formed by the dimension vectors of the corresponding multiple first nonlinear feature sets. Therefore, the calculation of Euclidean distance in the technical solution of the present invention is the calculation of the spatial distance between the dimension vectors of the corresponding nonlinear feature sets.
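The flow of steps S210 to S240, as an added example that is not code from the patent: constructed access records are turned into standardized feature vectors, split into two clusters, the larger cluster is labelled normal, and a current access is judged by comparing its distances to the two centroids. The use of 2-means clustering, the two features chosen (available-to-screen area ratio and requests per minute) and every name and sample value are assumptions; the patent does not specify them.

```python
import math

# Constructed sample records: (screen_w, screen_h, avail_w, avail_h, requests_per_minute).
HISTORY = [
    (1920, 1080, 1920, 1040, 3), (1366, 768, 1366, 728, 5),
    (1440, 900, 1440, 860, 2), (2560, 1440, 2560, 1400, 4),
    (390, 844, 390, 780, 6), (412, 915, 412, 850, 3),
    (1536, 864, 1536, 824, 7), (1280, 720, 1280, 680, 4),
    (800, 600, 800, 600, 150), (1024, 768, 1024, 768, 210),
    (800, 600, 800, 600, 95),
]

def features(rec):
    """Assumed nonlinear combination: available/screen area ratio, plus request frequency."""
    sw, sh, aw, ah, rpm = rec
    screen_area = sw * sh
    ratio = (aw * ah) / screen_area if screen_area else 0.0  # a client may report 0x0
    return (ratio, float(rpm))

def fit_scaler(rows):
    """Per-feature (mean, std) so that features on different scales become comparable."""
    stats = []
    for col in zip(*rows):
        mean = sum(col) / len(col)
        std = math.sqrt(sum((v - mean) ** 2 for v in col) / len(col))
        stats.append((mean, std if std > 0 else 1.0))
    return stats

def scale(row, scaler):
    return tuple((v - m) / s for v, (m, s) in zip(row, scaler))

def centroid(points):
    return tuple(sum(col) / len(col) for col in zip(*points))

def two_means(points, max_iter=100):
    """Lloyd's algorithm with k=2 and a deterministic farthest-point start."""
    origin = centroid(points)
    c0 = max(points, key=lambda p: math.dist(p, origin))
    c1 = max(points, key=lambda p: math.dist(p, c0))
    centroids, labels = [c0, c1], None
    for _ in range(max_iter):
        new_labels = [0 if math.dist(p, centroids[0]) <= math.dist(p, centroids[1]) else 1
                      for p in points]
        if new_labels == labels:
            break
        labels = new_labels
        for k in (0, 1):
            members = [p for p, lab in zip(points, labels) if lab == k]
            if members:  # keep the old centroid if a cluster ever empties
                centroids[k] = centroid(members)
    return centroids, labels

def fit_model(history):
    """S210: build the normal-state and abnormal-state clusters from historical accesses."""
    raw = [features(r) for r in history]
    scaler = fit_scaler(raw)
    centroids, labels = two_means([scale(r, scaler) for r in raw])
    sizes = [labels.count(0), labels.count(1)]
    normal = 0 if sizes[0] >= sizes[1] else 1  # the large cluster is the normal one
    return {"scaler": scaler,
            "normal": centroids[normal], "abnormal": centroids[1 - normal],
            "sizes": {"normal": sizes[normal], "abnormal": sizes[1 - normal]}}

def check_access(model, rec):
    """S220-S240: return (first distance, second distance, abnormal?) for a current access."""
    point = scale(features(rec), model["scaler"])
    d1 = math.dist(point, model["normal"])
    d2 = math.dist(point, model["abnormal"])
    return d1, d2, d1 > d2

if __name__ == "__main__":
    model = fit_model(HISTORY)
    for rec in [(1920, 1080, 1920, 1040, 4), (800, 600, 800, 600, 180)]:
        d1, d2, abnormal = check_access(model, rec)
        print(rec, round(d1, 2), round(d2, 2), "isolate" if abnormal else "respond")
```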
The isolation method for abnormal access by a terminal device provided by the present invention divides the data points of the first nonlinear combination feature sets of network accesses initiated by historical terminal devices into a normal-state cluster and an abnormal-state cluster, calculates the Euclidean distance between the second nonlinear combination feature set, obtained from the network access request the current terminal device initiates to the server, and the normal-state cluster and the abnormal-state cluster respectively, and, from the comparison between the distances, finds whether the network access request initiated by the current terminal device is in an abnormal state. The present invention forms the first and second nonlinear combination feature sets from the data generated by the network accesses of terminal devices, and marks the data points obtained from the first and second nonlinear combination feature sets in a coordinate system. The technical solution of the present invention processes the data produced by the network access request the terminal device initiates and compares them directly. This avoids the problem in the prior art that relying only on usage records generated while the user operates the terminal device, such as click times and drag trajectory data during authentication, as the basis for abnormality detection easily causes a real user to be judged an abnormal user; it reflects more accurately the state of the network access request the current terminal device initiates to the server, and obtains the abnormality detection result by a simpler and more intuitive comparison of data, which helps to isolate the abnormal access that the abnormality detection identifies.
On the basis of the above scheme, before step S230, that is, before calculating the first Euclidean distance between the second nonlinear combination feature set and the centroid of the normal-state cluster and the second Euclidean distance between it and the centroid of the abnormal-state cluster, the method further includes:
Presetting initial centroids for the normal-state cluster and the abnormal-state cluster of the first nonlinear combination feature sets respectively.
In this step, particularly where no Euclidean distance calculation with a second nonlinear combination feature set has yet been carried out, the position of the corresponding centroid is computed from the dimension vectors of the normal-state cluster and of the abnormal-state cluster respectively, giving the corresponding initial centroid. The centroid is the center of mass of the corresponding state cluster, and can change as the collected dimension vectors of the state cluster change.
When the Euclidean distances between a second nonlinear combination feature set and the normal-state cluster and abnormal-state cluster are calculated for the first time, only the distance between the second nonlinear combination feature set and the initial centroid needs to be calculated.
If the distances between the normal-state cluster and abnormal-state cluster and the second nonlinear combination feature sets produced by network requests that terminal devices issue subsequently need to be calculated, the position of the new centroid can be obtained directly from the position of the data point of the previously generated second nonlinear combination feature set and the position of the initial centroid. This avoids having to recalculate the centroid from all data points of the normal-state cluster and abnormal-state cluster each time a network request from a terminal device is added to the history. It helps control the amount of computation in subsequent abnormality detection and so maintains the efficiency of isolating abnormal access by terminal devices.
According to the habits of ordinary users when logging in to a network, a terminal device under normal conditions usually issues more than one network request to the server within a short time. The same terminal device may therefore issue more than one network request to the server in a short period.
Accordingly, step S230 may include:
S231: calculating, for each access within a set time period, the first Euclidean distance between the second nonlinear combination feature set and the centroid of the normal-state cluster, and the second Euclidean distance to the centroid of the abnormal-state cluster;
S232: obtaining, for the same terminal device within the set time period, the set of first Euclidean distances and the set of second Euclidean distances that rank within a preset number when sorted, and obtaining the mode of the set of first Euclidean distances and the mode of the set of second Euclidean distances;
S233: taking the mode of the set of first Euclidean distances and the mode of the set of second Euclidean distances as the first Euclidean distance and the second Euclidean distance of that terminal device within the set time period.
Specifically, each time the same terminal device issues a network request to the server, a corresponding pair of a first Euclidean distance and a second Euclidean distance is formed.
Within the set time period, the second nonlinear combination feature set is obtained each time the same terminal device issues a network request, and the corresponding dimension vector is obtained from the multiple feature values in that feature set. In this embodiment, the first Euclidean distance and the second Euclidean distance of each network request of the same terminal device are obtained from the dimension vector of the second nonlinear combination feature set and, respectively, the centroid of the normal-state cluster and the centroid of the abnormal-state cluster. Within the set time period, the multiple first Euclidean distances and the multiple second Euclidean distances obtained from the repeated network requests of the same terminal device are each sorted by distance value, and the set of first Euclidean distances and the set of second Euclidean distances that rank within the preset number are obtained; for example, the preset number is 100. The mode of each set, that is, the distance value that occurs most often among the preset number of values, is then obtained from the set formed by these 100 first Euclidean distances and from the set formed by these 100 second Euclidean distances. The modes of the two sets are used as the first Euclidean distance and the second Euclidean distance of that terminal device within the set time period. In this way, the data to be processed that the same terminal device generates in a short time is simplified, and abnormal data caused by accidental factors is kept, as far as possible, from influencing the resulting Euclidean distance values.
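The initial centroids, the incremental centroid update and steps S231-S233 described above can be sketched as follows. This is an added example, not code from the patent; the class and function names, the constructed sample vectors, the largest-first ranking, the rounding that lets float distances repeat, and folding a classified window into its assigned cluster are all assumptions.

```python
import math
from collections import Counter


class StateCluster:
    """One state cluster, reduced to its centroid and its point count."""

    def __init__(self, history):
        # Initial centroid: mean of the historical dimension vectors.
        self.count = len(history)
        self.centroid = [sum(axis) / self.count for axis in zip(*history)]

    def distance(self, vector):
        return math.dist(vector, self.centroid)

    def add(self, vector):
        # Incremental update from the old centroid and the new data point:
        # c_new = c_old + (x - c_old) / n_new, with no pass over old points.
        self.count += 1
        self.centroid = [c + (x - c) / self.count
                         for c, x in zip(self.centroid, vector)]


def window_mode(distances, top_n=100, precision=1):
    """S232: mode of the top_n ranked distances of one device.

    Assumptions: distances are ranked largest first, and they are rounded
    to `precision` decimals so that float values can repeat.
    """
    ranked = sorted(distances, reverse=True)[:top_n]
    counts = Counter(round(d, precision) for d in ranked)
    highest = max(counts.values())
    # Deterministic tie-break: smallest of the most frequent values.
    return min(v for v, n in counts.items() if n == highest)


def classify_window(vectors, normal, abnormal, top_n=100):
    """S231-S233 and the decision rule for one device in one time window."""
    first = window_mode([normal.distance(v) for v in vectors], top_n)
    second = window_mode([abnormal.distance(v) for v in vectors], top_n)
    verdict = "abnormal" if first > second else "normal"
    return verdict, first, second


# Constructed, pre-scaled vectors: [pixel ratio, area delta, request rate].
NORMAL_HISTORY = [[1.0, 0.25, 0.0], [1.0, 0.5, 0.25], [1.0, 0.75, 0.5]]
ABNORMAL_HISTORY = [[2.0, 0.0, 1.0], [2.0, 0.0, 0.75], [2.0, 0.0, 0.5]]
# Five requests from one device: four crawler-like, one chance outlier.
WINDOW = [[2.0, 0.0, 0.75]] * 4 + [[1.0, 0.5, 0.25]]

if __name__ == "__main__":
    normal = StateCluster(NORMAL_HISTORY)
    abnormal = StateCluster(ABNORMAL_HISTORY)
    verdict, first, second = classify_window(WINDOW, normal, abnormal)
    print(verdict, first, second)
    # Assumption: a classified window is folded into the cluster it was
    # assigned to, using only the running centroid.
    target = abnormal if verdict == "abnormal" else normal
    for vector in WINDOW:
        target.add(vector)
    print(target.count, target.centroid)
```

The single outlier request does not change the verdict because the mode, not the mean, represents the window.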
Step S220 includes:
A1: obtaining the second device parameter of the current access through a script program on the terminal device, generating the second nonlinear combination feature set, and obtaining the user agent of the terminal device from the second nonlinear combination feature set;
A2: parsing the user agent to obtain the model of the terminal device.
In steps A1-A2, the server obtains the current second device parameter through the detection script on the terminal device, obtains the current second nonlinear combination feature set of the terminal device that issued the network request, and obtains the user agent of the terminal device from that feature set. The model of the corresponding terminal device is obtained by parsing the user agent.
On this basis, the following may also be included after step S220:
A3: obtaining, according to the model of the terminal device, the normal range of each feature value of the second nonlinear combination feature set of the terminal device;
A4: comparing the feature values of the second nonlinear combination feature set with the normal range;
A5: obtaining the nonlinear combination feature sets whose feature values fall outside the normal range, and using them as the second nonlinear combination feature set.
According to the model of the terminal device obtained in step A2, a normal range is defined for each feature value of the second nonlinear combination feature set of the terminal device.
Each obtained feature value of the second nonlinear combination feature set of the terminal device is compared with the normal range for the corresponding model obtained above, and the comparison result is used to predict whether the terminal device is in an abnormal state. This serves as the basis for isolating web crawlers.
If a feature value of a terminal device is not within the normal range for its model, the terminal device may be in an abnormal state and is likely being used to deploy a crawler to access the network.
The nonlinear combination feature set of a terminal device that may be in an abnormal state is used as the second nonlinear combination feature set, so that the data to be processed and compared is screened in advance, which reduces later data-processing work such as Euclidean distance calculation and data comparison.
The comparison of each obtained feature value of the second nonlinear combination feature set of the terminal device with the normal range for the corresponding model may cover the pixel ratio of the terminal device, parameters relating to resolution, or the combined verification time and number of verifications.
Specifically, reference may be made to the following examples:
(1) Combination feature: whether the pixel ratio is consistent with the system platform of the terminal device:
The real pixel ratio of a Windows computer is generally about 1. If the pixel ratio of a Windows computer obtained by the server is greater than or equal to 2, the request may come from a computer using an official simulator to imitate a mobile phone and attack the verification code, and the terminal device is more likely to be abnormal;
The real pixel ratio of an iPhone is generally about 2-3. If the pixel ratio of an iPhone obtained by the server is 1, the request is likely to come from a crawler, an automation device or an official simulator attacking the verification code, and the corresponding terminal device is likely to be abnormal;
The pixel ratio of an Apple Mac computer is generally about 1-2. If the pixel ratio of a Mac computer obtained by the server is 3, the corresponding terminal device is likely to be abnormal.
(2) Combination feature: whether a nonlinear combination feature generated from the resolution is consistent with the system platform:
Whether the difference x1y1-xy between the product x1y1 of the terminal device screen resolution x1, y1 and the product xy of the browser's available screen resolution x, y is consistent with the system platform:
For example, the xy-x1y1 obtained by the front end for the Chrome browser on a computer is normally not 0; that is, for the Chrome browser on a computer under normal conditions, the screen resolution of the terminal device obtained by the server differs somewhat from the resolution available to the browser. When a computer simulates a mobile phone, the screen resolution of the terminal device and the resolution available to the browser obtained by the server are either identical or very different (for example, x1y1-xy is greater than 150000), and the corresponding terminal device is then likely to be abnormal.
(3) Combination feature: whether the resolution X*Y value is within the normal range and consistent with the system platform (especially when the resolution is too low, which corresponds to low-end devices deployed for crawlers).
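Steps A2-A5 with the pixel-ratio and screen-area checks of examples (1) and (2), as an added example that is not code from the patent. The record field names, the user-agent substrings, the exact bounds derived from the "about" values above and the sample records are assumptions; example (3) is left out because the text gives no numeric range for it.

```python
# Constructed user-agent strings for the sample records below.
UA_WIN_CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36")
UA_IPHONE = ("Mozilla/5.0 (iPhone; CPU iPhone OS 12_3 like Mac OS X) "
             "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1 "
             "Mobile/15E148 Safari/604.1")
UA_MAC_SAFARI = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) "
                 "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 "
                 "Safari/605.1.15")

# A3: normal pixel-ratio range per platform (bounds are assumptions taken
# from the text: Windows about 1, iPhone about 2-3, Mac about 1-2).
PIXEL_RATIO_OK = {
    "windows": lambda r: r < 2,
    "iphone": lambda r: 2 <= r <= 3,
    "mac": lambda r: 1 <= r <= 2,
}
AREA_DELTA_MAX = 150000  # x1*y1 - x*y above this is out of range


def platform_from_user_agent(user_agent):
    """A2: coarse platform from the user agent.

    iPhone is tested first because iPhone user agents also contain
    'Mac OS X'.
    """
    ua = user_agent.lower()
    if "iphone" in ua:
        return "iphone"
    if "windows nt" in ua:
        return "windows"
    if "macintosh" in ua:
        return "mac"
    return "unknown"


def out_of_range_features(sample):
    """A4: names of the feature values outside the platform's normal range."""
    platform = platform_from_user_agent(sample["user_agent"])
    findings = []
    check = PIXEL_RATIO_OK.get(platform)
    if check and not check(sample["pixel_ratio"]):
        findings.append("pixel_ratio")
    desktop_chrome = (platform in ("windows", "mac")
                      and "chrome/" in sample["user_agent"].lower())
    if desktop_chrome:
        # Screen area minus the area available to the browser.
        delta = (sample["screen_w"] * sample["screen_h"]
                 - sample["avail_w"] * sample["avail_h"])
        if delta == 0 or delta > AREA_DELTA_MAX:
            findings.append("screen_area_delta")
    return platform, findings


def prescreen(samples):
    """A5: ids of the records forwarded to the distance calculation."""
    return [s["id"] for s in samples if out_of_range_features(s)[1]]


def record(rid, ua, ratio, screen, avail):
    return {"id": rid, "user_agent": ua, "pixel_ratio": ratio,
            "screen_w": screen[0], "screen_h": screen[1],
            "avail_w": avail[0], "avail_h": avail[1]}


# Constructed sample records.
SAMPLES = [
    record("win-ok", UA_WIN_CHROME, 1.25, (1920, 1080), (1920, 1040)),
    record("win-emulated", UA_WIN_CHROME, 3, (375, 812), (375, 812)),
    record("iphone-dpr1", UA_IPHONE, 1, (375, 812), (375, 812)),
    record("mac-ok", UA_MAC_SAFARI, 2, (1440, 900), (1440, 877)),
    record("iphone-ok", UA_IPHONE, 3, (375, 812), (375, 812)),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["id"], out_of_range_features(sample))
    print("forwarded:", prescreen(SAMPLES))
```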
Step S210 may specifically be:
Obtaining the first device parameters of the historically collected terminal devices, extracting the feature information of the first device parameters, and generating multiple first nonlinear combination feature sets from the feature information.
For the historically collected first device parameters of terminal devices, the server extracts the relevant feature information from the first device parameters, such as pixel ratio, resolution, or verification time and frequency, and generates a first nonlinear combination feature set for each item of feature information. Taken together, all the first nonlinear combination feature sets generated by one network request of the same terminal device form a data point of a multidimensional vector, which can be marked on the corresponding coordinates for subsequent data analysis and statistics.
After step S210, the method may also include:
B1: obtaining the idle period of network access from the historical access volume of terminal devices;
B2: obtaining the idle access frequency of the same terminal device within the same idle period of network access;
B3: comparing the idle access frequency with a preset value;
B4: if the idle access frequency is greater than the preset value, obtaining the second nonlinear combination feature set of the corresponding terminal device.
In steps B1-B4, the idle period of network access is obtained from the historical number of accesses by terminal devices, and the idle access frequency of the same terminal device is obtained for that idle period. The idle access frequency of the same terminal device is compared with the preset value. In this embodiment, the preset value can be obtained from statistics on the historical access volume of terminal devices during the idle period of network access.
If the access frequency of the terminal device is greater than the preset value, the terminal device is set as a monitored object and its second nonlinear combination feature set is obtained. Other feature information is extracted from the obtained second nonlinear combination feature set for further monitoring and comparative analysis, so that the detection of abnormal network access is more targeted, the efficiency of capturing abnormal conditions is improved, and the isolation of abnormal access caused by web crawlers becomes more effective.
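Steps B1-B4 applied to a request log, as an added example that is not code from the patent. The (device, hour) log format, the choice of the quietest quarter of the day as the idle period, the mean plus three standard deviations as the statistic behind the preset value, and the sample data are assumptions.

```python
from collections import Counter
from statistics import mean, pstdev


def idle_hours(history, share=0.25):
    """B1: the hours of the day with the lowest historical request volume."""
    volume = Counter(hour for _device, hour in history)
    ranked = sorted(range(24), key=lambda h: (volume[h], h))
    return set(ranked[:max(1, int(24 * share))])


def idle_frequency(rows, idle):
    """B2: requests per idle hour for each device seen in the idle period."""
    per_device = Counter(device for device, hour in rows if hour in idle)
    return {device: n / len(idle) for device, n in per_device.items()}


def preset_value(history, idle, k=3.0):
    """Preset value from statistics on historical idle-period volume."""
    freqs = list(idle_frequency(history, idle).values())
    return mean(freqs) + k * pstdev(freqs)


def devices_to_monitor(history, current, share=0.25, k=3.0):
    """B3-B4: devices whose idle access frequency exceeds the preset value."""
    idle = idle_hours(history, share)
    limit = preset_value(history, idle, k)
    freq = idle_frequency(current, idle)
    return sorted(device for device, f in freq.items() if f > limit)


# Constructed history for one representative day: hours 0-5 are quiet,
# every device sends 10 requests per hour for the rest of the day.
IDLE_RATE = {"dev-a": 1, "dev-b": 1, "dev-c": 2, "dev-d": 2}
HISTORY = [(device, hour)
           for hour in range(24)
           for device, rate in IDLE_RATE.items()
           for _ in range(rate if hour < 6 else 10)]

# Constructed current log: dev-x is busy at night, dev-b only by day.
CURRENT = ([("dev-a", h) for h in range(6)]
           + [("dev-c", h) for h in range(6) for _ in range(3)]
           + [("dev-x", 3)] * 120
           + [("dev-b", 14)] * 500)

if __name__ == "__main__":
    idle = idle_hours(HISTORY)
    print("idle hours:", sorted(idle))
    print("preset value:", preset_value(HISTORY, idle))
    print("monitor:", devices_to_monitor(HISTORY, CURRENT))
```

Only the devices returned here would have their second nonlinear combination feature set collected, which keeps the distance calculation focused on off-peak outliers.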
Based on the same inventive concept as the above isolation method for abnormal access by a terminal device, an embodiment of the present invention also provides an isolation device for abnormal access by a terminal device, as shown in Fig. 4, comprising:
An obtaining module 410, configured to obtain multiple first nonlinear combination feature sets from the first device parameters of historical terminal devices, and to divide the first nonlinear combination feature sets into a normal-state cluster and an abnormal-state cluster; wherein the first nonlinear combination feature set is the nonlinear feature information of the historically obtained terminal devices, and this feature information includes attribute data and access data of the terminal device;
A generation module 420, configured to obtain the second device parameter of the current access of the terminal device through a script program on the terminal device, and to generate the second nonlinear combination feature set; wherein the second nonlinear combination feature set is the nonlinear feature information of the currently obtained terminal device, and this feature information includes attribute data and access data of the terminal device;
A computing module 430, configured to calculate the first Euclidean distance between the second nonlinear combination feature set and the centroid of the normal-state cluster, and the second Euclidean distance to the centroid of the abnormal-state cluster;
An isolation module 440, configured to determine, when the first Euclidean distance is greater than the second Euclidean distance, that the terminal device is performing abnormal access, and to perform isolation processing on the abnormal access of the corresponding terminal device.
Referring to Fig. 5, Fig. 5 is a schematic diagram of the internal structure of a server in one embodiment. As shown in Fig. 4, the server includes a processor 510, a storage medium 520, a memory 530 and a network interface 540 connected by a system bus. The storage medium 520 of the server stores an operating system, a database and computer-readable instructions, and the database can store control information sequences. When the computer-readable instructions are executed by the processor 510, they cause the processor 510 to implement an isolation method for abnormal access by a terminal device, and the processor 510 can implement the functions of the obtaining module 410, generation module 420, computing module 430 and isolation module 440 of the isolation device for abnormal access by a terminal device in the embodiment shown in Fig. 4. The processor 510 of the server provides computing and control capability and supports the operation of the entire server. The memory 530 of the server can store computer-readable instructions which, when executed by the processor 510, cause the processor 510 to perform an isolation method for abnormal access by a terminal device. The network interface 540 of the server is used to connect to and communicate with terminals. Those skilled in the art will understand that the structure shown in Fig. 5 is only a block diagram of the part of the structure relevant to the solution of this application and does not limit the server to which the solution is applied; a specific server may include more or fewer components than shown in the figure, combine certain components, or have a different arrangement of components.
In one embodiment, the present invention also provides a storage medium storing computer-readable instructions which, when executed by one or more processors, cause the one or more processors to perform the following steps: obtaining multiple first nonlinear combination feature sets from the first device parameters of historical terminal devices, and dividing the first nonlinear combination feature sets into a normal-state cluster and an abnormal-state cluster, wherein the first nonlinear combination feature set is the nonlinear feature information of the historically obtained terminal devices, and this feature information includes attribute data and access data of the terminal device; obtaining the second device parameter of the current access of the terminal device through a script program on the terminal device, and generating a second nonlinear combination feature set, wherein the second nonlinear combination feature set is the nonlinear feature information of the currently obtained terminal device, and this feature information includes attribute data and access data of the terminal device; calculating the first Euclidean distance between the second nonlinear combination feature set and the centroid of the normal-state cluster, and the second Euclidean distance to the centroid of the abnormal-state cluster; and, when the first Euclidean distance is greater than the second Euclidean distance, determining that the terminal device is performing abnormal access, and performing isolation processing on the abnormal access of the corresponding terminal device.
From the above embodiments, the main beneficial effects of the present invention are as follows:
The isolation method and device for abnormal access by a terminal device provided by the present invention generate multiple first nonlinear combination feature sets and the corresponding second nonlinear combination feature set from the historically collected network accesses of terminal devices and from the current network access, respectively; divide the data points of the multiple first nonlinear combination feature sets into a normal-state cluster and an abnormal-state cluster; calculate the first Euclidean distance between the second nonlinear combination feature set and the centroid of the normal-state cluster, and the second Euclidean distance to the centroid of the abnormal-state cluster; determine from the comparison of the first Euclidean distance and the second Euclidean distance whether the network access is abnormal access; and perform isolation processing on the request corresponding to the abnormal access.
The technical solution provided by the present invention converts the feature information generated when a terminal device initiates a network access request into corresponding data points, and obtains the determination result from the spatial relationship between the data points. In this way, the comparison of the distance parameters derived from the feature information of the terminal device's network access intuitively reflects whether that network access is abnormal, which makes it easier to judge whether the terminal device is accessing and intruding on the website through a web crawler, and improves the isolation of abnormal access by terminal devices.
In summary, through the isolation method and device for abnormal access by a terminal device, the present invention provides a technical solution in which the feature information data generated by a terminal device's network access is compared by distance in an intuitive way to determine whether the access is abnormal. This solves the problem in the prior art that relying on trace data when a user logs in to the network through a terminal device easily causes real users to be judged as abnormal users, and improves the ability to detect abnormal access by terminal devices.
Those of ordinary skill in the art will understand that all or part of the processes in the methods of the above embodiments can be completed by a computer program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, may include the processes of the embodiments of the above methods. The storage medium may be a magnetic disk, an optical disc, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM) or the like.
The technical features of the embodiments described above can be combined arbitrarily. For brevity, not all possible combinations of the technical features in the above embodiments are described; however, as long as a combination of these technical features contains no contradiction, it should be considered within the scope of this specification.
The embodiments described above express only several implementations of the present invention, and although their description is relatively specific and detailed, they should not be construed as limiting the scope of the patent. It should be pointed out that those of ordinary skill in the art can make various modifications and improvements without departing from the inventive concept, and these all fall within the protection scope of the present invention. The protection scope of this patent shall therefore be subject to the appended claims.
Claims (10)
1. An isolation method for abnormal access by a terminal device, characterized by comprising the following steps:
obtaining multiple first nonlinear combination feature sets from the first device parameters of historical terminal devices, and dividing the first nonlinear combination feature sets into a normal-state cluster and an abnormal-state cluster; wherein the first nonlinear combination feature set is the nonlinear feature information of the historically obtained terminal devices, and this feature information includes attribute data and access data of the terminal device;
obtaining the second device parameter of the current access of the terminal device through a script program on the terminal device, and generating a second nonlinear combination feature set; wherein the second nonlinear combination feature set is the nonlinear feature information of the currently obtained terminal device, and this feature information includes attribute data and access data of the terminal device;
calculating the first Euclidean distance between the second nonlinear combination feature set and the centroid of the normal-state cluster, and the second Euclidean distance to the centroid of the abnormal-state cluster;
when the first Euclidean distance is greater than the second Euclidean distance, determining that the terminal device is performing abnormal access, and performing isolation processing on the abnormal access of the corresponding terminal device.
2. The method according to claim 1, characterized in that,
before the step of calculating the first Euclidean distance between the second nonlinear combination feature set and the centroid of the normal-state cluster, and the second Euclidean distance to the centroid of the abnormal-state cluster, the method further comprises:
presetting an initial centroid for the normal-state cluster and for the abnormal-state cluster of the first nonlinear combination feature sets, respectively.
3. The method according to claim 1 or 2, characterized in that
the step of calculating the first Euclidean distance between the second nonlinear combination feature set and the centroid of the normal-state cluster, and the second Euclidean distance to the centroid of the abnormal-state cluster, comprises:
calculating, for each access within a set time period, the first Euclidean distance between the second nonlinear combination feature set and the centroid of the normal-state cluster, and the second Euclidean distance to the centroid of the abnormal-state cluster;
obtaining, for the same terminal device within the set time period, the set of first Euclidean distances and the set of second Euclidean distances that rank within a preset number when sorted, and obtaining the mode of the set of first Euclidean distances and the mode of the set of second Euclidean distances;
taking the mode of the set of first Euclidean distances and the mode of the set of second Euclidean distances as the first Euclidean distance and the second Euclidean distance of that terminal device within the set time period.
4. The method according to claim 1, characterized in that
the step of obtaining the second device parameter of the current access of the terminal device through a script program on the terminal device, and generating a second nonlinear combination feature set, comprises:
obtaining the second device parameter of the current access through the script program on the terminal device, generating the second nonlinear combination feature set, and obtaining the user agent of the terminal device from the second nonlinear combination feature set;
parsing the user agent to obtain the model of the terminal device.
5. The method according to claim 4, characterized in that,
after the step of parsing the user agent to obtain the model of the terminal device, the method further comprises:
obtaining, according to the model of the terminal device, the normal range of each feature value of the second nonlinear combination feature set of the terminal device;
comparing the feature values of the second nonlinear combination feature set with the normal range;
obtaining the nonlinear combination feature set of the terminal device whose feature values fall outside the normal range as the second nonlinear combination feature set.
6. The method according to claim 1, characterized in that
the step of obtaining multiple first nonlinear combination feature sets from the first device parameters of historical terminal devices comprises:
obtaining the first device parameters of the historically collected terminal devices, extracting the feature information of the first device parameters, and generating multiple first nonlinear combination feature sets from the feature information.
7. The method according to claim 1, characterized in that,
after the step of obtaining multiple first nonlinear combination feature sets from the first device parameters of historical terminal devices, the method further comprises:
obtaining the idle period of network access from the historical access volume of terminal devices;
obtaining the idle access frequency of the same terminal device within the same idle period of network access;
comparing the idle access frequency with a preset value;
if the idle access frequency is greater than the preset value, obtaining the second nonlinear combination feature set of the corresponding terminal device.
8. An isolation device for abnormal access by a terminal device, characterized by comprising:
an obtaining module, configured to obtain multiple first nonlinear combination feature sets from the first device parameters of historical terminal devices, and to divide the first nonlinear combination feature sets into a normal-state cluster and an abnormal-state cluster;
a generation module, configured to obtain the second device parameter of the current access of the terminal device through a script program on the terminal device, and to generate a second nonlinear combination feature set;
a computing module, configured to calculate the first Euclidean distance between the second nonlinear combination feature set and the centroid of the normal-state cluster, and the second Euclidean distance to the centroid of the abnormal-state cluster;
an isolation module, configured to determine, when the first Euclidean distance is greater than the second Euclidean distance, that the terminal device is performing abnormal access, and to perform isolation processing on the abnormal access of the corresponding terminal device.
9. A server, characterized by comprising:
one or more processors;
a memory;
one or more computer programs, wherein the one or more computer programs are stored in the memory and configured to be executed by the one or more processors, and the one or more computer programs are configured to perform the isolation method for abnormal access by a terminal device according to any one of claims 1 to 7.
10. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the isolation method for abnormal access by a terminal device according to any one of claims 1 to 7 is implemented.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910580052.3A CN110445753A (en) | 2019-06-28 | 2019-06-28 | The partition method and device of terminal device abnormal access |
PCT/CN2019/103663 WO2020258509A1 (en) | 2019-06-28 | 2019-08-30 | Method and device for isolating abnormal access of terminal device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110445753A true CN110445753A (en) | 2019-11-12 |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | | Application publication date: 20191112 |